Hacks of Google and at least 20 other companies in December prove that sophisticated cyber espionage attacks are a real and present danger. But in the light of the fact that most commercial security tools are ineffective against these attacks, according to the SANS Institute, what can and should corporate IT managers do to ensure data protection?
Simone Seth, senior research consultant, Information Security Forum (ISF)
Information security continues to make the headlines for all the wrong reasons. Typically, news stories focus on data breaches, crime and exposures that leave organisations and individuals vulnerable to cyber attacks.
So, it is not surprising that some security professionals are being asked by their boards why information security investment is still proving ineffective in protecting vital information. There is no one simple answer to that question, but a number of key points to consider.
The pervasive view at senior business level remains that technology is capable of delivering the silver bullet solution that will solve all security issues. The fact that information security is usually viewed as part of an organisation's IT function serves only to further this notion. The truth is that security is about people and processes as much as it is about technology.
More investment needs to be made in security awareness and education programmes that reach out to individuals to make them understand and accept responsibility for securing their organisations. This will also help to create a security-savvy culture, which in turn will help to protect information assets.
Second, organisations need to take a strategic view about information security. Although it is understandably difficult to change the tyres on a moving car, it is imperative that security practitioners are able to strategically align their efforts with business objectives, while tactically delivering front-line support.
Putting out fires and pre-empting attacks is the baseline level of service. To protect information assets, information security practitioners need to become more business savvy. They need to understand the business models in play, to be seen as key enablers, rather than as simply an insurance policy.
Finally, information security practitioners may need to work with what they already have. All too often, requests made for additional funding fail to adequately demonstrate value for investment. Recycling, repurposing and more intelligently addressing interoperability with tools and solutions already in place will often serve to close security gaps.
At a time when there is tremendous pressure to demonstrate ROI and to do more with less, information security practitioners should review their existing environments, enhance the controls they already have in place, invest in tools to close control gaps and ensure that the process and human element is not neglected when addressing security vulnerabilities.
Raj Samani, ISSA UK
When Paul Ives came home from work one day, he found thief John Pearce suspended from his window. The burglar had caught his foot after smashing his way through the glass and had been suspended for more than an hour before police released him. Ives later said, "The man must be the world's dumbest thief."
Does this mean that home security can be restricted to installing glass in window panes to trap thieves? Much like the physical world, cyber criminals have varying degrees of capability and motivation. However, this is not a new piece of remarkable research, and 'Knowing the enemy' should be the foundation for any organisation.
The danger of high-profile cyber incursions is an overreaction, and ultimately overspend. This not only leads to obvious cost implications, but also to potential mistrust with senior management (Y2K bug, anyone?). A more logical approach will be to determine the value of company data to third parties, and undertake an exercise to identify these third parties. Is the membership database for a football club likely to be of interest to state-sponsored hackers? Unlikely. However, would that data be of interest to third parties wishing to sell football-related services/products? Absolutely.
Undertaking an assessment of organisational data, the potential threats and the respective capabilities of would-be attackers should be the first step. This will determine whether additional controls beyond agreed baselines are required. Such exercises are cyclic because data and capabilities will change. Even if data were not to change, environmental factors may make data more/less desirable.
While perspective is encouraged, it is worth noting that the information security landscape is evolving. No longer is computer crime the exclusive modus operandi of lone teenagers. Recent examples clearly demonstrate attackers with almost unlimited resources and skills, encouraged by the lucrative rewards for successful infiltration. Unless a strong defensive position is employed, it will not be long before another high-profile incursion hits the front pages, and with the Information Commissioner's Office being given new powers from April, serious breaches could also result in heavy fines.
John Colley, managing director EMEA, (ISC)2
In the past few years, the threat has moved from targeting the network to targeting the data that users manage. That data, which used to be securely housed behind firewalls or in central datacentres, is now increasingly dispersed - often at the whim of the users - across disparate systems.
And now we have the cloud influencing many to send the data outside the organisation, with little appreciation of the due diligence required. At a technical level, the issue will never be with the tools themselves, but whether they are aptly applied and whether they cover all the devices and systems that house the targeted data.
Achieving this relies heavily on the organisation committing to some basics of security management, establishing policies and processes, living by them, understanding them and enforcing them. It must also be accepted that the responsibility extends beyond the IT department or dedicated security team. Business units must develop an understanding of what data they use, what data they actually need access to and, with help from the experts in the security department, how that needs to be protected. Security policy can then evolve with the business and be supported by workable business processes, and tools that address very current and clearly defined requirements.
Our business world continues to change at a phenomenal pace; we must expect and plan for the applied tools and defences to become outdated. The challenge for the CISO, no longer that of IT security alone, is moving from the systems to the people, who must be considered as a means to achieving the objective. The colossal task ahead therefore is to ensure all employees appreciate the value of the data they work with, develop an instinct for the risks to that data, and an acceptance of what is being asked of them. Should the security team lead its efforts with this task, the rest - effective tools, policies, process and agility - should fall into place.
Dani Briscoe, research manager, Corporate IT Forum
Data protection is about more than technology. While, if installed and configured correctly, it can be a vital first line of defence, the power of 'security aware' users should not be underestimated. People are the backbone of the organisation and they are no different when guarding and protecting the data. Not only are they employees, in many cases they are the customer as well; data protection should be personal.
Daily contact with highly confidential data can make even the most dedicated employee complacent. We can't expect every user to be a security expert (that's why we employ a security team), but we should expect them to be able to follow and understand best practice.
Understanding the risks and the consequences of a breach in data protection is essential. Armed with this background information, users can make informed decisions about the data they are handling, with the confidence of a strong security team to back them up. Effective lines of communication up, down and across the business are important to keep the message promoted at all levels, but to also keep the IT security department approachable; they are ultimately a business enabler.
Policy always comes up during these exercises and should not be disregarded if it has not worked before. Some Corporate IT Forum members have made the mistake of having too complex a policy in the past, resulting in users not understanding or following the guidelines. Keeping it simple and short, and embedding it into the corporate ethos, is the most successful method that the majority of our members employ.
To quote an award-winning member in this space, "The data that organisations hold is more than just binary code and each employee has their part to play." Protecting this (sometimes personal) information should form part of the everyday processes that employees use to carry out their duties. Quizzes and training manuals have their place, but nothing beats a security culture of responsible information sharing or knowing that the CIO follows the same process!
Gareth Niblett, head of the information security specialist group at BCS, the Chartered Institute for IT
Few organisations have the resources available to Google, which was still unable to prevent or readily detect the recent wide-scale electronic espionage, and most are unlikely to work with the National Security Agency after a compromise. Yet, organisations that form part of the UK critical national infrastructure (CNI) have for years received government advice and guidance on threats, including those emanating from China, from the Centre for the Protection of National Infrastructure (CPNI). Although its private advice is not readily available, the CPNI website provides non-classified information that non-CNI businesses should be aware of.
Many organisations tend to focus on preventative measures - policy, procedure, and technology - and fail to fully address the detective and responsive controls required for good information security management. Log analysis, required for firewalls, intrusion detection and data loss prevention, is resource intensive, requires expert interpretation of results and is not particularly appealing, but is necessary to detect anomalous behaviours. A robust incident reporting and management procedure is also required, along with an associated forensic readiness plan.
Every organisation should understand the need for regular upgrades and patches, after adequate testing and planning, for all vulnerable systems. Sometimes this is set aside for operational expediency, for critical systems where downtime or the risk of failure is unacceptable, or due to backward compatibility requirements, for legacy applications or platforms, but the risk posed by the failure to upgrade or patch must be mitigated by additional controls that compensate for the vulnerabilities. Defence in depth, or layered security, would mean that a single weakness or vulnerability does not expose everything.
Common factors in this and similar attacks are the level of research and targeting that goes into them, not just utilising multiple zero-day vulnerabilities in IE6 and Adobe Acrobat, but directing the attack at specific people with sufficiently contextually correct information to trick them into effecting the compromise. The attackers appear patient and with long-term goals, rather than seeking money or glory, which makes them all the more insidious. A long-term strategy of user awareness training and education is required to combat this threat, in conjunction with technical and procedural security measures.
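Niblett's point that log analysis is unappealing but necessary for spotting anomalous behaviour is easier to see with a concrete pass over log data. The following is an added illustration, not code from BCS or the author: it runs two simple detections over a handful of constructed authentication log lines (the line format, account names, addresses and the baseline cut-off are all invented for the example). The first rule flags a run of failed logins followed by a success from the same source; the second flags a successful login from a source address that account has never used during the baseline period.

```python
"""Toy log-analysis pass over constructed authentication log lines.

Rule 1: >= THRESHOLD failures for (user, src) immediately followed by a
        success from the same (user, src) -> "guessing-then-success".
Rule 2: after a baseline cut-off, a successful login from a source address
        the account never used during the baseline -> "new-source-login".
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format; not from any real system).
SAMPLE_LOG = """\
2010-02-01T09:02:11 auth: user=alice src=10.0.1.15 result=success
2010-02-01T09:15:40 auth: user=bob src=10.0.1.22 result=success
2010-02-01T22:41:02 auth: user=alice src=198.51.100.7 result=failure
2010-02-01T22:41:09 auth: user=alice src=198.51.100.7 result=failure
2010-02-01T22:41:15 auth: user=alice src=198.51.100.7 result=failure
2010-02-01T22:41:20 auth: user=alice src=198.51.100.7 result=failure
2010-02-01T22:41:33 auth: user=alice src=198.51.100.7 result=success
2010-02-02T09:05:02 auth: user=bob src=10.0.1.22 result=success
"""

# Assumed baseline: everything before this instant is "known good" history.
BASELINE_CUTOFF = "2010-02-01T12:00:00"
FAILURE_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(text):
    """Turn raw lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in practice, count these: silent drops hide blind spots
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_guessing(events, threshold=FAILURE_THRESHOLD):
    """Failures for one (user, src) pair, then a success from that pair."""
    findings = []
    streak = defaultdict(int)
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            streak[key] += 1
            continue
        if streak[key] >= threshold:
            findings.append({
                "rule": "guessing-then-success",
                "user": e["user"],
                "src": e["src"],
                "failures": streak[key],
                "ts": e["ts"].isoformat(),
            })
        streak[key] = 0  # any success resets the run for that pair
    return findings


def detect_new_source(events, cutoff):
    """Successful login after the cut-off from a source unseen in the baseline."""
    known = defaultdict(set)
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        if e["ts"] < cutoff:
            known[e["user"]].add(e["src"])  # learn the baseline
        elif e["src"] not in known[e["user"]]:
            findings.append({
                "rule": "new-source-login",
                "user": e["user"],
                "src": e["src"],
                "ts": e["ts"].isoformat(),
            })
    return findings


def run_analysis(text, cutoff_iso):
    """Parse the log text and return all findings from both rules."""
    events = parse(text)
    cutoff = datetime.fromisoformat(cutoff_iso)
    return detect_guessing(events) + detect_new_source(events, cutoff)


if __name__ == "__main__":
    for finding in run_analysis(SAMPLE_LOG, BASELINE_CUTOFF):
        print(finding)
```

Both rules are deliberately crude: a real deployment would learn the baseline continuously, normalise source addresses behind NAT, and route findings into the incident reporting procedure Niblett describes rather than printing them. The value of the exercise is that neither finding is visible from a preventative control alone; only the log shows it.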
Avivah Litan, vice-president and distinguished analyst, Gartner
In 2009, Gartner saw a number of Trojan-based, man-in-the-browser attacks circumvent strong two-factor authentication, enabled through one-time password (OTP) tokens.
Two-factor authentication based on telephony was also being avoided, using call forwarding so that the fraudster, rather than the legitimate user, is called by the service provider performing the authentication. These attacks were successfully and repeatedly executed against many global banks and their customers, and clearly demonstrate that two-factor authentication methods can be defeated, and that it is not just password-only protected accounts that are under threat.
Consequently, organisations need to establish complementary fraud protection safeguards. There are three proven measures that can fend off attacks. First is the monitoring of users' access behaviour. This method captures and analyses users' web traffic to spot abnormal access patterns that indicate that an automated programme is accessing the application, rather than a human being. Second is the monitoring of suspect transaction values. This function looks at a particular transaction and compares it with a profile of what constitutes "normal" behaviour for that user and/or group of users. Third is the out-of-band transaction verification, which uses a different communication channel of verification (for example, text messaging) from the procedure.
While future attack types are unpredictable, one thing is clear. Organisations need to protect their users and accounts using a layered fraud prevention approach if they want to achieve optimal fraud prevention results.
- Avivah Litan will be conducting a session with Gartner research vice-president Ant Allan on the topic of best practices in external user authentication at the Gartner Identity & Access Management Summit 2010, to be held on 3-4 March in London
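The three complementary safeguards Litan lists (access-behaviour monitoring, transaction-value profiling and out-of-band verification) can be sketched as a single decision pipeline. The code below is an added example, not Gartner's or any bank's implementation: the thresholds, the constructed session timings and transaction history, and the simulated second channel are all assumptions made for illustration. It flags a session whose request timing is too regular and too fast to be a person, flags a transaction amount that sits far outside the user's historical profile, and only then asks for confirmation over a separate channel that carries the transaction details, so that a transaction altered in the browser would be visible to the user on that channel.

```python
"""Layered fraud-prevention decision: behaviour -> value profile -> out-of-band.

All thresholds and sample data are assumptions for the example.
"""
import hmac
import secrets
import statistics

# Constructed sample data (hypothetical).
BOT_TIMES = [i * 0.25 for i in range(12)]            # metronomic, 4 req/s
HUMAN_TIMES = [0, 3.2, 9.8, 12.1, 20.4, 25.0, 31.7, 40.2, 44.9]
HISTORY = [120, 95, 140, 80, 110, 130]                 # past transaction amounts


def looks_automated(request_times, min_requests=8, max_median_gap=0.5, max_cv=0.2):
    """Access-behaviour check: many requests with fast, near-constant spacing.

    Humans produce irregular inter-request gaps; scripted sessions tend to be
    both fast (small median gap) and regular (low coefficient of variation).
    """
    if len(request_times) < min_requests:
        return False  # not enough signal to judge
    gaps = [b - a for a, b in zip(request_times, request_times[1:])]
    median_gap = statistics.median(gaps)
    mean_gap = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
    return median_gap <= max_median_gap and cv <= max_cv


def transaction_is_suspect(amount, history, z_threshold=3.0, min_history=5):
    """Transaction-value check against the user's own profile.

    With too little history there is no baseline, so the conservative choice
    is to treat the transaction as suspect and require verification.
    """
    if len(history) < min_history:
        return True
    mean = statistics.mean(history)
    # Floor the spread so a user with identical past amounts is not flagged
    # for trivial differences.
    sigma = max(statistics.pstdev(history), 0.1 * mean)
    z = (amount - mean) / sigma
    return z > z_threshold


class OutOfBandVerifier:
    """Simulated second channel (e.g. an SMS gateway) for transaction confirmation.

    `deliver` is any callable that sends a message outside the web session.
    The message includes the transaction summary so the user can spot a
    transaction that was altered in the browser before approving it.
    """

    def __init__(self, deliver):
        self._deliver = deliver
        self._pending = {}

    def challenge(self, txn_id, summary):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = code
        self._deliver(f"Confirm {summary} with code {code}")
        return txn_id

    def confirm(self, txn_id, code):
        expected = self._pending.pop(txn_id, None)  # single use
        if expected is None:
            return False
        return hmac.compare_digest(expected, code)


def decide(request_times, amount, history):
    """Layered decision: 'deny', 'verify' (out-of-band needed) or 'approve'."""
    if looks_automated(request_times):
        return "deny"
    if transaction_is_suspect(amount, history):
        return "verify"
    return "approve"


if __name__ == "__main__":
    sent = []
    verifier = OutOfBandVerifier(sent.append)
    outcome = decide(HUMAN_TIMES, 2500, HISTORY)
    print("decision:", outcome)
    if outcome == "verify":
        verifier.challenge("txn-1", "payment of 2500 to ACME")
        print("out-of-band message:", sent[-1])
```

The layering matters more than any one threshold: a man-in-the-browser Trojan that has already passed the OTP login still has to look human, stay inside the victim's normal spending profile, and survive the victim reading the real transaction details on a second channel.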
John Walker, member of ISACA and CTO of Secure-Bastion
InfoSecurity Europe 2010 will see the event enter its 15th year, in which the industry will encounter smarter and slicker security applications entering the market, securing against cyber attacks and incursion.
However, the good guys have not had it their own way because, as they developed next-generation security applications, the opposition - cyber criminals, serious and organised crime, and some miscreant governments - has also joined the cyber arms race.
The information security community would seem to be very much on the back foot, constantly playing catch-up to counter the threats, which infers that within the period of the reactive window, there are opportunities for insecurity. The question this prompts is, given that the deployed security applications do not seem to be providing the silver bullet they were expected to deliver, should businesses throw out their security tools, and save corporate budget in this time of downturn?
The answer is an unequivocal no.
The actual flaw in achieving robust security may be associated with the delivery chain and approach, where at times there can be more than a modicum of point, click and forget security, which is then expected to deliver 100% cyber defence. However, tools and applications are by their very nature dumb, and look to the free-thinking style of their human counterparts to orchestrate and direct their intelligent deployment and operational use.
In a nutshell, if businesses expect to achieve a maximised security profile, then they must continue to invest in appropriate tools, aligned to a risk-managed defence-in-depth approach, based on, say, ISO 27001. The most important aspect here is to exercise a watchful operational eye to ensure the security mission is informed and fully tuned to the latest security exposures.
Last, but not least, empower the organisation with enterprise-wide reporting and alerting system(s) that enable human interpretation of network, system and application-generated events, to facilitate a big brother centric view of user and logical activities. For only by aligning machine-driven defences, underpinned by human interpretation of potentially adverse conditions, may robust security be achieved.