In the last few years security has shifted from being an issue that organizations deal with only when a crisis occurs to one they must confront daily. This is putting pressure on organizations to stop relying on knee-jerk reactions as their means of ongoing security management and instead adopt a systematic approach to dealing with both external and internal threats. The problems that internal threats present, and why they are so difficult to detect, were discussed openly during Wednesday morning's keynote at Symantec Vision 2013.
I have worked for organizations of all sizes (small, medium and large) in both the public and private sectors. If there is anything I learned over that period of time, it is that security tended to (and still too often does) play second fiddle to other business priorities.
This approach is driven in large part by the sensationalized nature of security breaches. Incidents such as the Sony hack, in which credit card information was taken, almost always result in other organizations scrambling to make sure they are not susceptible to the same type of threat and then taking action if they are.
But over time the resolve to stay ahead of potential threats tended to fade. After the first wave of action was taken, focus on security shifted to maintenance mode, with any future substantial security updates driven by the next external crisis. Thus the cycle became: a crisis occurs, security is enhanced if needed, the crisis passes, the public forgets, the system (hopefully) survives, and other projects compete for the dollars needed to keep the corporate security infrastructure resilient.
Thankfully that mindset seems to have eroded in recent years, at least in larger enterprises. While security enhancements and purchases are still too often reactions to data breaches that have already occurred, the Internet and the growing cyber security threat have forced larger organizations to maintain a proactive posture in managing their corporate infrastructures, with the aim of preventing data breaches before they happen.
Yet as anyone knows, security is only as good as its weakest link, or links as the case may be. Today those weak links are finding their way into even the most secure infrastructures, making them vulnerable to attack in ways that are not easy to detect. As individuals increase the number of mobile devices (phones, laptops, tablets and even thumb drives) that they use and bring to work, they undermine the traditional methods organizations use to protect their intranet "perimeter": a device that walks in the front door is already inside it.
These devices may be hostile in two ways. First, they may carry software that the individual does not even know presents a threat to his or her company. In these cases it is incumbent upon the organization to have defenses in place that detect this malicious software once the device connects, and then protect the company from the havoc it can potentially create.
More troubling are those individuals (employees or otherwise) who enter a premises with malicious intent. This could spell trouble in two possible ways. They could carry a wireless device that they use to attack the network from inside the building. Alternatively, they may present themselves as a trusted individual carrying one of today's small portable storage devices with tens or even hundreds of GBs of capacity. In this case they may not even need network access: with physical access to a workstation they can potentially copy and carry offsite unprecedented amounts of data without anyone knowing it ever occurred.
It is this type of security threat that companies need to step up and address, as it requires them to detect the threat from inside the firewall. This is an angle of data security that enterprises are often ill-equipped to handle. While every corporation expects attacks to come from the Internet (Symantec even used the term "Cyberwar" to describe this segment of the keynote), these internal attacks may present an even larger risk of data loss or compromise than those that originate from the Internet.
More disconcerting, the access to or compromise of data by these attacks may never be detected or discovered. During the keynote presentation, Adventist Health System's Corporate Data Security Officer, Sharon Finney, made the observation, "No offense to my DBAs but they present my biggest security risk since they have access to all data in an unencrypted format."
Aggravating the situation in terms of detecting such data breaches, no benchmarks yet exist for what constitutes a "normal" pattern of data access. Even if an organization did detect that a large amount of data was being accessed and then copied from one storage device to another, the rules governing such data movement have yet to be defined. As a result, detecting such data access and movement may still not prevent a data breach, because there is no way to tell whether the activity is normal, especially when it is initiated by a "trusted" source inside the corporate network whose everyday job already involves touching large volumes of data.
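The practical consequence of having no benchmark for "normal" is that a fixed alert threshold either fires constantly on the DBA-type accounts Finney describes or is set so high that it misses everyone else. The following is an added example, not code from the keynote or from Symantec; it assumes a simple audit-log format (ISO timestamp, user, action, bytes returned) and uses constructed sample lines, not real audit data. It builds a per-user baseline from prior days and compares that against a naive fixed-size rule over the same log.

```python
"""Per-user baseline for data-access volume (added example, not from the keynote).

Assumed audit-log format, one event per line: ISO timestamp, user, action,
bytes returned. The sample lines are constructed for the demo, not real data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed log: a DBA who routinely scans ~1 GB/day, and an analyst who
# normally touches ~2 MB/day. On 2013-04-04 both move far more than usual.
SAMPLE_LOG = """\
2013-04-01T09:12:03 dba1 SELECT 1200000000
2013-04-01T10:40:11 dba1 SELECT 950000000
2013-04-02T09:05:44 dba1 SELECT 1100000000
2013-04-03T09:30:00 dba1 SELECT 1050000000
2013-04-04T02:13:27 dba1 EXPORT 9800000000
2013-04-01T11:00:00 analyst1 SELECT 2000000
2013-04-02T11:10:00 analyst1 SELECT 2500000
2013-04-03T11:05:00 analyst1 SELECT 1800000
2013-04-04T11:20:00 analyst1 SELECT 2200000
2013-04-04T23:50:00 analyst1 COPY 600000000
"""


def parse_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, nbytes = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "bytes": int(nbytes)})
    return events


def daily_totals(events):
    """Bytes accessed per user per day, keyed by user then ISO date string."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["user"]][e["ts"].date().isoformat()] += e["bytes"]
    return totals


def flag_absolute(totals, limit):
    """Naive rule: alert on any (user, day) over a fixed byte count.

    This fires on every ordinary day for a DBA whose job is full-table scans,
    so the one day that matters is buried among routine alerts."""
    return sorted((u, d) for u, days in totals.items()
                  for d, b in days.items() if b > limit)


def flag_against_baseline(totals, cutoff, factor=4.0):
    """Learn each user's mean daily volume from days before `cutoff` (ISO date
    string), then alert on later days exceeding `factor` times that user's own
    mean. Returns (user, day, bytes, baseline) tuples.

    A user with no history before the cutoff gets a baseline of 0 and is
    flagged for any activity: an unknown principal moving data is itself worth a look."""
    alerts = []
    for user, days in totals.items():
        history = [b for d, b in days.items() if d < cutoff]
        baseline = mean(history) if history else 0.0
        for d, b in sorted(days.items()):
            if d >= cutoff and b > factor * baseline:
                alerts.append((user, d, b, baseline))
    return sorted(alerts)


if __name__ == "__main__":
    totals = daily_totals(parse_log(SAMPLE_LOG))
    print("fixed 500 MB limit:", flag_absolute(totals, 500_000_000))
    print("4x own baseline:   ", flag_against_baseline(totals, "2013-04-04"))
```

On the constructed log the fixed 500 MB rule raises five alerts, three of them on the DBA's ordinary days, while the per-user baseline raises exactly two, both on the day the large copies happen. Two caveats a practitioner should carry into any real deployment: a baseline learned while an insider is already exfiltrating slowly will treat that exfiltration as normal, so the training window needs to be reviewed rather than trusted blindly; and a per-user mean is only a starting point, since volume alone says nothing about the sensitivity of what was read or where it went afterwards.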
A third problem that Symantec has seen is malware that sits dormant inside organizations for a year or more before carrying out its intended purpose. Such malware is often nearly impossible to detect because, as HP's VP of Enterprise World Security Services Sam Chun points out, "Highly sophisticated organizations are developing this software."
The world of security has changed significantly in the last few years. While most large organizations understand and recognize the threat that the Internet presents to their business and have put in place measures to counter it, they are still ill-prepared to deal with and manage the threats that originate from within. Yet it is these threats that may ultimately prove far more dangerous than anything they have dealt with to date, and the tools they need to adequately protect themselves against them are still in their infancy.