What are the security threats?
Sophisticated Malware or just People?
"Security", as the first article in this series points out, can always be found near the top of the list of concerns of every IT manager and IT director. Unfortunately the same subject can also manage to not quite make it onto the more important list of things to do something about now.
Over the years, a diverse array of solutions has come to market, each of which claims to enhance different aspects of an organisation's IT security. Many can, indeed, enhance the capabilities in one or more areas. But security technology is only effective when deployed appropriately and, more importantly, when used correctly – by everyone in the business. And of course, security is not a one-shot operation – it cannot be assumed that the measures put in place a couple of years ago will still be appropriate today.
This brings us to the question: what are the threats and weaknesses that must be guarded against and resolved? Several areas must be assessed. These include a direct appraisal of existing technological threats – perhaps the area most commonly associated with IT security deliberations – as well as a look at how people use IT systems and at the processes associated with routine business operations.
To build a reasonable picture of the threats we first need to acknowledge that the majority of corporate security breaches come about because internal staff do something that they should not or, just as likely, do not do something they should. All the same, external challenges are becoming more sophisticated as the months go by – and even ‘good’ security behaviour may not be enough to protect against all threats.
So what are the most important threats and security weaknesses that challenge business IT today? Last year, we surveyed The Register Tech Panel to find out what they thought. Here is one finding:
The figure above shows that even for the better-understood security challenges, such as virus infections, spam, external hackers and other outside threats and annoyances, there is still a sizable community (nearly one in three) that does not consider itself well protected. Measures such as anti-virus protection and systems that scan files before they are read or executed are now a common feature of most business systems. But, as in all areas of IT, the authors of malicious code are always moving forward.
New infection vectors are being exploited, with “drive-by” infections gaining particular notoriety. Here, when a user accesses a compromised web site, often that of a respectable entity, the web browser itself is used to plant malicious code, key loggers or Trojans on the user’s machine. In some parts of the world this route of infection has reached levels similar to those of the more traditional infected email attachment. Another vector, infection via compromised USB sticks, has become prevalent in parts of Asia-Pacific.
The motives of those creating the new threats have changed dramatically over the past few years. No longer are malware authors releasing their creations just to garner notoriety or to inconvenience people. Today’s malware is more usually created with financial goals in mind as the authors, individually or in groups, try to get hold of data that can be transformed into monetary rewards. Passwords, credit card details and account number/PIN pairs are now routine targets of malware, with the authors either using the information themselves or selling it on for others to exploit. Identity theft should now be a major consideration for all IT systems users, at work and at home.
By the People
The figure above highlights other areas of concern for those charged with securing IT systems, and these fall very firmly into the ‘people’ space. Broadly speaking, they can be classified under the headings of ‘data leakage’ and deliberate misuse. As can be seen, half of organisations consider themselves to be well protected against third parties breaching security from inside the firewall. Of more concern, less than a third of respondents considered their organisations to be well protected against their own staff deliberately breaching security.
These results support the often unvoiced concern that the most serious security challenges are to be found inside the enterprise, rather than outside. Data leakage, or staff inadvertently breaching security, say by losing a PC or smart phone full of encrypted data, or giving someone a USB stick loaded with sensitive data, can result in considerable financial loss and brand damage. Yet our survey shows that only just over 40 per cent of organisations think they are reasonably well protected against these threats.
These are all real threats, and the current dark economic climate, along with the increasing proportion of the world’s population getting online, is likely to exacerbate the dangers. Coupled with trends such as the rise of home working and managers looking to access corporate systems wherever they may be, this will make securing the enterprise even more demanding. An additional challenge comes from the use of new business services and technologies such as SaaS and virtualization. The need for those responsible for security to know just what equipment and users they must protect, what they do and how they work has never been clearer.
To deliver effective, secure IT services one must understand what IT assets are deployed in the company, for what they are being used and by whom.
In many organisations the quality of this knowledge is neither sufficient nor up to date, and in future articles we shall discuss the role of assessing existing infrastructure and developing appropriate policy. Without such an understanding, it is impossible to evaluate the nature of any potential threat, to recognise when usage patterns diverge from the expected, and hence to be in a position to implement appropriate security measures across the IT portfolio and indeed the organisation as a whole. ®
Good commentary. A couple of points, though ...
"So what we find is that whether a security issue is classed as "malware" (a nice excuse), internal people, accidental or whatever - the underlying cause is that the systems in place and the people behind them allowed a problem to occur. Adding more stuff won't help unless the mindset of a company's employees are changed and the directors of the company are prepared to back them with the policies and money needed to take a professional approach."
Exactly. Adding more staff won't help, either ... Especially not more middle management.
"Sadly the security industry is packed full of snake-oil sales people, proffering a quick solution. It's also packed with decision-makers after a quick-fix, due to the short-term planning and results based reward system of most companies."
Someone with a clue about security posting on ElReg? How refreshing!
"Plus of course, there's no objective way to reliably measure how secure a system actually is."
Of course not. However, if I go into an organization and observe them for a couple hours (sometimes just a few minutes), I can get a pretty good idea of how secure they are WITHOUT eyeballing any of their so-called "core technology". Security starts with people.
Most security problems occur due to the people driving the computers on desks. Whenever I make a deskside visit I usually see the little yellow shield in the systray, and when I make a move to install updates... "oh, it always bloody does that, sooo annoying". I ask why they don't let it install the updates and to date haven't had a good answer. Same with AV dat files: unless all updates are set to install automatically they don't get done.
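The comment above boils down to two checks a desktop support person ends up doing by eye: is the machine set to install updates without asking, and are its AV definitions current? The script below is an added example (not code from the article or from the commenter) that performs those checks read-only on a Windows desktop with Microsoft Defender. The thresholds of 30 days for the last patch and 3 days for signature age are my assumptions; the Windows Update COM API, the `NoAutoUpdate` policy value, `Get-HotFix` and `Get-MpComputerStatus` are standard Windows interfaces.

```powershell
# Added example: audit a Windows desktop's update and AV-signature posture.
# Read-only. Thresholds are assumptions; adjust to local policy.
param(
    [int]$MaxPatchAgeDays = 30,      # assumption: no patch in 30 days is "stale"
    [int]$MaxSignatureAgeDays = 3    # assumption: AV definitions older than 3 days are "stale"
)

$findings = @()

# 1. Automatic Updates setting via the Windows Update Agent COM API.
#    NotificationLevel: 1 = disabled, 2 = notify before download,
#    3 = notify before install, 4 = download and install on schedule.
$au = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
if ($au.NotificationLevel -ne 4) {
    $findings += "Automatic Updates not set to install automatically (NotificationLevel=$($au.NotificationLevel))"
}

# 2. Group Policy override that switches Automatic Updates off entirely.
$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAuto = (Get-ItemProperty -Path $auPolicy -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
if ($noAuto -eq 1) {
    $findings += "Policy NoAutoUpdate=1 disables Automatic Updates"
}

# 3. The Windows Update service must not have been disabled by a user.
$wuauserv = Get-Service -Name wuauserv
if ($wuauserv.StartType -eq 'Disabled') {
    $findings += "Windows Update service (wuauserv) is disabled"
}

# 4. Age of the most recently installed hotfix.
$lastPatch = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastPatch) {
    $findings += "No installed hotfix recorded"
} elseif (((Get-Date) - $lastPatch.InstalledOn) -gt [TimeSpan]::FromDays($MaxPatchAgeDays)) {
    $findings += "Last patch $($lastPatch.HotFixID) installed $($lastPatch.InstalledOn.ToShortDateString()), older than $MaxPatchAgeDays days"
}

# 5. Age of Microsoft Defender signatures (the modern equivalent of "AV dat files").
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    $findings += "Microsoft Defender status unavailable (third-party AV or Defender disabled)"
} else {
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings += "Real-time protection is off"
    }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "AV signatures are $($mp.AntivirusSignatureAge) days old (last updated $($mp.AntivirusSignatureLastUpdated))"
    }
}

# Report: one line per finding so the output can be collected from many desktops.
if ($findings.Count -eq 0) {
    Write-Output "OK: ${env:COMPUTERNAME} updates and AV signatures are current"
} else {
    Write-Output "FINDINGS for ${env:COMPUTERNAME}:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated PowerShell prompt; `Get-MpComputerStatus` needs the Defender module (Windows 8/Server 2012 and later), and on a machine running a different AV product the script reports that fact rather than guessing. Rolling the output from every desktop into a central list gives the kind of "who has switched updates off" picture the article's closing paragraphs call for.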
Invisible elephants in the room.
Maybe I'm being a little bit naive here but it seems to me that there are two startling omissions from that tasty little graphic:
1. Interception of external network traffic by government (UK) agencies.
2. Interception of external network traffic by government sanctioned commercial enterprises such as Phorm and Nebuad.
I realise that the general drift of the article is directed at corporate enterprises who will be tunnelling their traffic through VPNs but surely the majority of businesses fall into the Small to Medium sized Enterprises (SMEs) category where such technology is not as widely deployed. But that may turn out to be not such a big problem after all.
Given the UK government's slavish grovelling to the demands of the business community it wouldn't be too surprising if we discovered that a clause had been inserted into some obscure bill, say The Restoration and Maintenance of Ancient Monuments act, which would confer total immunity from network interception on all businesses for all time. Ever.
Now citizen, bend over and assume the position while one of our partners puts it to you in the nicest possible way. No, you can't have a feckin' anaesthetic.