An information security blueprint, part 1

Symantec's Francis deSouza lays out the requirements for a more practical way of addressing information security threats

The recent the Hydraq attacks were the latest example of just how radically the Internet threat landscape has changed over the past few years, and how vulnerable companies and their information stores are to cyber attacks. The attackers were not hackers, they were criminals attempting to steal intellectual property. Hydraq is an example of how cybercrime has evolved from hackers simply pursuing public notoriety to covert, well-organized attacks that leverage insidious malware and social engineering tactics to target key individuals and penetrate corporate networks. Many of today's attacks are highly sophisticated espionage campaigns attempting to silently steal confidential information. This should raise the alarm for companies of all sizes and across all industries, as information is a business' most valuable asset. Information not only supports business, it also enables and helps drive it in a global marketplace in which having the right information at the right time can mean the difference between profitability and loss.

Also see Information Security Management: The Basics

However, while information security has never been more important, it has also never been more challenging. Businesses have more information to protect at more points against more threats than ever before. In such an environment, businesses can build an effective defense only after they first understand the peculiarities of today's threat landscape and then identify their own specific areas of vulnerability. Armed with this information, organizations can then develop an information security blueprint that is right for them--one that is comprehensive, proactive, enforceable, and manageable.

More Threats, More Complexity

Today's headlines are rife with accounts of information security threats and data breaches, and this alarming trend is clearly borne out in statistics as well. For example, in 2009, Symantec identified more than 240 million distinct new malicious programs, a 100 percent increase over 2008.

However, viruses, worms and other types of malicious code are not the only threats to information today. Businesses now are also at risk from botnets, phishing attacks, and spam. Sixty percent of all data breaches that exposed identities were the result of hacking. In a sign that this issue is not limited to a few larger enterprises, the 2010 Symantec State of Enterprise Security Report found that 75 percent of enterprises surveyed experienced some form of cyber attack in 2009. And spam made up 88 percent of all email observed by Symantec. Of the 107 billion spam messages distributed globally per day on average, 85 percent were from botnets, according to the Symantec Internet Security Threat Report.

Protecting against security threats has also become more challenging as businesses deploy a greater variety of devices throughout their infrastructure. The laptops and desktops of yesterday are now complemented by smart phones, USB drives, and even portable entertainment devices that employees routinely bring into the workplace and connect to the company network. The corporate information infrastructure has also become more complex with the introduction of cloud computing, virtualization, and other important technologies that offer significant business benefits but must also be protected.

At the same time, the volume of information in the average company is doubling every two years, even as more and more people--from employees to suppliers, contractors, customers, and others--have access to corporate network resources and company information.

New Attackers

Not only are threats increasing in number and sophistication and information infrastructures becoming more complex, but security breaches are also being driven by different forces today. Too often, well-meaning employees who have legitimate access to corporate information lose their laptops or USB drives, and organizations follow broken business processes that put critical information at risk. Security breaches may also be launched by malicious insiders who have access to corporate information and resources and leverage their authorized status to deliberately cause a breach.

Perhaps the most dramatic development in the threat landscape is that external attacks are no longer being conducted primarily by hackers who want to bring systems down but by organized cybercriminals who operate in a well-organized and thriving global underground economy where stolen information and fraud-related tools and services are bought and sold around the clock.

In this professionalized environment, cybercriminals launch attacks in four stages, often using dedicated teams that specialize in a specific stage. The attack begins with an incursion phase, in which cybercriminals try to gain access to their potential victim's network by using a variety of malicious programs and tools. Once in, the attackers move to the discovery phase where they map out the assets of the company in order to find vulnerabilities in the company's infrastructure or business processes that could be exploited.

Upon discovering company assets, attackers then move into the capture phase where they find and seize information that has a black market value, such as credit card information, identities, customer or patient records, intellectual property, and more. Once this information is found and captured, the cybercriminals look to get that information out in the exfiltration phase of the attack.

Unfortunately, these four-phased attacks have proven to be highly successful when used against organizations of all sizes, from large government agencies, big retailers, and financial services giants to small and mid-sized businesses across the U.S.

Information Security Vulnerabilities and Remediation

While the threat and attack landscapes have become more sophisticated and diverse, the factors that lead to vulnerability to threats and attacks are surprisingly straightforward and simple. Today's security breaches and attacks target companies with poorly enforced IT policies, poorly protected information, poorly managed systems and poorly protected infrastructure.

Poorly enforced IT policies contribute to vulnerability, leaving businesses exposed to broken processes that hinder protection. Businesses can address this vulnerability by prioritizing risks and enforcing strong IT policies that span across their various locations, and by using automation and workflow tools that help them not only remediate incidents but also anticipate them.

Businesses with poorly protected information are vulnerable to security breaches and data loss because they do not know where their information assets are at any point in time or who has access to their information. To address this vulnerability, businesses need to take a more content-aware approach to protecting information so they know where sensitive data resides, who has access to it, and how it is coming in or leaving the company.

Businesses with poorly managed systems are vulnerable to security breaches and attacks because they cannot efficiently manage their IT infrastructure through its lifecycle. In 2008, Symantec documented 5,471 vulnerabilities, 80 percent of which were classified as easily exploitable. To address these vulnerabilities, businesses can leverage toolsets that provide integrated capabilities for managing security as well as provisioning, patching, licensing, workflow, and decommissioning.

Finally, a poorly protected infrastructure leads to increased vulnerability not only because the organization lacks the appropriate protective mechanisms but also because it does not have the visibility across the infrastructure that is required to identify gaps in protection and offer actionable recommendations for remediation. Businesses with a poorly protected infrastructure can address this vulnerability with integrated security technologies that provide insight into their infrastructure, proactive protection across the entire environment, and rapid response to emerging attacks.

Information security today is more challenging than ever. Yet, businesses can improve their security posture through understanding the threats and vulnerabilities of their environment and leveraging processes and tools to mitigate risk, thereby increasing their competitive edge in today's information-driven world.

The next article in this two-part series will examine how companies can put into place a security blueprint that enforces IT policies, protects their infrastructure and information, and manages systems more efficiently.

###

Francis deSouza leads engineering, product management, field enablement, business development, and operations for Symantec's Endpoint Security and Management, Data Loss Prevention, and Information Risk Management businesses.

This story, "An information security blueprint, part 1" was originally published by CSO.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies