The battle for control over corporate networks is raging. And as IT
professionals and hackers both pick up more weapons and take on new
partners, the fight is only increasing in intensity… as it increases
in importance.

Scott Laliberte, a co-author of the new book Defend IT: Security by
Example, gives readers war stories from the digital battlefield. The
director of Protiviti, Inc., a global risk consultancy, Laliberte says
IT professionals need to suit up because the fight over the safety —
and control — of the corporate network is just heating up.

In a one-on-one interview with eSecurityPlanet, the author talks
about what is holding IT back in this ongoing fight, how the
environment that needs protecting is constantly shifting, and what new
battles are looming ahead.

Q: In your book, you talk about the battle between IT and malicious
Internet users. How much is this battle growing in size and scale?
I’d say the battle is definitely increasing. If you look at statistics,
like the FBI and CSI survey, and the CERT stats, the number of attacks
continue to grow. But we’re starting to see more headway made in the
battle against the attacks. There’s more awareness. And security
spending is starting to rise. With the regulatory issues emerging…
companies and boards of directors are being forced to look at security
in a much more serious light and they are putting more resources into
it. That’s helping us gain some ground in the battle.

Q: How is the battlefield evolving?
It’s always evolving. As security professionals make advances in one
area, the attackers respond by developing smarter attacks. As the
perimeter started to be brought under control and people started to
block up ports, hackers developed more sophisticated Web attacks over
http and email. There’s starting to be more worms and viruses out there.
And the window between the discovery of a vulnerability and the time it
took someone to exploit it used to be weeks. Now, it’s days. So today, IT has
to patch every few hours instead of every few days. The battle is
speeding up.

Q: Is one side winning at this point?
That’s tough to say. I wouldn’t say one group is ahead of the other. As
an IT professional, you try forecasting ahead. You need to be
forecasting two to three moves ahead if you’re going to win the battle.

Q: So when you forecast two to three moves ahead, what do you see?
I see companies putting together more formal structures and basically
having to have good frameworks. People are starting to put in better
frameworks and in-depth defense, some tighter controls — like tokens
and digital certificates. We’ll have to come around to those to get good
security. Passwords are just not good security. People understand that
but it’s too expensive to go to another solution.

Q: What is holding IT back? What is keeping them from doing better in
this war on hackers?
It’s budgets and management-level commitment. As most people in this
profession know, security is looked at as a cost center. It’s like
buying insurance. You don’t see ROI until an incident happens. And
hopefully incidents don’t happen, so they don’t see the problems that
you’re preventing. Showing that ROI and showing the return on investment
and getting the support necessary is a huge hurdle that security
professionals have to overcome right now… And they have to keep up
with the technologies and the attacks. It’s constantly changing. The new
technology you’re putting in place today is not going to be as practical
or work as well a year down the road. You can’t look at it as a process
that has a start and a finish. You have to look at it as a life cycle
model.

Q: What are IT’s strengths today?
I think there’s a lot more awareness of security issues and there’s a
lot more training out there. There’s a lot more resources out there,
like SANS and the trade publications and numerous books. And they’re
starting to get more recognition and support from management, but that
still has a ways to go.

Q: What are the biggest security concerns that are plaguing IT?
Regulatory concerns — making sure they’re not violating any laws.
Availability concerns — making sure there’s not going to be an incident
bringing the company down for any amount of time. In today’s world,
being down an hour could cost a million dollars, along with the loss of
reputation and customer goodwill. Another big headache they have is
educating users. You can put the greatest technical controls in place,
but if you have users who will give their passwords to anybody who calls
them on the phone, you’re still defeated.

Q: What kind of an effect are mobile workers and wireless devices
having on security efforts?
The tech environment is changing. It used to be that you had a very
well-defined perimeter. You had a firewall and a building where somebody
had to bypass a guard. Now you have wireless networks and numerous Web
applications. You have people who work from home via a VPN. You have
partners connected to you online. You can’t just rely on perimeter
controls anymore. Your whole idea of perimeter control has changed. Now
you have all these entities that may easily bypass perimeter controls.
This is forcing us to change the way we think about security and enforce
new controls.

Q: What new problems do you see coming down the road?
The challenge I see coming down the road is managing all the controls
you have in place with limited resources. Monitoring is a major control
and you need to have a place for it in the organization. It’s one of the
most poorly managed controls out there. They try to monitor too much.
They need to figure out what are the highest risk areas they need to
guard, and then they need to design manageable solutions to do that. You
can’t protect everything at the same level. You have to make some hard
decisions about what you’re going to protect and how you’re going to do
it.