No longer happy with just making a name for themselves, hackers have become a highly organised group of criminals, exploiting system vulnerabilities and careless employees for billions in profit. The changes in the landscape are happening every day, with millions of threats identified daily on one hand, and companies taking up to four months to approve a patch on the other. This was the urgency behind a recent executive seminar titled Combating the Digital Threats at the Mandarin Oriental hotel in Kuala Lumpur, organised by MIS Asia magazine and sponsored by Trend Micro.
The session was opened by Danny Siew, senior director, technical support, for Trend Micro APEC. In his opening speech, he spoke on the critical point in the company’s history in the late 1990s where it changed focus from being an anti-virus company. “We came to realise that network security was absolutely essential because it is the networks that propagate the infection,” he said. This fact, he continued, was exacerbated by the dotcom era, when the Web became increasingly important and everybody started logging on.
He then talked about virtualisation and cloud computing. “The reason we have to move to the cloud is that we have 25.4 billion current threats, and without the power of the cloud, it is unlikely we would be able to handle that,” Siew said. He also touched on the new Web 2.0 era, and alerted organisations to the dangers of social networking. He said the threat had gotten to the point that Trend Micro had more than 1,000 servers correlating these threats and getting updates to their customers at any point in time.
State of Security
Up next was the editor of MIS Asia, Ross O. Storey, sharing the results of the State of Enterprise IT Security in Asia 2009 survey. “You could be excused for thinking that with all of today’s sophisticated information and communications technology, the world would’ve long since solved the problem of digital security and cyber crime,” he said. Instead, he added, “whether it be identity theft, bogus websites, data breaches or stolen credit card numbers, cyber crime has become big business”.
Storey proceeded with some grim statistics: an estimated 250 million customer records have been lost or stolen since 2005, with each loss costing about US$202. He cited a few examples, including Heartland Payment Systems, which discovered, after a few weeks, that someone was stealing credit card numbers from their database.
He then presented the findings of the survey, starting with figures that showed local companies spending similar percentages of their budgets on security, compared to their overseas counterparts. Also, the percentage of respondents who viewed enterprise IT security as important had risen sharply from 31.5 per cent in 2008 to 40 per cent last year. This might have been due to the fact that 85 per cent of major enterprises had experienced at least one security attack, and that the bigger the business, the more likely they were to be targeted.
Storey presented statistics from the Global State of Information Security Study 2009 run by CIO magazine, which indicated that growth in this sector was more likely coming from Asia than the West, with China in the lead. Also, out of the 43 per cent who have moved to cloud computing, 48 per cent thought it made things more secure, versus 42 per cent who thought that it didn’t.
Next on the stage was Chin Kah Yi, senior security solution consultant, corp security solution division Asia Pacific, Trend Micro. One of his key points was the importance of visibility. He gave an example of a Filipino company that practised an open policy, with a CEO who allowed staff to use whatever they wanted. However, the company did not know what it was allowing, and when its network was analysed, it was found to be packed with malware and data-mining bots.
Chin talked about three particular areas of concern—equipment theft, data-stealing malware and most crucially, exposure from within. Traditional safeguards, such as anti-virus and software firewalls, were not enough, particularly for extra-sensitive information, such as credit card numbers and customer account data, he said.
This, Chin added, was the starting point for Trend Micro with any company—to analyse and classify what data needed to be protected. Next was to identify the ways in which that data could be leaked. After that came analysing usage models to discover how that data was passed. “Once this is done, you need to develop your policies to cater for these usage models, and finally to monitor and improve your system continuously.”
Chin stressed the importance of asking questions such as: What information is sensitive? What does it look like? Where does it live? Where does it sleep? How does it move? Who uses it? “Start small. Do not try to boil the ocean,” Chin cautioned. “Start at the most critical segment, and it will give you an idea for a strategy you can replicate across less critical segments.”
He also advised the audience to involve key players, such as management, early—to give you authority and rally support for the initiative. He ended by sharing the example of a Taiwan chip manufacturer, for whom design secrecy was paramount. In six months of just monitoring their system, they discovered that there were 80,000 instances of USB drive use every month. Unable to monitor that effectively, the company then implemented an education policy.
Every time the user popped in a USB drive, a popup would inform them of the security risks. As a result, the use of USB drives was reduced by 90 per cent, allowing management to see where USBs were used, and to analyse what was necessary.
Wild Wild Web
The next speaker was Edison Yu, industry analyst for ICT practice for Frost & Sullivan Asia Pacific, who highlighted the convergence they are seeing, with a greater marriage between businesses and technology. He said the consumer and business worlds were getting closer, with technologies such as social networking.
On threats, he said there was a fundamental shift from malware, which was untargeted, to crimeware, which was very targeted. “Not only are the numbers of threats rising, but the quality of threats has improved as well. The target audience is very different—not your typical PC user, but Fortune 500 companies. Motivations have moved from proving yourself to your peers, to creating monetary value from these breaches.”
Moving on to social networking, Yu said it was now an integral part of business. He highlighted the dangers, giving the example of hackers using Google employees’ personal information from their social networking profiles to attack their network. The change, Yu said, was also that a lot of the attacks now were under the radar, unlike the showboating threats of yesteryear. In the case of TJ Maxx, customer account information was being leaked for more than two years from an unsecured Wi-Fi network, without the company’s knowledge. Other examples are criminals using Twitter location data to convince someone that they know you personally.
Yu said the shadow Internet economy was valued at US$105 billion, bigger than the global drugs trade. This was because of its accessibility and lack of barriers to entry. One of the new models was bot networks that would take over your PC and use it as part of an army to mount an even larger attack. He stressed that employees’ awareness of security has increased in importance. “They might be tech-savvy, but are they security-savvy? They need to understand security the way IT folks do,” he said. Companies with a good security system and policies in place were up to 40 per cent more profitable, he added.
Globalisation, he said, also brings control challenges, and a wider variety of threats. Yu also talked about how collaborative tools were difficult to manage, that is, the interactions between voice and data communications. The boundaries between the corporate and public realms have been reduced significantly, which left companies more vulnerable. “If you invite the Web into the corporate landscape, you need to ask yourself—are you ready for the results?” Yu asked.
Finally, he talked about end-users. There was a paradigm shift from perimeter security to information-centric security, he said. Keeping everything out was no longer realistic. You need to analyse the data at every channel. He recommended a centralised security management system, and effective monitoring tools. “This change requires a move from threat management to risk management, and moving more into the human element.”
The session ended with a panel discussion and a question and answer session with all the day’s speakers, moderated by Storey. He asked why the threat landscape had changed so much. Yu answered that the key driver was convergence. “I don’t think threats are becoming more complex; they are just getting a higher profile,” he said.
Storey then asked about the standard of adoption of security practices in Asia. Chin said companies are still playing catch up, both in terms of policies and technologies. He added that broadband proliferation was increasing the urgency, allowing for many more opportunities for breaches, with users accessing their notebooks at home, at the airport, and in the office.
Siew then said enterprises across different verticals had different priorities. “For instance, in the financial sector, protection against data loss is paramount. But the industry should also look at itself and see which vectors leak data. Internal threats are probably a bigger issue than external. All you have to do is reveal your password,” he said. He also said a lot of businesses here think only at the surface level. For instance, in the case of a virus, many businesses worry just about cleaning it from their system, and not what data or performance might have been lost.
Storey then asked about education, and if enough was being done by companies today. Yu answered that a lot of people were turning to technology to reduce risk.
“However, they don’t have risk profiles. For instance, the CEO’s notebook should have a much higher risk profile than a HR person’s notebook. This is a cost-saving method. The organisation should spend on more robust security solutions, the higher the risk profile,” he said.
Chin elaborated by adding that the difficulty with risk profiles was the actual implementation. “For example, a customer had data monitoring for a security dashboard, with different colours indicating various risk levels. The problem is that the board was always red, which was considered normal, so no action was typically taken,” he said.
Storey asked what the common vulnerabilities in Malaysia were. Siew answered that certain widely-used security products had vulnerabilities because they would be the most targeted. He also said Malaysian companies had a very long cycle of change management. “You cannot take three months to test a patch, and another two months to deploy it. You probably have to do it in less than a week or you will be vulnerable,” Siew said.
Storey agreed, and gave the example of an MI-5 top operative having his details revealed by his wife on Facebook. Siew said outdated systems were equivalent to hiring an 80-year-old man to be your security guard. “If there’s a robbery, what can he possibly do?”