When it comes to IT security, delay is no longer an option.
As recent high-profile hacking incidents have demonstrated, it’s now a matter of act swiftly or repent at leisure.
But according to one Canadian expert, warding off threats to enterprise systems is going to be increasingly difficult even for businesses with the will and resources to do so.
That’s because hackers are changing tactics and becoming “much more organized,” said Brian O’Higgins, chief technology officer at Ottawa-based host intrusion prevention solution provider Third Brigade.
The nature of security breaches, he said, is also moving away from mass-market worms and viruses, and towards more subtle attacks that give criminals access to vital personal and financial data.
O’Higgins predicted enterprises would experience security assaults similar to those suffered by ChoicePoint and LexisNexis.
ChoicePoint Inc., the Alpharetta, Ga.-based credit and personal information vendor, was the victim of data theft incident last fall. In a statement issued at the time ChoicePoint blamed the breach on “a small number of very well-organized criminals [who] posed as legitimate companies to gain access to personal information about consumers.”
Hackers also recently compromised databases belonging to Dayton, Ohio LexisNexis and stole information on at least 32,000 people. The cyber thieves purloined passwords, names, addresses, Social Security and drivers license numbers belonging to customers of the company’s Seisint division.
According to O’Higgins, these two incidents are part of a trend of greed-motivated security attacks that cause severe financial damage to companies that are the victims. “Hackers used to put out worms and viruses for bragging purposes, but they’re now doing it for money, and they’re much more organized. You don’t get a financial reward for causing a nuisance.”
As targets become more specific, he said, responsibility for maintaining secure systems will move outside the realm of the security administrator,
“Application owners now have to pay attention to security,” O’Higgins said. “[Previously] IT specialists would take care of everything on the firewall side. But now the operational guys who write the applications will have to realize they are coming under attack.”
The bottomline: more and more people in the organization will have to be aware of security.
There are signs enterprises are starting to pay more attention to security, but O’Higgins said there’s still much to be done. “I don’t think we’ve made any real progress in improving the situation. I don’t think (the security problem) is ever going to be fixed…It’s a never-ending journey – because last year’s solutions don’t solve this year’s problems, and security threats keep moving.”
He said ever-increasing software complexity has added fuel to the fire – as complexity is the enemy of security. “As software [gets] more complex… people find more ways to exploit [vulnerabilities].”
O’Higgins said he was pleased to see Auditor General Sheila Fraser’s recent report on the Canadian government’s lack of diligence in the security realm, because such reports draw greater attention to the need for more stringent security.
According to the report, “two-and-a-half years after revising its Government Security Policy the government has…to translate its policies and standards into consistent, cost-effective practices that will result in a more secure IT environment in departments and agencies.”
O’Higgins said the report highlighted several discrepancies between government departments that are shining examples of best practices in security and other departments that are “pathetic.” Releasing such a report will “guarantee that we will get some improvement,” by encouraging the government to take the first step of “getting funding and resources they need and treating (security) as a priority.”
— With files from IDG News Service