The security challenge is growing on other fronts, too. The tide of consumerisation continues to sweep through our organisations and workers are increasingly seeking access to business systems and information via ever-more-powerful mobile devices that often do not come under the remit of an organisation’s security policies. Users also want to use social media, web applications and cloud services, which introduce yet more problems for those tasked with maintaining information security. There are now so many ways to bypass standard defences that a growing number of people think many organisations need to rethink their entire approach to security.
Advanced threats and evasion techniques
At last month’s Infosecurity Show, much of the talk was around advanced persistent threats and advanced evasion techniques (APT/AET). APT refers to the continual probing of a target company’s defences using multiple vectors and ever-changing techniques and technologies until a point of entry is found, usually by organised groups such as foreign governments or criminal gangs.
The techniques involved can vary from automated scanning to social engineering to finding a way in via the extended supply chain. AET, meanwhile, is about the tactics attackers use to hide their presence once they have access to an organisation’s systems. In his keynote address, Spencer Mott, chief information security officer (CISO) of videogames developer Electronic Arts, said: “Eventually this will pose a threat to any significant business, although the big global brands with the most ‘interesting’ things to steal are going to be affected most.”
Vendors of security technologies have responded by aggressively marketing solutions that they claim can protect against APT/AET. But while the threats may be real, most seasoned information security professionals see the profusion of proffered “silver bullet” solutions as little more than the latest round of industry hype. No technology can blast away all the threats.
Process, people, technology
Effective security is, as it always has been, about a combination of solid risk assessment, rigorous design (and continual review) of policies and processes, thorough technical security when designing and testing systems and websites, ongoing programmes to ensure users understand their role in minimising threats and, yes, judicious use of appropriate security technologies including anti-malware, access controls, event logging, authentication, encryption and others (but only as part of that broader strategy).
One way that many organisations seek to guarantee that they have struck the right balance of process, people and technology is by working to become accredited in a formal security standard, such as ISO 27001. In the case of some sectors, these are mandatory, such as the PCI-DSS standard for the payments card industry. Yet many of the organisations hit by breaches have been certified in one or more of these standards.
Professor John Walker is an independent cybersecurity consultant and academic who has advised countless corporations and government organisations, including such bastions of security as GCHQ and the CIA. “Where one encounters ISO 27001 certifications being issued to organisations whose information security is based more on smoke and mirrors than robust strategy, one starts to understand why attacks are so rife and successful,” he says.
“Likewise, PCI-DSS was born for the right reasons, to provide security to the card-using public. However, over the years, use of the standard has evolved into a science of tick-box security focused on dashboard reporting rather than on underpinning robust technical security. This is evidenced by the multiple failures in PCI-DSS-compliant organisations, such as the recent debacle of Barclays deploying insecure contactless payment cards.”