Ed: Hi David, thanks for your time today with Infosec Professional. How has information security changed in the last three years?
David: I believe there have been several key changes.
First, the traditional ‘work place’ is disappearing. So the task of securing data has become harder for businesses, as staff increasingly conduct business ‘on the go’: at home, at the airport, in the hotel – or anywhere else they can get a wireless signal. It’s not so much that the traditional network perimeter has disappeared. Rather it has become fragmented – and moves around as employees do. This has increased the points of exposure to malware and hackers. Second, we’re seeing a related development – the growing use of smartphones at work. IT departments now have to manage a heterogeneous mix of endpoint devices. This problem is compounded because many people use the same smartphone for business and personal use. So loss of data may be bad news not just for an individual, but for the business too.
The nature of the threat from malware is changing too. For the last eight years, the threat landscape has been dominated by speculative attacks designed to steal financial data that gives access to victims’ bank accounts. During the last two years we’ve seen a growing amount of targeted attacks. Cybercriminals are selecting a specific target and are focusing on compromising this victim – to steal corporate information, to discredit an organisation or to make a political point. Paradoxically, in tandem with this targeting, we’ve seen a trend towards ‘steal everything’, not just bank data. Cybercriminals are trawling through the vast amount of data individuals post online and are sifting through it for information that can help them set up a targeted attack on a business or other organisation.
The growing volume and sophistication of threats in the last few years means that it’s no longer viable to rely solely on signature-based defences. Kaspersky Lab processes more than 70,000 unique malware samples daily. This onslaught can be dealt with effectively only by using a blend of proactive technologies – including heuristics, sandboxing, whitelisting, behavioural analysis and cloud-based systems that can respond to new threats in real-time.
Ed: What do you think are the main threats facing organisations in 2012?
David: I don’t believe the speculative attacks outlined above will disappear any time soon. They represent the low-hanging fruit for cyber-criminals – like the activities of pickpockets in city centres around the world. However, it’s clear that, in relative terms, the weight of targeted attacks is growing. And the well-publicised attacks of the last 12 months or so have demonstrated that no organisation – or type of organisation – is immune to attack. For eight years illegal profits have dominated the scene. But it’s abundantly clear that cyber-crime now has a variety of motives. This should hardly be a surprise, given that the Internet is simply a reflection of life in general. And the more that we do online, the bigger the target for all types of cyber-criminal.
Ed: Are organizations ready to deal with those threats and what can they do to protect themselves?
David: In a general sense, security remains the same. The starting-point for securing any system is to consider the potential risks and develop a strategy for mitigating those risks. But for a security policy to be effective it must be measurable and must be reviewed regularly to ensure that it is still fit for purpose. With regard to the trends outlined above, there are clearly two distinct areas of security. The first is to secure corporate systems from outside attack – to prevent intrusions, Denial of Service attacks, misuse of systems, etc. The second is to secure the data held on the system. Given today’s working practices, this can only mean ‘follow-me’ security, i.e. protecting the data held on all endpoints, including mobile devices. After all, it’s one thing for an intruder to break in, but you also need to ensure that if this happens, they don’t escape with valuable data [e.g. third-party data, customer passwords, etc.]. This means not just defending against malware, but encrypting data and securing against data leakage from the inside.
I think one thing that is sadly often neglected is the human factor in security. Social engineering or manipulating of human behaviour is the starting-point for most attacks. So it’s essential to put in place a security education programme designed to foster a security mindset among staff. It’s not about *training* marketers, sales people, etc. to become security professionals. Rather it’s about helping them to realise the potential dangers to themselves and the organisation. Unfortunately, where such education exists, it’s often placed in the hands of security personnel [the obvious choice, of course], whereas we need to also engage HR, marketing and legal teams.
Ed: Mobile phone use is increasing and smart phones are becoming more sophisticated – virtually mobile laptops in your pocket. Will we see mobiles becoming the main anti-virus attack vector and what can businesses and individuals do to protect their mobile data?
David: It will take some time for mobile phones to become as big a target as desktop and laptop computers. Right now the volume of malware aimed at smart-phones is a trickle compared to the torrent of malware targeting people who use Windows. However, it’s growing fast – already there exist more than 9,000 mobile malware modifications. Mobile malware has been around for several years now. However, it’s only in the last 18 months that it has become a serious tool in the hands of cybercriminals. There are several reasons for this.
- The use of smart-phones has increased.
- Internet access from a smartphone is cheaper than ever before.
- They now hold valuable personal data, e.g. bank data, social network logins, etc.
- The same devices are often used at work too, so they also hold corporate data.
We see a mix of mobile malware. This includes SMS Trojans that silently send messages to premium-rate, or international numbers. It also includes banking Trojans and Trojans that steal social network logins and other data. However, the problem of data loss, from lost or stolen devices, is also important.
Part of the problem is perception. While smartphones are really powerful computers, they are perceived by most people as *phones*. This isn’t surprising. After all, historically this is what they were. And we still refer to them as phones, albeit using the prefix ‘smart’. As a result, it’s not immediately apparent that there’s a security dimension to using a smartphone, unlike traditional computers.
It’s important that we all make use of security apps to protect the ‘computer in your pocket’. This includes anti-malware protection, but also encryption, blocking of unwanted numbers and remote wiping of lost/stolen devices.
For businesses specifically, the key problem lies in managing security on smart-phones alongside other endpoint devices used in the enterprise. This feature should be considered a key component when evaluating security solutions for corporate smart-phones.
Ed: If you were a newly appointed CISO in a large corporation, what would be the first item you would want to complete ASAP?
David: That’s a difficult question, since the security of any organisation really needs to be looked at as a whole. However, going back to something I discussed above, I think I would want to review the organisation’s approach to its human assets. The focus of IT security is, understandably, on securing computer systems and digital assets. Consider, for example, the attention paid to applying security patches to software. However, given the attention paid by cybercriminals to exploiting human vulnerabilities, I believe we ignore our human resources at our peril. ‘Patching’ humans is much less straightforward than patching computer systems [though even this can be a serious challenge]. But it’s essential. There are several aspects to address. First, remember that we’re dealing with humans. They learn in different ways, respond to different stimuli, etc. So a ‘binary’ approach may not work – we should consider all the techniques we use to engage with customers when dealing with staff. Second, there’s no quick fix. It’s an ongoing process and, like creosote on a garden fence, it must be re-applied to be effective. Third, we’re much more likely to succeed, and get staff buy-in to corporate security, if we tap into people’s self-interest.
Ed: Thanks David, for some fantastic explanations and insights to some complex questions.