Twenty-Four Seven Security

Peter Schooff

Effective Security Must Be Proactive: A Podcast with Top Layer Networks


Listen to or download the 7:41 minute podcast below:




What follows is the transcript of my podcast with Mike Paquette, Chief Strategy Officer of Top Layer Networks. Mike has over 23 years of experience in computer networking and security, and in this podcast we discuss how companies must be more proactive with their security.

First -- can you just tell me what type of attacks companies need to be most concerned with today?

Yes. One of the major concerns is the compromised computer. The compromised computer meaning a computer that's been infected with some software other than what the user or the administrators intended it to run. This is at the root of many of today's cyberthreats. So I think that organizations should be taking steps to protect against the malware, which is this undesired software, by keeping the systems patched, by using technology like intrusion prevention systems, and by educating users to protect against the targeted attacks which are prevalent today in 2007, and I expect these targeted attacks to be prevalent going into 2008, as well.

How can companies become more proactive in solving their security problems?

Well, I guess the simplest way to say this is by investing in IT security infrastructure and policies before a significant security incident takes place.

In saying this, are we saying that most companies now are typically reactive when it comes to security?

Well, somewhat. There are actually a couple of ways to look at this. Today, many organizations are investing in IT infrastructure but they are motivated by regulatory compliance. And I always wonder, "is that proactive or reactive?" It's proactive because it's actually ahead of an incident taking place, but they are being pushed a little bit by an audit or some other regulatory pressure. So -- I think proactive means that IT security infrastructure is improved on a regular basis and for the purposes of enabling business, first of all. But also, to ensure using a reasonable level of care in protecting the systems and the data on which the business operates. So, I would have to summarize that by saying that I think there are indeed some organizations that are being proactive, but there are still quite a few organizations that are being reactive.

So much of security is what we don’t know with the unknown threats, and things that haven't been discovered yet. So, how is it possible to be proactive against basically the unknown?

That's a good question. It is true that the actual vulnerabilities that enable some of these new attacks are not known yet. That's a fact. However, the general vectors or the methods over which these attacks will occur are known. Compromised computers, you know, will continue to be at the heart of the cyberthreat risk. Stolen laptops. Lost USB memory sticks. These types of methods or avenues through which these threats and attacks can take place are known today.

So organizations that take proactive steps today to secure these items, they can actually get real risk reduction both in the reduced likelihood of physical loss and the reduced liability because they've at least taken reasonable care using existing technology to reduce those risks. So to summarize my answer to that question: yes, indeed, some of the actual attacks are not known yet, but the general categories in which they will take place are known and we can make proactive investments in those categories today, to reduce risk.

Are there any mistakes a company might make in trying to almost be too proactive?

Yes, there are some mistakes that can be made. And a typical one gets back to the comment I made just a little bit earlier about if compliance, regulatory compliance, is the driver and an organization thinks, "yes, I'm being proactive because I'm going off and meeting this regulation," -- you've maybe heard the term of compliance for compliance's sake? Well, I think this is a mistake that some companies are making. They're implementing the bare minimum, the letter of the law, to meet some regulatory compliance.

For example, the Payment Card Industry Data Security Standard. There are ways you can meet that specification by implementing bare bones techniques and technologies that just barely meet the specification. Organizations that do that are missing a huge opportunity because most of those regulatory compliance guidelines are done for good common sense reasons to help reduce risk. So one mistake is compliance for compliance's sake. I suppose there are some organizations that make another mistake, which is implementing so much IT security, so much process and technology, that they actually impede their organization's ability to do what they need to get done. So, I don't see that too often but sometimes you see the security team going overboard and implementing password policies that are so complex that they actually backfire and everyone is writing down their passwords on a little sticky and putting it next to the monitor.

What do you see for the future of security threats in this proactive approach?

I think we're in an era where the lure of easy money is going to be a primary motivator for, you know, as far out as I can see with regard to the threat landscape. Whether it's in the physical realm of stealing laptops, whether it's in a little more intelligent realm of stealing data to be used for subsequent exploit, like identity theft. I think that's going to be the primary motivator.

And, so what that means -- when I try to answer this question, I like to look at what are the IT trends that are taking place, and how do those IT trends layer on top of them, there's the greed factor and the lure of easy money for people who are so inclined to take illegal steps to get there. And I can see a few things. I think compromised computers, and again, those are computers operating software that was not intended to be put on there by the user or by the administrator -- that would remain a primary vehicle for these threats.

And by computers, I think we're going to expand our scope beyond the desktops and the laptops, but certainly into our PDAs and our smartphones. I think we'll continue to see phishing attacks where email messages and IMs that go to end users are luring them, you know, I call it the tempt-to-click email and the tempt-to-click IM because once the user is lured into clicking on one of these links, then it's actually quite straightforward to download this malware to their computer and start the whole cycle.

And from the software side, remember -- there are generally vulnerabilities in commercially deployed software that allow these remote exploits. Unfortunately, there doesn't appear to be any slowdown in the discovery of vulnerabilities in software. What we are seeing, as a trend, is that vulnerabilities that are discovered in software are found deeper and deeper into application software that processes certain file types. It's less common to find the vulnerabilities in the operating system or the communication layers, but they are really found deeper into applications.

So, long-term, this is good news because it means ultimately, software will be wrung out from, you know, sort of from bottom to top. But in the short-term, there's no shortage of vulnerabilities in place. So I think the threat landscape will continue to be motivated by financial gain. Compromised computers are not going away any time soon and there's a good supply of vulnerabilities that are going to allow this to take place.


Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


Peter Schooff is Forum Editor and frequent blogger for ebizQ. Peter can be reached at peter@ebizq.net
