A Porous Perimeter Perplexes Security Pros
The notion that a network firewall is the first and only line of defense a company needs is going up in flames. Social engineering techniques are becoming much more insidious, thanks to hackers designing more personalized temptations for users. That is forcing security professionals to remind clients that firewalls are just one layer in a company's protective cocoon.
Feb 19, 2013 5:00 AM PT
While it's a nasty pill to swallow for old-line security folks, the perimeter isn't what it used to be. The days when a company could hide behind its firewall and feel secure are gone.
Pockets of resistance to that notion still exist, but the message is getting through to security pros. "It's a painful message to receive if you're someone in traditional information security," Hugh Thompson, senior vice president and chief security strategist at Blue Coat Systems, told TechNewsWorld.
"It's harder to draw where the line is in the sand between the good guys and the bad guys," he said.
Security pros aren't the only people who find the world behind the porous perimeter unsettling. "It's harder and harder for an employee to make good security choices," Thompson said.
"I'm almost nostalgic for Nigerian prince scams," he quipped, "because now we're seeing very personalized attacks. Attackers will research a person, create a very compelling sounding ruse and get you to click on a link, so it's getting harder and harder for people to make good choices online."
Perimeter defenses are just a part of the picture, noted Seth Goldhammer, director of product management for LogRhythm.
"Security has never been a single product, a single technology," he told TechNewsWorld. "A layered security approach has always been best for a good security practice. Having the right collection of technologies coordinated correctly is the best chance an organization has to defend itself."
M2M: Hacking Terminator's Skynet?
As the Internet of Things grows, it will open a new frontier for hackers. Imagine almost everything having a wireless radio polling the Internet for information. Now think about how that opens up what's available for hacker mischief.
Machines that "talk" to machines (M2M) could be a goldmine for hackers, observed Eric Byres, CTO and vice president of engineering at Tofino Security Products.
"They're the perfect fertile ground for the hacking community, because the security community right now is totally focused on the desktop and the server," he told TechNewsWorld. "They've really done nothing to figure out how to secure a machine versus a computer."
The Stuxnet worm is an almost perfect example of the kind of havoc that can be raised in an M2M attack. Stuxnet attacked a machine -- a programmable logic controller -- and sent commands to another machine -- the drive controller -- which controlled the centrifuges for Iran's nuclear development program.
The Stuxnet attack, though, wasn't a pure M2M situation. That eventually did it in, according to Byres. In addition to performing its M2M attack, it also infected some computers.
"It would have been more successful if it hadn't infected those computers, because it wouldn't have got out into the wild and people wouldn't have discovered it," he said.
Coming Soon: Flexible Authentication
The Fast Identity Online Alliance (FIDO) took the wraps off a system last week to ensure people are who they say they are on the Internet.
The new system, which FIDO ultimately hopes will replace the need for passwords, is built on a spec that allows businesses to authenticate a person using a variety of devices -- smartphones, tablets, fingerprint readers, microphones, cameras, NFC and one-time password tokens.
Such a system would make it much more difficult to compromise an account, because the set-up depends on something a person has, not something the business knows -- namely a username and password.
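To make concrete what "something a person has" buys over a stored password, here is an added Go example. It is not FIDO's code or the alliance's specification; it is a simplified model of the general possession-based challenge-response pattern, written for this page: the device keeps a private key, the business stores only the matching public key, and each login signs a fresh random challenge bound to the business's identifier. The type and value names (Authenticator, RelyingParty, shop.example, alice) are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the device the user possesses (phone, token,
// fingerprint reader). Its private key is generated on the device and is
// never handed to the business. (Constructed model, not a FIDO implementation.)
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only key material the device shares at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedDigest binds the challenge to the relying party's identifier, so a
// signature produced for one site is useless at another.
func signedDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign proves possession: only the holder of priv can produce this signature.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(rpID, challenge))
}

// RelyingParty is the business. It stores public keys rather than passwords,
// so a copy of its user table gives an attacker nothing to log in with.
type RelyingParty struct {
	id         string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte // one outstanding challenge per user
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{
		id:         id,
		pubKeys:    make(map[string]*ecdsa.PublicKey),
		challenges: make(map[string][]byte),
	}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) {
	rp.pubKeys[user] = pub
}

// Challenge issues a fresh random nonce that the device must sign.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify checks the signature against the registered key and consumes the
// challenge, so a captured signature cannot be replayed later.
func (rp *RelyingParty) Verify(user string, sig []byte) error {
	c, ok := rp.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge for user")
	}
	delete(rp.challenges, user)
	if !ecdsa.VerifyASN1(rp.pubKeys[user], signedDigest(rp.id, c), sig) {
		return errors.New("signature does not match registered device")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("shop.example")
	dev, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp.Register("alice", dev.PublicKey()) // enrolment: public key only

	ch, _ := rp.Challenge("alice")
	sig, _ := dev.Sign(rp.id, ch)
	fmt.Println("login with registered device:", rp.Verify("alice", sig)) // <nil>
	fmt.Println("replay of the same signature:", rp.Verify("alice", sig)) // error
}
```

Two properties carry the security argument in the paragraph above. The business never holds a secret that logs a user in, so a stolen user table is not equivalent to stolen credentials the way a password database is. And because every login signs a one-time challenge tied to the site's identifier, a signature captured in transit or harvested through a look-alike site cannot be replayed against the real one.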
Another thorny Internet problem -- abuse of digital certificates -- received the alliance treatment last week when all the major certificate-issuing authorities announced they were forming a trade group.
The Certificate Authority Security Council (CASC) includes Comodo, DigiCert, Entrust, GlobalSign, GoDaddy, Symantec and Trend Micro. The group plans to act as the voice of the certificate industry and recommend best practices to prevent the kind of incidents that have embarrassed the industry over the last few years.
Data Breach Diary
- Feb. 12. Open Security Foundation reports the total number of global data breaches in 2012 more than doubled the number in 2011. Although there were 2,644 breaches reported in 2012, the number of records exposed in those breaches -- 267 million -- was substantially below the 412 million exposed in 2011.
- Feb. 12. SafeNet, a data security company, reports that 66 percent of U.S. security professionals predict their organizations will suffer a data breach in the next three years.
- Feb. 13. Trustwave reports that of 450 data breaches it investigated in 2012, 45 percent involved retailers, 24 percent were food and beverage establishments, and 9 percent happened in the hospitality industry.
- Feb. 13. A group of banks that suffered losses during a data breach at Heartland Payment Systems in 2008 move to reopen the case. They are arguing that courts were in error when they ruled the company was protected by New Jersey's economic loss law. Heartland's breach is considered the largest in history with 100 million records stolen.
- Feb. 13. Redspin reports that the number of large data breaches in the health care industry increased 21.5 percent in 2012 compared to 2011 -- to 146 incidents from 121 -- but the number of records affected during the period declined 77 percent to 2.4 million from 10.7 million.
Upcoming Security Events
- Feb. 21. Accelerating the Analyst Workflow. 1 p.m. ET. Black Hat webcast. Free.
- Feb. 21. "UTM" is Critical for Network Security -- But What Is It Exactly? 1:30 p.m. ET. Watchguard webcast. Free.
- Feb. 24-25. BSides San Francisco. DNA Lounge, 375 Eleventh St., San Francisco. Free.
- Feb. 25-Mar. 1. RSA Conference USA 2013: Security in Knowledge. Moscone Convention Center, San Francisco. Registration: To Jan. 25, US$1,895. After Jan. 25, $2,295.
- Feb. 26. Optimizing and Safeguarding Your Data Network. 11:30 p.m. ET. Webinar sponsored by Bank Info Security. Free.
- Mar. 1-2. Battlefields, Boardrooms, and Backyards: The New Face of National Security Law. 210 Science Drive, Room 3014, Duke Law School, Durham, N.C. Sponsored by the Center on Law, Ethics and National Security. Free.
- Mar. 12-15. Black Hat Europe. Grand Hotel Krasnapolsky, Amsterdam, Netherlands. Registration: through Jan. 10, 1,095 euros (US$1,447); through Feb. 28, 1,295 euros ($1,711); Mar. 1-15, 1,495 euros ($1,975).
- Apr. 23-24. Black Hat Embedded Security Summit. McEnery Convention Center in San Jose, Calif. Registration: Before Feb. 9, $999; Feb. 9-Apr. 18, $1,099; Apr. 19-25, $1,199.
- Apr. 23-25. Infosecurity Europe. Earls Court, London, UK. Registration: By Apr. 19, free; after Apr. 19, £20.
- Jun. 11. Cyber Security Brainstorm. 8 a.m.-2:30 p.m. ET. Newseum, Washington, D.C. Registration for non-government attendees: Before March 3, $395; Mar. 3-Jun. 10, $495; Onsite, $595.