Expect chaos and catastrophes in security landscape


By Merri Mack
Friday, 14 October, 2011


Websense has some statistics to confirm the imperative to get on top of the security conundrum. For example: 70.9% of websites with malicious code were legitimate sites that have been compromised; 4% of Facebook status updates have links that are spam or malicious code; 89.9% of all unwanted emails in circulation at a certain period contained links to either spam or malicious websites; and 52% of data stealing attacks occurred over the web.

“The enterprise soft egg shell just got even softer. The landscape has dramatically changed over the last 3 to 4 years, where the security defence needed now is more in depth from the days of server, to the gateway, to the desktop security,” said Chris Poulos, General Manager, Enterprise Security Products, HP South Pacific.

“It is not just external threat that security managers have to worry about, but there are more internal threats with theft of data and breaches of information security,” Poulos said.

John Reeman, founder and CTO at VMinformer, cites a case this year involving virtualisation, in which a disgruntled former employee used a wireless network to delete more than 80 virtual servers while sitting in a McDonald’s store.

“There are wider-reaching security issues involved in this particular story, but virtualisation made this breach a whole lot easier,” says Reeman.

Reeman says that every CIO and CFO should ask themselves a simple question: when was the last time your virtual infrastructure was audited?

“There are thousands of things to consider - too much for one person - but the audit and assurances have never been more important because of the central role virtualisation plays in today’s IT environment,” he said.

Reeman urges people to go back to basics, let common sense prevail and start monitoring and auditing what is going on in their organisation.

“I believe organisations that are complacent will be part of the most catastrophic system failures we have ever seen. I don’t know on what scale yet, but the warning signs are clear. We have seen them already. It is inevitable,” he said.

“Security executives in a recent HP survey said that security breaches by unauthorised internal personnel amounted to 30 percent. But it's not easy to know who is exactly responsible for the internal threats, because contractors often share their user IDs around, because user IDs are expensive,” said Poulos.

Logs are critical to understanding how many failed password attempts there were.

Scott Robertson, Vice President for Channels and Alliances APAC, WatchGuard Technologies, believes that social networks will pose the biggest threat to a network for years to come, as most businesses still don’t do a good job of defending against basic social network and web threats, largely because they lack the necessary security controls.

So how are they meant to get in control?

Companies should be rewriting their Acceptable Use Policy (AUP) and using technology as a means of compliance. The AUP should be designed to accomplish two important objectives: maintain employees’ high productivity levels and protect an organisation’s information bank from hackers and malware.

“Social media is the number one security threat in 2011 and moving forward. Social media in the corporate world is all about the culture of trust,” said Robertson.

Adam Bradley, ANZ Country Manager for Websense, says cyber-security is the most pressing concern for organisations of any size, with Advanced Persistent Threat (APT) techniques moving down the malware food chain to common cyber criminals.

“You need to examine the content in both inbound and outbound traffic to minimise risk. If you combine exploits with some well-crafted social engineering, organisations will be easy prey. It’s time to examine, in real time, the substance of each website visited and in each email to effectively battle this malware lifecycle.

“Put simply, the status quo is not acceptable,” said Bradley.


All content Copyright © 2024 Westwick-Farrow Pty Ltd