Enterprise security and the new threat landscape.

Up until a few years back companies did not have any role called CISO – chief information security officer – a lot of companies do not yet today. Most think that all this is part of the CTO’s look out. That is one of the more succinct indications of what has changed and the fact that things have changed and it is not business as usual.Ever since the first ever self replicating viruses came onto the scene several years back information security has been a concept whose need seems to be today recognized a bit more widely than anyone would have thought they would. A large part of the requirement is now mandated by law and part of the huge compliance bill that companies need to pay. The cost of data breaches and the ensuing mayhem has reached considerable numbers and it is seems only natural that governments have enacted regulations that keep data security on every one’s minds and budgetary allocations. It wasn’t long before the ever useful though often embattled CTO found it necessary to have in his team a CISO. One of the key reasons was the ever changing threat landscape and the ever changing, maturing and developing technologies and the security concerns that they create. It hasn’t been al that long since Virtualization was the cause célèbre in the IT town and yet today the cause for concern are the new emerging trends in vulnerabilities in the virtual systems and the opportunities to be attacked that they represent. Before you know it and all systems and subsystems that form an intrinsic part of the life cycle of the industrially manufactured   products and customer experience can become and has the inherent capacity to become a security breach.

 

The risks today are in terms of infecting and utilizing just about any and everyday mechanism that have been relegated to the background of our existence like elevators, video cameras out in the street, escalators can be remotely accessed, hacked and changed to work on a new logic than what it may have been meant for. In far industrialized nations of the west for example even a simple tax as opening and starting your car is controlled by a network sand computer people at different locations through something called Lo Jack – essentially a telemetry set up that enables M2M (machine to machine) communications and control through satellite and cellular networks. Up until a few years back virus outages involved code that would use your mail servers as spam servers to further distribute the infected email as a wide and easy to replicate vector. Things started getting complicated with malware and worms with messier payloads that could replicate and mutate and foil the best antivirus engine’s threat detection mechanisms with command and control structures operating large and widely distributed network of infected computers called the botnets. Your average IT guy was soon swamped trying to stay ahead of an ever changing and evolving threat landscape that he could not make any kind of sense of unless they spent hours and years staying abreast of the technologies that the attackers used and the safety and foil mechanisms that the corporate defender had at his disposal. Things got complicated pretty fast and the bad guys were no more content on just erasing your hard drive or make it unusable but focused on how they could steal important financial information like credit card logs in and identification data.

 

Companies storing key identification details of their customers and their financial information that could be misused soon became the targets of smart minded hackers that were always looking for a chink in the IT armors to exploit and steal the important and sensitive data. Soon markets developed out of vulnerabilities in systems that could be sold to the highest bidder there who would then find means of exploiting and monetizing it further! White papers have been published looking at the business size and the economic impact it has on the enterprises. The new kind of internet security attack is aimed like all attacking maneuvers to disable and fatally strike down an enemy’s core systems. A few years back the state of Lithuania was similarly blockaded by an orchestrated distributed denial of service attack that totally slowed and brought down there internet
access and  their ability therefore to conduct any kind of business on the internet including disbursing financial credit through cards etc. Enterprises operate in such war like circumstances with the added advantage as it were (cynically) of a whole vast supply of internal threats and weak spots – the users and internal employees of the company, guests, contractors etc that come into the network and often create in their wake their own breaches or infections from poorly patched and maintained machines. One of the worst attacks of the last few months has not yet totally abated is the Conficker Worm that was spread by nothing more that the auorun.inf enabled by default for all USB drives. Poorly patched machines and disregard for the software upgrade process further enhanced the wider pandemic kind of infection vicious cycles that helped it grow to the gargantuan proportions it has today.

 

Corporate networks operate under two kind of rather differing circumstances in that they have to be partially open to allow for the influx of hu ans who will be suing the systems and the networks and the resources and also at the same time have or are repositories of information and fundamentals that represent a very large dis proportionate risk in their breach or compromise. The weakest link in corporate networks has always been study after study pointing to one major aspect or vulnerability and that was the human element that either by plain stupidity and carelessness as well as willfully and mischievously caused and has the capacity to cause the most harm and disruption. Today just securing your network against virus is not the end of the story for a lot of technology organizations; they need to consider another layer of security with DLP or data loss prevention systems. This is that change in the threat landscape such that no one solution or silver bullet exists to put everything under one manageable control. The natures of threats today are so various and constantly changing so as to effectively defy capture and detection through signature based mechanisms. Just as one vulnerability gets patched and other one is added more or less simultaneously and it seems to the un initiated like a never ending arms race – which probably is what it is! But organizations cannot just roll over and play dead – they have to on occasion by legal requirements and acts of law and at other times due to the unimaginable harm that such breaches can cause pursue an attempt to securitize and guard against breaches. But at more often than not business instances are full of organizations that thought this was a one time effort that could fix it all, guard and secure all doors and walls and windows. But information technology security is rarely like that or as easy as physical world security  – there are situations here where one is trying to guard against vulnerabilities that have not yet been found using only tools and signature based heuristics of known ones.

 

A certain class of paranoid or security super conscious organizations take things to next kevels and have their own, army of certified ethical hackers that are perpetually and manually trying to find out the next hack or chink in the software application. The deeper integration and coming together in terms of shared platforms or address books and core databases like telecom applications with email application and unified communications have also added to the various new ways that corporate systems and networks add to their list of vulnerabilities that already exist. A few years back a hack was discovered that could allow ordinary Polycom video conferencing systems connected to the corporate LAN for videoconferencing on IP (at that time the new technology glimmer and have to have product) become an entry point to the LAN and wreak havoc if needed be. Vendors in that space including one that I was working with at that time immediately moved to change their platforms and their operating systems, board architecture, chip designs etc. to accommodate more and more security – which in an already heavy codec was only adding overhead. These hardware refresh programs in the middle of 2005 by the videoconferencing makers actually brought out systems able to work with several more instruction sets per second and vastly helped performance and also allowed for a steady growth plan to accommodate more features on higher definition and higher security.

 

Security is expensive in more ways than one and at several systems it is a function of the hardware as it is the software applications that provide security. Modern day development tools for software focus on the amount of security and self healing capabilities that they can bring to the system and these need faster and better hardware and chip I/Os to work with. Vendors are pushing their envelopes and bringing to market bigger and better and today a lot of that bus bandwidth and the chip set cores go towards enabling a higher and higher level of security that now needs to be built in and authentication systems that now need to be enabled from biometric to simple mathematical passkeys. Even now computers get by with simple alphanumeric passwords as the identity management tool of choice – but soon this will become more and more irrelevant and face recognition, biometric, mathematical passkey generators will be the newer level of complication that will bring to the entire authentication process more simplicity and a higher degree of non compromise ability. Most organizations today concerned with information security or where information security is a government mandated compliance issue – two factors to three factors in and out of band authentication is today  the norm. The Reserve bank of India recently implemented PGP pass key based multi factor authentication for transactions in their organization. Vendors and analysts have called it the layered defense the only truly credible defense strategy that one can expect to have in the current corporate network security threat landscape. The multiple layers mean multiple vendors and a passing around of all the goodies and enhance complexity and drives more sales of hardware and software because you can never be sure if you have all the hatches closed.

 

Bureau and standards institutes and certifications exist that companies can strive to be lauded with after fulfilling several requirements  and after a sizeable cost and compliance exercises, but as these places they say this is a running exercise kind of an activity – there is no one shot and one size that fits and ends it all. The strategic organization takes all standards and fine tunes a standard of their own that often enhances and exceeds what is available thereby hoping to be a better standard, others create their own teams to comprehensively and continually test their defenses and in this continual process testing and strengthening their networks.

Advertisements

About Soumya
A technology enthusiast, forever enamored by all that it hath wrought and of course here is an attempt at making sense of it all and perhaps simplifying it!

2 Responses to Enterprise security and the new threat landscape.

  1. Jeremy says:

    Good point well made & the need for being secure takes precedence over all else or is it ? Perhaps we are not yet doing enough?!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: