No. There you go, I said it. Things are definitely NOT better than they were 10 years ago. This may seem a shocking admission, but let’s all be honest with ourselves: we would much rather deal with Anna Kournikova-related malware than Stuxnet. To be clear, that statement has nothing to do with the fact I am male, and everything to do with the potential impact of the threat.
The threat landscape ten years ago was much simpler. We didn’t have to face the challenge of supporting consumer devices; in fact, only a small group of employees even had laptops, all of which were owned by the business and, as such, highly controlled. The majority of the workforce were given a desktop computer, and a social life outside of work hours. Okay, perhaps this was just (a bit) more than 10 years ago…
Although the rapid adoption of multiple technology platforms has enabled businesses to operate 24 hours a day with a contractual guarantee of 100% uptime, there is no doubt that such an enabler comes with potential risks. Without wanting to sound too ominous, the attack surface will only continue to grow – and not only for businesses, but for each of us individually, with reports that the number of connected devices is predicted to hit 50 billion by 2020.
Through the rapid adoption of more devices, more communication platforms, and the demand for greater availability, the threat landscape will only get broader. Consider that ten years ago, your most important documents were likely stored on a hard drive, or on external storage media that – for many of us – were floppy discs placed in a sometimes locked drawer. Of course, you played Russian Roulette with the floppy disc gods, praying that they still worked when you tried to retrieve the data, but at least the data was safe from prying eyes.
Today, data is automatically backed up to online storage services, synchronized with every device in the home, and resides on USB drives that contain more storage than most businesses had access to 10 years ago. It is not uncommon for even the most valuable data to be replicated and stored across 10 to 20 platforms. This, of course, is encouraged, as it improves the availability of data. Ironically, however, every move to improve the availability of data increases the attack surface, and negatively impacts its confidentiality.
Faster network access enables us to download the latest movie blockbusters, or hold video calls with friends halfway around the world. However, it also enables a new breed of threats that are bigger, and with functionality many of us could scarcely have imagined five years ago, let alone a decade ago. Flame (and, of course, Stuxnet) is an excellent example. What was so incredible about this particular threat is that it was over 20MB, with modules that could record voice conversations and send it all back to its attacker. Its predecessors were often limited to 1.44MB, and the hope someone would pick up the disc and spread the ‘destruction’ within.
While the threat landscape has evolved dramatically, the response from industry has been equally impressive. Security used to consist of anti-virus software and, perhaps for the more progressive companies, a firewall. A short walk around any number of the security conferences run today reveals a technological landscape offering silver bullets to today’s and tomorrow’s threats. Although many of you may raise your eyebrows at the statement ‘silver bullet’, let’s be clear: the silver bullet does exist, but not every threat is a werewolf.
Another area where we have witnessed a dramatic improvement is the dissemination of information, where security professionals often find information overload in terms of the latest threats, best practices, and support. This is delivered through the many conferences, books, webinars, podcasts, tweets, LinkedIn updates, and well...you get the idea.
Yes, we can look back ten years and wish security was as simple as implementing a sheep dip to scan floppy discs, and switching off modems on users’ desks. Technology, however, has enabled a fundamental shift in every part of professional and personal life for the better. Today we are better equipped to tackle the evolving threats, and there are more security professionals than ever before working together to ensure they’re identified and eliminated – protecting businesses and individuals alike.
Raj Samani is VP and CTO for McAfee EMEA. Samani was a 2012 inductee into the Infosecurity Europe Hall of Fame, and is co-author of the recently published book Applied Cyber Security and the Smart Grid. A member of Infosecurity magazine’s editorial advisory board, he currently serves as the Cloud Security Alliance’s chief innovation officer.