Firewalls, antivirus software, intrusion detection devices: most businesses possess a well-defined information security toolset that allows them to feel that they have done what is required to protect their information assets from viruses and hackers.
And, for the most part, those tools have provided adequate protection, given the kind of software environment in which most businesses operated, and the kind of threat to which they were exposed.
Both of these, however, are now undergoing radical change, as delegates at Information Age’s Enterprise Security event heard. Threats are today produced by a cybercriminal underground that is organised and financially motivated, while enterprise systems are increasingly built in such a way that they cross organisational and national barriers. That calls for a more mature, and perhaps more vigilant, approach to information security.
As Adrian Davis, senior research consultant at the International Security Forum, told delegates, the community of people that produces information security threats is staggeringly sophisticated. So that they might catch a glimpse of that sophistication, Davis advised delegates to visit the website of the cybercriminal organisation the Russian Business Network.
“You have to go there, but tell the people who watch your IT first,” he said. “You can get anything you want from it. You can get a credit card with a £5,000 limit for $3. A 24-hour distributed denial of service attack on a competitor will cost you $10,000. They’ll sell you malware and a guarantee that it won’t be caught by at least two antivirus companies, plus they’ll throw in 24/7 help desk support.”
For another example of the growing sophistication of cybercriminals, Davis pointed to a recent case of cash machine theft in Latvia.
“A group of hackers broke into a Latvian bank, reset all the PINs, then employed 400 people to go to all ATMs in the capital and withdraw the maximum amount of money, walking off with a cool £1.5 million,” he explained.
“These guys are thinking in a very sophisticated way, and they are getting quicker and more agile. They’re breaking up syndicates, so somebody in Brazil will do the money laundering, someone in Russia will write the code and somebody in America will send the email.
“People say: ‘we’ll trap the criminals’,” he added. “Yeah right.”
Though not overwhelmingly positive, Davis’s comments underlined the fact that businesses can ill afford to be complacent when it comes to information security.
Securing the cloud
Cloud computing is unquestionably the most significant trend reshaping business software design. The widespread scepticism that met software-as-a-service propositions when they first emerged is now thawing, as the potential benefits of sourcing IT functions on a utility basis, often from third parties, become better understood.
However, security remains a sticking point for many organisations, as Dr Guy Bunker, security consultant and member of security advocacy group the Jericho Forum, explained. Once data has been handed over to a third party, how can businesses ensure the kind of security and availability to which they have grown used?
IT managers need to appreciate that cloud computing “is a natural evolution of what we already do today and is here to stay”, Bunker said, but they “also need to understand the consequences, and make sure that the people up the chain of command understand them as well”.
End-user organisations mulling cloud adoption must ask some tough questions of their prospective suppliers. A good question to ask early in the process, Bunker advised, is: how do I move my data to another provider? “Are the APIs open? If you’re using a proprietary system – which is fine – but you want to change providers and there aren’t open APIs to extract the data, what do you do then? Understand that the risks are not the same.”
The location of that data is also important: you might store your data in the UK, “but where is the cloud computing provider going to store it, and what are the legislative, compliance and governance issues around this?”
Asking such questions of cloud providers was critical, Bunker emphasised. “If you don’t ask, it could be anywhere.” Moreover, “what happens if they lose it? Or outsource the work further?”
Authentication also remains a challenge for those adopting cloud computing: “Chances are, if you go down the cloud route, you won’t have a single provider, and managing IDs across these things is very difficult,” Bunker warned.
Cloud offerings remain a tremendous means to obtain expertise that a business could not otherwise afford, Bunker said, “although if you start to think seriously about it, you need to think about whether latency is going to be a killer. Email is fine, but if you start to do transactional stuff, that has latency implications.”
Of course, the advent of cloud computing does not mean enterprise organisations will be shedding their data centre operations any time soon. And according to Alex Rabbetts, managing director of data centre advisory firm Migration Solutions, data centres are often highly insecure from a physical security point of view.
“There is not one major data centre in London that has not suffered a breach in the past 18 months,” he said.
Despite investment in technologies such as biometric identification systems, many data centres can be breached simply by approaching the back door with a clipboard and a fake badge. “The staff are one of the biggest threats to the data centre, but not because they intend to cause harm,” Rabbetts explained. “More often than not, it’s a process that falls down.”
Clearly, the job of protecting corporate information stretches beyond installing a checklist of software solutions. The solutions to emerging threats are themselves only emerging. However, thinking holistically about information security, rather than relying blindly upon traditional methods, is as good a start as any.
Addressing the human factor in security
It is surprising that the role that human behaviour plays in information security is only now beginning to be understood and addressed. The reason it has at last become a pressing issue, according to veteran chief security officer and author David Lacey, is that employees are more empowered from an information access point of view than ever before.
“Power is moving downward to people through social networks, which is leading to the death of institutional authority,” he said at the Enterprise Security event. “People are networking horizontally and make their own decisions about how they want to think. For the security director writing diktats, that’s not going to work any more.”
Given security’s reputation as an inconvenience, “the real art is now getting hundreds of thousands of people to do things they don’t want to do”, Lacey suggested. And to do that, he argues, businesses must leverage the same networks and relationships that many see as disruptive, along with “a lot of persistence and charm”.
Organisational security must move away from a culture of blame, fear, suspicion and punishment, Lacey argued, “because a Cold War approach doesn’t work.
“Unfortunately, lots of people like to do it that way because a lot of organisations are run by sociopaths – the ruthless, competitive and charming people who make your best sales directors and CEOs, but also like to be kind of brutal.”
Instead, companies should create an ‘enabling’ culture that avoids blame and moves towards “education, empowerment and trust”.
“At the moment, we wait for a great big accident to happen, then we find a scapegoat to hang,” Lacey explained. “You wouldn’t do aviation safety like that. People in aviation safety know that 90% to 95% of incidents are blameless, and that if someone did something wrong, there’s probably a good reason.”
In fact, Lacey noted, “you find it’s your best staff who commit the worst breaches. They work longer, work harder and are more empowered, so they’re more likely to do something wrong. You’ve got to encourage the reporting of mistakes, and you won’t get that if you have a blame culture.”
Unfortunately, the current emphasis on compliance tends to derail this process, Lacey said, as it results in long and impenetrable policy documents. “Nobody reads 30 pages of legal statements – that’s just the CISO covering his back.”