Monday, October 17, 2016

Fatigue is setting in on Information Security scares, a darker future ahead?

Another site hacked, millions of user credentials compromised!
Zero day attack discovered, patch on the way!
Ransomware is getting smarter, stay alert!

Everything having an embedded computer or chip is vulnerable to potential attack, especially if connected to the Internet. Compromised software, backdoors, unchanged admin passwords, shared identities, complex ever-changing passwords written down on pieces of paper: the number of ways in which we are being exposed is increasing every day. The information security bogey is breathing down our neck every minute while we wonder where the next attack will emerge from to compromise our identity or steal from us.

Every company going Digital is exposing information to the Internet; strategy varies by company and implementation, but the fact is that information is now available on servers that face the public and thus will be targeted. IT organizations and vendors tend to live in their self-proclaimed paradise, smug that they have taken adequate steps to protect themselves. Most believe that if there is no evidence of leakage or compromise, they are protected and do not need to worry about the changing threat landscape.

IT departments are under constant pressure to keep the information assets of the company secure and ensure the safety of data residing on various machines, on removable media, and in motion. They must also address phishing attacks on customers using their domains, as well as employees clicking through on spam. They have to protect the gullible, irresponsible, and naïve who refuse to learn from training programs and past mistakes, and at the same time provide access to information on mobiles, via internet cafes, and over public wireless hotspots.

Device management, network management, VAPT (Vulnerability Assessment & Penetration Testing), firewalls, anti-virus, DLP (Data Leakage Protection), log management, SIEM (Security Information & Event Management), patch management, hardened devices, VPN (Virtual Private Network), multi-factor authentication, identity management, IDS (Intrusion Detection System), IPS (Intrusion Prevention System), automatic malware detection and analysis, anti-adware, WAF (Web Application Firewall): the list of tools is almost endless.

All these pieces, or some combination of them, have to work together to make the enterprise safe and protect the extended ecosystem and staff. The information security organization struggles to educate and protect the digital assets of the company while consumerization of IT keeps creating holes in the fabric. Everyone wants email access on phones and enterprise apps on the go; the same phones have all kinds of apps downloaded from public app stores snooping around; containerization is still new though evolving.

Employees, especially senior management, desire the flexibility to also access corporate applications from their home computers, which are not under the corporate security programs. Increasing touch points increase susceptibility; the CISO has to work hard to keep under control a complex jigsaw which threatens to collapse regularly. Organizations are reaching a break point wherein they are now working on acceptable risk models rather than fixing every piece that is broken or likely to be threatened. Let some fires burn!

Most companies live in the perception that targets are normally the visible and high profile companies rather than the small, relatively unknown, obscure or insignificant websites and portals. DDoS attacks are launched only when there is commensurate gain; hacking attempts are made only on digital assets of value or high visibility. While this may be relatively true, the reality is that no one can afford to be slack in their preparedness or live in a fool’s paradise, believing that as a low profile non-entity they are safe.

In most large enterprises, security budgets have been steadily increasing to the point that they are now being managed independently of IT. Business expects periodic feedback on information asset security and on action being taken by competitors; Boards want answers on risks to business, market, and reputation in the digital world. The bogey of security is no longer adequate to get budgets sanctioned; budget requests need a clearly outlined business case, risk profiling, regulatory compliance for some industries, ROI, and a connection to business outcomes.

News of breaches today has become less sensational, with people accepting the fact that some will get compromised while the majority will stay safe and a few will not disclose. In most cases the root cause analysis indicates that human oversight, error, or not following the basics resulted in successful attacks, with the majority being internally motivated. Complex and high tech attacks target (pun not intended) easy pickings on financial and personal data that can be used for monetary gain, or are orchestrated by state actors.

Don’t let fatigue defeat you; stay awake and alert. The complex digital world increases dependence on technology and there are no choices to make!
