The growing ubiquity of mobile technology and internet-connected devices will present new threats and increase the challenges for IT security managers, according to speakers at the McAfee Focus 11 Security Conference, supported by Computer Weekly.
Delegates heard about the unfolding threat landscape and issues such as how to combat future security risks, the consumerisation of IT, cloud computing and enabling mobile productivity while securing data. Here we look at the key areas of discussion from the conference.
George Kurtz, worldwide chief technology officer at McAfee, said a perfect storm is brewing to make 2012 the year of the hack. Kurtz cited a combination of an explosion of internet-connected devices, the complexity of IT, and a proliferation of malicious software, with 70 million pieces of malware found over the last 18 months, the same as in the previous 20 years combined.
McAfee discovers 100,000 potential malware samples per day, 60,000 of which are unique.
“Every day is patch Tuesday,” said Kurtz, who also offered the worrying fact that two million websites a month are found to be hosting malware.
“Information is the currency of the 21st century which the bad guys are after,” said Kurtz. With more and more devices – such as televisions and medical equipment - becoming IP-enabled, criminals are set on conquering the new internet-connected frontier.
For example, McAfee has been able to demonstrate in its labs that it can take control of a wireless insulin pump and quadruple the dose remotely, without any authentication. Modern cars are also a target, with 10 million lines of code in the average vehicle. The Stuxnet worm that attacked industrial control equipment proved that it is possible to hack devices other than conventional computers.
With the mobile application explosion, malware has followed suit: Android malware increased 400% in 2010, and Android is the target of 63% of mobile malware attacks, compared with 6% for BlackBerry, which Kurtz attributed to Android being an open platform.
The shift has been away from Symbian and Java-based systems as hackers follow what’s popular. He said mobile is an immature technology compared to PCs.
“There are hundreds of thousands of apps and a man and his dog can publish an app and most people don’t think twice about downloading one,” said Kurtz.
“I knew we were crap at security and the French were tapping us,” said former home secretary David Blunkett, MP.
The criminals are no longer kids in the basement and no-one is immune, as shown by Sony, which hit the headlines when it was hacked, and Nato, which was threatened by hacktivist group Anonymous.
“There is more and more malware in the Apple Mac space as it has reached 15% of operating systems in developed countries, which is the tipping point making it worthwhile for the bad guys to create malware,” said Kurtz.
There is a proliferation of advanced persistent threats (APTs), as demonstrated by Operation Shady Rat, which targeted information held by 70 organisations worldwide.
“Firms’ intellectual property is being targeted,” said Kurtz.
An overlooked area is database security, yet sophisticated attacks often target databases, as in the TJ Maxx breach, said David Davidoff, global sales, database security products at McAfee.
“More than 50% of organisations will never patch the database. Those that do will only do so months after the patch is released, but regulations say you can’t pass an audit if you don’t patch the database,” he said.
Although the security landscape appears more threatening there is some good news.
“Global spam volumes are going down significantly, thanks to taking out huge botnets, but they are recovering and building up,” said Steve Shakespeare, director, European enterprise solutions, Intel.
The $180m revenue generated by fake antivirus products also took a hit when the CEO of the payment card processor used by the scammers went to jail in Russia and orders stopped being processed.
However, APTs are growing and criminals are increasingly after specific information and intellectual property, and will use spear phishing to achieve their aims by gleaning personal information, such as hobbies, from social media sites to make their scams look more credible.
Kurtz said the focus is on moving the security industry beyond blacklisting and towards controlling what software is allowed to execute.
“Oxygen plus a match equals combustion, and malware plus execution equals an infection - but malware plus non-execution equals security. We are focusing on non-execution and adding hardware-based blacklisting to the mix,” he said.
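The execution-control model Kurtz describes, a default-deny gate that allows a program to run only if it is on an allowlist, can be illustrated with a small hash-based allowlist. This is an added example written for this page, not McAfee's product code; the file contents, file names and allowlist are constructed inline so it runs offline, and the `ExecutionGate` class and `build_demo` helper are hypothetical names chosen for the illustration.

```python
"""
Hash-based execution allowlist: a default-deny gate illustrating the
"malware plus non-execution equals security" model from the talk.
Added example, not McAfee's code. All files and hashes below are
constructed so the script runs offline.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Set


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ExecutionGate:
    """Default-deny: a file may execute only if its hash is on the allowlist.

    Keying on content hash rather than file name or path means a trojaned
    copy of an approved tool is denied even though it keeps the same name.
    """

    def __init__(self, allowed_hashes: Set[str]) -> None:
        self.allowed = set(allowed_hashes)
        self.log: List[str] = []  # audit trail of every decision

    def check(self, path: str) -> bool:
        digest = sha256_of_file(path)
        decision = digest in self.allowed
        verdict = "ALLOW" if decision else "DENY "
        self.log.append(f"{verdict} {digest[:12]} {os.path.basename(path)}")
        return decision


def build_demo() -> Dict[str, object]:
    """Create a constructed approved tool and a constructed unknown program,
    run both through the gate, then tamper with the approved tool and run it
    again. Returns the three decisions plus the audit log."""
    tmp = tempfile.mkdtemp()
    approved = os.path.join(tmp, "backup_tool")      # constructed, approved
    unknown = os.path.join(tmp, "invoice.pdf.exe")   # constructed, unknown
    with open(approved, "wb") as f:
        f.write(b"#!/bin/sh\necho backup\n")
    with open(unknown, "wb") as f:
        f.write(b"#!/bin/sh\necho payload\n")

    # The allowlist is built from the golden copy of the approved tool only.
    gate = ExecutionGate({sha256_of_file(approved)})
    results: Dict[str, object] = {
        "approved": gate.check(approved),   # True: hash matches
        "unknown": gate.check(unknown),     # False: never allowlisted
    }

    # Tampering: append an implant to the approved binary. Same name, same
    # path, different hash, so the gate must now deny it.
    with open(approved, "ab") as f:
        f.write(b"echo implant\n")
    results["tampered"] = gate.check(approved)   # False
    results["log"] = gate.log
    return results


if __name__ == "__main__":
    for line in build_demo()["log"]:
        print(line)
```

The gate is deliberately a pure function of file content: it ignores names, paths and extensions, which is why the renamed `invoice.pdf.exe` and the modified `backup_tool` are both refused while the untouched golden copy is allowed. In practice the allowlist would be generated from a signed golden image and protected from modification by the same mechanism it enforces.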
Shakespeare said user awareness is key to security as “users readily install malware as they tick yes to user agreements and do not pay attention to what they are signing up for.”
In this way attackers infect phones and listen on a back-door port for information sent via text messages, which they can then use to log into online bank accounts, for example.
Google has tried to protect users by cleaning up after the DroidDream attack on Android by remotely removing infected apps and installing another tool – although hackers then think, ‘Let’s see if we can do that,’ said Shakespeare.
But common sense is the ultimate weapon.
“The best whitelist is your brain – shut off things you don’t use. Don’t install just anything and use strong passwords and minimise remote unlocking services,” said Shakespeare.
Consumers will continue to drive the movement towards mobile devices and Gartner’s prediction in 2007 that the iPhone wouldn’t be accepted into the enterprise has been proved spectacularly wrong.
“Organisations need to think about what policies are appropriate and how they will treat ownership of devices, how they will protect data, governance and policies for own use and for corporate devices,” said David Goldschlag, vice president, mobile technology, McAfee.
Demand for the cloud has accelerated despite the downturn, and the growth in connected devices means this trend will continue as organisations use cloud to help manage the cost of data, said Shakespeare.
He said there are four billion connected devices on the planet and $455bn is spent in the datacentre.
“By 2015 Intel’s cloud vision predicts 15 billion connected devices and this explosive demand means we must innovate automation in the cloud and it needs to be client-aware, so that security is not an inhibitor to the vast range of devices, and people can interact and exploit services and capability,” he said.
People want devices that are highly mobile, portable and responsive and with advances in chip technology and smaller transistors, Shakespeare said security will be enabled by exploiting silicon innovation and combining with software for a more available and secure platform.
“Security is the third pillar of computing, the first is performance and the second is connectivity,” he said.
Scott Chasin, CTO for software as a service at McAfee, said, “All roads lead to the cloud.”
Application complexity is growing and web services are the primary means of integrating into the cloud. For example, some 60% of Salesforce.com’s consumption is done through APIs rather than consoles, and some 48% of UK companies are already using some form of cloud service today, but security remains a roadblock especially regarding regulatory issues.
Application architecture will “demand you have connectivity within the cloud, and build a bridge from the enterprise to the cloud,” but he said traditional certification models just build a snapshot of security.
“Annual certification must move to daily validation and extend policies into the cloud,” said Chasin.
Nick Leeson, the “rogue trader” who brought down Barings Bank by losing £862m of its money, said the world of finance is very reactive.
“Risk is not properly assessed or understood. Lots of the oversights that occurred existed in the human realm,” he said.
No-one dared challenge him while he was accumulating losses, but if people had amalgamated information they would have seen lots of inconsistencies, he said.
“The recent UBS rogue trading scandal proves the problems have not been eradicated,” said Leeson, but he said it only occurs where systems and controls in organisations are insufficient.
“Financial markets are based on financial innovation and unfortunately the regulators never keep up,” he said.
Leeson believes better quality risk managers are necessary. He was once handed a piece of paper to sign off that nothing was remiss because nobody else could understand his work.
“There was poor auditing by the Big Four [accountancy firms]. The point of referral was me. They had every single piece of information they needed, but they deleted it,” said Leeson.
Some IT security chiefs suggest security education should follow road-safety awareness campaigns with its own version of the Green Cross Code.
John Lyons, chief executive of the International Cyber Security Protection Alliance (ICSPA) said, “’Clunk-click every trip’ got the message across [about wearing seat belts] and we need that level of awareness, but there is not sufficient senior support in government.”