Securing business in the information age
Security is perhaps never so high in the public conscience as it is today, thanks largely to the high-profile blunders by several government agencies.
While the monetary and commercial losses may be minimal, these issues have proven that perhaps the greatest risk faced by any organisation with a less than rigorous approach is reputational damage.
Government may be able to walk away from that with no more than (another serving of) egg on its face – but for business, reputation is bank.
Of course, securing your enterprise throws up very little that is new.
Pete Benson, Trend Micro Senior Security Architect, notes that regardless of the changing ways in which technology is introduced and used in the enterprise, security is still about people, process and technology.
“Certainly, the technology to do what is required to fully secure data environments is available,” he agrees.
“The bigger challenge is to drive behaviour; all too often, the processes and how people use them just haven’t caught up to the technology,” he says.
Specifically, Benson refers to the ‘BYOD’ trend. “That presents a huge opportunity for improved ways of working; what remains [for the CIO] is how to manage the risk that typically accompanies opportunity.”
He says in this changing landscape, an approach of ‘detect, analyse, adapt and respond’ is advisable. “Most existing technology does a good job with everyday scenarios [virus, firewall, etc] but does not address consumers.”
Corporate responsibility starts with the individual
Websense Asia Pacific vice president, Alison Higgins-Miller notes that organisations are starting to determine the extent of what they cannot always control, including mobile devices; publicly accessible Wi-Fi networks and cloud-based applications often served through mobile apps.
It is necessary to introduce the ability to protect data in motion, to stop data theft and reduce risk. But what about the responsibility of the individuals who are bringing these devices in, either under the nose of the CIO or with his tacit approval?
“Everyone has a responsibility to ensure that their behaviour is appropriate. For example, sound policy should ensure an agreement is reached with employees regarding Facebook and URL behaviour,” she says.
Higgins-Miller agrees that when individuals abdicate their own responsibility – and when this combines with malware – problems can occur.
“When [a miscreant] launches an attack, they look for the weak link. Cybercriminals understand social behaviour; they take time to research individuals through their social profiles and use that information,” she says.
Throw in a little social engineering and the results can be disastrous: an email which purports to come from a trusted source could carry a malicious payload.
And it does happen: Websense’s CEO, relates Higgins-Miller, was a victim of just such an attack when an email arrived in the form of a writ to sue the company. What CEO, in a flush of indignation, wouldn’t open such a communiqué?
Archie Reed, CTO of Strategic Enterprise Services, HP Asia Pacific & Japan, says the environment confronting data security is aggressive, endemic and increasingly hostile. “And it’s not just enterprises and government in the crosshairs, it’s individuals too.
Attacks today are targeted and seek specific outcomes, typically information or money.”
Reed agrees that this is not news to anyone in technology; however, he echoes Higgins-Miller’s sentiments – and goes further:
“The point is that it is no longer just the security officer or a specific group within the organisation who is mandated to protect against attacks.
“Even more than everyone’s responsibility to take precautions, it is also a compliance and governance issue – and that means it goes right into the boardroom.”
Reed says companies are beginning to realise that systemic risks are the real issue.
“A lot of focus still falls on an approach that can be described as lining up dominoes. However, if any one falls, it impacts everything.”
It is, of course, practically impossible to contain or prevent all threats; the cost would be too high, and the people who need to access information to conduct commerce would be too inconvenienced for any sort of efficiency.
However, in Reed’s ‘dominoes’ analogy, it makes sense that if a compromise occurs at one point, detection and containment is the obvious response – rather than a collapse across the system. “You don’t want one compromise to impact everything,” he agrees.
Advanced persistent threat attacks
As an example of the aggression and sophistication of modern attacks, Reed points to Operation Aurora (2009), an advanced persistent threat attack which marshalled significant resources and combined many layers of technological and social engineering techniques.
The targets? High-profile American companies. According to McAfee, the primary goal was to gain access to, and potentially modify, source code repositories at defence contractor companies.
“[This information] was wide open,” said McAfee’s VP of Threat Research Dmitri Alperovitch.
“No one ever thought about securing them, yet these were the crown jewels of most of these companies in many ways — much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting.”
Reed says today, organisations have to assume that ‘The attackers are already inside’.
“At the same time, [owing to the necessity to access information], security can’t be a department of ‘no’. Instead, the CIO has to implement technology and procedure to be a department of ‘yes’ and ‘how’.”