Hackers, careless users, porous networks and indefensible perimeters. Is the current reality of security enough to make the intelligent CIO give up - or get smarter? Gary Flood reports
Security breaches happen every day, and they are nothing new. The BBC reported, for instance, that shadow chancellor Ed Balls was leaked details of chancellor George Osborne's growth strategy, part of the Budget, in time for him to prepare his Parliamentary attack on the day. Long before that, Julius Caesar became an expert in military cryptography to guard against security failures of his own.
There is also, sometimes, a funny side. For example, some digital road signs in Colorado were recently hacked; to the bemusement of drivers, they were warned of somewhat hair-raising imminent traffic disruption in the shape of 'Zombies Ahead'.
Cost of cybercrime
But the fact that security failures are so prevalent, and so much a part of human nature, does not in any way stop them being a very serious - and very expensive - problem.
According to the newly formed central Government Office of Cyber Security (OCS), cybercrime may cost the UK economy an eye-watering £27bn a year - the equivalent of the average UK business losing £10,000 per year due to cyber espionage, extortion and other forms of online fraud, with the UK Government losing possibly as much as £2.2bn alone by such means every year. (The survey was criticised for being based more on assumptions than hard data, although it still highlights a notable problem.)
What's going on here? It seems that as more and more ICT happens outside the corporate firewall, our attempts at disciplining its use become ever more fragile. In short, the way we all communicate and socialise, as well as work, is an unexpected boon to online criminality.
"Cybercriminals are stealing data indiscriminately - not just bank account details and credit card numbers, but all the information we casually disclose in e-mails, in tweets and in social networks," warns David Emm, senior security researcher at security specialist Kaspersky Labs.
How? Say someone reveals tangentially, while tweeting, that their company standardises on Windows XP, or uses Office or Adobe Reader. For Emm, this information, if picked up by cybercriminals, allows them to narrow their focus to the particular types of vulnerability that would affect that company specifically.
All in all, he thinks "the 'always-on' culture - supported by the widespread use of smartphones - means the volume of data that cybercriminals can use to target businesses is growing". The proliferation of devices is a familiar headache with items such as USB sticks and portable hard drives, but now the smartphone is becoming yet another highly porous part of your perimeter.
In March, consumer security experts AVG Technologies polled some random US users. They found that 89% didn't know smartphone applications can transmit confidential payment information such as credit card details without their knowledge or consent, 91% were unaware that smartphone financial applications can be infected with customised malware designed to steal credit card numbers and online banking credentials, and 56% did not know that failing to properly log off from a social network app could allow an imposter to post malicious details or change personal settings without their knowledge.
Advanced evasion techniques
Not content with the potentially easy access to networks provided by users' devices, hackers have continued to innovate, developing advanced evasion techniques (AETs) that have been recognised as a real threat by the likes of Gartner, the NSS and ICSA Labs.
According to their claimed 'discoverer', Finnish network security vendor Stonesoft, AETs are an evolution of traditional evasion techniques that could, on paper at least, "provide hackers with a new way of bypassing many, if not all, firewall and intrusion prevention solutions".
Not everyone believes this, but Verizon Business's 2010 investigation into data breaches reported that approximately 20% of malware attacks had an 'unknown' component in their infection vector.
Even the best-protected organisations can be penetrated, it seems. Earlier this year, EMC's security division, RSA, revealed that an "extremely sophisticated" hack had breached its security systems. Insiders presumed the attack meant its member database was at least potentially compromised, that is, accessed, copied or stored.
If this type of attack can occur, then how on earth can any kind of sensible defence mechanism be set up in such a connected, highly porous, highly human world?
Fortunately, security experts can offer cheering news for CIOs by highlighting that steps can be taken to reduce an organisation's potential exposure to mischief. "If you encrypt data, not the device, you remove the worry about the need to physically encrypt the device that has to be secured," says Peter Durrant, area sales director, Northern Europe, for systems management player LANDesk.
For Durrant, the best way forward must be based on IT departments employing lock-downs to prevent staff from using unauthorised devices wherever possible, identifying attempts to do so, and only allowing the use of mandated, secure devices, again wherever possible, to reduce the risk of inbound malware reaching the corporate network. IT departments should also try installing technology to remotely wipe a device, such as a laptop, that is, for instance, left on the Tube, so that if found it would at least be free of sensitive records.
Technology, then, can be a great help, yet that human dimension when it comes to information protection and possible loss cannot be ignored. "Humans are often the weakest link in corporate security," notes Kaspersky's Emm. "That's not their fault; they're expert sales people, expert marketers and expert engineers, not security experts. So it's up to businesses to find imaginative ways to 'patch' human vulnerabilities."
Education, education, education
Emm - and others - suggest staff education is one of the core building blocks of a security strategy. "A security strategy is far more likely to be effective if staff understand and support it," he says. He also believes that it's essential to create a culture of openness: staff should be encouraged to report suspicious activity, rather than hide it for fear of facing disciplinary action. As he says: "If employees feel threatened, or are made to feel stupid, they will almost certainly be less co-operative."
Such an organisational culture buttressed by reliable security software would be a great end point. But how does a CIO who is worried that he's slipping behind start such a journey? For Ray Stanton, global head of business continuity, security and governance at BT, the task is clear: "Without clearly identifying your risk boundaries and identifying what really are the problem areas for the business, you have no methodology as CIO to cope here."
As we said at the start, people seem to be incorrigibly fond of trying to open up other people's secret boxes to find out if there's anything in them they might find useful. And as we also said, we live in an ICT-penetrated world where there seems to be more data 'boxes' than ever before, which could tempt them to try.
However, we've had solutions - codes, ciphers and the like - for just as long as we've had problems, which means that the intelligent CIO's response to security, Q2 2011 and beyond, has to be to roll up his sleeves and find out what the modern equivalent of Caesar's CISO can give him today.
Security 101 - plug gaps by taking action
- Check what data is held, where it is kept, who has access to it and where it goes.
- Assess the business impact should any of that data be lost, stolen, or compromised.
- Familiarise responsible members of the team with the principles of information security, information assurance and risk management, and how to apply them.
- Determine specifically what and who the data needs to be protected from (usually uncovered by the risk assessment step carried out above).
- Having identified the data and associated risks, CIOs should then look to appoint a senior information risk owner (SIRO) who will provide help and guidance in setting up organisation-wide security policies and procedures.
- Assign information asset owners to each business system who are operationally involved with the system and the data it contains.
- Set up documented policies and procedures, which include detailed instructions for handling data, reviewed and updated each time the system changes.
- Address the technical aspects of protecting data, using appropriate tools/technology - e.g. encrypting data held on portable devices like laptops and PDAs, and on removable media such as USB sticks and CDs/DVDs - and look to control the flow of data into and out of the organisation using end-point control/port control solutions, ensuring that mobile/home workers have secure access to corporate systems and data, and limiting their access as appropriate.
- Other steps may well include enforcing the use of strong passwords, possibly introducing two-factor authentication where appropriate; ensuring automated procedures for updating antivirus, antimalware, firewalls and patching; looking to make sure data is backed up and stored securely; and finally, identifying how data will be disposed of at the end of its life.
- Further steps may be vetting staff who may end up handling sensitive data, setting up audit trails of when, how and by whom data is accessed (and building in alerts for non-compliant actions), and possibly training.
- And don't forget to conduct a full system audit including penetration testing at least annually!
Many experts worry the cloud could be the next Wild West when it comes to security. They may be right. A major global survey carried out last October by access governance specialists Courion of 384 organisations, 86% of whom had headcounts of more than 1,000, provides some worrying potential evidence, with 48% of respondents saying they are not confident a compliance audit of their cloud-based applications would show that all user access is appropriate, and 16% admitting they are aware that potential access violations exist, but they don't know how to find them.
The survey also suggested confusion about whose 'job' cloud security is; 65% said the company from which the data originates, the application provider and the cloud service provider are all responsible, while another 13% said they were not sure. Meanwhile, 61% of respondents said they have limited or no knowledge of which systems or applications employees have access to.
Tempted by a 'quiet' life, security-wise? Your (younger) colleagues certainly are
There is plenty of data out there suggesting end-users just cannot 'get' the need for security. One of the most striking was systems management specialist Quest's March survey of some 1,000 office workers and 500 IT professionals in the US, which found that a fairly shocking 42% "regularly compromise data security in the workplace for an easier life" by, for example, keeping their password details written down and within easy grasp, or casually sharing such details with colleagues within the organisation.
Given that they are expected to remember around five alphanumeric strings, they might be forgiven. However, it seems our allegedly computer-savvy digital natives aren't any better, with youngsters now entering the workforce said to be the worst culprits.
Meanwhile, 36% of IT professionals contacted said the number of identities they have to manage makes it difficult to get their job done, while 51% agree that managing employee access to systems is currently inefficient.