Guy Golan
If cyber criminals have breached trusted technologies, trusted vendors, even your own common sense, can you trust anyone with your corporate IP?
The technologies that have been trusted for years to protect corporate IP have been breached in several recent high-profile cases. Internet protocols have been found to be flawed. Operating systems prove riddled with holes. And hackers and cyber criminals are getting better at what they do.
Trust is failing, and it’s time for the industry to step up to revise its approach and reinvent information security, say key players who will address this year’s annual ITWeb Security Summit in Sandton in May.
Executive VP of EMC and executive chairman of the RSA division, Art Coviello, is on record as saying conventional data security cannot beat cyber criminals. “We need something more from IT security,” he said.
A major problem is that the modern cyber criminal is clever, and has advanced tools easily accessible to him. Anyone who is determined enough can penetrate virtually anything, even IT security vendors concede.
Adding to the challenge of securing information is the fact that Internet audiences have grown exponentially, myriad social media channels penetrate to the heart of the enterprise, and the modern workforce is mobile – whether enterprises like it or not. So a proliferation of new devices and applications is being introduced into the company IT domain.
PEOPLE POWER
Determined con artists, or social engineers, are seeing benefits in this easy access to a massive audience.
Raj Samani, VP and CTO of McAfee EMEA, says social engineering has been a problem for decades. The difference in the information era is that there are a lot more channels and a far wider target for it.
“Because clever social engineering can deliver a cyber criminal into the heart of a company’s information, enterprises need to approach the problem through a number of controls,” Samani says.
Samani notes that anyone is susceptible to momentary lapses in judgment, and anyone can be taken in by confidence tricksters. The problem today, he says, is that the Internet and social media deliver a far higher number of targets for social engineering attacks. “Even if the success rate of a spam campaign is as low as 0.1%, that isn’t bad if you’ve spammed millions of people,” he points out. “If a cyber criminal manages to defraud only 10 or 20 people, but gets millions out of each, that’s worth their while.”
“There’s no silver bullet, and it isn’t just about the technologies in place,” he says. “Companies need to have a culture in which employees feel comfortable telling their colleagues and superiors that they may have been targeted in a social engineering attack, so that steps can be taken immediately to counter potential damage.”
Cyber criminals aren’t the only threat. A rising wave of hacktivists, who feel they have just cause in hacking into companies, defacing their Web sites and exposing their company data, may be an even bigger threat.
Bevan Lane, director of Infosec Consulting, says the dangerous new trend shows there is little to stop a determined hacker from accessing whatever he wants to.
“The worrying thing about this is that it’s increasingly widespread, and that hacktivist groups appear to have succeeded in accessing all their targets,” says Lane.
Lane says hacktivist groups may number hundreds of individuals working together around the world, and have scores of sympathisers. So tracking them down and stopping them is complicated.
Because they usually succeed in breaching their targets’ security, more needs to be done to guard against such attacks, and mitigate damage, says Lane.
And external threats are not the only ones to be concerned about. Performanta Group CEO Guy Golan points out that internal threats are as great as – if not greater than – external threats.
“The temptation factor should not be under-estimated,” he says. “Data is money, and anyone with access to that data will be tempted to misuse it, under the right circumstances.”
Mobile
Another real challenge to IT security is the exponential growth in enterprise mobility, particularly the proliferation of device types.
While Performanta Solutions director Enlin Neveling points out that the risks and security threats facing the mobile enterprise will not be vastly different from those in existence in the past, he does feel mobility will “throw a curve ball to IT managers”.
“The processes and principles remain more important than the technologies,” he says.
Charl van der Walt, co-founder and MD of SensePost, says: “The massive scope and volume of mobile computing is posing some ‘interesting’ new security challenges.
“This is not so much because mobile is inherently less secure, but rather because of the massive uptake of mobile and the unprecedented degree of connectivity involved.”
Bennie Labuschagne, director of cyber forensics at Cyanre, the Computer Forensic Lab, says too many devices are unsecured and there is a general lack of control over how they access enterprise information. He says: “Companies may go to great lengths to secure their networks, but once they allow unmanaged mobile access to these networks, existing security is rendered pointless.”
What now?
Key Security Summit speakers agree that the industry as a whole needs to revisit its approach. In light of new threats, a new technology landscape and new cyber crime techniques, the old ways just won’t work anymore.
Performanta notes that business management has to see information security as an enterprise issue, not an IT problem. People, processes and technology have to work together to mitigate risk, the consultancy says.
SensePost Security consultant and member of the ITWeb IT Security Summit 2012 advisory committee, Dominic White, says more effort needs to be put into IT security. White says more “political will” is needed to fix technologies known to be broken.