Infosecurity Europe 2008.
The Impact of the Consumerization of IT on IT Security Management
Alexei Lesnykh, Smartline
Driven by the proliferation of high-end consumer technology such as PDAs, MP3 players and Smartphones, we have seen increasing adoption of consumer technology in the corporate environment. The age of consumerization of IT, defined by Douglas Neal, Research Fellow at CSC's Leading Edge Forum, as the blurring of lines between corporate IT and consumer technology, is well and truly upon us. Thanks to the fundamental growth of endpoint device capabilities and the corresponding changes in security threat profiles, this new era has significant ramifications for the management and enforcement of corporate IT.
Consumerization goes mobile
Today's personal mobile devices (smartphones and PDAs) have already been proven to increase personal and employee productivity. Despite a rather limited range of mobile applications and services being used in typical corporate environments--mostly email, IM and, less frequently, Presence Awareness--the use of smartphones is becoming increasingly commonplace in mid to large sized organizations. According to a recent report from Osterman Research, 15 per cent of the corporate workforce used employee-supplied mobile devices in 2007, and a survey from TechTarget forecasts that this figure will exceed 25 per cent in 2008. Recent technology advancements including the chip makers' continued confirmation of the full validity of Moore's Law, suggest that IT consumerization is only going to become more widespread.
The world is entering an age of ubiquitous mobile broadband connectivity: a global proliferation of Wi-Fi; the fast-growing commercial deployment of 3G/HSPA networks; and the "injection" of Mobile WiMAX by Intel's fifth-generation processor platform, Montevina, which promises to enable WiMAX for 750 million people by 2010. With the new generation of SoC platforms, ignited by Intel's invasion of the mobile SoC market, and the subsequent explosive growth of enterprise-class mobile applications, the world is going 'ultra mobile.'
The consumobilized threat (consumerized mobile threat)
The consumerization of corporate IT will soon mobilize the entire corporate workforce, with everyone using either company-supplied or individually-owned mobile devices or MIDs. The Yankee Group predicts that this will lead to Zen-like co-operative IT management models being deployed to maximize employees' productivity.
But from an IT security perspective, the task of managing 'rogue' or disgruntled employees in a consumobilized enterprise will become a real art--especially as a high degree of co-operative behavior and self-discipline will be expected and required from all employees including those who are discontented, malicious, negligent, or forgetful. In this way, the very same technology advancements and social trends that drive the progress of consumerization will also cause a sharp increase in information security risks for the enterprise, based on the development of 'production quality' mobile malware, and--to an even larger extent--the growth of corporate data leakage from and through employees' mobile devices.
The typical size of a mobile device's removable flash memory (currently 4--8GB) is already sufficient for storing and running a standard Operating System. The significant increase in mobile internet devices (MIDs) computing ability, together with a tenfold drop in their power consumption, has already triggered rapid mobile OS and application industry growth, making the development of 'commercial' mobile malware extremely profitable. From its current stage of proof-of-concept prototypes, this mobile malware will very quickly move to a "production-quality" stage, thus increasing the probability of attacks to mobile devices and their infection.
How soon this happens really depends on how quick and dedicated the mobile OS vendors will be in their efforts to control this emerging market. Although, realistically, it is unlikely that we will see any impact before the end of 2009 because the 'target market' for commercial malware needs to be mature enough to justify investment in their 'product' development.
Conversely, the threat of corporate data leakage through personal mobile devices is unavoidable and immediate. Unavoidable because certain features of human nature will not change: since there is no ultimate cure for accidental errors, negligence or malicious intent, mobile devices will continue to be lost and stolen. Immediate because nothing new is required for exercising the threat and it is happening right now.
So what is the scale of this threat, as we enter the early stages of IT consumerization? The figures make for unpleasant reading. In-Stat has estimated that over eight million mobile devices went missing in the US in 2007; and for Smartphone users, the people with the most access to sensitive information, the probability of loosing a device was 40 per cent higher. According to the 2007 CSI Computer Crime and Security Survey, seven per cent of total financial losses incurred by US corporations from IT security incidents were related to the loss of proprietary or confidential data resulting from mobile device theft.
Projecting these figures onto the latest predictions on mobile device market growth made by Tim Bajarin, President of Creative Strategies, one can anticipate an alarming figure of about five and 14 million Smartphones being lost in 2008 and 2010 respectively. This will equate to about 14 per cent of the total financial losses caused by attacks on corporate IT resources in 2008, rising to 21 per cent in 2010.
Mobile encryption is not enough
Every instance of data leakage through a mobile device is a two-step process: firstly, uncontrolled data transfer from a corporate server/host-based resource to the device and, secondly, further unauthorized transfer of this data from the device to the outside. To mitigate this efficiently, existing Data Leakage Prevention (DLP) solutions for mobile devices include two layers of defense. Firstly, DLP components residing at servers, PCs or dedicated network appliances prevent data leaking from the corporate resources to the mobile devices by intercepting and filtering data in all communications channels used by those devices. Secondly, device-resident infosecurity components should prevent data from uncontrollably leaking from the mobile devices. Reviewing the functions of security components running on mobile devices, it appears that there is currently only one truly effective mechanism that directly prevents data leakage--the device-resident encryption. Typically implemented as 'file/volume encryption' or 'whole device encryption', it blocks access to encrypted files and other objects stored in the memory of stolen or lost devices, as well as removable memory cards.
Security vendors also tout remote data wiping as an additional mechanism for preventing data leakage from missing mobile devices. However, realistically, this should not be considered as a reliable means of protection as any cyber thief will immediately remove the memory card of the stolen device for analysis on a 'failproof' device.
All other device-resident security components--FW, VPN, device/port control, anti-virus/anti-malware, IDS, application control, NAC, user/device authentication--are not designed for informational data and type filtering and, therefore, cannot be used to determine whether outbound traffic contains any leak to block. As for anti-spam device components, they work in the opposite direction, filtering data coming in rather than preventing the downloading of unsolicited data to the device.
Although cryptographic solutions like "whole device encryption" could completely eliminate data leakage from stolen or lost mobile devices, they are not a DLP panacea for mobile devices. This is because applications use data in RAM rather in plain, decrypted form; so nothing prevents users from deliberately or accidentally sending plain data to an external destination from within an opened network application like email, web-browser, or instant messaging (IM).
As a result, a negligent employee could forward an email with order delivery instructions to a subcontractor without noticing that the attachment to the email contains clients' personal data that should not be revealed to third parties. The only way to achieve truly encryption-based protection against mobile data leaks would be in a physically isolated intranet-type system without any external communications at all. However, this scenario is useless to any business or public sector organization as their operations are inherently based on external communications.
According to Deloitte & Touche and the Ponemon Institute about 45 per cent of US businesses do not use encryption to protect their data. However, in the consumerized corporate future, because of employees' privacy concerns, the percentage of personal mobile devices without protection by employer-supplied encryption solutions is likely to be much higher.
Without underestimating encryption as the most effective security technology for preventing data leakage from mobile devices today, it should be acknowledged that once the data gets to the device there is, and always will be, a high risk of it being uncontrollably leaked to the outside. This is why, for the foreseeable future, a critically important layer of corporate defense against mobile data leaks needs to be the intelligent control over data delivery channels to the mobile device.
Gone with the sync
Mobile devices can basically import data through three channel types: network applications, removable memory cards, and local connections to PCs. Today, there are numerous products and solutions on the market for preventing data leakage to mobile devices through network applications such as email, web-browsing, file transfer, web-mail and instant messaging. Implemented as serverside components or dedicated network appliances that use well-developed data and file type filtering as well as content-based filtering technologies, these solutions have proven to be highly effective for fighting data leaks and ensuring users' compliance with applicable security-related legislation and industry standards.
These data filtering technologies have already been integrated with several host-based endpoint device/port control products available today, so the data uploaded from PCs to removable memory cards is intercepted and filtered to block detected leaks. Importantly, these DLP solutions are based on underlying protocol parsing techniques for the most popular network applications, and intercepting file system calls from some office applications.
However, the synchronization of local data between mobile devices and PCs is implemented by very specific applications that do not use network application protocols, and do not interact with office applications. Technically speaking, this means that no existing file type detection or content-based filtering solution can control data flow through local connections from PCs to mobile devices and the only possible method of preventing data leakage through local sync currently is to completely prohibit it at device or local port-type level on the concerned PC.
This means that any company concerned with uncontrolled data leakage though mobile devices should prohibit their employees from synchronizing data between corporate PCs and mobile devices. This is obviously unacceptable, even today, since it would completely block the use of mobile devices in the business.
The problem is that if local syncs are allowed--as is the case in most organizations today--then every click on a "Sync" button means that highly valued corporate data may be potentially transferred to a personal mobile device without any way of controlling or tracing it. Weakly protected local sync communications already constitute a serious security issue for organizations. In the future, as consumerization progresses, this issue could grow into a major security problem and business risk. This is why developing a comprehensive DLP solution for local sync connections of mobile devices needs to be urgently addressed by the infosecurity industry.
Developing the solution
So what should the security industry be doing to address the mobile security threats brought about by IT consumerisation? The key part of the architecture for preventing data leakage needs to be local sync parsing. The local sync data leakage prevention architecture should be built as a stack of integrated security mechanisms including bottom-up endpoint device/port control, local sync application parsing, file type filtering, and content-based filtering technologies. In addition, a central policy-based management console integrated with a major systems management platform, comprehensive centralized logging, reporting and evidence enablement components need to be put in place.
Every layer of the architecture controls those parameters of a local connection it is designed to deal with by blocking or filtering prohibited elements out, and detecting and marking the types of objects to be controlled by a higher-layer architecture component to which the classified data flow is then passed for further processing.
The device/port control component of the architecture is responsible for detecting and controlling the presence of a locally connected mobile device, the type of connection interface or port type, device type and ideally the device model and its unique ID. The output can then be passed to the localsync parsing component, which parses the sync traffic, detects its objects (e.g. files, pictures, calendars, emails, tasks, notes, etc.) filters out those prohibited, and passes allowed data up to the file type filter. The file type filtering component checks the input flow, deletes those files not allowed, and filters information data to detect and block the pieces of human-understandable data failing to comply with the corporate security policy.
Sync parsing is the most important "piece of cake" to develop because the rest of the required enforcement components are already available on the market just in implementations designed not for the local sync. Not only is local sync parsing key, but its scale (i.e. the range of supported mobile OS platforms) and implementation quality will also be critical for its market adoption. With local sync parsing in place, the other components can be stepwise integrated in the stack by adjusting the existing ones.
Examining the local sync DPL solutions commercially available on the market, the situation is quickly improving with Microsoft ActiveSync[R] and Windows Mobile Device Center (WDMC) protocol filtering now available.
Security administrators can now centrally and granularly define which types of data users are allowed to synchronize between corporate PCs and their mobile personal devices, including files, pictures, calendars, emails, tasks, notes, and other ActiveSync and WDMC protocol objects.
Administrators can also centrally block or allow the installation and execution of applications on corporate mobile devices. In addition, it is now possible to detect the presence of mobile devices regardless of which local port or interface it is connected to.
The security threat brought about by the consumerization of IT and the consequent mobilization of the workforce is real and upon us. Organizations need to take immediate steps to ensure that they address this threat before it gets out of control and the infosecurity market needs to continue to develop solutions to mitigate the unavoidable risk brought about by the growth of consumer technology in the corporate environment.
Smartline is exhibiting at Infosecurity Europe 2008.
Sometimes the horse will bolt ... how do you close the stable door?
Piers Wilson, Head of Technical Assurance, Insight Consulting, a division of Siemens Enterprise Communications Limited
Security is a risk management discipline. What that means in practice is that any level of defence is only "partial": there is always an element of residual risk.
Of course once you then introduce the human element this increases--even very strong security controls, once installed, configured and used by fallible humans can introduce weakness.
Also there is the malicious element (i.e. internal misuse of legitimate access). Finally there are those attacks which are almost impossible to prevent--targeted attacks which specify exploit your weakness, zero day attacks which are not picked up by signature based defences and blended attacks which comprise several attack vectors or which use other vulnerabilities to cause much wider impacts. There is a continuum--you apply controls and draw a line (your risk appetite), beyond that you are vulnerable.
On the basis that there is always some vulnerability (whether highly complex or trivial to exploit), one can assume that at some point a breach, attack or incidence of misuse will occur. The proverbial horse will bolt--how are you going to react?
Incident response -- first, DETECT it ...
Do you know what is happening right now on your network? Would you know if one of your workstations were comprised? Are your users honest? Detection is an obvious prerequisite for any form of response--it's broader than just noticing something might have happened though ... its important to be able to establish what. At any rate you are going to need some of those traditional controls but also some knowledge of what "normal" behaviour looks like.
So an IDS (Intrusion Detection System) is a good idea. You may prefer an IPS (Intrusion Prevention System) which is a fairly common enhancement to find these days--but very often either system looks for attacks of a certain type in a certain place (e.g. external attacks against a web application). An extension is to have log collection, consolidation and analysis--this will often have a wider scope--pulling in and analysing data from server systems, applications devices and even workstations around the enterprise. Either of these may not be able to detect all network or system usage anomalies--radical changes to behaviour which might indicate an something untoward was occurring.
Do you often send several Gb of data to a specific IP address at 3am? No? Well you might want to be made aware if suddenly one day that happens ... One further idea, again not a silver bullet, is to outsource elements of your detection to a third party or involve your ISP--they might offer the ability to correlate attacks across several clients or around the Internet. This can give you (via them) advance warning that an attack is happening before it actually gets as far as your systems.
At any rate, spotting that you are being attacked, noticing that an employee is abusing his authority or identifying that you are a victim of a zero day or targeted attack is actually pretty hard; deciding it is an attack, initiating a response and establishing what is going on can be even harder. This leads us on to ...
Incident Response -- CORRECT it ... find out what happened and putting it right
Diagnosing security breaches is becoming increasingly complex. Regrettably many companies make simple mistakes which can make it impossible. There are therefore many of the traditional safeguards which, if properly adopted, can still help.
Analysing an environment to find infections, malware, malicious code and the footprint of a targetted attack is not easy ... many attackers, code infections or corrupt staff will aim to cover their tracks. You will probably not be looking for trojan.exe.
A simple security control that can help enormously is that of standard builds (often called "Gold Builds")--especially at the workstation level. If you suspect a workstation has been compromised, tampered with, or subverted in some way (perhaps even root-kitted) then you may find it impossible to identify the elements of that unless you have a good static reference environment. If you have nothing to compare against, that means you cannot find out which files and executables are compromised, which means you cannot search the rest of the estate to find further infections. Also, you need to contain the infection so you have something to analyse, or reverse engineer, to find out what it does. Without adequate logs, centrally collected and held for a period of time your ability to track activity, monitor infections or breaches and establish a timeline are going to be limited. This is another familiar topic in the security industry which is seldom comprehensively implemented. As such, when a breach does occur you only have a vague idea of the fact that something has occurred, but no way to track when, or where, or what was affected, or who was responsible ... you might not even know when the attack started or how long it has been going on!
So effective diagnosis is not only hard, but may be impossible if you don't have the reference point, the available data or the ability to reverse engineer infections, protocols and activity. Don't think therefore that you can put all your eggs in the "response" basket, there are controls which have to be put in place before a breach to enable the response afterwards. Understanding is key ...
Incident Response -- PREVENT it happening again
It's essential that you don't end-up being attacked twice in the same way. By building up a full understanding of the attack, what your exposures were, and how onward loss of data or breaches occurred, you can put in place preventative measures to stop it happening again. The techniques and controls that helped investigate your initial breach can be used to detect and prevent future incidences.
Organisations exist that can help you analyse the attack--these same organisations can also help you devise suitable preventative measures. Building up a full understanding of the nature of the infection is essential--this will include the initial implementation and exploitation techniques, hiding techniques, communications protocols, and techniques used to scan the network and then infect further machines. For example, bespoke IDS signatures developed to monitor the progress of an attack and identify further infections can be kept in place--they may help in detecting the next occurrence of that attack. Protect against the "class" of attack, not the specific instance, and make sure those more traditional controls such as Gold Builds, log collection systems, user access controls and alerting services are in place.
Summary and Conclusions
The business impact of all this is striking; recent surveys have reported that the costs of breaches and data loss can be huge--they may be a few hundred pounds per lost record, but it has also been reported that in total 162 million personal records were lost last year (some from HMRC of course). Forrester reported recently that 65% of breaches are not detected and 87% are from people misusing their own access rights.
Much enterprise level security improvement has been driven by compliance--including the Sarbanes-Oxley Act of 2002 (SOX), Payment Card Industry Data Security Standards (PCI DSS), and Health Insurance Portability and Accountability Act (HIPAA). However, the controls that you will find are necessary to give you a fighting chance of preventing a breach, and also of detecting one which you can't prevent, and then diagnosing what the impact is to minimise losses may not be the same as those mandated by the compliance programmes.
If you are following a risk management approach, then by definition you have to plan for the worst cases which you are declining to invest in preventing. For every accepted risk, there needs to be a "what if ..." conversation.
Siemens Enterprise Communications Limited is exhibiting at Infosecurity Europe 2008.
Compliance--Overhead or Business Benefit?
Clifford May, Manager--Business Consultancy Practice, Integralis Ltd, UK
The very word "Compliance" strikes dread in many senior management forums. Viewed most often as a pain, necessary evil, or at best a burden on the business, Compliance has become a word most often associated with a sigh of despair. But should this really be the case?
The very reason many senior managers have to be dragged kicking and screaming into the Compliance arena is often the complexity of the subject and fear of the unknown. At the end of the day most senior managers are focused on making money for the business, controlling costs and generating value for the shareholders so they view compliance issues as a distraction. Now that is interesting in itself, particularly the latter two points. Surely controlling costs and generating value for the shareholders should be really good drivers to understand what Compliance can mean to the business? Part of the problem, and the perception, is the plethora of different compliance issues that appear when the surface of the topic is scratched, e.g. Human Rights, Privacy, Data Protection, Freedom of Information, Taxation, Corporate Governance, Intellectual Property/Copyright, Health & Safety, Fraud & Corruption, Competitive Practice, Anti-trust, Money Laundering, Standards (e.g. ISO/IEC27001, COBIT, SAS70) and much more. Is it any wonder why senior management would rather avoid getting embroiled in this as much as possible? The problem is--it is their responsibility, and they are accountable for Compliance so, in time, many will become to realise that they have no choice and even that Compliance can provide real benefits to the business. How can this ever happen? Surely the whole Compliance effort costs a fortune and bogs the business down in unnecessary procedure? All many managers see is increasing red-tape, extra costs for controls, new or increasing compliance teams, personal liability and spiraling overheads. But, is this a fair view? Sure there are additional costs to be carried for the compliance efforts, but it could be argued that these are more than balanced by factors such as: Increased Customer/Shareholder/Partner confidence and trust (avoidance of embarrassing incidents!) Improved analysis, documentation and efficiency of business processes Better business resilience Greater buy-in from management and staff The de-duplication of control efforts Faster audits with less hold points Reduced audit costs Reduced crisis/incident management and remedial action costs Avoidance of legal or regulatory sanctions or fines and more ... It is surprising how the very attempt to ensure Compliance can often become a catalyst for change. As a business grows often the development and documentation of sound business processes falls by the wayside and greater reliance is placed upon staff knowledge and expertise. This can work for a while but we live in an ever changing world where the pace of life is increasing daily and a lack of sound business practice will mean trouble in the future. It only takes a key member of staff to leave, or say a disgruntled member of staff to 'throw a spanner in the works' and serious repercussions can ripple throughout the business. Yes--we all know we should write procedures so that someone can take over if the worst should happen; but the 'instant' nature of the working environment today (e.g. the Internet, email, instant messaging, mobile connectivity) makes that very unlikely--we just do what we do! This is where Compliance brings back some sanity to the workplace. An auditor is not satisfied by 'hearsay' evidence that a key business process is operating in line with legal or regulatory requirements--they want cold, hard documentary evidence! The Compliance drive has a tendency therefore to underline the need for key controls, procedures and evidence, and to ensure that adequate funding is committed to their maintenance. What is often missed is the opportunity to develop one management system to control all aspects of compliance, regardless of law, regulation or standard. Many organisation still approach Compliance from a piecemeal angle--HR do their bit, IT do their bit, Legal do their bit, etc. It is also common to see organisations creating separate teams, tasked with compliance to a particular piece of legislation. This is, at best, unwieldy, inefficient and expensive; a practice to be avoided. This can be due to the 'siloed' nature of many organisations, internal politics, expertise issues, or just plain stubbornness to get involved. The problem is Compliance issues usually cut right across the business and a very strong lead is needed for any team that is going to co-ordinate all issues company wide. A competent Compliance team can build one management system that will provide co-ordination of the compliance effort, one repository and source of information for audit trails and associated evidence. This avoids the 'empire building' that often happens when say a new piece of legislation comes along, containing and potentially reducing costs. So 'Overhead or Business Benefit'? Much depends on your viewpoint and the type of organisation you work for. Finance, Banking and Insurance are heavily regulated, and accept Compliance as just part of daily business, whereas for, say a manufacturing business, this is all just a cost they would prefer not to have. Hopefully this will change in time, legislation may become simpler and easier to understand (eh .. possibly ..), business practices and management systems will improve, and many will see how the Compliance effort can bring real dividends.
Integralis Ltd is exhibiting at Infosecurity Europe 2008.
Cyber crime threatens the core infrastructure supporting critical business activities. Tapping into fibre optic cables is easier than you think!
Bernard Everett, Region Sales Director Western and Southern Europe InfoGuard
As we start to assess the damage and possible consequences of the 25 million people now open to data fraud after two disks containing personal and financial records have gone missing, it has to be asked 'what happens if this information was freely available to anyone possessing off the shelf eaves-tapping equipment?'
State-of-the-art fibre optic networks are employed by many banks, insurance companies, enterprises and public authorities as their communication backbone, supporting critical business activities, it just so happens to be the place where industrial espionage is rife. If no security precautions are taken to prevent the theft of data, the consequences could be devastating. Unlike in this most recent case were two disks have clearly gone missing, in a premeditated tapping of an optical network it is extremely unlikely that the victim will even be aware the perpetrator exists; information will not go missing as our data thief will be simply eavesdropping and coping what transpires over the network.
What could it mean to your business?
The world has been shocked to think that the institution that sets the standard and writs the rules, legislating how data needs to be protected can be today at the forefront of one of the largest losses involving 25m files containing individual personal information.
In the commercial sector directors are now made personally liable and can face prosecution, and made to pay damages and fines and can even face imprisonment. In regards to HM Revenue and Customs the question can be rightly asked as to who will ultimately take responsibility?
For some industry sectors the worst impact can be the devastating customer's trust which as in the case of Northern Rock can have huge consequences on the investment and stability of a financial institution.
In a survey by the Wall Street Journal it is estimated that companies that have incurred a breach of information can face a share price loss of up to 3.3% on the day of disclosure, followed by 5-24% thereafter with only 30% of such companies being able to recover at all. A recent example is Card Systems which lost $300m in the first 24hrs after disclosing a breach in which 45m credit card details were hacked; Card Systems were then acquired by its competitor Choice Point.
After the humiliation of numerous press conferences, the financial damage does stop with the share price. There are huge additional indirect costs associated with a breach where sensitive data whether it is National Security Numbers, Health Data, Credit Card details or other financial records are lost. Some of these costs will be linked to Public hearings, e.g. Bank of America and Card Systems, call centers, investigations, and credit checks. With an estimated cost of between $100 and $125 per customer, it is reported that Atlantis Resort paid an approximate $6m and Fidelity $15m in additional indirect costs.
It is unlikely that in this situation the HM Revenue and Customs will go out of business as it is clear who ultimately will pick up the tap for this 'oversight'!
InfoGuard is exhibiting at Infosecurity Europe 2008.
Defending Against the Unusual Suspect, the Modern Cyber Criminal
Jim Doherty, CipherOptics
When you look at the evolution of cyber crime, it is clear that day-by-day, businesses and consumers are facing even more serious threats to their security. Phreaking, hacking, viruses, worms, identity theft--what's next?
Before looking at what's next, we must take a look at what's now. One of the more troubling aspects of network security is that threats change well ahead of IT's ability, or sometimes willingness, to adopt new measures. First a threat emerges and then the IT community responds. By then, the bad guys are already looking for a new weakness to exploit. There may actually be hundreds or even thousands of hackers looking for new ways to penetrate perimeter defenses or operating system loopholes. Once an exploitable weakness is found, the methods to take advantage of it are distributed and the race is on for IT to plug the hole.
Previously, the back and forth battle between hackers and IT departments was led by a group of disconnected loners on the hacker side of the fence. Typically under resourced and by their very nature secretive, these hackers went after whatever targets of opportunity they could find. Tips, tricks and best practices were shared, but hacking was more of a social function than a directed attempt to accomplish a mission objective.
Unfortunately there is a very troubling trend emerging in cyber crime; a trend that may actually tip the scales in favor of the hackers. The hackers are uniting and forming organized groups. These groups are well funded and are staffed with large teams who may have higher skill sets than your IT department. They are likely going after a specific target and have a project plan with a goal and milestones along the way.
So who are these criminals? More importantly, what do they want and what can you do to stop them?
Organized Crime: Forget about Tony Soprano and his stranglehold on the Sanitation Workers' Union. The gangster you need to be worried about is Sergi Ivanov and his band of Romanian hackers. Over the past few years, Eastern Europe has emerged as the epicenter for identity theft. Through spear phishing, database cracking and a variety of other methods, these groups are stealing your customers' credit card numbers, social security numbers and mother's maiden names. Stolen in bulk or one at a time, this information is sold on the black market for a high profit. There is even an eBay of sorts for stolen credit card numbers.
Outsourced IT Chop Shops: Remember those hackers we used to be worried about? A lot of them were teenagers operating out their parents' houses. Well they grew up. Some of them never got the hang of the nine-to-five job, but they have bills to pay now. Why not just use the skills they've acquired and get paid doing what they love to do: hacking. In fact, there's a booming economy out there for hackers for hire. These groups have their own conventions and job boards just like legitimate IT contractors. So unlike before when these hackers would look for just any old system to hack into, now they have a specific target to hit and are being paid good money to hit that target. Worse is that they are working in teams; some may even have performance incentives built into their job contracts.
Foreign Governments: As if the idea of organized groups of hackers wasn't scary enough, there is now growing proof that some governments are in on it too. Even with all the hackers out there, some people feel safe because there are so many targets available, allowing you to "hide in the crowd." What happens, though, when a government with seemingly infinite resources at their disposal starts to monitor all the data moving across their networks? Hiding in a crowd no longer works because every last bit and byte moving across a WAN can be sniffed and stored. Pattern recognition programs can be used to weed out the data that may be valuable to someone, whether it's financial data, intellectual property or strategic plans. If Chinese hackers (assumed to be backed by the government) are able to breach the Pentagon's network, it's a good bet that they are sniffing packets on China's Telecom networks too.
Now for the really bad news
The really bad news in all of this is that most companies still don't get what these hacker groups are after--and because of this, they make it easy for the hackers to retrieve the sensitive data. Companies are just about handing over the data on a silver platter.
The hackers don't care about taking down your network or disrupting your e-commerce solutions. In fact, they want your network to be up and running because when it is, you are moving data around on it, lots and lots of data, which is exactly what they are after. Your data is worth money. Your data is what they want.
"But I have data protection solutions installed," you say. "I have IDS and firewalls," you shout. And the hackers smile because they won't bother breaching your network (unless you leave the door wide open). No, instead they will monitor the WANs and wait patiently for you to send the data beyond the firewall and other perimeter based defenses; over the service provider network you think is secure; and then maybe even over the Telecom system where the hackers have an inside guy or even completely own outright. Ultimately, the data arrives at the destination and gets safely brought behind another set of perimeter defenses. The data is all there on the receiving end so nobody has stolen it, right? Wrong. As soon as the data leaves your perimeter, criminals can siphon it right out of your hands. If you are not protecting your data "between the rings," that is, as it moves between the various perimeter defenses you have set up on all your LANs, then you might as well just send the criminals a disk with the data on it. It would save them a step, which they would surely appreciate.
So what can you do about it?
The first thing that any IT group can and should do is to recognize that these criminal groups are after data, not the network. Therefore, any and every security strategy should have data protection as its primary purpose. Firewalls only keep people off your LAN and for the most part can easily be breached. IDS systems do not protect your data; they just let you know when the rest of your security solutions have failed.
IT groups can get ahead of the game and break the cat-and-mouse cycle by adopting proactive security measures. If your security solutions are set up to alert you in the event of a breach, it's already too late. Organizations should deploy solutions that keep the bad guys from getting your data in the first place. Encryption is especially effective here because even when hackers get access to the data stream (and you never really know when they do, especially "between the rings"), the data is useless and worth nothing. The best protection you can ever have from data thieves is to have nothing they can profit from. You have two choices: stop moving data around or encrypt it.
CipherOptics is exhibiting at Infosecurity Europe 2008.
Trusting Unmanaged Machines
Dr Bernard Parsons, CTO, BeCrypt Ltd.
Security Vendors typically, and unsurprisingly, view with negativity the "cash flow" approach that many organisations take towards data security. Such an approach entails assessing the immediate cost to the business that would result from attacks against their IT infrastructure. If this cost is seen as being less than or roughly equal to the cost of improving system security, then system security may not be improved, as the investment to do so is not justified.
As a result, the role of the vendor community is in part to highlight the risks associated with emerging threats, typically those to which potential customers have had little or no exposure. The objective here is to influence the investment decision, highlighting both potential risks, and the compromises that have occurred elsewhere. This is often regarded as "threat hyping", but as a process has some validity, partly because a simple "cash flow" algorithm can ignore issues such as potential brand damage from high-profile incidents.
Nevertheless, given that decisions are predominately made or defended at board level, some version of this algorithm often applies. This is not only the case for the vast majority of commercial organisations worldwide, but includes government departments, which have had to adjust from a previous risk-averse stance. Even the more paranoid organisations have had to accommodate the acceleration in technology, both in terms of evolving threats, and in the need for increased flexibility and efficiency across business processes. This is reflected by the development of risk management policies and frameworks. Risk management entails assessing the value of assets and the impact to the organisation resulting from their compromise. The approach allows far more room for the consideration of system availability and integrity alongside, or often in place of, governments' traditional focus on confidentiality.
There is a general acceptance that one needs to allow for the possibility that data on systems may be compromised, particularly if not doing so results in an unacceptable reduction in the availability of systems.
System compromise will continue to pose a threat for most organisations, driven by an increasingly capable attacker community. Their sophistication is growing as a result of collaboration across diverse communities, where vulnerabilities, tools to exploit vulnerabilities, and the results of exploits are traded on a relatively new, but expanding electronic black market.
Compromises typically occur at a system's weakest point, and technology mobility has been one of the principle factors defining weak points. Competition for efficiency and flexibility across industry sectors drives an increasing distribution of electronic assets. The pattern of: vulnerability popularisation, followed by initial security solutions, followed by product maturation and commoditisation, has trodden a path out from the corporate HQ, across laptops, mobile devices and peripherals, and has landed more recently at the un-managed machine.
Businesses are being forced to consider the use of machines that are not under the direct control of the organisation. Whilst email access from anywhere is not uncommon, there is a growing requirement to open corporate resources to home machines, partner networks, or even public machines, to support occasional remote working and business continuity. This is a new frontline: a recent impromptu survey of a US defense department's employees' home machines used for official email uncovered numerous instances of key logger and other forms of malicious software. Along with equally popular screen-grabbers, these are in-vogue tools for both targeted and random attacks. Initial security solutions have offered a nominal and limited level of defence for the un-managed machine. Combining end-point inspection with an SSL VPN makes a huge assumption that the security controls being inspected for are less sophisticated than, and knowledgeable of, resident malicious software. Such an approach may be little use in protecting against a targeted attack. Employing virtualization technology requires similar assumptions. Both solutions allow for an arms race to progress between attacker and defender, without even requiring the attacker to change the nature of the attack.
Over the last year product maturation has occurred in solutions that employ secure operating systems on bootable media. This approach allows an organisation to remain in control of a system, rendering the un-managed platform arbitrary. The home computer is used solely to boot the official, albeit portable, OS. Typical security controls include device encryption to enforce confidentiality and system integrity, as well as a modified OS to prevent disk or peripheral access and to protect network connections. The level of security provided can approach, or in some cases exceed, that of the corporate issued laptop. The impact on potential flexibility within the workplace is significant, enabling a larger percentage of the workforce to work remotely and, for those that already do, increasing the reliability of their access.
The coming year will see broader adoption of the bootable media approach to securing remote access. In parallel, security vendors will look to make better use of the increasingly pervasive built-in hardware support for security from device and machine manufacturers. When used within appropriately controlled procedures, this will enable the establishment of trust points resistant to the most sophisticated of attacks. Soon, our most sensitive corporate resources will follow us everywhere!
BeCrypt Ltd is exhibiting at Infosecurity Europe 2008.
|Printer friendly Cite/link Email Feedback|
|Title Annotation:||SOFTWARE WORLD INTELLIGENCE|
|Article Type:||Company overview|
|Date:||Mar 1, 2008|
|Previous Article:||Retail banks' spend on business intelligence technology expected to reach USD$9bn by 2012.|
|Next Article:||New construction tool with NAG Routines.|