Q&A: Assessing Cybersecurity's Past, Planning for the Future
Where is cybersecurity headed? We look at how regulation, social networking, and popular technologies (such as cloud computing) will impact your enterprise’s security management.
Where is cybersecurity headed? Security managers have many competing demands, from regulation to guarding against cyberwar. Throw in popular technologies such as social networking and cloud computing and the complexity grows. To assess the impact and sort out where security managers should spend their time, we contacted Mandeep Khera, chief marketing officer at security products provider Cenzic.
Enterprise Strategies: What were the cybersecurity highlights of the last decade?
Mandeep Khera: The year 2000 began with much concern over Y2K and the near paranoia this caused made it clear just how important computers and the Internet were to our daily lives. Early on, hackers focused on the network, creating worms and viruses that caused millions of dollars in damage. During the second half of the decade, however, there was a shift and a major rise in the number of attacks through the Web application layer.
In the last couple of years, application-related vulnerabilities have been hovering around 75 to 80 percent of total published vulnerabilities. About 75 percent of attacks have been occurring at the application layer, including many attacks against the government infrastructure, notable attacks surrounding TJX and Heartland payment systems, and social networking sites.
What can we learn from these events?
Our awareness has begun to increase as more cyber attacks make news headlines. The government, enterprise, and consumers all notice that cybersecurity is a real issue and now they are struggling with how to address it. Although billions of dollars have been invested at the network layer, of the over 100 million Web sites in existence, most are insecure and primed for hacker attacks. Hackers continue to become more sophisticated and organized but the thing that remains the same is their main motivation, which is either financial or political.
Recently we’ve seen an increased awareness around cyber warfare. What is the impact of cyber warfare on enterprises and enterprise IT? How will government organizations address this?
Cyber warfare has been dismissed or swept under the rug in the past, but now that it is becoming more mainstream, I believe cyberwar has truly arrived and will only intensify in the coming months and years. The latest incident between Google and China shows that China has been getting organized around their cyberwar capabilities. Although most of the attacks have been in a stealth mode, we are starting to see an increasing number of leaks. The government is behind the eight ball and needs to move quickly in solidifying our cyberborder.
Do you see the government’s role in cybersecurity increasing? For example, can we expect more regulations such as PCI in the next decade?
Yes, we definitely predict that there’ll be many more regulations at the federal level and even stricter guidelines for the government agencies themselves. First, we believe that government will pass a privacy regulation to protect consumers that will have a significant impact on all Web sites taking information online from consumers. Many states already have a regulation about privacy.
Second, government agencies that have had to comply with regulations such as Federal Information Security Management Act (FISMA) will be scrutinized more closely. We will see tighter guidelines about Web application security, either through an expansion of the existing standards or creation of new regulations.
We are also expecting more significant enhancements in the Payment Card Industry (PCI) standard to include more requirements and more clarification around Web application security. In addition, more merchants will be required to comply with regulations. Visa and MasterCard will soon impose more penalties down to Tier-4 merchants, which are the very small businesses. In other words, most retailers will be required to comply with PCI standards.
We also expect additional regulations in other industries such as health care. HIPAA has been around for a while but we believe that there will be additional provisions in the regulation and enforcement will increase.
How will social networking change cybersecurity? What impact will networks such as Facebook and Twitter have on enterprise security?
Social networking sites are leading more people than ever to disclose all sorts of personal information on the Internet. Although social networks such as Facebook and Twitter may not house Social Security and credit card numbers, the wealth of personal data they do store (including addresses, phone numbers, and passwords) should not be taken lightly.
Data from social networks will also give rise to increased identity theft as hackers sort through social networks to gather clues to unlock passwords and steal identities. As more new social networking applications emerge, new security challenges will undoubtedly rise.
What security issues will enterprises face as they move to the cloud, and how should they address these issues?
Over the past year we have seen a wave of organizations moving their infrastructure or applications to the cloud. Although this may seem like a good strategy from a financial perspective, there are major security issues that must be addressed to avoid disaster. As cloud computing continues to gain popularity, as with any trend, hackers will look for new ways to exploit vulnerabilities.
Most recently, in Google’s official statement regarding the decision to stop censorship in China, the company addresses that trust is paramount as corporations move to adopt the cloud. One of the key issues will center on legal liability -- i.e., who owns the responsibility, the enterprise or the cloud provider -- in case of a breach. We expect that there will be cases of breaches that will bring this issue to the forefront and we’ll see a resolution with joint responsibility between the enterprise and the cloud provider.
What are the biggest security mistakes enterprises make when moving to the cloud, and what should they do to avoid such problems?
The biggest mistake an enterprise can make is that it assumes that the cloud provider has taken care of security issues. Large cloud infrastructure providers may have taken care of some security issues. However, application security is usually ignored. Enterprises need to understand that in case of a breach, they are still responsible, not the cloud provider.
How can we prepare for the next decade in cybersecurity? What education is needed to arm ourselves?
Although we cannot predict exactly what will happen in the next decade, we can say without a doubt that cybersecurity is an issue that is not going to go away and is only going to get bigger. It is no longer only large enterprises and e-commerce organizations that must combat cybersecurity -- organizations of all sizes and types (as well as consumers) will need to adopt technologies to secure themselves.
When we look at where to begin when addressing cybersecurity, it is easy to see that security should be built into the development process. Just recently, several major universities have created programs focused solely on cybersecurity. From a legal perspective, I anticipate more regulations, similar to those of PCI, will be established around cybersecurity. I expect to see increases in fines for organizations that do not comply, as well as criminal punishment for hackers. As I mentioned before, hackers will continue to become more organized and sophisticated.
What role does Cenzic have in cybersecurity?
Cenzic is helping companies and government agencies secure their Web sites that support trillions of dollars in e-commerce. With a range of solutions from software to cloud, Cenzic is helping companies large and small to protect their Web sites from hackers. In addition, Cenzic’s “No Website Left Behind” program offers free products to universities (for use in their computer science curriculum) and charities. Cenzic is actively involved with associations such as OWASP, SANS, MITRE, ISSA, and ISACA, helping provide organizations guidelines for security processes. We work with NIST, PCI, Tech America, and other agencies to help develop policies to secure an infrastructure -- both private and public.