RSA, The Security Division of EMC has released two new studies this month that examine the far-reaching security implications of promising technologies such as cloud computing, virtualization, social networking and mobile communications, and explore the pivotal business risks and rewards they represent to organizations worldwide.
The first research study - conducted by IDG Research Services - reveals a significant gap between the speed at which organizations are adopting new connectivity, collaboration and communication technologies and their readiness to deploy them securely. The second study, from RSA's Security for Business Innovation Council, outlines how companies can capitalize on the significant business advantages these new technologies represent without putting their organizations at risk.
"Businesses are becoming 'hyper-extended enterprises,' exchanging information with more constituencies in more ways and in more places than ever before," says Art Coviello, executive vice president, EMC Corporation and President, RSA, The Security Division of EMC. "The rapid adoption of nascent web, social and mobile technologies combined with the rising use of outsourcing is quickly dissolving what remains of the traditional boundaries around our organizations and information assets. Security strategies must shift dramatically to ensure companies can achieve their goals to cut costs and meet revenue targets without creating dangerous new business vulnerabilities."
"The enterprise is drastically changing, not just who we connect to or how we connect to them or who has access to what information, but the basic premise that our enterprise or corporate operating environment is now migrating outside of our basic operational control infrastructure," adds Roland Cloutier, vice president, Chief Security Officer.
IDG Report Shows Many Companies Leaping Without Looking
Commissioned by RSA, a 2009 IDG Research Services survey of 100 top security executives at companies with revenues of $1 billion or more showed that some companies are so enthusiastic about the potential of new web and mobile technologies, they are deploying them without adequately securing critical processes and data.
The threats: faster than ever and more unpredictable
The report zooms in on a few striking examples that characterize today’s threats and demonstrate how rapidly they are evolving.
The pace of malware has reached staggering levels. Security professionals are becoming accustomed to figures such as these: a new infected web page is discovered every 4.5 seconds; there are over 20,000 new samples of malware every day; and botnets change their malware signatures every 10 minutes.
Malware is infecting not only traditional operating systems, but also mobile devices. Web sites are the new favorite vector and malware is also being spread through social networking. So it’s no wonder current defenses against malware are no longer effective. For example, a recent study shows some signature-based anti-virus technology, a major part of security infrastructure, now only detects 30 percent of all malware.
Beyond malware, security professionals also have to deal with an alarming number of data breaches and identity thefts, with incidents affecting organizations of all sizes and types, including governments and companies. These events, in which thousands or even millions of records have been compromised, are regularly featured in the headlines. They are the work of insiders, external hackers, or both working together.
It is now a common mantra in security that the nature of the threats has changed. Gone are the days of script kiddies looking for fame and notoriety; now enterprises face a very sophisticated worldwide fraud machine run by organized crime, with many players, each having their own niche. This system is very adaptable, changing tactics quickly to outwit any attempt to foil its operations.
The end result is that there are more threats coming faster than ever before and they are changing all the time. It is no wonder that some security professionals feel outpaced. What security professionals are expected to absorb on a day-to-day basis has reached near impossible levels. And the evolution of the threats is constant. The threats are more significant today than they were six months ago or last year, and they will be more significant six months or a year from now.
There is also the unpredictability of today’s attacks. Zero-day (or zero-hour) attacks and viruses, which exploit unknown, undisclosed or as-yet-unpatched application vulnerabilities, are now commonplace. Exposure has also increased through the proliferation of information on social networking sites. Although social media is great for collaboration, it’s also a great way for the bad guys to learn all about the company and its personnel, including real-time location updates. This potentially paves the way for novel types of social engineering attacks or even blended attacks, which could use data obtained electronically to commit crimes against information assets, physical property or people. It’s hard to keep up with the possibilities for new attacks.
In addition, when enterprises are operating in geographies and cultures that they have never done business in before, such as new locations for outsourcing or off-shoring, it’s a lot harder to predict behaviors or develop possible scenarios. Globalization increases the complexity of risk assessment. It requires factoring in different norms and ethics, which may not be fully understood.
The increasing skill set of the bad guys
It is well known that countries and corporations use cyberspace to spy on each other for political and commercial gain. Even cyber-warfare has transcended the realm of best-selling novels to become reality. Nation states may believe developing information warfare capabilities is critical, but the downside of this strategy is that not everyone who gains these capabilities stays within the control of the nation state under which they’ve trained. It’s a relatively recent skill set. Over the last 20 years or so, militaries and intelligence agencies all over the world have trained agents in cyber-warfare activities. At some point, some of the people with these skills start leaking out into the criminal economy. This is increasingly putting the global economy at risk.
High levels of risk tolerance
Today’s economic conditions are creating an atmosphere in which business people may be much more willing to take on potentially dangerous levels of risk. Many cash-strapped business units are rushing ahead and “leaping before they look,” rapidly entering relationships with cloud vendors and/or outsourcers. With the intention of squeezing timelines, decreasing costs, and/or making their quarterly numbers, they may forgo thorough due diligence or comprehensive security reviews. All the while, enterprise data is spinning out of enterprise control. An added dimension to the problem is that service providers often sub-contract the work or elements of it to other service providers, who then push it off to their own subcontractors.
Ultimately, there can be many layers between the original client and the organization that is actually handling the information.
Cloud computing is a relatively new concept. According to Forrester Research’s glossary, cloud computing is, "a pool of abstracted, highly scalable, and managed compute infrastructure capable of hosting end-customer applications and billed by consumption." It creates a new category of service providers and a new set of risks. Because the cost savings are so compelling and it is very easy to start using cloud computing in stealth mode, many businesses may be lured in before all of the security issues have been addressed.
For example, it is now possible for developers to do production scale tests without even having to involve IT. Infrastructure services in the cloud are built on the notion of renting virtualized machines so that infinite capacity is available on very short time scales. The customer can acquire and release resources on demand, and only get charged for what they use. Previously, developers needed to work with IT to configure hundreds of servers for an architectural experiment which would take several months and a huge capital expenditure to complete. Now developers can use their credit cards to rent cloud services and get the required computing power for US$10–US$50, and get it all done in one afternoon. Computing power is now very accessible but it is also no longer exclusively under the control of the enterprise.
The newness of cloud services means that enterprise customers have not yet defined all of their security, privacy and compliance requirements and that cloud vendors have not adequately addressed all the related issues, and there are many.
Just to name a few: If cloud services are processing data from multiple enterprises, how will the cloud vendors ensure the integrity of co-mingled data? How is it segregated from other customers’ data? If a business process moves to the cloud, how does an enterprise meet compliance obligations? How does it meet requirements for detailed security assessments or penetration testing? In addition, cloud vendors are reluctant to reveal the details of their security as they consider it proprietary information. Many of today’s privacy regulations mandate where information must be stored or processed. How will customers know the geographic location of their data as it moves around the globe using available capacity in the cloud? This is all still unclear. But despite this lack of clarity, many enterprises might just decide to take the risk in an effort to tap the enormous cost savings, flexibility and other benefits that cloud computing promises.
Business process outsourcing (BPO) is another area where enterprises might just take the risk. As cost pressures mount, enterprises looking to remain competitive may be forced to follow other enterprises as they move more business processes to service providers and new onshore and offshore locations. Service providers may be able to entice a few Global 1000 customers with extremely low-cost contracts. To make their offerings look attractive, some BPO companies try to present an à la carte menu instead of a full meal deal. Beyond their very low-cost core services, they offer a menu of options, including security controls. The problem is that companies often put together their business case based on the initial sticker price. All the rest is additive cost, including security controls. Blinded by the initial promised savings, customers may accept untested security assurances or forgo the more expensive security “options.” The service providers may then use these customers’ brand names as proof of the level of trust they have earned to entice other Global 1000 customers.
The significant issue of service provider risk has faced large enterprises for years now; it is not a new concern. The sheer volume of service providers and the increasing number of business areas they touch were already making it very difficult to manage the security, privacy and compliance issues. In the new economy, the proliferating number of service providers and their deep reach into enterprise business processes may be kicked into overdrive.
The shifting moral compass
In desperate times, people do desperate things. In a tough economy, disgruntled and laid-off employees and contractors may be much more willing to pursue malicious acts that are outside the realm of their normal behavior. The reality is that desperation can trigger otherwise law-abiding and rule-following people to engage in criminal activities. For example, according to a recent survey, 9 out of 10 IT administrators would take company secrets and remote access credentials with them if they were fired.
Adding to the dangers, security departments are becoming resource-constrained. This environment opens up increased opportunities for people to take advantage of gaps in security. By way of analogy, when you can no longer afford to have a security guard at the door 24/7, people will determine when the guard is not around and target that timeframe to gain entry.
Today’s enterprises are operating in an environment with unprecedented levels of uncertainty. This kind of setting may make “Black Swan” events more conceivable. Most security professionals are familiar with so-called Black Swan events, which are defined as large-impact, hard-to-predict, and rare events that go beyond the realm of normal expectations. How do you realistically anticipate these types of events in a risk assessment? In a rapidly changing world, the value of using historical data to predict possible scenarios, impacts and losses is called into question.
Key findings of the study include:
- More than 70 percent of survey respondents believe escalating levels of connectivity and information exchange powered by new web and communication technologies are transforming their organizations into hyper-extended enterprises.
- The majority of organizations have increased their use of virtualization, mobility and social networking over the past 12-24 months, with more than one-third reporting an increase in cloud computing.
- However, many of the responding companies do not have adequate strategies to assess the risks involved in adopting these new technologies. In some organizations, the corporate security department is only brought in when problems occur and in others, security is not even informed before these new technologies are used.
- Less than half of respondents have developed policies for employees to guide the use of social networking tools and sites.
- More than 30 percent of the responding companies already have at least some enterprise applications or business processes running in the cloud, with another 16 percent planning to begin migration within the next 12 months. Among these, two-thirds do not yet have a security strategy in place for cloud computing.
- More than 8 of 10 respondents are concerned that pressure to cut costs and generate revenue has increased their exposure to security risks. More than 7 in 10 have experienced a security incident in the last 18 months.
- The majority of respondents agree they need to change and improve their approach to enterprise security strategy to accommodate the realities of the hyper-extended enterprise.
Hyper-Extended Enterprise Requires New Security Approach, Say Top Security Officers
RSA has also released the results of its fourth Security for Business Innovation Council report, "Charting the Path: Enabling the 'Hyper-Extended' Enterprise in the Face of Unprecedented Risk." In this report, top security leaders from around the globe explore how security strategies must transform in a world in which well-intentioned actions to drive new business value could open up disastrous risk exposures.
According to RSA, the current security model is ill-equipped for a hyper-extended enterprise operating in an unprecedented risk environment. Security teams are often still fighting yesterday’s battles and focused on tactics like securing the perimeter with firewalls, updating anti-virus signatures, pushing out patches, and encrypting laptops. All of these things may still be necessary, but they are not sufficient to match today’s world.
The company warns that if we do not figure out a better information security model, and fast, there could be devastating consequences. The possible worst-case scenarios are actually nothing new to security professionals; they have outlined these types of events for ages. What is new is the likelihood of these kinds of incidents occurring and the magnitude of their potential impact.
"At this particular point in time, when we have such a rapidly-changing environment, we need to absolutely cry, 'Time out!' We need to step away from it, and we need to examine if our program has all the right gears," comments Council member Dr. Claudia Natanson, Chief Information Security Officer, Diageo. "Is your program road-ready for the rough ride that you may be about to embark on? Because only the most agile, only the fittest, only the most flexible will make it to the end."
“One of the challenges for security professionals is to be able to make informed triage choices that are necessary when you’re dealing with such a fast-paced, dynamic, global set of threats, challenges, risks and domains. So you have to develop this ability,” adds Bill Boni, corporate vice president, Information Security and Protection, Motorola and a member of the Security for Business Innovation Council.
RSA's prior study, "Driving Fast and Forward: Managing Information Security for Strategic Advantage in a Tough Economy," highlighted the importance of not pulling back on innovation in the face of budget and resource constraints. This new report demonstrates how top security leaders simultaneously grapple with the need to promote innovation while protecting information in an increasingly risky environment.
Report Offers Seven Steps to Build New Enterprise Security Model
Based on in-depth conversations with the Security for Business Innovation Council, whose members are some of the world's top security officers, this report looks at where information security is headed. It offers specific recommendations for developing an updated information security model that reflects the emerging opportunities and dangers at hand. Council members outline why today's threat environment is particularly treacherous and share advice on how to securely tap the hyper-extended enterprise for business advantage. Specific guidance includes:
- Rein in the Protection Environment: Identify ways to use resources more efficiently by taking a risk management approach to the existing security environment. For example, the Council outlines strategies for how to curtail the use of security resources that protect extraneous information assets, stored data, and devices. By reining in the protection environment, enterprises can simultaneously cut costs, reduce risk and free up resources for high-priority projects.
- Get Competitive: In challenging economic times, if business leaders perceive they are not getting what they need from the internal security organization, they may increase overall risk to the enterprise by turning to external service providers without involving corporate security. The Council explains how security teams must focus on the quality and efficiency of their services and be able to effectively articulate the value they provide for the price.
- Proactively Embrace Technology on Your Terms: Information security departments must accept that it is not feasible to block the use of new web and communications technologies; instead they must enable their secure use. Council members share guidance on moving from reactive to preventive security, and establishing a roadmap for the business to adopt new technologies.
- Shift from Protecting the Container to Protecting the Data: In the era of the hyper-extended enterprise, more and more enterprise data is processed and stored in containers not controlled by the business. For instance, the data may be processed by service providers or held in a personal PDA used by an employee or in a laptop owned by a contractor who may have multiple enterprise clients. Within this environment, the Council provides guidance on shifting from protecting the container to protecting the data.
- Adopt Advanced Security Monitoring Techniques: In today's threat environment, security teams must update their approach to monitoring for abnormal and malicious events. Council members share advice on moving away from techniques such as signature-based anti-virus and blacklisting to more accurate techniques such as behavior-based monitoring and whitelisting.
- Collaborate to Create Industry Standards: Council members explore why the need for uniform standards for security professionals, third-party providers and emerging technologies has reached a critical juncture.
- Share Risk Intelligence: To help enterprises defend against international attackers and an increasingly sophisticated fraudster network, the Council recommends more robust and collaborative intelligence sharing spanning enterprises, law enforcement and government.
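The "Adopt Advanced Security Monitoring Techniques" item above contrasts signature-based blacklisting with behavior-based monitoring and whitelisting but does not show why the first falls behind. The Python script below is an added example, not code from the RSA report or the Council: it runs three process-start events through a hash denylist, a hash allowlist and one behavior rule. The sample "binaries", their hashes, the file paths, the host names and the parent-process heuristic are all constructed for illustration.

```python
# Added example (not from the RSA report): a signature denylist misses a
# repacked sample, while an allowlist and a behaviour rule still catch it.
import hashlib
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    """One process-start event, as an endpoint sensor might record it."""
    host: str
    image_path: str
    image_bytes: bytes      # constructed stand-in for the executable's contents
    parent_image: str


def image_hash(data: bytes) -> str:
    """SHA-256 of the executable image; the lookup key for both lists."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "binaries": the bytes are placeholders, not real files.
APPROVED_EDITOR = b"constructed: approved editor build 1.0"
KNOWN_BAD = b"constructed: known malware sample A"
REPACKED_BAD = b"constructed: known malware sample A, repacked"   # same family, new hash

# Signature-style denylist: only hashes already catalogued as malicious.
DENYLIST = {image_hash(KNOWN_BAD)}
# Allowlist: hashes of the builds the enterprise has approved to run.
ALLOWLIST = {image_hash(APPROVED_EDITOR)}

# Constructed events: a legitimate launch, a catalogued sample, and its repacked variant.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Program Files\Editor\editor.exe", APPROVED_EDITOR, "explorer.exe"),
    ProcessEvent("ws01", r"C:\Users\alice\AppData\Local\Temp\update.exe", KNOWN_BAD, "outlook.exe"),
    ProcessEvent("ws02", r"C:\Users\bob\Downloads\invoice.exe", REPACKED_BAD, "outlook.exe"),
]


def denylist_blocks(events: Iterable[ProcessEvent]) -> List[bool]:
    """Signature/blacklist model: block only what matches a known-bad hash."""
    return [image_hash(e.image_bytes) in DENYLIST for e in events]


def allowlist_blocks(events: Iterable[ProcessEvent]) -> List[bool]:
    """Whitelist model: block anything not explicitly approved (default deny)."""
    return [image_hash(e.image_bytes) not in ALLOWLIST for e in events]


USER_WRITABLE_MARKERS = ("\\users\\",)
MAIL_AND_OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}


def behaviour_alerts(events: Iterable[ProcessEvent]) -> List[bool]:
    """Behaviour-based rule (a constructed heuristic): flag an executable launched
    from a user-writable directory by a mail or office client, regardless of its hash."""
    alerts = []
    for e in events:
        path = e.image_path.lower()
        from_user_dir = any(marker in path for marker in USER_WRITABLE_MARKERS)
        suspicious_parent = e.parent_image.lower() in MAIL_AND_OFFICE_PARENTS
        alerts.append(from_user_dir and suspicious_parent)
    return alerts


if __name__ == "__main__":
    for name, check in (("denylist", denylist_blocks),
                        ("allowlist", allowlist_blocks),
                        ("behaviour", behaviour_alerts)):
        print(f"{name:10s} {check(SAMPLE_EVENTS)}")
```

Run as-is, the denylist blocks only the second event: the repacked third sample has a new hash and passes. The allowlist blocks both unknown images because it never needed to know about them, and the behaviour rule flags both because it keys on how the process was launched rather than on what it contains. The cost of the stronger models is operational rather than technical: an allowlist must be kept current with every approved build, and a behaviour rule needs tuning against legitimate launches.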
Condensed from a whitepaper ‘Charting the Path: Enabling the “Hyper-Extended” Enterprise in the Face of Unprecedented Risk’
We are unfortunately living in a world where data theft, piracy and malicious employees put IP at risk every day. However, danger is not just lurking on the outside – many don’t realize that some of the greatest threats to their data and IP come from the most reliable staff members. Accidents and seemingly trivial errors are causing more IP loss than malicious hackers or even angry employees. In this shifting landscape, the battlefront in security is rapidly changing from securing the perimeter to protecting the information itself. To find out how we can better protect our confidential company data and IP, join MediaBUZZ for an intense half-day seminar on August 13th 2009 from 2 p.m. – 5.30 p.m. More details and complimentary subscription are available here: http://www.mediabuzz.com.sg/events/mediabuzz-events/204-data-loss-prevention