Managing the security of critical information has proven a challenge for businesses and organizations of all sizes. Even companies that invest in the latest security infrastructure and tools soon discover that these technology-based "solutions" are short-lived.
Carl Herberger is Vice President, Information Security and Compliance Services, for managed technology provider Evolve IP.
From antivirus software to firewalls and intrusion detection systems, these solutions are, in fact, merely the most effective strategies at the time of implementation. In other words, as soon as businesses build or strengthen a protective barrier, the "bad guys" find another way to get in. Attackers are constantly changing their tactics and strategies to make their attacks and scams as damaging as possible.
The following areas are of particular concern as you begin planning for 2010:
- Pandemic Continuity Planning. Planning for an epidemic is very different from typical business continuity or technical recovery planning exercises. In fact, an advisory issued last year by the Federal Financial Institutions Examination Council (FFIEC) stressed the need for these planning exercises and detailed the differences between the two efforts. Lending further credibility, in April of this year The Gartner Group weighed in with an advisory of its own, saying that enterprises shouldn't overreact to media reports about the swine flu, but should take the event as a wake-up call for reviewing and testing their pandemic response plans.
- Readdressing Malware Variants. Malware is morphing in scale, scope and delivery payloads. Attackers have shifted away from mass distribution of a small number of threats and moved toward micro distribution of large families of threats. These new strains of malware consist of millions of distinct threats that mutate as they spread rapidly.
- Addressing Social Networking and Web 2.0 Threats. Trusted Web sites are the focus of a large portion of malicious activity. As more and more users go online to take advantage of Web 2.0 applications, such as social-networking sites, blogs and wikis, malware authors are right behind them, opening yet another front in the constant cat-and-mouse game between security defenses and hackers. These threats will become increasingly important and relevant to younger workforces who are proficient with these tools.
- Re-Architecting the Technical Security Perimeter. The continued high volume of data breaches underscores the importance of internal data loss prevention technologies and exposes businesses' over-reliance on the perimeter model. The "layered approach" to information security is the term professionals use for the practice of weaving comprehensive policies and manual procedures together with several different point security solutions, filtering systems, and monitoring strategies to protect information technology resources and data. The more important data loss prevention becomes in these layered defense models, the more likely a risk-adjusted re-deployment of security perimeter resources will occur.
- Incident Response/"Get to the Bottom of It." When a compromise of information security is suspected, it's important that steps are taken immediately to ensure the protection of data. Virtually every organization faces the ongoing risk of security incidents, data handling breaches, disasters, or other events. Meanwhile, most have too few human resources and tools, and too little time, to develop and maintain an effective incident response program. 2010 will be the year to improve on these capabilities.
- Unmanaged Mobile Devices (cell phones, iPods, USB drives, etc.). Mobile devices used by employees for business without IT oversight can expose employers to unacceptable risk. From sloppy configuration to dangerous connections, many unmanaged devices - and the business assets they contain - are ripe for attack. Numerous businesses are rushing to reengineer solutions to address the risks associated with the huge number of unmanaged mobile devices.
- Growth of Social Engineering Techniques. Always bear in mind that security does not start or stop with the technology alone. The simple reality of the world in which we live is that it is and always will be we humans who use, control, implement, regulate, maintain, modify, repair or add to the technology's base functionalities and capabilities. As an example, phishing continued to be an incredibly active threat in 2008 and 2009. Today, attackers are using current events such as the mortgage crisis, stimulus spending packages, and various "bailout" schemes to make their "bait" more convincing, and are employing more efficient attack techniques and automation. Moreover, social engineering fraud techniques, such as phishing and pharming, are expanding, highlighting the need for companies to be proactive in addressing these vulnerabilities.
- Cryptographic Key Management. In the rush to encrypt a variety of confidential information, businesses have generated heaps of cryptographic keys that need to be managed and controlled. The resulting management issue is a daunting task and one that should not be taken lightly. Successful key management is critical to the security of a cryptosystem and, arguably, is the most difficult protection to deploy because it involves system policy, user training, organizational and departmental interactions, and coordination.
- Virtual Machine (VM) Security. To date, virtualization technology has been a relatively secure platform. However, the huge adoption and deployment rate of this technology has spurred numerous efforts to learn how to subvert it and otherwise uncover configuration vulnerabilities. In fact, there have recently been a number of formally published vulnerabilities and acknowledgements by major VM vendors that lab-hacking scenarios are plausible in the "real world." Moreover, properly remedying detected vulnerabilities raises many insurmountable management concerns, because visibility of where this technology actually resides within an organization is often poor.
- The Ability to "Prove" Appropriate Levels of Deployed Security. Evaluating security risks is further complicated by the growing practice of outsourcing. Knowledge of your business partners' security is paramount to a successful relationship. In fact, numerous regulations such as GLBA and HIPAA require every covered organization to evaluate its key business partners and outsourcing risks. However, releasing too much information about internal security controls can also be a liability. Balancing this mix appropriately will be a crucial skill in 2010.
Budgets might be tight moving into 2010, but businesses will still have to comply with regulations, react to new and low-cost virtualization technologies, and adapt to the growing trend of using outsourced business partners to accomplish key business tasks.
Keeping things secure will be an ever-daunting task, and many will seek external expertise to augment their internal staff. Those who have established an efficient system will reap the rewards, while others will find an ad-hoc approach to system security nearly impossible to maintain.
Also see my follow-up article, which explains how to protect your organization from these vulnerabilities and establish a comprehensive information security program for the coming year.