Fighting the new breed of security threat

The digitisation of virtually all of the modern business' intellectual property puts us in a situation where we are vulnerable to a new breed of security threat.

High-capacity digital storage devices such as USB thumb drives, home broadband connections with virtual private networks, and the threat of malware are all mechanisms by which thieves can get their hands on your data.

Recent high-profile cases highlight the problem. The warning in June from the National Infrastructure Co-ordination Centre that hundreds of UK businesses were being targeted by Far-Eastern cyber-criminal gangs, as well as the recent Israeli spyware arrests, emphasise its seriousness.

Information can leave our business in a number of ways that circumvent the traditional security measures of firewalls and anti-virus software that UK businesses normally have in place.

Spyware can make its way into a business and transmit sensitive information - from passwords to customer details to contracts - via key logging or other mechanisms. In the much-reported Israeli case, top executives of Israel's leading companies were convicted after uploading a piece of spyware to the computers of their commercial rivals to steal sensitive information.

Phishing attacks, which aim to fool the recipient into clicking through to a bogus website and entering confidential data, are changing as users become more savvy. Attackers know they are unlikely to fool their targets, and so now use other techniques to infect those who merely click on their e-mails out of curiosity - just visiting a website can be enough.

The increasing capacity of portable devices, including MP3 players, means that a rogue employee could copy the entire contents of their server onto the device, wipe the system and walk out in minutes. These devices can be used to sneak confidential information out from behind the corporate firewall and act as an infection vector for spyware. They could also be used to put illegal material onto the network, for which the business then becomes responsible. So, the threat is from accidental use as well as malicious use.

There are other new transports for these threats, including VPN links that allow individuals to access the corporate network remotely. In the wrong hands, this can wreak havoc on your data. The increasing uptake of broadband and the rise of IP telephony are making this kind of flexible working model more practical, and therefore more of a security issue for IT directors.

Another infection vector for malware comes from mobile workforces, who often sit beyond the protection offered by the corporate network's security systems, only to come back into the fold infected.

Current security policies are still very much focused on point security solutions - in particular, firewall and anti-virus. These offer limited defence when faced with the new breed of data thieves.

A more in-depth approach to information security is needed, starting with the information security policy. Businesses must update their policies to take account of the new threats and the new ways of working.

In addition to the work done by anti-virus systems and firewalls, advanced behaviour and policy management software is needed to monitor for anomalous network behaviour. This gives protection against "day-zero" threats and allows policies to be implemented across an organisation.

Given the criminal involvement in data theft, monitoring, analysis and response systems within the network layer can be used to track anomalous activity and help identify the source of the threats, in collaboration with the proper authorities such as the National Hi-Tech Crime Unit.

The threat offered by mobile devices can be addressed by a number of network access control and protection initiatives. These initiatives refuse access to machines that lack the appropriate security and anti-virus patches, as set out in the information security policy.

Many businesses currently think of their information security in terms of anti-virus and firewalls, and these tools have their place in the overall architecture. However, current threats around data theft, from trojan e-mails to portable storage devices, can get past these.

No signature-based system will be sufficient on its own to protect against these new attacks in the new threat model. There is a need to move on from this point to a complete-systems "defence in depth" approach to information security, moving beyond signature matching.

The increased mobility of business, accessibility of networks, portability of devices and proliferation of malware have increased the number of threats facing the 21st century company. However, tools are available to strengthen defences to ensure organisations can use the internet safely and securely, and so increase the productivity of their business.

  • Paul King is senior security adviser at Cisco Systems UK & Ireland

