Security Focus in 2010: Internal Threats, Cloud Computing, and Mobile Devices
CA’s chief security architect discusses the three key areas for security professionals’ attention this year.
By Tim Brown
Long before 2009 started to wind down, IT security professionals, vendors, and analysts were thinking about the biggest security threats the industry would face in 2010. IT security professionals started prioritizing and performing risk analysis on what threats needed the most attention and greatest resources. Vendors continued preparing products and services to help customers combat those threats. Analysts started to plan their research and predict the impact that particular threats will have on an organization.
Many views of 2010’s biggest threats overlap. Among them, the most common include cloud computing, cybercrime, and mobile devices. Where the viewpoints differ is in why each threat is an important red flag this year.
Here are three top areas that warrant the attention of security professionals in 2010.
Cloud computing has emerged as the next step in technology evolution following the path of mainframe, client/server and Web applications. Like the platforms before it, cloud computing has its own set of security concerns. However, just as we saw with other technologies, business needs will win out and cloud models will be deployed as companies continue to seek ways to cut costs and enhance productivity. Therefore, ensuring security of data and applications residing in the various cloud platforms is critical.
Although security duties may be shared between cloud providers and cloud consumers, today the ultimate responsibility for the security of data in the cloud falls on the organization collecting the information. This will drive more detailed and specific customer/vendor agreements as legal implications are sure to come to the forefront.
As cloud computing adoption continues, compliance -- another security-related issue -- must be managed. IT workers will need to develop their skills to think like auditors and testers. Some regulations are specific about how and where data is stored. This, too, will drive contractual issues and may go directly against some cloud models.
In addition to cloud vendors and cloud providers, there are vendors focusing on providing technology to support and enable the cloud environment, security software included. The security industry has spent the last 20 years developing intrusion detection software, identity management systems, firewalls, anti-virus systems, data leakage protection, advanced warning systems, and many other technologies focused on securing the non-cloud world. Some of these solutions transfer directly to securing the cloud, but others need to be adapted and developed for the cloud.
Internal threats have steadily grown every year, and 2010 will be no different thanks to several industry phenomena.
First, consider global economic conditions. Employees who fear a layoff will stockpile data and corporate information they feel will help them if they become victims of downsizing. Several proof-of-concept demonstrations of CA’s data loss prevention technology showed that in the weeks before an employee left a company, he or she was e-mailing company-confidential data to a home e-mail address. Although this was probably not a malicious act, the data was sensitive and included customer lists, e-mail archives, and other data that would make the employee more marketable or effective in a new job. In addition, a study conducted earlier this year by Ponemon Institute showed that 59 percent of former employees admitted to stealing confidential company data.
Just as businesses are adapting to economic conditions, cybercriminals will adapt. In the past, attacks and hacks were often “loud” in an attempt to gain attention. Now they are more “invisible,” with cybercriminals working hard to remain under the radar to steal data and identities for profit. In the future, cybercriminals will have to find new ways to circumvent the improved defenses on operating systems, networks, and applications. This will include hiring “moles” to locate weaknesses and using employees willing to siphon data for a profit.
The bottom line is that cybercriminals are well organized and will use all methods possible to maintain and grow their business. IT departments need to take appropriate steps to control access to sensitive data, monitor activity, and educate employees.
Today, mobile devices are used inside most corporations -- sometimes without the IT department’s knowledge. Up until now, there have been few successful attacks on mobile devices. However, as the power and flexibility of mobile devices have grown, their risk to the business also has grown.
Some devices have more than 30 gigabytes of storage. That is enough to hold a virtual image of many HR systems and to store years of e-mail history and attachments without corporate IT’s knowledge. This presents the potential for data leakage of personally identifiable information.
On the malware side, devices can connect to 3G/4G WiFi networks and wireless networks at broadband speed and do not go through a corporation’s existing intrusion detection systems. This means they operate unmonitored and have the power to run multiple applications that are easily downloaded, not corporate certified, and potentially malicious.
Until today, a cybercriminal’s most effective method of stealing data was to create malicious code for the Windows platform. As defenses improve and the Windows platform continues to be hardened, new targets and methodologies become more attractive and organizations need to prepare for those attacks.
Tim Brown is a distinguished engineer and chief security architect for the Security and Compliance business unit at CA, Inc. He has worked with many companies and government agencies to implement sound and practical security policies and solutions. Recently he provided expert testimony at the Cyber Security R&D hearing before the (U.S.) House Committee on Science and Technology, Subcommittee on Research and Science Education. Prior to joining CA, Tim spent 12 years at Symantec. He is an avid inventor with 14 patents on file in the security field.