Military history tells us that many battles need to be fought before a war is won, and when it comes to fighting cybercrime, the same holds true. Continuous headlines about security data breaches show us that there are still more challenges ahead.
For example, the criminals who recently hacked into Google’s systems allegedly attacked more than 100 other companies, and in February it was reported that hackers stole customer names and payment card information from a leading hotel group. The list goes on, but the good news is that the vast majority of organizations are more determined and better placed than ever to protect their data, brand value and reputation.
Over the past few decades there has certainly been greater awareness and investment in information security. But at the same time, the level and sophistication of attacks has also increased. So with breaches still happening, it should come as no surprise that many business and government leaders are asking what more can be done.
In some cases breaches happen because there was inadequate protection in place; but in many other instances, breaches happen despite robust integrated control structures throughout the enterprise.
So, is the solution additional investment in more advanced tools and products, or should money be spent on further security awareness training in an attempt to change people’s behavior and the culture surrounding security and privacy?
These are substantial questions, and while it is possible to draw conclusions, meeting the challenges of protecting information can only be achieved through a structured, informed and methodical approach.
The first step in determining how to better protect against cybercrime is to truly understand the nature of the attacks. For example, are they perpetrated primarily from external sources and focused on target organizations, or are the majority undertaken by insiders?
A careful analysis of attacks faced by a single organization or organization type should be followed by a thorough review of the effectiveness of current security programs and control frameworks.
An effective strategy for protecting information can only be developed based on a detailed understanding of the threats, vulnerabilities and control gaps in the operating environment. It may be that additional investment in products and technology solutions is required or, alternatively, the existing security and business processes may simply need to be refined.
The key point here is that there is no one-shot solution for information security. Protecting information requires constant vigilance and application.
So, can organizations ever completely protect themselves from the likelihood of data breaches? With new technology emerging all the time and the nature of the attacks constantly changing, it is likely that some vulnerability will always exist; but that doesn’t mean the criminals will win. What organizations need to do is to arm themselves with all the latest methodologies and tools at their disposal and harness knowledge and expertise through working with organizations such as the ISF. This way we will be able to reduce the level of risk and win the daily battles.
Here are just some of the things private and public-sector organizations anywhere in the world need to do:
- Understand the implications of ubiquitous access and distributed information
- Appreciate the enterprise-wide nature of security
- Overcome the lack of a clear strategy and game plan
- Establish proper organizational structures and segregation of duties
- Understand complex global legal compliance requirements and liability risks
- Assess security risks and the potential magnitude of harm a data breach would have on the organization
- Determine and justify appropriate levels of resources and investment
- Deal with the intangible nature of security
- Reconcile inconsistent deployment of security best practices and standards
- Overcome difficulties in creating and sustaining a security-aware culture
We may never totally rid ourselves of security breach headlines, but by working together, we can stay one step ahead of the criminals.
Simone Seth is senior research consultant at the Information Security Forum (ISF). She joined the ISF in 2006 and provides thought leadership and consulting services to ISF members in the areas of information security, information risk management, regulatory compliance and information security governance. Seth has produced research on topics from information security compliance, data privacy and wireless LANs, to outsourcing, third-party relationship management and trends forecasting. She has more than twenty years of experience in the financial services industry and has held senior roles with companies such as Deutsche Bank, Citibank and JP Morgan Chase, specializing in information security, data privacy, business continuity, security architecture and regulatory risk management.
Comments
ac says:
30 March 2010
Hi Simone,
Interesting article, although first, it fails to differentiate perimeter intrusion security from information security, and, second, although it presents intrusion prevention issues and tools, it does not note that information, and knowledge, are much more ubiquitous than applications, systems, and even networks. Like many today still, you seem to be focusing on an illusive perimeter to secure while knowledge transparently crosses perimeters. In fact, knowledge has its own logic and paradigm and sharing it securely cannot be achieved without, at least, first understanding knowledge foundations. From there, work can start, and there seems to be quite a bit, especially from where most stand today. Once knowledge is secure, perimeter security can focus on what it is supposed to do: protect networks, systems, and applications from intrusion and abuse, but even when the perimeter is abused, information and knowledge remain protected. Like many, you seem to present a very narrow view of security, information, and sharing, offering no solution but wishful thinking. When you are ready to consider something deeper, please contact me as I know we can do better than try to prevent sharing and collaboration. Rather we need to enable knowledge and valuable information sharing, across all perimeters, always knowing the difference between sharing and giving, as well as the difference between information and IT. Thank you for your hope and cheer-up, it is always good anyway.
Regards,
ac
secure that! says:
29 March 2010
"We may never totally rid ourselves of security breach headlines, but by working together, we can stay one step ahead of the criminals."
It's a good thought, but I doubt it. Think of securing a perimeter: you have to secure and watch the entire perimeter, while criminals only need to find one weak point and exploit it.
There will always be zero day vulnerabilities taken advantage of in the wild.