Scott Laliberte, a co-author of the new book Defend IT: Security by Example, gives readers war stories from the digital battlefield. The director of Protiviti, Inc., a global risk consultancy, Laliberte says IT professionals need to suit up because the fight over the safety -- and control -- of the corporate network is just heating up.
In a one-on-one interview with eSecurityPlanet, the author talks about what is holding IT back in this ongoing fight, how the environment that needs protecting is constantly shifting, and what new battles are looming ahead.
Q: In your book, you talk about the battle between IT and malicious Internet users. How much is this battle growing in size and scale?
I'd say the battle is definitely increasing. If you look at statistics, like the FBI and CSI survey, and the CERT stats, the number of attacks continues to grow. But we're starting to see more headway made in the battle against the attacks. There's more awareness. And security spending is starting to rise. With the regulatory issues emerging... companies and boards of directors are being forced to look at security in a much more serious light and they are putting more resources into it. That's helping us gain some ground in the battle.
It's always evolving. As security professionals make advances in one area, the attackers respond by developing smarter attacks. As the perimeter started to be brought under control and people started to block up ports, hackers developed more sophisticated Web attacks over HTTP and email. There's starting to be more worms and viruses out there. And the window between the find of a vulnerability and the time it took someone to exploit it used to be weeks. Now, it's days. So today, IT has to patch every few hours instead of every few days. The battle is speeding up.
Q: Is one side winning at this point?
That's tough to say. I wouldn't say one group is ahead of the other. As an IT professional, you try forecasting ahead. You need to be forecasting two to three moves ahead if you're going to win the battle.
Q: So when you forecast two to three moves ahead, what do you
I see companies putting together more formal structures and basically having to have good frameworks. People are starting to put in better frameworks and in-depth defense, some tighter controls -- like tokens and digital certificates. We'll have to come around to those to get good security. Passwords are just not good security. People understand that but it's too expensive to go to another solution.
Q: What is holding IT back? What is keeping them from doing better in this war on hackers?
It's budgets and management-level commitment. As most people in this profession know, security is looked at as a cost center. It's like buying insurance. You don't see ROI until an incident happens. And hopefully incidents don't happen, so they don't see the problems that you're preventing. Showing that ROI and showing the return on investment and getting the support necessary is a huge hurdle that security professionals have to overcome right now... And they have to keep up with the technologies and the attacks. It's constantly changing. The new technology you're putting in place today is not going to be as practical or work as well a year down the road. You can't look at it as a process that has a start and a finish. You have to look at it as a life cycle model.
Q: What are IT's strengths today?
I think there's a lot more awareness of security issues and there's a lot more training out there. There's a lot more resources out there, like SANS and the trade publications and numerous books. And they're starting to get more recognition and support from management, but that still has a ways to go.
Q: What are the biggest security concerns that are plaguing IT?
Regulatory concerns -- making sure they're not violating any laws. Availability concerns -- making sure there's not going to be an incident bringing the company down for any amount of time. In today's world, being down an hour could cost a million dollars, along with the loss of reputation and customer good will. Another big headache they have is educating users. You can put the greatest technical controls in place, but if you have users who will give their passwords to anybody who calls them on the phone, you're still defeated.
Q: What kind of an effect are mobile workers and wireless devices having on security efforts?
The tech environment is changing. It used to be that you had a very well-defined perimeter. You had a firewall and a building where somebody had to bypass a guard. Now you have wireless networks and numerous Web applications. You have people who work from home via a VPN. You have partners connected to you online. You can't just rely on perimeter controls anymore. Your whole idea of perimeter control has changed. Now you have all these entities that may easily bypass perimeter controls. This is forcing us to change the way we think about security and enforce new controls.
Q: What new problems do you see coming down the road?
The challenge I see coming down the road is managing all the controls you have in place with limited resources. Monitoring is a major control and you need to have a place for it in the organization. It's one of the most poorly managed controls out there. They try to monitor too much. They need to figure out what are the highest risk areas they need to guard, and then they need to design manageable solutions to do that. You can't protect everything at the same level. You have to make some hard decisions about what you're going to protect and how you're going to do it.