Security can be useless when people still open dodgy e-mails and visit sites they should not
THIS YEAR has seen spectacular security breaches, with Sony, Google and national governments among the highest profile victims of a new wave of cybercrime.
Even RSA, a stalwart of internet security, has had its sophisticated authentication protocols compromised, highlighting how the bad guys are ahead of the game in the internet equivalent of the arms race. They may have different motives, but the hackers, “hacktivists” and cyber criminals are definitely winning.
“They are a collective reminder that conventional security is either not effective or not enough,” said Art Coviello, executive vice-president of EMC, parent company of RSA. “We will never keep up with individual attacks but we can create systems with the resiliency to withstand any attack.”
He was speaking at the opening of the RSA security conference in London last week, setting the tone for three days of discussion where the recurring themes were about knowing your enemy, understanding what they might want from you, and monitoring networks more effectively to respond to an attack after it happens.
This is an industry that openly admits to being on the back foot, with the get-out clause that employees rather than their solutions are the weakest link. “People have become the new perimeter,” warned Coviello. RSA’s own experience proves the point.
Company president Thomas Heiser picked through the bones of the “advanced persistent threat” (APT) that compromised RSA. It started with a “phishing” e-mail carrying a malicious Excel attachment that an employee opened because it appeared to come from a trusted source. It was the first phase of a planned attack that RSA believes was cyber espionage on a grand scale, the work of two groups acting on behalf of a nation state looking to steal secrets from defence contractors.
Smaller firms may take comfort from knowing APTs employ sophisticated criminal techniques unlikely to be turned on them, but there is still plenty to worry about. Security vendors will reject the suggestion that they spread fear to sell more products, but it’s hard not to be afraid when they tell you what’s coming down the line – literally.
Things have moved on a long way from begging letters from African princes. Phishing e-mails that appear to have been sent by legitimate institutions, trying to trick us into disclosing user names and passwords, are about to get a lot more sophisticated.
“There are tools out there already that threaten to tip us into crisis,” warned Hugh Thompson, a security guru and chief strategist with US firm People Security. He was talking about hyper-personalised e-mails with names and information captured by tools that trawl social network sites, creating detailed profiles of people.
“You can map someone’s life out from social networking sites. When phishers are able to automate e-mails that contain this level of personal information, then we’ve got a big problem,” he warned.
The number of people who inadvertently open and respond to malicious e-mails will rise dramatically once the details are more personalised, when a message contains the recipient’s name and some personal information rather than “dear customer”.
People are the weakest link. They download e-mails they should not, go to insecure websites, and tell the world too much about themselves (and their company) on social networking sites.
So why not lock down employee activity and throw away the key?
“That may be an approach, but I don’t know if it’s going to be effective. People have tried to lock down firewalls and block sites but it still doesn’t prevent an e-mail with a zero-day vulnerability getting through. And it’s very difficult to maintain that kind of environment,” said Eddie Schwarz, chief security officer at RSA.
Even if you throw more money at the problem? “You can’t solve anything with money, but you can make it a little better. The prevention piece will stop some of the stuff at the door, but it’s inevitable that one or two people will click on something that gets past the defences.”
The cloud is being touted as a cure-all for every other information technology problem, so will small businesses be able to use it to leverage best-in-class security to filter out unwanted e-mail?
“No, it’s not naturally going to do that. But as organisations move to the cloud they need to think about creating innovative solutions that approach security problems differently,” he said. “You can take virtualisation concepts and apply them to malware and other security problems. Good things can come out of the cloud if people re-engineer processes. The problem today is that people are just taking broken security infrastructure and throwing it up there.”
So what can a company do?
Schwarz talks about setting up highly secure enclaves within a business, away from the parts of the network where employees enjoy more relaxed internet privileges. He argues for a tougher type of end-user training, more like a fire drill than the traditional “dos and don’ts” lists. “Basically, you present them with doomsday scenarios that show them how something they did could bankrupt the company with everyone around them losing their jobs,” he said.
Pushed again, he conceded there could be some restrictions on web access. “It should be a little tougher, you shouldn’t be allowed to go to just any website you want,” he said. “But people also need a break during the day, to contact their children or do their online banking. You have to create an environment that allows them to do it in a safe way that doesn’t harm the corporate networks.”
Quite whether cash-strapped companies have the appetite or the money to prioritise security investment in the current climate was a discussion that barely registered at the conference.