After a decade of researching information and cyber security and addressing the security needs of businesses, government entities and the military, a look back brought some surprising ahh-haa moments. The following are the more interesting aspects of what was uncovered.
PASSWORDS—First they were too short and easy, then we made them long and complex. The user community responded by writing them down. It is amazing that very few (a single digit percentage) of systems use biometrics to enhance system access security and reduce the issues surrounding complex passwords. Passwords are just the tip of the iceberg. The real issue is the lack of a program approach to access control and that includes physical access as well.
EXTERNAL DEVICES — The use of smartphones, iPods, iPads and a number of other devices that connect to the USB ports on computers has skyrocketed. The onboard security of several of these devices can only be described as limited if not non-existent. Several of these devices use the USB port for charging their batteries that further complicates the issue. Malware sitting on these external devices, waiting for a USB connection to transfer their harmful content, is a growing concern. Just recently, a logistics company experienced a malicious code transfer to one of their employee’s laptop at the individual's home by the individual's daughter. When the laptop returned to the office and connected to the network, the resulting infections were highly disruptive for two weeks and extremely costly given the impact to their customer service.
BUDGET REDUCTIONS — The economic downturn has driven budgets down across the board and security was not spared. In 2009, only 36 percent of organizations saw an increase in their security budgets and 12 percent reported their budgets remain the same. Providing security in an environment that saw one new strain of malware introduced into the threat environment every 1.24 seconds is costly. Not only did the frequency of new threats increase, so did the complexity and sophistication of their malicious capabilities. Add to that the fact that a vulnerability in Internet Explorer was traced back to an IE-6 release in August of 2001, and wasn’t discovered until November 2009, and it is easy to see how quickly security budgets can be consumed.
Britain's Chief of MI6 (their spy agency) recently said, "The whole question of cyber security is shooting up everybody's agendas." Mr. Chabinsky on a rotational joint duty assignment with the Office of the Director of National Intelligence (ODNI) said, "The cyber threat can be an existential threat - meaning it can challenge our country's very existence, or significantly alter our nation's potential.” It would be hard to overstate the importance of cyber security to every company, as well as our nation. Arguably, this is the most important job at this point in time.
January, 2011
