Assume you’re always under attack’: experts By: Liam Lahey On: 11 Mar 2011 For: ComputerWorld Canada
March 03, 2011Enterprises must make a conscious decision about what information we’re prepared to lose, said an exec with security vendor Symantec. Why companies are missing the mark with security risk management.
When asked if the only true hope for a secure Internet and the elimination of corporate data leakage begins with our children since the current generation’s track record speaks for itself, Dean Turner, the director for Symantec Security Response’s global intelligence network, smiles and responds: “We’re probably the first generation to have grown up in the analog and digital world. That digital world has changed us. Your analog-self would never go down to the community centre and post pictures of yourself half-naked and then publicly declare you’re going on vacation.”
Not to make light of what is a serious issue, but if the answer to improved cyber security is generational, Turner admits his younger 20-something brother has already said to him ‘this isn’t your Internet anymore’.
“Yes, there is a generational component to this. But not all information should be protected,” he insisted. “That’s where we’re headed. We have to make a conscious decision about what information we’re prepared to lose. You have to assume that people are crawling all over your computer right now . . . you need to assume that you are always under attack.”
He said to identify the business’s crown jewels, put strong, enforceable security policies in place, and restrict the flow of information between different classifications of individuals. Turner also discussed the Stuxnet malware and data security in general with ComputerWorld Canada while attending the 12th Annual Privacy & Security Conference in Victoria, B.C., in February. When asked if he thought Stuxnet and its impact is well understood he responded instantly, “In no way, shape or form.” “We’re talking about a threat here that was designed to target critical infrastructures. If we’re talking about most businesses in Canada, most of their focus is not going to be on something that would affect critical infrastructure,” he said. Large industrial-based sectors, such as oil and gas, have certainly sat up and taken notice, but by and large, individuals “are a little confused” by it all. Charles King, principal analyst with Pund-IT Inc. agrees the ramifications of Stuxnet remains largely misunderstood.
“While security admins are certainly aware of Stuxnet, full understanding of it is still evolving. Due to the apparent political intentions related to its development, the entire story may never be known,” he said. “Not sure I’d call it a game-changer but Stuxnet did arrive as it’s becoming increasingly clear that governments around the world are attempting to surreptitiously leverage the Internet both for their own economic and political gain and to attack or inhibit those they consider rivals and enemies.”
Turner added as individuals, we must also assume our information is continuously under assault. If you do that, you’re likely to be more cautious about what personal data you share online.
People should understand that the information they consider their own is of interest and value to others and in many more ways than they might imagine, King said. “A file or account that you might consider a black velvet rendition of Elvis may, to the right (or wrong) people, qualify as a valuable masterpiece.” David Senf, director of IDC Canada Ltd.’s infrastructure solutions group in Toronto, agreed that an organization’s data is always under attack.
“Security admins and those on the front line have a good understanding of the scope of the threats that their organization is under. But as you go up the ladder in that organization to find those holding the purse strings that could release money and buy more security solutions, they’re understanding is very limited,” he said. “They’ll believe they’re under one-tenth of the number of threats that those lower down in the organization believe that they’re under. The flipside to that is, only 15 per cent of organizations in this country believe they’re highly likely to lose data from such an attack.” Later, during a panel discussion at the conference, Turner repeated his message of establishing a selective data protection strategy by protecting only what is worth safekeeping. “What is game over for you in a business sense if that information gets out? You have to think about that because we’re all inter-connected at this point and it all has an impact on the bottom line of your business.”
Senf said the policies most firms have in place as it pertains to security is not related to the sensitivity of its data. “Very few firms do data classification,” he remarked. “They need to be doing security risk management to understand what their assets are and what the vulnerabilities are.”
Prioritization seems the logical approach because most organizations’ data resources are so vast and complex, King agreed. “However, effective prioritization requires a comprehensive approach to information management, and despite the best intentions, valuable or critical information may still slip through the net,” he added.
-- Lahey is an online community manager at Partnerpedia.com in Vancouver OR Lahey is a Vancouver-based freelance writer. Follow him on Twitter: @LiamLahey