Establishing Digital Trust: Don't Sacrifice Security for Convenience
Scott Laliberte, a co-author of the new book Defend IT: Security by Example, gives readers war stories from the digital battlefield. The director of Protiviti, Inc., a global risk consultancy, Laliberte says IT professionals need to suit up because the fight over the safety -- and control -- of the corporate network is just heating up.
In a one-on-one interview with eSecurityPlanet, the author talks about what is holding IT back in this on-going fight, how the environment that needs protecting is constantly shifting, and what new battles are looming ahead.
Q: In your book, you talk about the battle between IT and malicious Internet users. How much is this battle growing in size and scale?
I'd say the battle is definitely increasing. If you look at statistics, like the FBI and CSI survey, and the CERT stats, the number of attacks continues to grow. But we're starting to see more headway made in the battle against the attacks. There's more awareness. And security spending is starting to rise. With the regulatory issues emerging... companies and boards of directors are being forced to look at security in a much more serious light and they are putting more resources into it. That's helping us gain some ground in the battle.
It's always evolving. As security professionals make advances in one area, the attackers respond by developing smarter attacks. As the perimeter started to be brought under control and people started to block up ports, hackers developed more sophisticated Web attacks over http and email. There's starting to be more worms and viruses out there. And the window between the find of a vulnerability and the time it took someone to exploit it used to be weeks. Now, it's days. So today, IT has to patch every few hours instead of every few days. The battle is speeding up.
Q: Is one side winning at this point?
That's tough to say. I wouldn't say one group is ahead of the other. As an IT professional, you try forecasting ahead. You need to be forecasting two to three moves ahead if you're going to win the battle.
Q: So when you forecast two to three moves ahead, what do you see?
I see companies putting together more formal structures and basically having to have good frameworks. People are starting to put in better frameworks and in-depth defense, some tighter controls -- like tokens and digital certificates. We'll have to come around to those to get good security. Passwords are just not good security. People understand that but it's too expensive to go to another solution.
Q: What is holding IT back? What is keeping them from doing better in this war on hackers?
It's budgets and management-level commitment. As most people in this profession know, security is looked at as a cost center. It's like buying insurance. You don't see ROI until an incident happens. And hopefully incidents don't happen, so they don't see the problems that you're preventing. Showing that ROI and showing the return on investment and getting the support necessary is a huge hurdle that security professionals have to overcome right now... And they have to keep up with the technologies and the attacks. It's constantly changing. The new technology you're putting in place today is not going to be as practical or work as well a year down the road. You can't look at it as a process that has a start and a finish. You have to look at it as a life cycle model.
Q: What are IT's strengths today?
I think there's a lot more awareness of security issues and there's a lot more training out there. There's a lot more resources out there, like SANS and the trade publications and numerous books. And they're starting to get more recognition and support from management, but that still has a ways to go.
Q: What are the biggest security concerns that are plaguing IT?
Regulatory concerns -- making sure they're not violating any laws. Availability concerns -- making sure there's not going to be an incident bringing the company down for any amount of time. In today's world, being down an hour could cost a million dollars, along with the loss of reputation and customer good will. Another big headache they have is educating users. You can put the greatest technical controls in place, but if you have users who will give their passwords to anybody who calls them on the phone, you're still defeated.
Q: What kind of an effect are mobile workers and wireless devices having on security efforts?
The tech environment is changing. It used to be that you had a very well-defined perimeter. You had a firewall and a building where somebody had to bypass a guard. Now you have wireless networks and numerous Web applications. You have people who work from home via a VPN. You have partners connected to you online. You can't just rely on perimeter controls anymore. Your whole idea of perimeter control has changed. Now you have all these entities that may easily bypass perimeter controls. This is forcing us to change the way we think about security and enforce new controls.
Q: What new problems do you see coming down the road?
The challenge I see coming down the road is managing all the controls you have in place with limited resources. Monitoring is a major control and you need to have a place for it in the organization. It's one of the most poorly managed controls out there. They try to monitor too much. They need to figure out what are the highest risk areas they need to guard, and then they need to design manageable solutions to do that. You can't protect everything at the same level. You have to make some hard decisions about what you're going to protect and how you're going to do it.