The old adage says: "keep your friends close, but your enemies closer". In this day and age, the IT department of your organization does not have to worry about the second part. The enemies are already at the gates. And keeping them out is an increasingly challenging task.
A recent study sponsored by Juniper Networks showed that not only has there been a dramatic rise in the number of security breaches in the past year, but the targets have also gotten bigger. The CIA, the FBI, the U.S. Senate, and various state police agencies had their systems under attack. In the first half of 2011, security and data breaches cost U.S. enterprises almost $96 billion. At this rate the cost for the whole of 2011 will be almost twice as much as it was in all of 2010. Consider the fact that 2010 saw 90% of businesses compromised with at least one security breach. More than 50% of the compromised businesses had at least two breaches.
Another problem is that "the gates", where the enemies are trying to get through, are everywhere now. The entry points are in the software used by employees. They are in files, emails, web apps, web sites, databases, in everything that is on the information highway. The number of incidents related to malware went up from 4 million in the first quarter of 2010 to 6 million in the first quarter of 2011. Company spending on security, a record $63 billion last year, is expected to reach $75.6 billion in 2011.
As the study showed, the enemies get smarter and the attacks get more complicated every year. Throw all your defenses up, get every firewall ready, the host and network intrusion protection and detection systems, anti-virus, anti-malware, application firewalls, and it will still not be enough, because the enemies are a step ahead. The solution? "Know yourself and know your enemy" (Sun Tzu, "Art of War"). Get the right security talent on board and use the right strategy.
The correct strategy, rooted in the governance, risk management and compliance methodology, can go a long way. Consider governance, the system by which an organization controls and directs security development, as the backbone of the approach to managing security and how it relates to the business (http://www.cert.org/governance/ges.html). Then focus on compliance and regulations, a key to proactive defenses and enforced regulation of a company's behavior as it pertains to security for the specific nature of the business. Governance is strategic, while compliance is tactical and specific. Addressing compliance and security regulations allows a business to focus on the particular challenges and vulnerabilities specific to its business type and the vertical it operates in. Finally, adjust risk management, a set of technologies that address day-to-day security work and include mature components of security such as penetration testing, application security analysis, firewalls and intrusion prevention systems. The success of the security strategy depends on attention to all three components.
The talent is a different thing. With the increase in demand for security experts, in response to the increased attacks, security talent is becoming more expensive and harder to find. So far, the number of college students who focus on cyber-security has not been keeping up with the demand. There are even fewer opportunities to find experienced security consultants who are up to par with the criminal masterminds of the security underground. Security may be on the radar for around 1.9 million people, but there are only around 346,000 fully dedicated security professionals.
There are, however, security consulting firms, like Prolifics Security Practice (http://www.prolifics.com/business-solutions-security.htm), that can help you with both the talent and the strategy. They bring the best and the brightest security personnel on site to analyze, architect, develop and implement proper defenses and policies to address modern security threats. They help set up a proper strategy, so you protect the flanks, tie up the loose ends and govern smartly.
With the increasing number and caliber of security breaches, you cannot afford to sit around and wait. Find out what others are doing, go to conferences, ask consultants, bring in help, but do something, because the enemies are at the gate.
If you want to read more on the recent rise of the cyber attacks look here: http://articles.latimes.com/2011/jul/05/business/la-fi-hacking-security-20110705
Prolifics will be discussing cyber security in greater depth as a sponsor and speaker at the upcoming Cyber Security for Energy Delivery Conference on September 27-28. The event takes place in San Jose, CA and brings together major utility and asset owners and key government agencies from across North America. I will be co-speaking with IBM at this conference. With experience providing security solutions for the energy and utilities industry, we will be sharing our security solutions and recent case studies around ID and password management, single sign-on, directory services, Web-based authorization, federation and other areas. For more information on the Cyber Security for Energy Delivery conference, please click here.
Alex Ivkin is a senior IT Security Architect with a focus in Identity and Access Management at Prolifics. Mr. Ivkin has worked with executive stakeholders in large and small organizations to help drive security initiatives. He has helped companies succeed in attaining regulatory compliance, improving business operations and securing enterprise infrastructure. Mr. Ivkin has achieved the highest levels of certification with several major Identity Management vendors and holds the CISSP designation. He is also a speaker at various conferences and an active member of several user communities.