Subscribe

Security on the Spot Series

ITWeb Security Summit 2013: 7-9 May, Sandton Convention Centre, www.securitysummit.co.za.


Johannesburg, 05 Apr 2013

Expert participants in the forthcoming ITWeb Security Summit present their views on the current IT security landscape, risks and opportunities, in this exclusive Security on the Spot Series.

DRS Security Enabling Business - Jayson O'Reilly: Director: Sales & Innovation

1) What do you see as the single the biggest information security risk this year?

DRS Security Enabling Business - Jayson O'Reilly: Director: Sales & Innovation
DRS Security Enabling Business - Jayson O'Reilly: Director: Sales & Innovation

The single biggest risk I see to businesses is not paying attention to the cautions of cyber crime lessons learnt globally every day. The risk has moved on from being simple malicious intent to now being motivated by profitability. "Return on investment" is no longer a term used just in our everyday business, it's a term being used by the underground community of cyber criminals, who have realised that it's easier to focus on targeting less protected businesses than breaking into a heavily guarded organisations because it's equally rewarding.

2013 will become about the information and no one can afford to believe they are "safe" because they have made basic security investments. It's about taking a real look at the "crown jewels" and ensuring that security access, leakage prevention, and encryption address the key requirements of protecting the business' intellectual property. Moving to a risk-based approach is required in 2013, as a "risk-based" approach to security assumes a prevention mentality, taking a proactive approach by interconnecting otherwise silo-based security and IT tools and continuously monitoring and assessing the data. This allows organisations to achieve a closed-loop, automated remediation process that is based on risk.

2) What is the one key risk mitigation step enterprises need to take this year?
The rising tide of insider and advanced persistent threats, mounting regulatory pressure, and the impact of big security data on an organisation's operational efficiency have led many progressive organisations to adopt a "risk-based" or "business-oriented" approach to security. Becoming proactive, utilising existing investments and mitigating against critical security incidents will enable organisations and IT departments to spend less on technology and more on business enablement, and embracing IT governance will ensure value is realised quickly and risk is mitigated according to the organisation's risk appetite. This ensures companies remain competitive and are able to compete effectively in a demanding business climate.

3) What, in your view, was the biggest security breach of the past year?
Yahoo:
One major breach that occurred in 2012 managed to fly under the radar, despite happening to one of the larger online companies. Hackers broke into a Yahoo sub-domain by sending commands through an inadequately secured URL and managed to steal files from Yahoo's Contributor Network. In total, the files stolen contained about 450 000 user names and passwords. Shockingly, these files were not encrypted and were instead stored in plain text. The hackers involved made a statement claiming that this incident was isolated and that there had "been many security holes exploited in Web servers belonging to Yahoo! Inc".

Since the user information released was older, the incident didn't cause much damage. What it did do, however, is serve as a reminder to users and companies alike that older files and data needs to be guarded as vigilantly as new user information. Additionally, companies need to revisit and update security practices to ensure that all data is properly protected.

Lessons learnt from these security breaches? We can't always trust that others are doing the work that they should be doing in order to keep our personal data safe.

4) What is the biggest information security weak spot in the enterprise?
* The ability to deal with all the events generated from technology investments and remediating effectively.
* Making sense of incidents through proper analysis.
* Focusing on the most critical events.
* Moving up the security maturity stack.
* Assisting the business to clearly understand the value of information security.

5) In a nutshell, how has cyber crime changed in the past year?
The motivation for attack has dramatically changed. Cyber crime has become about the threat to intellectual property - whether personal or business, and the access to that information. The breaches we have seen through social networks or mobile devices are a clear sign that cyber criminals are starting to focus their efforts on these increasingly popular platforms. One in five adults online (21%) has been a victim of either social or mobile cyber crime, and 39% of social network users have been victims of social cyber crime, specifically:
* Fifteen percent of social network users reported someone had hacked into their profile and pretended to be them.
* One in 10 social network users said they'd fallen victim to a scam or fake link on social network platforms.
* While 75% believe that cyber criminals are setting their sights on social networks, less than half (44%) actually use a security solution which protects them from social network threats, and only 49% use the privacy settings to control what information they share, and with whom.
* Nearly one-third (31%) of mobile users received a text message from someone they didn't know requesting that they click on an embedded link or dial an unknown number to retrieve a "voicemail".

Cyber criminals are changing their tactics to target fast-growing mobile platforms and social networks where consumers are less aware of security risks. One only needs read the latest threat predictions to understand that the threat is only going to become more challenging with the increased consumerisation of IT.

6) What are cyber criminals targeting now, and what will they target in future?
* Criminals will benefit from the unintended consequences of espionage.
* Attackers will increasingly use apps, movies and music to install malware.
* Drive-by attacks and cross-site scripting attacks will be attacker favourites.

* ERPScan - Alexander Polyakov, chief technical officer

1) What do you see as the single the biggest information security risk this year?

ERPScan - Alexander Polyakov, chief technical officer
ERPScan - Alexander Polyakov, chief technical officer

There will be many answers about mobile, cloud and SCADA from other experts, and they are right. But I predict that there will be a shift to targeted attacks on business-critical applications and systems of large organisations.

2) What is the one key risk mitigation step enterprises need to take this year?
Take a look at the most critical resource, such as business applications, and monitor the security of those resources daily, as well as the source code of custom-developed applications.

3) What, in your view, was the biggest security breach of the past year?
I think that the biggest breach is not known and there will be many more breaches that will be unknown in the future. Think about corporate espionage or playing on stocks knowing corporate secrets before publication. The risk and consequences of this kind of breach can be much bigger than all current breaches, such as LinkedIn password exposure, which in fact, had no impact on the company.

4) What is the biggest information security weak spot in the enterprise?
Their key business systems that store and process all valuable data such as ERPs, and the systems that process data like Enterprise Service Bus. They are much less secure than other systems such as Web sites because they were closed for real attacks for many years, but now they are more and more known and exposed to the Internet.

5) In a nutshell, how has cyber crime changed in the past year?
I don't think I can say anything new here. As a lot of people know, it has become more professional.

6) What are cyber criminals targeting now, and what will they target in future?
Now, it is mostly financial organisations, but in the future, I think, they will also target large corporations from every business field, and there will be attacks from competitors. Like cyber war between countries, so too will cyber war unfold between large organisations that have real power.

* Mimecast - Heino Gevers, Senior Sales Engineer with specialisation in information security

Mimecast - Heino Gevers, Senior Sales Engineer with specialisation in information security
Mimecast - Heino Gevers, Senior Sales Engineer with specialisation in information security

1) What do you see as the single the biggest information security risk this year?

In the age of BYOD and the continued consumerisation of IT, enterprise organisations are having to accommodate end-user requirements to access company IP remotely from their personal tablets and/or smartphones. This trend, while mostly positive in relation to productivity, can bring some serious security concerns into the enterprise. Providing training to employees will be essential to make sure they understand how to correctly use their applications, make the most of their mobile capabilities, and watch for suspicious activity. Once you've embraced BYOD, promote it.

2) What is the one key risk mitigation step enterprises need to take this year?
Adoption to cloud has increased among enterprise organisations. However, organisations need to be reminded that not all cloud providers are made equal when it comes to security. They are encouraged to do their own due diligence by checking what efforts the cloud provider has gone to as far as publishing and independently auditing their security processes and control. They also need to request the provider's security certificates and documentation and take their time to review the material. Ask questions and discuss where there are concerns.

3) What, in your view, was the biggest security breach of the past year?
The Twitter security breach where millions of usernames and passwords were leaked; an example of a sophisticated cyber attack which all organisations should be wary of.

4) What is the biggest information security weak spot in the enterprise?
Not being able to accommodate end-user requirements to access company IP remotely from their personal devices, which forces them to use alternative platforms which the company has no control over in order to either share company IP or allow them to access the content remotely.

5) In a nutshell, how has cyber crime changed in the past year?
With the widespread adoption of mobile devices among end-users, the focus of cyber criminals has moved to the end-users and targeting them through various platforms like Internet banking, e-commerce and social media sites.

6) What are cyber criminals targeting now, and what will they target in future?
Accessibility to the Internet has become easier for the end-user through the adoption of smart mobile devices, and with no proper education process in place, it makes end-users more vulnerable to phishing scams and identity theft. Cyber criminals will continue to exploit end-users as social sites continue to evolve to comprise more end-user personal information.

Heino Gevers has over 10 years' experience in the IT security industry. He joined Mimecast SouthAfricain 2008 where he took on the role of Senior Sales Engineer with specialisation in information security. In this role, Gevers helps clients map their business objectives and technical requirements to Mimecast's product suite to ensure seamless, easy and uninterrupted communications.

* Simon Hunt - McAfee (in partnership with Event sponsor Performanta)

1) What do you see as the single the biggest information security risk this year?

McAfee - Simon Hunt VP and Chief Technology Officer, Endpoint Security, M&A, Patents and IP & Innovation (in partnership with event sponsor Performanta).
McAfee - Simon Hunt VP and Chief Technology Officer, Endpoint Security, M&A, Patents and IP & Innovation (in partnership with event sponsor Performanta).

The normal - monetisable IP and data theft. Attacks are getting bigger and bolder. We expect to see far more activity around the mobile space.

2) What is the one key risk mitigation step enterprises need to take this year?
Know you're being attacked and losing information which requires a real-time understanding of the global threat landscape by leveraging immediate access to information on events, users, systems, data, risks, and countermeasures within your environment for actionable situational awareness. This rich understanding of risks within your environment reduces time to respond and provides intelligently prioritised security actions you can take to protect your organisation.

3) What, in your view, was the biggest security breach of the past year?
Without a doubt the most devastating attack was the Shamoon attack on Saudi Aramco that impacted 30 000 machines. The biggest security breach in the last year was not a single breach, but the combined theft of companies' and government trade and sensitive secrets from across the globe. This is an issue that is concerning governments and large corporations around the world.

4) What is the biggest information security weak spot in the enterprise?
Visibility and knowing you have an issue. There have been numerous public examples of attacks from Stuxnet through to Flame and Duqu where the network attacked has been compromised and data has been leaking from the organisation for several years in some instances. In many incident response engagements we see that the organisation attacked did not know they had any issue, and in many cases they did not know what was lost.

5) In a nutshell, how has cyber crime changed in the past year?
No great revolution, but the sophistication of malware "toolkits" is now extremely worrying. These advance malware development kits, and the supporting infrastructure, are so advanced that the barrier of entry is lower than ever - with a significant portion of the global compute estate not having any reasonable protection - it's easy to be a successful cyber criminal.

6) What are cyber criminals targeting now, and what will they target in future?
Mostly they are still targeting you and I, as it's easier to make money from hacking our bank accounts, and stealing our identity, than it is to hack a dedicated corporation and sell company confidential information. In the near future, I don't see that changing, though I expect more successful malware on mobile devices because most people have no protection for their smartphone, yet the trend is to do more and more banking and financial transactions via them.

In the future, if generally PCs and phones become resistant to attack, we'll see the focus move onto different aspects of "the Internet of things" - for example, smart TVs, routers, game consoles, etc - other devices which have access to the content feeds with valuable data, devices we use to do banking and surfing, etc.

Of course, the dedicated, focused attacks on corporations and governments will continue to occur and evolve in sophistication.

Share

Editorial contacts

Leigh Angelo
ITP Communications
leigh@tradeprojects.co.za