Back to security basics, say Infosecurity Europe exhibitors

The attendees of Infosecurity Europe 2009 can expect to hear one particular message from vendors and exhibitors: get back to basics.

Visitors to Infosecurity Europe 2009, one of Europe's largest security conferences, can expect to hear a concerted message from vendors: get back to basics.

A group of the show's exhibitors, plus a panel of CISOs, assembled in London this week to preview the April event and discuss the state of the market. Most were convinced that current security practices were not keeping up with threats. A rising tide of cybercrime is posing greater external threats, they said, while the economic downturn is likely to increase the dangers of internal fraud.

Know your current assets
Chris Schwartzbauer, VP of development and customer operations at Shavlik Technologies LLC, said senior management had been lulled into thinking security was under control because it had spent so much money on security products.

"They have bought the latest and greatest products because they're cool, but they don't look at what the technology is doing for them. They cobble together pieces and pieces, but that doesn't mean it will all work as a complete system," he said.

Schwartzbauer added that companies spend their time chasing threats and plugging holes rather than trying to be proactive in their approach. "Our problems are being compounded. Applications are becoming more complex, and therefore more vulnerable. Virtualisation allows us to run multiple operating systems. And in the third quarter of 2008, there were more vulnerabilities published for non-Windows systems than Windows systems," he said.

Criminals are looking to exploit those other vulnerabilities that may occur in Adobe Acrobat, iTunes, Firefox and other non-Microsoft environments.

His answer is to return to basics, and for organisations to get control over what assets they have, and apply proper policies. "You need to discover your assets to know what inventory you have on each machine -- operating systems, accounts, permissions, services and applications. If you don't know what's out there, then you'll never know how vulnerable you are," he said.

Agenda: Back to basics

*Discover all assets and maintain inventory
*Adopt some form of data classification
*Put controls on systems administrators, identify individuals
*Implement secure development practices (not just coding)
*Have a policy, enforce it.
*Take advantage of free information (Cabinet Office, Jericho Forum)
*Automate where possible
*Review defences and cut out duplication.

Infosecurity Europe 2009 runs April 28 to 30 at Earl's Court in London.

The only way to keep control of assets is to have continuous automated asset discovery and vulnerability remediation in place, he said. To back up the claim, he cited a study by the Aberdeen Group last July, which showed that best-in-class organisations derived huge benefits from this approach, in some cases saving $1.91 in vulnerability-related costs for every $1 invested.

Automation of compliance and risk management
Building on the theme of automation, Ed Cooper, vice president of marketing for Skybox Security Inc., outlined the problem of trying to keep compliant with regulations as systems and networks become increasingly complex. He described the situation as "a perfect storm" where IT is too complex, and companies have too few resources to manage the technology effectively.

"When Patch Tuesday comes, some companies spend a week deciding what to do and what vulnerabilities to prioritise," he said. "It is very labour-intensive, and decisions tend to be subjective and based on educated guesses."

Cooper advocated an automated approach -- called automated risk and compliance management -- which applies business intelligence techniques to security, pulling in information from devices on the network and then using BI-type tools to analyse and present the results.

He added that BI tools also allowed companies to model changes in the security architecture and assess the impact of changes. "We have seen layers of security build up over time to tackle different threats. Much of this could be cut by using automation," he said.

Focus on data classification policies

Most speakers agreed that some form of data classification is fundamental to good security, and most believed that few organisations have managed to apply it effectively. One speaker, Bernard Parsons, CEO of Becrypt Ltd., suggested that the industry could learn from the U.K. government, which in the wake of some embarrassing security breaches over the last couple of years has carried out a major Data Handling Review, and produced its Security Policy Framework last December. Designed primarily for the public sector, the document is equally applicable across industry and is downloadable from the Cabinet Office website.

As Parsons pointed out, the government takes a risk-based approach to classifying data against four levels of security, from "Top Secret" (a danger to the state if disclosed) down to "Restricted" (an embarrassment).

Paul Simmonds, CISO for AstraZeneca Plc and a board member of the Jericho Forum, suggested that even a three-level traffic-light model (red, yellow and green) as recommended by the G8 group of industrialised countries, can be effective -- and is certainly better than nothing.

The importance of knowing what data you want to guard is increased with the growing collaboration between organisations and the sharing of information with partners and sub-contractors. Simmonds said the Jericho Forum has developed a lot of guidance for companies on how to best build a collaboration-oriented architecture, all of which is downloadable from the Jericho website. "You have to architect for this [collaboration]," he said. "It is radically different from what you did before. For the first time in 25 years of information security, the sticking-plaster solution will not work. You need to go back to first principles. It is why the Jericho Forum was formed. Network-based security controls have had their day."

He said it is essential to tell people in an organisation how you expect them to handle data and give them a simple classification scheme. "If it's not simple, they won't use it," he said.

Who watches the IT department?
Several speakers identified the IT department as a potential weak spot for security, with poor separation of duties, and many staff having privileged access rights, all with the same sysadmin identity. As David Hobson, CEO of distributor Global Secure Systems Corp., said: "This is IT's dirty little secret. Most security money is spent keeping out external threats, while the IT people have the keys to the kingdom. They have highly privileged accounts that are not even linked to individuals."
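As an added illustration of the shared-identity problem Hobson describes (example code, not from the article or any vendor named in it), the script below reads constructed OpenSSH auth-log lines and reports which privileged accounts were used from several source addresses, i.e. sessions that cannot be attributed to one individual. The account list and the log lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's "Accepted ... for <user> from <src>" format.
SAMPLE_LOG = """\
Mar 10 08:01:12 db01 sshd[2201]: Accepted password for sysadmin from 10.0.1.15 port 50122 ssh2
Mar 10 08:03:40 db01 sshd[2210]: Accepted password for sysadmin from 10.0.1.22 port 50140 ssh2
Mar 10 08:05:02 db01 sshd[2222]: Accepted publickey for alice from 10.0.1.15 port 50150 ssh2
Mar 10 08:07:55 db01 sshd[2231]: Accepted password for sysadmin from 10.0.1.31 port 50171 ssh2
Mar 10 08:09:13 db01 sshd[2240]: Accepted publickey for bob from 10.0.1.22 port 50190 ssh2
Mar 10 08:11:47 db01 sshd[2251]: Failed password for sysadmin from 10.0.1.99 port 50201 ssh2
Mar 10 08:12:30 db01 sshd[2260]: Accepted password for root from 10.0.1.31 port 50215 ssh2
"""

# Only successful logins carry "Accepted"; failed attempts are deliberately skipped.
LINE_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port")

# Privileged accounts that are not tied to a single person (assumed list for this example).
SHARED_PRIVILEGED = {"root", "sysadmin"}


def shared_account_usage(log_text):
    """Map each shared privileged account to the set of source addresses that logged in with it."""
    usage = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("user") in SHARED_PRIVILEGED:
            usage[m.group("user")].add(m.group("src"))
    return dict(usage)


def unattributable_accounts(log_text):
    """Shared accounts used from more than one source: the session cannot be tied to an individual."""
    usage = shared_account_usage(log_text)
    return sorted(acct for acct, srcs in usage.items() if len(srcs) > 1)


if __name__ == "__main__":
    for acct, srcs in shared_account_usage(SAMPLE_LOG).items():
        print(f"{acct}: {len(srcs)} distinct source(s) -> {sorted(srcs)}")
    # Accounts listed here are candidates for named per-admin accounts plus privilege elevation.
    print("no individual attribution:", unattributable_accounts(SAMPLE_LOG))
```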
