• TechnologyInnovator
• NextInnovator
• EnterpriseInnovator
• SecurityInnovator
• DefenseInnovator
• WirelessInnovator 
• HPinnovator
• EnergyInnovator
• TransportationInnovator
• SMBinnovator (beta)

• NextInnovator(at)Live.com

• Ghost City
• Frontline Sentinel
• Innovation Insights
• WebInno
• Over the River
• Enderle Group
• Security Insights Blog 
• McAfee Audio Parasitics
• Rethinking Security
• Ovum
• iSuppli
• Canalys
• eMarketer 
• CRM Help Desk SW 
• Rethink Research
• The Gadgeteer
• Master the Moment

 

The most worrying issue for C-level security professionals, and the thing that often keeps them awake at night, is the fear of the unknown. The chief information security officer (CISO) is the person in direct line of fire when security breaches occur, and given the deteriorating state of information security, taking overall responsibility for security-related issues is a perilous role.

During the last 12 months several leading organisations have admitted to serious data breaches. As a result, organizations are being advised by security industry experts that defense in depth will not keep everything safe, and no matter how secure you think you are all organizations are potential victims. Business organizations are being told to act as though they have already been breached. The emphasis is now on the need to identify data breaches at the earliest opportunity and deal with the impact as quickly as possible.

The CISO community recognizes that there is a clear difference between professional hackers that use stealth tactics to attack organisations in order to steal information and use it for financial gain, and “hacktivists” who target organizations because they hold a personal or idealistic grudge and want to see it held to account. Previously these groups were seen by CISOs as activists or in some cases vandals, but in the last few years they have become more organized and more focused on the levels of press coverage that successful attacks generate.

There are three distinct groups responsible for most malware attacks

The fact that cybercrime is on the increase is reflected in the views of most leading CISOs. Many believe that both criminality and malicious acts are on the rise. There is a general acceptance that three distinct groups are involved and each group has its own agenda.

Nation state sponsored attacks are seen as targeted, well-resourced, and well-organized. But realistically their attack methodologies don’t have to be mega-advanced with a zero day payload to get past the base-line defenses that exist across most sectors of government and industry. The CIOs and CISOs we have spoken to accept that organizations are often breached by fairly simple approaches that only need to be advanced enough to get past a Maginot line of static defenses and at state level have the support of a sponsor who is interested in the information on offer.

Traditional financially-motivated cybercriminals continue to silently hoover up sensitive business, customer, and account information in order to make a profit. These attacks are generally opportunistic, not necessarily well resourced or targeted, but often successful. Like their state-sponsored counterparts, the objective is to break in unobserved and silently go about the collection of data for as long as their presence remains undetected.

The third element is significantly different. It involves groups who are motivated by the prospect of publicity and are now organized to the extent that hacktivism is known to have stolen more data in the last year than the traditional models. CISOs accept that a kudos element remains to some hacktivist-led attacks, but recognize that this is overshadowed by the top secret information that is stolen, and then published online for the world to see.

Hacking tools are consumables but basic viruses remain a problem

Each organization faces a diverse range of security problems. Very few are unique, but at the same time it is difficult to imagine two more diverse ends of the security spectrum than the business requirement for basic antivirus protection and the latest consumer-led initiatives. Yet both continue to have a significant influence. Malware products that can form part of a malware attack can be bought online, with successful breach models consisting of a combination of social engineering and a supporting cast of pre-built malware tools. Other areas, particularly in the not-for-profit sector, continue to suffer from old fashioned virus attacks. This happens because users share information across a variety of locations often with insufficient antivirus software in place. This can be a user issue as people still don’t have the security awareness required to protect the organisations they work for. In this context the problem for the CISO is about basic education issues and the struggle to get antivirus protection for the type of basic network connections that continue to be in use. For example, there are serious concerns about how long it takes these organizations and their users to do the basics such as patching and updating virus protection software.

When considering the majority of successful security attacks last year there was a common theme. Most were basic standard sequel injection attacks that have stayed in top-ten lists for the best part of last 15 years. Whereas some of the big players such as Microsoft have made significant security improvements, with most software products (including those developed for new mobile devices) there is little or no control.

Consumerization adds an extra degree of complexity

The consumerization of IT and the bring-your-own-device (BYOD) culture are making a lot of headlines, but for many CISOs this is just part of a larger data management issue. Consumer applications and BYOD add an extra degree of complexity, but are generally seen as just another thing to worry about. CISO concerns were more about the management of data and an inability to classify it effectively.

Most organisations struggle to identify their critical data; the supporting classification disciplines are not mature enough. It is too hard and users continue to store data on their C or D drives or personal devices, where lack of backup is also an issue. There are also said to be more problems that need to be addressed with the fixed devices in corporate networks which are assumed to be secure and well managed than with the next generation of mobile devices.

The user demand for access to corporate networks is seen as being out of line with the real need. Users demand access on a 24×7 basis, whereas in reality the business requirement only demands extended access in emergency situations. CISOs believe that if there was better access control the issue of unwanted and unwarranted access could be controlled. Potentially there could be benefits from changing from role-based access to rule-based access controls. Overall there is a belief that whatever improvements are made to the way that we approach the security problem in the future, they have to be cost justified. It isn’t worth spending significantly larger sums than we are already on fraud protection without clear business benefits.