Just a decade ago, all end users had to remember was to install antivirus, a firewall and an anti-spam filter, set strong passwords, and trust that these would hold up against the Big Bad Web. These days those measures are merely the baseline, because more and more workers expect their work and personal machines (and activities!) to be one and the same.
It’s not that their workplaces and IT administrators are caving in and willy-nilly allowing the two to merge. But once the unlikeliest of devices, for example the ultra-trendy iPad, has found its way into the boardroom, you can be sure the rest of the organisation, from the top down, will follow suit.
What IT departments end up with on their corporate networks is a flood of unsecured mobile devices being used exactly as their manufacturers intended: constantly connected to and communicating with the Internet, and shining like a big red siren for cybercriminals.
(L-R) EITN Editor in Chief Catherine Yong, McAfee country manager of Indonesia & Malaysia Alagesan Alagappan, Seeburger managing director James Hatcher, Cybersecurity Malaysia vice president of Cybersecurity Response Services Adli Wahid, EITN managing director Debbie Wang
An EITN roundtable themed around trying to find balance between productivity and security entitled “The Security G-Spot: Where art thou, sweet spot?” gathered experts one day in late July, to weigh in with their opinions.
Also, no organisation is an island
Organisations have to exchange data with one another, and that has driven the use of electronic data interchange (EDI), or data communications between enterprises, which has evolved into managed file transfer (MFT) as we know it today. James Hatcher, Seeburger managing director, said that with MFT, what vendors like Seeburger do internally is integrate with enterprise applications at the back end, provide global-grade B2B connectivity and support any and all kinds of data.
In fact, whatever industry jargon or slang the different industries involved use, the burning question it all boils down to is this: how do you move all this data from system to system, system to human or human to human, and keep track of all that movement?
True enough, Cybersecurity Malaysia’s vice president of Cybersecurity Response Services, Adli Wahid, said it is not just data inside the corporate perimeter that needs to be secured; data in transit also has to be protected. But given the increasingly sophisticated ways we use our laptops, tablets, PCs and whatnot, that corporate perimeter is no longer static: it shifts every time a curious user stumbles on a brand new, and often insecure, way of reaching data over the Internet, which happens regularly.
Everybody has a role to play
Perhaps as a result, more and more IT solution vendors that are not primarily security companies find themselves well placed to help secure that data: WAN optimisation providers, application performance management (APM) vendors, CDN specialists and so on. Any vendor whose product handles data crossing the Internet has enough visibility into that data to protect it reasonably well.
Alagesan Alagappan, Malaysia and Indonesia country manager of McAfee, said, “We provide security from the endpoint right to the gateway,” but he added that an issue may not be wholly solved by McAfee, so the company has to look at third-party vendors too. It is not a single-vendor game anymore, and increasingly IT vendors have to collaborate and integrate their solutions.
Even processor maker Intel, whose chips are found in the large majority of PCs today, realised it had a role to play and has elevated security to a company-wide strategic focus, alongside energy efficiency and Internet connectivity. To underline that focus, it acquired McAfee with a view to integrating McAfee’s security technologies into its hardware.
The local security scene
Adli observed that the Malaysian government has been focusing on security for the last couple of years and that, “We have seen interesting progress.”
Cybersecurity Malaysia also handles security incidents, and Adli admits that the numbers have been increasing; the gloomier part is that these are only the incidents that were detected and reported.
Among the many government efforts, however, the main concerted push is the drive for ISMS (Information Security Management System) certification under ISO 27001. It focuses on the critical national information infrastructure (CNII), which spans 11 sectors, and on getting the respective regulators to look at global standards, at what other regulators are doing, and at what can be pushed down to other organisations to improve security. The deadline for CNII organisations to comply with ISO 27001 is next year, 2013.
Adli rightly observed, “There is a lot of concern in this area, because when security is in place, Malaysia becomes a good place to do business. When there are laws, and something bad happens, bad guys can be caught. The government is looking from that perspective.”
Proactive and compliant?
The security industry has been brisk as well. Alagesan shared, “We believe that security is something that is growing very quickly today compared to ten years ago. In any country, most organisations would most probably already have a security department.”
But not all countries or organisations are at the same level of maturity. Alagesan cites Gartner’s four types of security models: reactive, proactive, compliant and matured.
The main practical difference between reactive and proactive is speed: resolving a security issue could take 24 hours in a proactive organisation as opposed to two to three days in a reactive one. Reactive organisations typically spend 3 percent of their IT budget on security.
Alagesan also observed that in Malaysia, organisations are typically proactive and compliant; organisations, and especially those in regulated industries, most probably have certain systems implemented in compliance with the rules and regulations of their respective regulators. “About 8 percent of an IT budget could go into meeting compliance.” He also added, “There is only an increase of 1 percent in terms of security spending from the reactive model, but security becomes better.”
Hatcher noted how companies are being proactive. “More and more public companies of any industry are saying, ‘Wow, I need to be more proactive (about security), there is actually risk to me as a CIO. If I don’t do something, I could lose my job if it destroys the company.’ FSIs are constantly looking at ‘How can we improve our data security?’”
Hatcher also observed that Seeburger partners such as Time Engineering are now providing security audit services, and that companies are actually skilling up to be able to do this. “It’s because these national strategic companies are aware that they’ve got to be ready.”
An estimated 10 to 20 percent of organisations are still in reactive mode, and Adli also gave illustrations of how a few are still in denial: why should we spend money on something that hasn’t happened and most likely never will?
The human factor
There is a reason phishing sites, email spam and social engineering in general are still the main ways malware and other threats spread. Adli commented, “In a lot of instances, we see organisations feel safe, because they spent a lot of money on security... but they forgot about their employees.”
One approach takes the decision out of employees’ hands altogether: policy is enforced technically, and every device and machine is tightly controlled by IT administrators.
But recent user trends have caused IT administrators to slowly lose control over who and what gets onto the network. Rather than bear the cost of trying to manage everything, some organisations now use solutions that let employees provision applications to their own devices. Some vendors have also begun to entertain the idea of mobile device management via a self-service Web portal.
Hatcher said, “A list of what’s approved has become part of the corporate security policy. There are still master rights. If it’s a corporate-issued device, before you get it, IT is going to lock out certain things. You are not going to have user rights, you are not going to be able to access and configure, you’re only going to be allowed to configure what they allow you to configure, i.e. desktop wallpaper. ‘Here’s the whole list, but guess what, there’s another part and you can’t even touch that part because you can’t see it because it’s not allowed!’”
More liberal mobile device management could ultimately put a corporate network at greater security risk. Alagesan said, “Personally, we think it’s a bad idea.” This applies especially to unrestricted personal devices that are brought into organisations. “You could end up self-provisioning your endpoint device with some embedded malware, and it ends up in your enterprise. We wouldn’t know what is secure.
“Because people’s usage of technology is getting more sophisticated, and there is enough motivation for hackers to find a way or a vulnerability to exploit.” Add in the uncertain element of human nature and the risk multiplies many times over.
Adli echoed that sentiment, “The thing about security is the bad guys have to get it right only once. We have to get it right all the time.”
Social media has also started to make its way into organisations, and for global multinationals like McAfee, Alagesan opined, “Big corporations want to create a great place to work. If you block so many things, you can’t. So we are simultaneously giving freedom that is limited. We can access Facebook and YouTube... with policies of course.”
Adli jokingly added, “Policies are meant to prevent abuse and problems basically. So if you don’t like our policy, you can go elsewhere! We can’t afford to trust you!”
Finding balance for an ever-moving target
McAfee’s Alagesan said, “Most companies prioritise what they need because all CIOs know they are not safe. But they are prioritising based on business need. Integration (of different security solutions) is key. I won’t say it’s secure 100 percent, but it minimises the risk.”
His sober outlook, that even five years from now security will never be 100 percent, was echoed by Seeburger’s Hatcher: “Security is a moving target.”
Balance between productivity and security remains a holy grail. The technologies are all available; the challenge comes from balancing budgets, criticality, access and so on, and that is where regulators have to come in and push the whole market to a certain standard of best practice.
Enterprise owners will have to make informed decisions on how to tackle threats, and accept that there is no one solution for all security woes. Cybercriminals are more motivated than ever, with vast resources at their fingertips and seemingly inexhaustible ingenuity when it comes to getting past security barriers and tools.
We haven’t seen the last of the kinds of malware and attacks that cybercriminals are going to dish out at us. And what we have seen is only what has been detected or reported.
The security mishaps that make the news are just the tip of a much bigger iceberg of vulnerabilities. That is a very pessimistic view. But can we afford not to be?
Said Adli, “It’s a global trend. Security is a big problem worldwide. We are here to help people and organisations manage the situation. So, whatever is important when it comes to security and preserving confidentiality, integrity and availability (CIA) is there all the time.
“This is so that when something bad happens, you know what to do… you have an action plan.”