IW500: Security Threats Pose New Challenges

Companies need to find new ways of protecting themselves against attack, as new threats emerge from cloud computing and organized cybercrime, according to a panel of enterprise security managers and security vendors speaking Monday at the InformationWeek 500 conference.

The panel at the Dana Point, Calif., conference was moderated by InformationWeek.com editor-in-chief, Alexander Wolfe.

Cloud computing changes how enterprises approach protecting their resources, said Eva Chen, CEO and co-founder of Trend Micro. Traditionally, data resides on the company network, and securing the network secures the data. But with cloud computing, the data resides outside the company network and requires special protection.

"People are looking at the cloud responsibly," said Renee Guttman, vice president of information security and privacy officer for Time Warner Inc. Like every technology, cloud computing has upsides and downsides. Companies can protect themselves by proceeding to cloud computing cautiously. "Maybe they don't put the keys to the kingdom in the cloud initially." Companies can put perimeter security and intrusion detection systems in the cloud.

InformationWeek editor John Foley, who covers cloud computing, noted that cloud vendors often have rigorous physical security, including guard dogs. "What is the great risk about cloud computing since the cloud computing vendors think they have it under control?" he asked. But cloud vendors can't really guarantee security unless they understand their customers' business and special needs, said Mischel Kwon, incoming vice president, public sector solutions, RSA, Inc., and outgoing director of the US Computer Emergency Response Team, Department of Homeland Security. "Security isn't a matter of 'I have the best security system in the world.' Security is a matter of 'I have the best security for this specific purpose,'" she said.

Transparency A Problem

Guttman said transparency is a problem for cloud vendors. "I can't look at their facility," she said. Ultimately, vendors and their corporate customers will need to find some kind of accommodation -- perhaps third-party auditing -- to guarantee security.

"I will be more comfortable with cloud computing vendors when they accept some liability," said Jerry Johnson, CIO of Pacific Northwest National Laboratory. For example, if Pacific Northwest's human resources department loses the Social Security numbers entrusted to it, Pacific Northwest will face $1.5 million liability. "Will the cloud vendor assume some of that liability?" Johnson asked.

Businesses and security vendors must collaborate on security, Kwon said. Security is a "team sport" that requires partnership between businesses and security companies to build systems that are protected by being well built and well maintained. Most attacks are taken against known threats, indicating companies have failed to perform proper "lifecycle management" by installing patches in a timely fashion, she said.

Threats are growing more sophisticated. "We've gone away from script kiddies and amateurs to well-funded criminal organizations and nation-state hacking," Johnson said. Frontal attacks on the network are diminishing, in favor of "spear-phishing" -- phishing attacks targeted against specific people -- and other forms of social engineering. Attackers compromise the firewall, get into the network, and once in the threat becomes an insider threat.

Denial Of Service Increasing

Companies are experiencing increased denial-of-service attacks, Guttman said, speculating that the attacks might be distracting from other, more subtle efforts.

Kwon agreed that the attacks might be a diversion. "You wonder if the loud noise you can readily detect in your system is masking the symptoms of a more stealthy attack," she said.

Companies can protect against risks by understanding their current business, and the direction their businesses are going, said Guttman. For example, Time Inc. has gone from primarily being a magazine company to primarily being an online company, bringing different risks.

Companies can also manage risk by aligning IT security with other parts of the organization, for example, parts of the business protecting against fraud and guarding privacy.

Companies need to spend appropriately, Johnson said. Gartner estimates that companies in a steady state spend 3-4% of the IT budget on security, and up to 7-8% when companies are taking preventive action. But Pacific Northwest thinks that's too low; it tries to spend 6% consistently to stay on top of risks.

Enterprises can manage risk by understanding what's at stake. Computers aren't important, it's the business as a whole that need to be protected, Kwon said. Johnson added that security also protects customer confidence.

Guttman said she doesn't like to use the word "security." Instead, she likes to say they're "managing risk." "The reason I have a beef about the word 'security' is because we keep saying we're not secure, and yet that's what we do," she said.

See full coverage of the InformationWeek 500 here.

InformationWeek has published an in-depth report on managing risk. Download the report here (registration required).