Aujas US

An IDG Ventures Company

5 Hot Topics in Information Security for 2011

Hot topics in information securityAccording to the Aujas information security experts, these are the five crucial security topics that should be on the radar for business executives in 2011:

Data Governance and Data Leakage Prevention (DLP) – Some executives believe their employees know exactly what data should be protected and what data can be shared via website, conversation or social media.  These executives have a false sense of security. Many companies still do not have a strong data classification program or policy in place to educate employees on what is critical to an organization and what is not.  Some execs may also think that having a DLP tool and plugging it in is the answer. That’s like plugging in a power saw and saying you can build a house! Having a tool and knowing how to use it effectively are two different things.

Tip: Find a champion to drive your data governance and loss prevention initiative.  If your company has a CISO, this person is the most logical one to take on this role. If not, you can assemble a small team of stakeholders to work with guidance from a third party who specializes in information risk management.

Application Security – With so many applications being developed and used in companies of all sizes, some are being created without security in mind.  Some technology companies have a need to be the first on the street with a new application and are bypassing Security Development Lifecycle (SDL) protocol. They are thinking about security after the application is released and, sadly, are finding that they are spending more money to fix the application.

Tip: First perform a penetration assessment on your company’s critical applications to identify vulnerabilities. Then be proactive!  Create a framework in which security is part of the SDL.

 Social Media – The intentional and unintentional release of sensitive information via Facebook, Twitter, etc. can affect your company’s bottom line.  Your intellectual property may wind up on an underground website or, if your secrets are shared with the world, you may not be first to market with your new product or service. 

Tip: You don’t need to declare social media off limits to your employees. It is an important business tool that is not going away.  You do, however, need to understand the risks of social media, and make users aware.

 Cyber Security – Over the past year, more organizations have come to understand that there is a very real cyber security threat in the US and that the US Government cannot take care of every threat-related issue. Your company needs to develop a strong internal and external security programs to protect it.

Tip: Putting in place a robust information risk management (IRM) program is essential so that your stakeholders understand the people, process and technology risks and how they can affect your access, availability, and agility to conduct business.

Phishing – Hackers continue to use phishing, a type of social engineering, to solicit information from individuals.  Though the incidents of phishing were down in the second half of 2010, the attacks continue to get more and more sophisticated. 

 Tip: Perform a phishing diagnostic so that you are aware of the threat, specifically who in your organization is susceptible to this type of attack.

Aujas can help your company manage risk from these threats. Contact Karl Kispert, our Vice President of Sales, to learn more. He can be reached at karl.kispert@aujas.com or 201.633.4745.

Advertisements

January 24, 2011 Posted by | Data Leak Prevention, IT security, Phishing, Risk management, SDL, Social Engineering | , , , , , , | Leave a comment

Stuxnet Accelerates Exponential Decay!

Exponential-decayOften, change within the technology arena is seen through the lens of Moore’s Law; computer power doubles every eighteen months.  Many predictions of the Law’s demise have come and gone.  As technology approaches the physical limitations inherent in Moore’s Law, innovation has accelerated.  Moore’s Law was convenient for expressing technology’s exponential growth.

However, the Law’s converse – exponential decay – has eclipsed the “Law” and is unrestrained.  The broader concept of exponential decay operates unreservedly.  Exponential decay spurs innovation, is unrestrained by the present, and arises from the half-life of earlier developments. 

Information Security solutions are following a similar construct: exponential decay.  The perimeter defense built to address external threats has degraded to also-ran status.  Expanding business needs and active circumventing the perimeter, rendering it less-and-less effective.

The progression of security threats, similarly, follows an exponential decay model.  Hacking has given way to monetization attacks and espionage; sophistication grows, barriers to entry decrease, and specialization rises.  Exponential decay, also, produces geometric increases in records and funds lost in breaches.

Stuxnet’s introduction to the world represents the next stage of exponential decay.  It epitomizes a militant threat capable of incapacitating industrial production.  However, such a sophisticated cyber capability encourages derivatives. 

Stuxnet’s independent mutation ability and intra-communication has profound considerations.  An enterprise (military, government, academic, industrial, etc.) should consider themself compromised, irrespectively, by some form of cyber-malice capable of harvesting or destroying value.  Intra-communication is difficult to detect.

One enterprise defense from mutation and intra-communication within the enterprise is layered protection (versus layered defense).  While the enterprise perimeter an anachronism, externally, it has value inside the enterprise.  Tightly controlling access by limiting access gives the protection and time to address such attacks. 

Emerging technologies that allow enterprise to build layered, trusted perimeters, a ring-within-rings, are the exponential decay’s response to these new threats.  Watch for DLP, SIEM, and GRC applications to add layered perimeter capabilities and tracking of intra-communication.  Include intra-communication monitoring within perimeters as a required feature in product selection or expansion.

Authored by Charles King, CISSP – King Information Security, LLC

November 4, 2010 Posted by | Access control, identity and access management, Risk management | , , | Leave a comment