Security is dumb

By Eliot Beer. Published June 25, 2006

Security is everywhere, and it is spreading. As oxymoronic as that sounds, it is true – as networks become more valuable, for hackers and enterprises alike, areas which were never considered security priorities in the past have suddenly come under scrutiny. The ingenuity of the various people and organisations intent on compromising or co-opting them is ever on the increase, and the search for vulnerabilities in hardware, software and end users is accelerating; at the same time, vendors and network managers are struggling to keep up with the onslaught. Software can be patched, hardware can be augmented – but people are more of a problem.

The problem comes with multi-vector attacks, where malware writers target a range of vulnerabilities – some of them human – simultaneously. Whatever form this comes in – a phishing email that also plants a keylogging Trojan; a ‘ransom note’ virus which also spreads itself via email and instant messaging programs; or a network attack which works its way across a massive range of ports until it finds one which is incorrectly secured – the principle relies on a mixture of human weakness at the point of entry and technical weakness in an associated system.

At the moment, a range of security silos exist throughout the network: authentication, perimeter security, anti-virus, VPN, internet logins. And, at the moment, there is very little communication between them – they are largely ‘dumb’ systems. Malware and hackers can deal with each silo in isolation, either compromising or circumventing each in turn until they reach their goal. The only things linking all the systems are the – all too human – users and network managers.

This silo effect extends even to management structures; the Deloitte 2006 Global Security Survey of financial services companies notes:

“[Historically] most organisations have addressed security concerns from the perspective of a number of different functions within the organisation and, typically, in a non-integrated fashion.

“This approach is due, in part, to the fact that IT security has been primarily viewed as an IT issue and that physical or corporate security has been concerned mostly with the process of keeping the ‘bad guys’ out… Only recently has the marketplace become aware of the possible benefits… of bringing together these two areas of the organisation.”

The survey’s authors go on to say that this convergence trend is still in its infancy; 24% of respondents have implemented some form of convergence, with 7% planning to tackle the issue within the next two years. They also note that it is “cultural and structural elements”, rather than a lack of rationale, that are holding back convergence in security.

So what is the solution? Certainly there is no easy answer; on the one hand, asking the wide range of security systems to cooperate is not something that will happen overnight, if it can happen at all; on the other, training end users, and network managers, to recognise and avoid security threats is never going to be 100% effective. At the same time, the Deloitte survey paints a picture of management structures talking at cross purposes.

This month we look at intrusion detection as part of our security focus; next month NME will be examining issues around authentication. If you have an opinion on these subjects, or an experience with them you want to share, please email me on eliot.beer@itp.com - I’ll be happy to hear from you. The Deloitte survey is available here.
