"Security is used to be seen as black or white. You are either breached or not breached; you are either secure or not secure. But now, I think we are starting to see security for what it is - it is a constant continuum between these two things," Hugh Thompson, Chief Security Strategist and Senior Vice President of Blue Coat Systems Inc., told members of the media in a roundtable discussion on July 22, 2014.
Held in Singapore in conjunction with the recent RSA Conference Asia Pacific and Japan 2014, Thompson commented that a lot has happened within the security space in recent years; making information security a prominent conversational topic - especially in the corporate setting - as he sees more executives asking more questions about security responsibility and security governance.
Shift in security thinking
Thompson feels that this increased security vigilance is triggered by the spate of data breaches taking place over the last couple of years. Besides data breaches, he noted that there is also a notable increase in hacktivism. Describing hacktivists as "people who see hacking as a means of expression; or as a means of making a statement against political parties or country", he added that the emergence of hacktivism has led to the rise of nation-state attacks.
"While defense is critical, I think that the area of security that is becoming more and more important is the ability to recover after an attack. It's something new in the mindset and ethos of security," he said.
Fellow host of the roundtable discussion, Brian Contos, Blue Coat's VP Threat Intelligence and Security Strategy, added that one trend he's seeing is an increased alignment between technology and business.
"From 2010 to 2014, we witness a shift as business security focuses on operational efficiency. More organisations started having endpoint controls, and network and data and mobile cloud," Contos elaborated.
He went on to cite the example of Thomas Edison's genius innovation, the light bulb: "The light bulb is a great idea, but that by itself does not yield anything. When John Pierpont (J.P.) Morgan invested in him, it resulted in billions of dollars in sales. That's because they recognised the importance of alignment between technology and business."
"Security needs to be aligned with key business decision-making. Important business decisions should factor in the security element and attempt to reduce risk, while allowing the company to grow the business and drive revenue at the same time. That's a fundamental shift in security thinking," he added.
Unique security trends in Asia
In terms of the security landscape in the Asia Pacific region, Contos noted two prevalent trends. Firstly, he highlighted that mobile security is a key concern.
"According to findings from Blue Coat's research, most people use six devices interchangeably today between business and personal use. A few years ago, it was only two or three. It won't be surprising if the number increases to 10 or more in a few years down the road," he said.
In fact, Contos pointed out that Asia is one of the rapid adopters of mobile technology. He highlighted that such a high penetration rate for mobile devices should mean increased mobile security. This includes the mobile device itself, the applications running on those devices, the cloud services they are connected to and more.
Contos also highlighted that Android devices are vulnerable and more prone to security attacks as compared to other mobile operating systems. He advised that we need to look at solutions that are transparent and easier for end users in the organisation to leverage.
"One of the best ways to accomplish that is by leveraging cloud technologies. Additionally, there needs to be an understanding of how users are operating within your environment, such as what's being used, uploaded or downloaded. We need to have a measuring or tracking system for this, or implement policies to control it," Hugh said.
"This does not mean that you will have hundreds of policies for those applications. Instead, these applications can be categorised and you can simply have policies across those," he added.
Secondly, Contos noted SCADA (supervisory control and data acquisition) as another security area to be concerned about. Essentially, SCADA manages Industrial Control Systems (ICS) and monitors for issues such as the heat set point in a boiler being exceeded because of a malfunctioning coil. Additionally, these SCADA systems can house proprietary information regarding system configuration - how long it takes to bake the pizza dough, where to weld the car door, how much light to expose bacteria to, or what additives to inject into a polymer.
Contos lamented that people do not think about the security of their critical devices, and that such poor security infrastructure allows them to lose valuable proprietary information.
"These are two areas very specific to Asia which I think need a lot of awareness and need to be addressed," he said.
Human factor a big security loophole
When discussing security challenges, Contos cited an experiment that tested bank users' security awareness. Despite the fact that the common method of credit card authentication is providing the last four digits of the card number, the "bank" asked participants for its first four digits instead. Nevertheless, the participants were not suspicious and simply provided the numbers without a hint of doubt.
"This shows that there is no difference in trust, and that there is a definite gap in human knowledge. If they believe that the other person knows a nugget of information about you, they will believe that you know a lot more," said Contos.
Sharing Contos's sentiments, Thompson stressed that there is a huge human factor involved in security.
"I can't emphasise how important it is for people to make good choices. If you look at how most advanced persistent threats are being played out, almost always there is a human element to it," he said. "A human who is an insider in the company who has cooperated with the attacker - not willingly, don't want to cause harm to the company, but they have been tricked, cajoled, or fooled - I think they are one of the key battlegrounds in security."
Future security landscape
When asked about some major security threats that they foresee within the next year, Thompson pointed out that there will be a lot more attacks against embedded devices and systems.
"Most of these systems have been around for a very long time. When they were designed, they were never meant to be connected to a network beyond a trusted user. But now, connectivity has slowly crept in but the problem remains that these systems were never built with security in mind," he said.
"Another one that we've already seen is that it has become so cheap and so accessible to customise malware now. For example, if you are a big bank, you might just get a targeted piece of malware that's concentrated only on you. That has become a reality even for mid-sized businesses today. The tooling exists to modify even commodity malware very easily," he added.
Lastly, Thompson mentioned that we share so much of our lives online voluntarily, but there is also a set of information that we share online involuntarily. Since public records are now becoming digitised and searchable, it becomes easier to find out so much about someone without even meeting them in person. In the business context, this is very beneficial, but from the security perspective, this brings about the shift of "advanced attacks" becoming more social.
He explained that the attacker will log on to social networking platforms, such as LinkedIn, and try to sniff out information posted online, such as who the company administrators are, where they went for lunch, where they went for their recent holiday, et cetera. Having a barrage of information about the victim at hand allows the attacker to craft a targeted attack, be it an email or a phone call, on that person.
"The tooling is now available for these cybercriminals to attack at this scale. That's going to be a huge issue and I don't think the industry has dealt very well with that up to this point," he said.