The next instalment in the interview series sees a great interview with David Emm, Senior Security Researcher at Kaspersky Lab.
Ed: Hi David, thanks for your time today with Infosec Professional. How has information security changed in the last three years?
David: I believe there have been several key changes.

First, the traditional ‘work place’ is disappearing. So the task of securing data has become harder for businesses, as staff increasingly conduct business ‘on the go’: at home, at the airport, in the hotel – or anywhere else they can get a wireless signal. It’s not so much that the traditional network perimeter has disappeared. Rather it has become fragmented – and moves around as employees do. This has increased the points of exposure to malware and hackers. Second, we’re seeing a related development – the growing use of smartphones at work. IT departments now have to manage a heterogeneous mix of endpoint devices. This problem is compounded because many people use the same smartphone for business and personal use. So loss of data may be bad news not just for an individual, but for the business too.

The nature of the threat from malware is changing too. For the last eight years, the threat landscape has been dominated by speculative attacks designed to steal financial data that gives access to victims’ bank accounts. During the last two years we’ve seen a growing number of targeted attacks. Cybercriminals are selecting a specific target and are focusing on compromising this victim – to steal corporate information, to discredit an organisation or to make a political point. Paradoxically, in tandem with this targeting, we’ve seen a trend towards ‘steal everything’, not just bank data. Cybercriminals are trawling through the vast amount of data individuals post online and are sifting through it for information that can help them set up a targeted attack on a business or other organisation.

The growing volume and sophistication of threats in the last few years means that it’s no longer viable to rely solely on signature-based defences. Kaspersky Lab processes more than 70,000 unique malware samples daily. This onslaught can be dealt with effectively only by using a blend of proactive technologies – including heuristics, sandboxing, whitelisting, behavioural analysis and cloud-based systems that can respond to new threats in real time.
Ed: What do you think are the main threats facing organisations in 2012?
David: I don’t believe the speculative attacks outlined above will disappear any time soon. They represent the low-hanging fruit for cyber-criminals – like the activities of pickpockets in city centres around the world. However, it’s clear that, in relative terms, the weight of targeted attacks is growing. And the well-publicised attacks of the last 12 months or so have demonstrated that no organisation – or type of organisation – is immune to attack. For eight years illegal profits have dominated the scene. But it’s abundantly clear that cyber-crime now has a variety of motives. This should hardly be a surprise, given that the Internet is simply a reflection of life in general. And the more that we do online, the bigger the target for all types of cyber-criminal.
Ed: Are organizations ready to deal with those threats and what can they do to protect themselves?
David: In a general sense, security remains the same. The starting-point for securing any system is to consider the potential risks and develop a strategy for mitigating those risks. But for a security policy to be effective it must be measurable and must be reviewed regularly to ensure that it is still fit for purpose. With regard to the trends outlined above, there are clearly two distinct areas of security. The first is to secure corporate systems from outside attack – to prevent intrusions, Denial of Service attacks, misuse of systems, etc. The second is to secure the data held on the system. Given today’s working practices, this can only mean ‘follow-me’ security, i.e. protecting the data held on all endpoints, including mobile devices. After all, it’s one thing for an intruder to break in, but you also need to ensure that if this happens, they don’t escape with valuable data [e.g. third-party data, customer passwords, etc.]. This means not just defending against malware, but encrypting data and securing against data leakage from the inside.
I think one thing that is sadly often neglected is the human factor in security. Social engineering or manipulating of human behaviour is the starting-point for most attacks. So it’s essential to put in place a security education programme designed to foster a security mindset among staff. It’s not about *training* marketers, sales people, etc. to become security professionals. Rather it’s about helping them to realise the potential dangers to themselves and the organisation. Unfortunately, where such education exists, it’s often placed in the hands of security personnel [the obvious choice, of course], whereas we need to also engage HR, marketing and legal teams.
Ed: Mobile phone use is increasing and smart phones are becoming more sophisticated – virtually mobile laptops in your pocket. Will we see mobiles becoming the main anti-virus attack vector and what can businesses and individuals do to protect their mobile data?
David: It will take some time for mobile phones to become as big a target as desktop and laptop computers. Right now the volume of malware aimed at smartphones is a trickle compared to the torrent of malware targeting people who use Windows. However, it’s growing fast – already there exist more than 9,000 mobile malware modifications. Mobile malware has been around for several years now. However, it’s only in the last 18 months that it has become a serious tool in the hands of cybercriminals. There are several reasons for this.
- The use of smartphones has increased.
- Internet access from a smartphone is cheaper than ever before.
- They now hold valuable personal data, e.g. bank data, social network logins, etc.
- The same devices are often used at work too, so they also hold corporate data.
We see a mix of mobile malware. This includes SMS Trojans that silently send messages to premium-rate or international numbers. It also includes banking Trojans and Trojans that steal social network logins and other data. However, the problem of data loss, from lost or stolen devices, is also important.
Part of the problem is perception. While smartphones are really powerful computers, they are perceived by most people as *phones*. This isn’t surprising. After all, historically this is what they were. And we still refer to them as phones, albeit using the prefix ‘smart’. As a result, it’s not immediately apparent that there’s a security dimension to using a smartphone, unlike traditional computers.
It’s important that we all make use of security apps to protect the ‘computer in your pocket’. This includes anti-malware protection, but also encryption, blocking of unwanted numbers and remote wiping of lost/stolen devices.
For businesses specifically, the key problem lies in managing security on smartphones alongside other endpoint devices used in the enterprise. This feature should be considered a key component when evaluating security solutions for corporate smartphones.
Ed: If you were a newly appointed CISO in a large corporation, what would be the first item you would want to complete ASAP?
David: That’s a difficult question, since the security of any organisation really needs to be looked at as a whole. However, going back to something I discussed above, I think I would want to review the organisation’s approach to its human assets. The focus of IT security is, understandably, on securing computer systems and digital assets. Consider, for example, the attention paid to applying security patches to software. However, given the attention paid by cybercriminals to exploiting human vulnerabilities, I believe we ignore our human resources at our peril. ‘Patching’ humans is much less straightforward than patching computer systems [though even this can be a serious challenge]. But it’s essential. There are several aspects to address. First, remember that we’re dealing with humans. They learn in different ways, respond to different stimuli, etc. So a ‘binary’ approach may not work – we should consider all the techniques we use to engage with customers when dealing with staff. Second, there’s no quick fix. It’s an ongoing process and, like creosote on a garden fence, it must be re-applied to be effective. Third, we’re much more likely to succeed, and get staff buy-in to corporate security, if we tap into people’s self-interest.
Ed: Thanks David, for some fantastic explanations and insights to some complex questions.