The growing consumerization of IT, the rapid pace of change in technology, the rise of new variants of malware, and the hack attacks carried out by cybercommunities such as LulzSec and Anonymous are putting enterprise IT under tremendous pressure.
Users are increasingly bringing in their own devices for use in the enterprise, keeping IT on the hop.
Meanwhile, new technologies such as near-field communications (NFC), which not only enable mobile payments but also let users transfer files between two NFC-enabled devices by tapping them together, may be opening up new vectors of attack.
Traditional security solutions, including defense in depth, have proved infuriatingly helpless against aggressive, highly competent hackers such as the members of LulzSec or Anonymous, who seem able to waltz into any system they like and wreak havoc freely.
Their victims include the CIA, the FBI, Sony and Congress.
The government and our elected officials are trying to fight back.
The Department of Homeland Security has released a list of the top 25 software weaknesses.
The National Institute of Standards and Technology, or NIST, is seeking comment from businesses on how to improve security.
Meanwhile, Senator Mary Bono Mack has proposed legislation making it a criminal offense not to report a security breach.
Will any of this help?
Yesterday’s Tools for Tomorrow’s War
In light of recent widespread hacking activities, it would appear that our traditional defenses are inadequate.
“Traditional security solutions have focused on preventing malware infections from occurring,” Stephen Newman, vice president of product management at Damballa, told TechNewsWorld.
“However, with network perimeters eroding due to the advent of the mobile workforce and the commercialization of IT, leading to personal devices that aren’t heavily protected coming into the workforce, infections are happening inside corporations,” Newman said.
These developments have in some ways negated the money businesses spent on intrusion prevention systems (IPS), intrusion detection systems (IDS), antivirus software and antimalware packages.
“The hackers are innovating faster than IT security departments,” remarked Todd Feinman, CEO of Identity Finder.
“Our IDS and IPS solutions are still largely designed to detect the attacks of the early part of the last decade — attacks against listening ports make up the majority of the signature bases,” Mike Murray, managing partner at MAD Security, told TechNewsWorld.
“However, the attackers have moved on to attack the clients and the humans within the organization much more often than they attack the servers,” Murray added.
“It’s not so much that hackers are waltzing in [into their victims’ systems]; it’s that they are tangoing out with your assets or reputation in hand,” Suzanne Magee, CEO of TechGuard Security, told TechNewsWorld.
Strong egress filtering policies are effective defenses, but they haven’t been adopted because they’re difficult to implement and the risk of hacking was perceived to be low, Magee said.
“LulzSec and company are showing us that the risk is very high,” Magee added.
Progress Favors the Perps
The difficulty of securing IT infrastructure is partly due to the fact that the initiative often belongs to the attackers.
“The disadvantage for IT security professionals is that we do not know where the next attacks will come from,” said Hongwen Zhang, president and CEO of Wedge Networks. “That’s why innovations that can help us shorten the line of defense are heavily sought after.”
Further, software, by its nature, is updated and changed regularly, which means defenders must be able to detect any changes made by an unauthorized entity, Lark Allen, executive vice president at Wave Systems, pointed out.
“Complexity is the enemy of security,” Allen told TechNewsWorld. “The fact that there are all kinds of new devices accessing the network is making it more complex.”
Managers should assume the bad guys are already in the system or have accessed the system, Allen suggested, and they should also simultaneously implement strong authentication and good access controls on the networks. “Both approaches are required,” he told TechNewsWorld.
Stop Fearing Tomorrow
Security implementers should accept that technological innovations will require them to come up with new approaches, MAD’s Murray said.
“This is the nature of security,” Murray pointed out. “Ten years ago, you could have replaced NFC, mobile devices and the consumerization of IT with terms like Bluetooth, wireless networks, ubiquitous camera phones and text messaging. Security should always be focused on the newest technologies.”
A new approach to security requires us to understand that the threat has changed, Murray stated.
“The attacker is no longer focusing on directly attacking listening ports, so firewalls don’t really do that much,” Murray explained. “They’re focused on attacking application flaws and, more importantly, our user community, through attacks that look very much like appropriate behavior.”
Existing reactive controls, such as our current security tools, can’t tackle this new threat, but IT can compensate for this by proactively modifying users’ behavior instead, Murray suggested.
Official Attempts to Fight Back
The Department of Homeland Security worked with non-profits and the private sector to create a list of top security threats and how organizations can deal with them.
SQL injection flaws top the list. Other high-ranking problems are cross-site scripting and operating system command injections.
Hackers have used SQL injection flaws and cross-site scripting for so long that it’s surprising these issues haven’t been dealt with by now.
The solution to these two flaws is, in essence, better coding.
“We need to follow guidance that already exists and test implementations,” said Steven Sprague, CEO of Wave Systems.
“We need to get down to basics and make sure the basics are well done,” Sprague told TechNewsWorld.
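What "better coding" means for the two flaws named above, SQL injection and cross-site scripting, shown as an added example that is not from the article or anyone quoted in it: each flawed routine sits beside its corrected form. The table, function names and sample inputs are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    """Build an in-memory table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-token"), ("bob", "b-token")])
    return db


def lookup_vulnerable(db, name):
    # Flawed: input is spliced into the SQL text, so quote characters in
    # `name` change the structure of the query instead of being compared.
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_safe(db, name):
    # Fixed: the ? placeholder binds `name` as data; it is never parsed as SQL.
    query = "SELECT name, secret FROM users WHERE name = ?"
    return db.execute(query, (name,)).fetchall()


def greet_vulnerable(name):
    # Flawed: markup contained in `name` becomes part of the page.
    return "<p>Hello, " + name + "</p>"


def greet_safe(name):
    # Fixed: escape for the HTML body context at the point of output.
    return "<p>Hello, " + html.escape(name) + "</p>"


if __name__ == "__main__":
    db = make_db()
    crafted_name = "nobody' OR '1'='1"          # constructed test input
    crafted_markup = "<script>alert(1)</script>"  # constructed test input
    print("vulnerable lookup rows:", len(lookup_vulnerable(db, crafted_name)))
    print("safe lookup rows:      ", len(lookup_safe(db, crafted_name)))
    print("vulnerable page:", greet_vulnerable(crafted_markup))
    print("safe page:      ", greet_safe(crafted_markup))
```

The same two inputs make a compact regression test: the corrected lookup must return no rows for the crafted name, and the corrected page must contain no raw tag.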
Congresswoman Mary Bono Mack released a discussion draft of the Secure and Fortify (SAFE) Data Act, which seeks to establish uniform national standards for data security and notification about data breaches.
Among other things, it will require organizations to notify the Federal Trade Commission and affected consumers within 48 hours from when a breach occurred. The Act will also give the FTC the authority to levy civil penalties for not adhering to its provisions.