"Each incident that I see raises questions to me: how did it happen, why did it happen, what could have been done differently.”
A well-known security firm has had to replace some 40 million SecureID tokens, used in two-factor authentication, after hackers got into the firm’s network and penetrated its authentication server. As a result, a US defence contractor was attacked and at risk of compromise.
Malware specifically targeting mobile devices (tablets and smartphones) soared by over 270% in the first half of this year, compared to the same period in 2010.
The open source software community is in crisis after hackers managed to plant a malware rootkit into the servers at Kernel.org, the distributor for Linux.
Yes, 2011 has been a bad year for cyber security – and those are just a fraction of the risks that are threatening the business community, which can’t function today without computers.
The continuing – and growing – list of IT security issues was the subject of a recent presentation to the NZ Software Association by one of Australasia’s leading cyber security experts, Dean Carter of Lateral Security.
Carter began his presentation, ‘The A to Z of Security in 2011’, by asking everyone attending to stand up, then asked them to sit down if they used any of the following products: a secure ID token, Dropbox, or a Sony, Android or Adobe product. By then, everyone was sitting down again. Carter pointed out that they therefore all had a vested interest in his subject, and he’d only got halfway through his “list of badness”.
Carter has 18 years of experience in IT security for telcos, financial institutions and the media, and prefers prevention to recovery. “I’d rather prevent stuff going wrong than fix it, but I do both, and I’m very fond of words such as ‘pragmatic’ and ‘posture’,” he told his audience. “Security breaches and hackers are all over the news, and each incident that I see raises questions to me: how did it happen, why did it happen, what could have been done differently.”
Carter has been keeping track of security incidents this year, so he can discuss them with clients. However, he found they were occurring so often, he couldn’t keep up, which led him to compile his A to Z from information available “as of 4pm today”.
“Businesses by their nature are about taking risk,” Carter said, “and if a tech runs up to someone and says ‘there’s cross-site scripting and SQL injection on the website!’, that means nothing to the business. Techs don’t talk in business terms, the businesses don’t understand the techs, so there is a mismatch there, and I think it’s a matter of both sides learning to be a bit cleverer.”
ALAS! WHAT TO DO?
Carter concluded his presentation by outlining steps businesses should be taking to improve and/or maintain the security of their computer systems and networks. They're not products, he pointed out, and they're not expensive. (The source for some of these tips was a presentation 'Are We More Secure?' by Simon Burson, Security Consultant for DMZGlobal. Click here for more tips from Burson on network security.)
- Assign security responsibility to someone, no matter what the size of their company.
- Have a written security policy – make it succinct and understandable by everyone.
- Have a security programme, ie: make sure systems and networks are tested regularly, issue regular bulletins to staff about security issues, and keep a tally on security incidents and presentations. If they employ IT developers, encourage them to attend events like OWASP (see below).
- Consider the security implications of every project that they undertake when planning it – not as an afterthought when it’s complete.
- Have a security incidents response plan that is updated and tested regularly.
- Get rid of SQL injection. It’s over 10 years old, the vulnerabilities it exploits are widely known, and there’s no excuse for their continued existence.
- Learn to speak to businesspeople in business terms, not tech terms. Explain the risks of poor security to their finances and reputation. Better communication is crucial.
- Attend security events regularly (see below) to keep abreast of new developments.
A is for Anonymous
A is also for Advanced Persistent Threat
A is also for Adobe
B is for BART (Bay Area Rapid Transit)
B is also for bikies, BlackBerrys and the law
C is for Citi
C is also for Comodo
D is for Diginotar
D is also for Distribute. IT
D is also for Dropbox
E is for Epsilon
F is for Fox News
G is for Gen-I
(CEO Chris Quin’s Twitter account was hacked and mischievous messages were sent to followers.)
H is for HBGary Federal
I is for iPads
J is for Jumio
(Carter points out: “If hackers can get my keystrokes, they can get my camera. But you still have to type the CVV in, so I give them 10 out of 10 for thinking outside the box and trying to come up with something new.”)
J is also for juice-jacking
K is for keylogging
K is also for Kiwicon
K is also for Kernel.org
L is for LulzSec
L is also for Lush
M is for malware and MetService
M is also for mobile malware
N is for NASDAQ
O is for OWASP
P is for Pentagon
Q is for QuickTime
R is for RSA
S is for Stuxnet
S is also for Sony
T is for Tarsnap
U is for unemployed truck driver
V is for Vodafone
W is for WikiLeaks
X is for XenApp
Y is for YouTube
Z is for Zeus
Fresh approach needed to IT security
Quarter of companies feel exposed to cyber crime
A 99.5% accuracy rate in orders wasn’t good enough for Griffiths; with Greentree, errors are now almost zero.Read the full story