Thursday, 16 August 2012

Potential Security Risks You Can't Ignore

Information security is not just about privacy, secrecy and confidentiality. With cyber criminals taking over the malspace, law makers also need to be closely involved. Steve Durbin, Global VP of the Information Security Forum Ltd, describes the potential security risks that could cost a lot if overlooked. -Hiren Mehta, Thursday, August 16, 2012

Given the way security threats are evolving, only two kinds of organisations can exist in cyberspace: those that have already been attacked, and those that WILL be attacked. Hence, the question is not whether you will be attacked but WHEN you will be attacked next. We attended Threat Horizon 2014, an event aimed at helping CISOs understand the security threat landscape and what should be done about it, conducted by the Information Security Forum Ltd in Mumbai in July. Here are the major findings.

Most Malware is Coming from Malspace

Cybercrime is a typical external security threat. The Information Security Forum calls its source "malspace", denoting the realm of cyber criminals: their networks, malware, methods, tools and data. Phishing and spamming are only indicative examples of the methods they use. Malspace is maturing very rapidly, and the coordination, planning and determination seen between cyber criminal networks and gangs today is unmatched even by the discipline of the most respected law enforcement agencies. Crowd-sourcing is a rising phenomenon in malspace.

To combat malspace, organisations need to implement a baseline security model as their first line of defence. Further, they need to improve their cyber resilience. Since malspace involves cyber criminals, organisations must also connect with law enforcement agencies to share information and work together, rather than planning defences in isolation.

Increased Governance a Must to Combat InfoSecurity

The problem with the legislation recently proposed in some countries is that it focuses too heavily on privacy. Law makers need to understand that privacy, secrecy and confidentiality are NOT all there is to security as a whole. They therefore need a better understanding of how information systems function today and how they are controlled.

Recommended actions include increasing governance. Organisations should make provision for external reporting to help with audits and compliance. They should prepare and test security incident response procedures, aiming for consistency and preparedness rather than being caught off guard, and all affected departments must be involved in any such procedure. Awareness is a must. Beyond the perimeter, organisations must also strengthen the security assurance requirements they place on partners.

Mobile Security Threats Need Serious Monitoring

It would be wrong to say that organisations have total control over the causes of such threats. The rapid evolution of IT has left organisations failing to keep pace with the technologies their employees use. It is beyond doubt that mobile is king AND that it is not fading anytime soon. A growing number of people access the internet on the move, for personal as well as official reasons. (It is worth noting that a press release issued by TRAI on 1st August 2012 states that as of 31 March 2012, 448.89 million wireless subscribers in India had also subscribed to data services. To get an idea of the scale involved, this figure is more than the combined population of the continents of South America and Australia!)

Therefore, organisations must understand and evaluate the information security implications of any policy being drafted before implementing it. They must also be proactive rather than reactive, which requires continuous monitoring and assessment.

Put Additional Resources to Allow 'BYOD' to Happen

Information security is about people, applications and governance too, not just about the devices and technologies in use. Employees and employers give different answers when asked how strictly consumerisation policies are enforced, which indicates a serious gap in the understanding of security requirements. Ownership of devices needs to be clarified and agreed upon very clearly by employee and employer. Two trends are noted here. One is bring-your-own-device, where the device is employee-owned and carried to work, then configured to access workplace resources. The other is bring-your-own-data, where the employer owns the device, supplies it to the employee and allows the employee to make personal use of it.

Organisations must also keep in mind that blacklisting applications is NOT feasible, because keeping up with the pace of new applications becoming available every day is too exhaustive. When supporting BYOD, organisations must also remember that the technical capabilities of different employees will differ widely. Organisations may, if they choose (and have the necessary resources), develop and distribute applications in-house. (It is worth noting that Apple has such a programme, called the iOS Enterprise Developer Program.) SMBs are at greater risk than large enterprises: if they rely totally on BYOD to run their business, they might not have the resources to keep a fall-back system in place in case supporting BYOD turns out to be too risky compared to the benefits obtained.

In Conclusion

The above information should be used for roadmaps, planning, education and training, and other awareness purposes. The audience needs to be engaged: whoever should be involved MUST be involved. Security should be considered as a parameter right from the beginning of business processes rather than as a secondary objective. Organisations should be ready to support BYOD, Big Data, etc., because they are here to stay. The consequences of security lapses can be of an unforeseen scale, beyond total disruption of systems, and may not be clear at the outset or even at the time systems are deployed. Multiple combinations of threats can be used, each targeted to take advantage of a specific vulnerability. Organisations need to find the sweet spot between the cost of undertaking resilience activities and the cost of the impact of attacks on the business. It may be noted that uncertainty as well as risk are BOTH cyber threats. Organisations need to build cyber resilience into the supply chain, and information such as warnings should be shared with suppliers as well as resellers.

Source-PCQUEST