Which of securitys many headaches is the most pressing in the next year? The experts gave their opinions to the organisers of the Infosecurity Europe 2005 Show and we decided some of them were worth publishing and commenting on.
Take your choice form the following responses: organised subversion of companies from within; organised crime; the shortage of trained security experts; overselling by vendors of inappropriate products; mobile technology is often not well secured; ineffectiveness of governments and the law to deal with the spike in computer crime; botnets; phishing; the difficulty of securing new technologies such as VoIP.
Security is a troubled realm, but lets not worry overly right now. As ever in human affairs, were still a few beers away from utter disaster.
Andrew Yeomans, Dresdner Kleinwort Wasserstein
The biggest security problem in the next 12 months is understanding the real business value of the many security "solutions" in the marketplace. The vendor's problem isn't necessarily yours. The one piece of advice I would give to Infosecurity professionals faced with this problem to mitigate the danger is:
Invest in success, not failure. Spend the most money on provably-strong primary security solutions, rather than on products that mitigate the failure of other products. For example, if email attachments cannot be run, it reduces the dependence on anti-virus products. If spyware cannot be installed, it reduces the need for anti-spyware and personal firewalls. The Jericho Forum is working towards provably-strong interoperable solutions.
Techworld comment: A long-winded but interesting way of saying something that will be obvious to any Infosecurity visitor with money to spend: dont buy products just because they are there. Many security products perhaps most of them in a way are there to patch over failures of past technologies to consider misuse or bad intentions.
Stuart Okin, Accenture
The biggest security problem that organisations will face in the next 12 months is securing organisational data on the move. There will continue to be demand for more and more convenient access to data, email and other applications to support new business processes and working methods. This has spawned the enormous growth of mobile devices such as PDAs, Blackberrys, Smart Phones etc.
These devices have grown out of the consumer market and as such do not fit within existing security architectures, technologies and processes. The problem for information security professionals is how to support the new business models whilst ensuring the security of confidential company assets.
Information Security Professionals will need to focus on ensuring that the use of these devices is secure. Why would you attempt to break through secured network infrastructure when you can simply steal the CEOs PDA?
Techworld comment: Agreed, mobile technology is still a shocking security oversight. But what do companies expect in an age where most surveys tell us employees still see mobile computers, including laptops, as unofficial personal property? Few companies seem to have any policies to formalise these affairs let alone technology to cope with its abuse, inadvertent or otherwise.
Cyber-crime is growing faster than the police or courts ability to deal with it. Traditionally cyber-crime involves breaching a company's security barriers in order to steal data or services from the company. Unfortunately, this classic model is changing. Organizations must now deal quickly with problems that are not under their direct span of control such as criminals who:
1. Destroy the company's reputation by phishing attacks on their customers. Because these attacks emulate a legitimate business in order to elicit personal information from customers, the customer looses money and faith in on-line transactions, and the business looses customers.
2. Impersonate legitimate customers by way of identity fraud. The business completes a transaction and only when the customer is billed for the transaction is the identity theft recognized.
Techworld comment: Wed go along with his general observation but point out that the cyber-criminals are starting at last to feel some retribution form the law. Legislation is starting to bite, particularly in the cyber-crime capital of the world, the US. Making further headway will require a large amount of global cooperation that could be a decade off coming into existence.
Professor Brian Collins, Cranfield University
Keeping all their security solutions, mainly technical, up to date and compatible with each other, in the face of increases in identity theft, phishing and spyware. This will be compounded by a lack of professionally qualified people to manage both the security technology and the policies and procedures that govern them.
Techworld comment: Now theres an issue to secretly gladden the heart of anybody who happens to have security know-how already. There arent enough of you around. What makes you a security techie over an above any other form of computing expertise? Nobody knows or at least nobody agrees. Experience mostly.
Bryan K Fite, Reed Elsevier Information Security
The biggest security problem facing companies in the next 12 months will be disruptive technology; personal media players, USB hard drives, camera phones, WiFi/Bluetooth enabled peripherals, P2P and "FREE" 3rd party services. These technologies currently exist in most enterprises but few of them are "officially" supported. Therefore they don't exist.
By thinking strategically, you can avoid all the little fires you face on a daily basis by preventing them in the first place. A way to start moving in that direction is to avoid describing security challenges in highly technical terms but rather why these "bad outcomes" could be harmful to the business. Decision makers are much more responsive when you speak their native language.
Techworld comment: Employees love all this digital detritus as much as most security managers hate it. But if you deny theyre a problem, then youre safe, no?
Chris Potter, Partner, PricewaterhouseCoopers LLP
The biggest security issue I foresee over the next year isn't about the technology. It's all about how businesses work. If you ask management what priority they put on information security, they agree that it's important and rising in importance. Yet, at the same time, in many businesses, this is not translating into action. There's always been a communication gap between business people and IT professionals, and nowhere is this truer than for information security. To be successful, information security professionals need to be able to understand the technical risks, assess how these can be solved, but then, most importantly, translate this analysis into commercial terms.
Techworld comment: Technology was great fun in the 1990s; now it has to earn its keep. And somebody has to explain why philosophers dont write sales literature and why IT comes at a cost.
David Lacey, Royal Mail Group
The biggest problem security problem we will encounter in the next year will be the business demand for Voice over IP. VOIP is hard to secure and can drive a coach and horses through traditional network security controls. The convergence of voice and data presents a step change in the number of points in the network for unauthorised access and denial of service. In short, when VOIP arrives we will all have rethink our whole approach to network security.
Techworld comment: Using VoIP sounds logical. But If you start running phone calls across an infrastructure designed to meet Internet-era security levels then you will have to deal with Internet-era security problems.
Fred Cohen, Burton Group
The same as they have faced for the last 50 years - or longer. Insider threats. You need to clearly understand the information protection field as a profession in order to be effective. Take courses, stay up to date, study the issues, seek expert advice, and become an expert of the next 20 years.
Techworld comment: This is a corporate variation of the Red under the bed world view. Nobody has yet explained how security systems can possibly overcome sheer human deviousness and ingenuity. How many companies really suspect card-carrying employees of trying to rip them off in a big way?
George M Thompson, KPMG
The attacks on internet services resulting in fraud using stolen credentials will continue to increase and spread from financial applications such as online banking and money transfer applications to online retail and data services. Criminals obtain credentials using phishing and Trojan techniques exploiting weaknesses in customer behaviour (social engineering) or weaknesses in the security of customers personal computers (viruses and Trojans).
Techworld comment: Why have some of the richest institutions in the world banks - done so little to stop a problem that many warned was coming? The traditional answer is that they didnt want to upset conservative user base with security barriers when they were, supposedly, struggling even to turn on their PCs. Expect big changes here in the next year. But lets remind ourselves how pathetic the banks have been, especially those in the UK.
Richard Starnes, ISSA UK
In the coming year, internationally, the biggest threat that companies face in the area of information security will be from government. I believe there is a growing tide of frustration among government officials and legislators with regard to company's sluggishness to comply with legislation in any meaningful manner. That frustration will manifest itself in the application of some of the more Machiavellian clauses in regulatory compliance legislation. Companies will be sought out to be made examples, putting the rest of us on notice that governments are now taking the issue of information security, privacy and regulatory compliance seriously.
Techworld comment: We agree - and disagree. Increased government looks inevitable given how little intervention there has been in the past in IT policy. But government has no right to be frustrated with business. Compliance does not in itself make the world more secure, it only makes it more compliant.