Network security threats abound, and news of data breaches are constantly made public. Are information security
professionals doing something wrong? Where are enterprises most vulnerable? And what can network pros do to keep a company more secure? in order to solve security issues, we need to think of information security as risk management, says Interop IT security track chair John Pironti, who is president of IP Architects, LLC. Here's why:
In just the past few weeks, hackers stole data on the Pentagon's newest fighter jet, a hard drive containing top secret missile defense data was sold on eBay, while the state of Virginia's prescription monitoring program lost 8 million medical records from hackers (who are now demanding a $10 million ransom for it). And the list goes on.
Is it that more network security threats and breaches are happening this year, or are more people becoming aware of these attacks?
John Pironti: It actually happens to be both. There's more regulation on data disclosure. Companies now have to step forward and report a data breach. So there's more knowledge out in the community.
Once California's Notice of Security Breach law came out, more people from other states wanted to know whether their information was protected. That concern paved the way for more data disclosure laws to be passed.
So the way that information is available now, plus the rise of customer-self-service applications, we're enabling customers to do more … over the Internet, and we haven't thought through all of the ways to protect ourselves on those applications.
Why are these applications creating more network security threats? Is it because they are new and information security professionals don't know how to secure them yet?
Pironti: New technologies available, like Web 2.0, are a lot of the problem -- file-sharing programs especially.
There are a lot of people trying to search for sensitive files, and they find them in these file-sharing programs. It's no longer a single hacker after data, either. There are now organized factions that have a whole new level of access available to them.
Also, many end users are unaware of the impact of what they install on their computers …
Hackers have been getting people to download applications to get key stroke data. So whatever passwords people are putting down are getting recorded by these applications.
Then another part of the problem is that end users don't ask for help on how to secure themselves.
What are the biggest network security threats that are more prevalent this year than in any other?
The biggest problem -- in the last 18 years of my information security career -- is not going to be the newest attack. That's always going to be there -- that's what makes my job exciting. [Knowing] where my data [is] today -- the lack of data identification and classification -- is the biggest problem today.
In Smartphones and BlackBerry devices, for example, whenever you're emailing on that device, emails always get lost … When the security guys don't know where the data has gone, no one can secure it if they don't know where it is.
More this year than in other years, data usually ends up in areas that it wasn't ever supposed to be in the first place.
To write in a policy that your end users shouldn't transfer business-sensitive data on certain applications or devices isn't going to stop them from doing it. Policies are not enough. We need to back them up with guidelines, procedures, standards and sometimes technology.
If someone doesn't follow a policy, there should be consequence management that goes along with it … That may mean you'll have to pay fees, or you can't do certain tasks until you are in alignment with the policy … But ask yourself: How do I assist my populations? That may mean educating your users so that they comply.
Most people tend to react to a network security threat after it's too late rather than take the proper preventative measures to avoid these follies in the first place. What is it that enterprises don't count on happening or don't plan for?
Pironti: We think of the worst-case scenarios, but we don't think of the high-probability and high-impact scenarios.
Take passwords, for example. We ask our users to come up with 10 to 15-character passwords that have to be changed every 30 to 60 days; that have to have numbers, letters and symbols; that can't be words in the dictionary; can't be the last three passwords that we've used, and then we say that [our end users] can't write those passwords down. That's ludicrous!
The truth of the matter is that most of us do write our passwords down on a sticky note and post it right onto our monitors.
Some people envision these Mission-Impossible-going-down-through-an-office-ceiling scenarios … when in reality all I have to do is dress as a cleaning person and walk into an office building over to somebody's monitor with a sticky note on it [to get someone's password and data].
The thing about security geeks is that they've solved the technological side but not the [end-user] side.
In your IT Security Track description you said that these "challenges all lead to the requirement for more intelligent threat-driven investments in information security." How might enterprises develop more intelligent threat-driven investments? What are the threat-driven investments that people aren't doing intelligently?
Pironti: Threat and vulnerability analysis that's not technical. Talk about what's [a] really probable [threat] … But the more people are spending time looking at their processes, they say, "That's going to take a lot more time and effort than I can afford. Can't I just buy that box?" But that box doesn't have the right solution for that business's specific needs.
There's an antivirus (AV) lab that does testing on current tools, and they found that 40% of attacks are not being caught by the virus scanners. Because, for an antivirus company to turn a profit, they need to see thousands upon thousands of the same problem before they write a signature for it, because it takes a lot of time and effort to put one together. They have to cover a widespread [field of] security rather than a smaller one, which leaves many known issues wide open.
A lot of the smarter hackers are writing attacks that are specific to an organization and keeping it quiet. With cases like TJX and Hannaford, that's exactly what happened … These were attacks that were well-crafted.
In a tough economy, where many businesses are failing to make ends meet, what recommendations do you have to help enterprises stay on top of network security threats?
Pironti: The guidance I [have to] give … [is to do] business process mapping: Understand how data goes from Point A to Point B … Then find your data. Once you find it, classify it; ask whether or not it needs to be more secure than other data … because not all data is created equal … Do this by [using] threat and vulnerability techniques.
Once that is complete, find where the high-probability and high-impact areas [are]. That's where you're going to spend your time.
The thing that keeps me awake at night is this conversation about compliance -- essentially giving enterprises checklists to go through … which is a paint-by-numbers approach to security, instead of doing security by risk assessment.
People think of security as a stopping point and not as a helping point -- that's why I've changed [the term] from "security" to "risk management."
Most companies are looking to cut costs. How can companies find a way to spend more on security?
Pironti: In previous downturns, security was the first thing to go. [Information security is] risk management … so people would throw away risk.
In this economic downturn, security is the last thing to go because there's actually more cost tied to risk. It costs a company more to have an incident than it does to take the preventative measures to avoid it.
But in an economic downturn, people aren't putting more money into security … Security can drive value, if you're able to demonstrate it.
How can you demonstrate the need to put more money into security when a common complaint from network managers is that they can't convince upper management to listen to them?
Pironti: The reality is that [network managers are] still talking about the technology instead of the human element.
They need to invest in being a business person, and get business skills so they can stop speaking geek and get CIOs and CFOs to understand how the technology aligns with their business processes.
Most of the senior leadership is concerned about profit, so you need to ask, "How will this security solution affect profit?" and explain yourself in those terms.
What do you think will be the biggest security-related trend or news coming out of Interop this year?
Pironti: The one thing I think that all of the vendors are trying to do is to turn information security into a risk management conversation -- which is a good thing. Instead of assuming that what we [as vendors] know is best, we're going to look at what the businesses are doing to see how to secure their information accordingly.