VICTORIA–While discussing the “mega trends” currently unfolding in information technology and how they relate to security, Sean Doherty warned the game has changed in terms of how we should be dealing with information security.
The vice-president & chief technology officer for Symantec Corp.’s enterprise strategy group pointed to the Stuxnet malware and the need to shift corporate security emphasis from solely protecting the organization to also protecting its data internally and externally during his keynote speech last month at the12th Annual Privacy & Security Conference. The event, held in Victoria, B.C., and themed “Security and Privacy: Is There an App for That?”, brought together hundreds of information security and privacy professionals in both public and private sectors to discuss policies, programs and technology.
The cybercrime industry is adapting and utilizing the same technologies that legitimate businesses are. In fact, they’re doing it in advance of many of us, he said. Take for instance, cloud-enabled services and consider the botnet — networks of machines controlled to do a specific task such as spamming or distributed denial-of-service attacks.
“If you know where to go, you can rent a botnet of whatever size you need for a specific period of time,” he said. “You pay for what you use, when you’re finished, it’s useable by someone else. These are all the attributes of a cloud service.
“Organized crime is an interesting business and they love using the cloud. They’ll use Software-as-a-Service malware factories . . . and we’re seeing much more creative uses of virtualization.”
On the subject of malware on mobile devices, Doherty said Symantec has seen very little of it happening to date. “That’s because the phone in your pocket, the tablet, it has a very modern operating system. It’s been designed to be pretty difficult to interfere with.”
What Symantec is seeing though is human error. For example, on a weekly basis an estimated 6,000 personal mobile devices are lost or go missing at the Los Angeles International Airport alone. “A lot of the issues around security for mobility are more to do with managing that device’s capabilities, the applications on it, and making sure you don’t lose it.”
The game has indeed changed for IT security admins. When asked for a general comment on the subject, John Stewart, Chief Security Officer, Cisco Systems, cited the consumerization of IT, the explosion of collaboration software, and the virtualization of data centres; mix all of that with the threat of cybercrime and you’ve got significant security stress to say the least.
“We’ve got more technology shift happening now than I personally have ever lived through,” he remarked. “With all of these things happening at exactly the same time a whole bunch of security practices are no longer as effective as they used to be.
“Criminality and the ability to [steal] information off of the Internet have turned into a full blown business.”
Moreover, Stewart said the way security is addressed and implemented must change.
“As technologists, when we have a problem; we fix it with new technology. That doesn’t scale. Eventually, we need simplify that, make it elegant and make it easy,” he said. “But technology can’t solve human behaviour . . . treat your corporation’s information like it’s your own money or your own personal information.”
It was with the emergence of the Stuxnet malware on July 13, 2010 that opened a new and frightening chapter in the continuing online war between valid business and crime. Symantec’s Doherty cautioned this type of malware could become more prevalent in future days.
“It changed our industry,” he said. “It was unique to date in that it was attacking physical infrastructure. That’s a big move. Previously, all malware had attacked was data.”
Yet there are fewer resources available to those charged with that task to safeguard against such attacks. To make matters worse, cybercrime is a growth industry.
“The most optimistic estimate will come in at about $600 billion (US) per year, the most pessimistic at $920 billion per year, giving a growth of between 15 per cent to 25 per cent year-on-year; that is the value of cybercrime to the global economy,” he said. “To give you some scale, mid-$500 billion is the global narcotics trade.”
Rob Enderle, principal analyst, The Enderle Group, said Stuxnet was an attack by one government on another and it wasn’t contained. “The threat it represented has been discussed for some time,” he acknowledged. “The nature of this game is that attacks may come from unexpected directions and flexibility in both identification and response are critical.”
When asked how IT security can keep pace with cybercrime when the latter is better funded than the former, Enderle responded that it can’t.
“It can only contain and direct the threat but it is likely we’ll have a massive outbreak and the world’s response will likely be just as massive and punitive with extreme prejudice,” he said. “The power exists in the world at large, the risk isn’t just to us but, in a catastrophe, all hackers could be painted as terrorists and there will likely be a witch hunt that would make the current hunt for terrorists and the last hunt for communists look relatively benign in comparison.”
So where do we go from here?
For starters, Doherty said Symantec believes what’s required is the development and enforcement of effective security policies. “We as an industry have got to do better at setting policies that are effective, easily understood and (enforced).”
He encouraged the audience to volunteer their time and knowledge to schools in their locality to help educate children in the 11- to 14-year-old age bracket as to why data, privacy, and smart computing practices are important. “Seed with them the expectations for later in life so when they see a (security) policy that relates to information in the workplace, they read it and they actually buy into it.”
Doherty also said organizations need to get better at protecting information. For too long now, in information security the emphasis has been on protecting the organization. “We’ve ‘firewalled’ the organization to stop the bad guys from getting in; we now need to switch to protecting the data inside and outside our organization.”
Equally important is the authentication of online identities, of citizens, employees, devices. “We need to understand who and what is accessing our data,” and he advised managing information on computer systems throughout their entire lifecycle including exposing of the hardware in a responsible way. Above all, continue to protect the corporate infrastructure.
“Infrastructure protection has not dropped off the agenda it is an absolutely fundamental underpinning,” he said. “We just have to find ways of doing it more cost-effectively, using less people to administer it, bringing diverse technologies together into one point; consolidating consoles, enabling one person to do the work of more. Those are the areas you will see Symantec innovate around.”
— Lahey is an online community manager for Partnerpedia.com in Vancouver. Follow him on Twitter: @LiamLahey