Is IT Security Just an Illusion?
Nothing is in IT security is bullet-proof. But you can do much to mitigate cyber threats.
A recent survey by the Ponemon Institute found that the threat from cyber attacks is nearing statistical certainty -- 90 percent of U.S. businesses were hit by at least one security breach in the last 12 months. Almost one in two said there was a significant increase in the frequency of cyber attacks over the past year, and 77 percent said attacks are more severe or difficult to contain.
So is security just an illusion? Is it possible any longer to truly be secure, or is all corporate data only one click away from walking out the door?
Ponemon Institute chairman and founder Larry Ponemon said, basically, yes. “When we think about our endpoints, like cell phones and smartphones and tablets and notebooks, these things are getting very hard to secure completely,” he said.
Similarly, Bob Walder, chief research officer at security research firm NSS Labs, said breaches are all but inevitable. “We have to accept that it’s going to happen, no matter what defenses we put around our network. All the firewalls and IPSes in the world are not going to stop these guys if they really want to get into your network.”
So rather than seeking an impossible level of perfect security, Walder said, the answer lies in active monitoring. “Know what your network traffic should look like, monitor for anomalies, and track those back and figure out exactly what’s going on … good security is about minimizing the risk, realizing what risk you are still exposed to, and monitoring where that risk may be exploited,” he said.
One mistake many companies make, Walder said, is to equate regulatory compliance with security.
“Most smaller businesses will go through the motions of becoming compliant. They’ll install a UTM [unified threat management] or a firewall at the perimeter of their network and then they can just check a box, and they’re certified as complaint. But, compliance doesn’t guarantee security, it just means you’ve got a piece of paper with a few ticks on it.”
Edward Hamilton, head of Information Security and Assurance at research firm Analysys Mason, said the biggest security risk ultimately lies in a company’s employees. “Most security breaches still happen because of your employees doing something silly, like leaving a laptop on a train or accidentally e-mailing the wrong document to the wrong people."
And so, security breaches of some kind are unavoidable. “All you can do is have in place the right technology, processes and training to try and minimize the impact of them, be able to detect when you’re losing data, and have the team in place to rectify that and close down the loophole as quickly as possible,” he said.
Bill Dean, director of Computer Forensics at security service provider Sword & Shield, said too many companies think moving data to the cloud puts the responsibility for security in the cloud provider’s hands. “Companies assume that the hosting company will be just as diligent about the details of security as they would be, and many times that’s just not accurate."
Handling incident response on a client’s behalf, Dean said, is also made far more complicated when the system that was breached is being hosted by a cloud provider.
“If they have a dedicated server, it can be a complicated process to work with that cloud provider to get the forensic evidence that we need to perform our analysis,” he said. “It becomes even more difficult when these cloud providers are providing the information in a shared environment. If you have one Web server that has the information from 15 or 20 different companies, you can’t get all of that information for privacy and confidentiality reasons.”
Companies that leverage cloud technologies need to be just as diligent about their cloud-provided services as they are about their own network by doing penetration tests, application security tests, etc. Scott Emo, head of Endpoint Product Marketing at security provider Check Point Software Technologies, said there are eight key steps any company can and should take to optimize security:
- Deploy preventative network and endpoint protection. "Both of those strategies work together," Emo said.
- Evaluate your assets and protect them accordingly.
- Enforce encryption and data copying policy. " ... so if a laptop gets lost, no one can break in and pull out that data."
- Deploy proactive data loss prevention technology.
- Focus on best practices and impact scenarios so your staff know what to look for in the event of a breach.
- Train users on sensitive information handling.
- Think like a criminal in order to catch one.
- Try to penetrate your own organization. "Actually try it out -- even get a trusted, trained person from outside to help you, to see if your security defenses are up to par … try to break your own bank."
Ultimately, it’s best to see security as an ever-evolving and company-wide challenge. “It has to be thought of more like a business process, where you involve people … it’s no longer just the IT guy’s role to think about security – this is a board room level issue at this point,” said Emo.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at firstname.lastname@example.org .