IT Security: It's All About Damage ControlBy Tony Kontzer | Posted 2014-11-26 Email Print
Trying to keep the bad guys out of your corporate network isn't even the primary goal any more. Instead, it's preventing them from getting what they really want.
The October edition of the Harper's Magazine Index included this doozy of a statistic: The average global company in 2013 was subjected to 16,856 cyber-attacks.
Granted, many of those attacks were minor nuisances, but the sheer volume speaks to just how important information security has become to business—and what a struggle it is to stay on top of attacks, malware and security tools.
"It really is a cat-and-mouse game," says Jaime Parent, associate CIO and vice president of IT operations at Chicago's Rush University Medical Center. "The anti-viral vendors don't like this, but I think that in the fourth quarter of 2014, the bad guys are winning. I'm very confident the good guys will come back, but the bad guys have the upper hand right now."
While the overwhelming majority of security incidents are the work of so-called "script kiddies"— people lacking the skills to do anything more than clog networks or deface Websites—every threat has to be taken seriously in order to spot the more severe threats. The unfortunate truth is that advances in technology have created a veritable business model for those who successfully engineer sophisticated attacks and make off with high-value information.
"Data is valuable, and it's becoming easier to find ready buyers," says Eric Hanselman, chief analyst at 451 Research. "There are dark communities that trade in information just as readily as they trade in any other ill-gotten gain."
Worse, that black market is only getting bigger. In a recent security report, "The Invisible Becomes Visible," Trend Micro predicts that during 2015, "More cyber-criminals will turn to darknets and exclusive-access forums to share and sell crimeware."
One silver lining: Because so much stolen data is flooding into those underground markets, prices are driven downward, and the bad guys have to steal more to make ends meet. In fact, the black market price of a U.S. credit card credential dropped from $3 in 2011 to $1 in 2013, while stolen Facebook credentials that cost $200 in 2011 could be bought for $100 two years later, according to the Trend Micro report.
Meanwhile, emerging cloud-based IT models are steadily removing what used to be the main function of IT security teams: securing a company's technological borders. Instead, that's being left to cloud providers, while IT security increasingly revolves around identity and access management, monitoring and damage control.
In other words, security is no longer about keeping the bad guys out. Rather, it's about limiting what they can do once they get in.
"You get to forget about the perimeter," says 451 Research's Hanselman. "Your daily life in security is about understanding your posture rather than defending at all costs."
Benefiting From Vigilance and Luck
That's certainly been the case for Parent at Rush University Medical Center. The 664-bed hospital—which, as a medical education facility, supports a population of 10,000 care providers, students, faculty, researchers, support staff—hasn't been victimized by a major breach, a fact Parent attributes to a combination of vigilance and luck.
Still, the organization has to contend with its share of successful phishing attacks and insider threats. Parent and his team have to investigate every incident and shore up every perceived security hole to make sure that spotless breach record remains intact. It's a resource-draining job, to be sure.
"The thing that hurts us the most is the time in remediation," says Parent. "If an infection has gotten some traction, it's difficult to touch all the devices, re-educate the users and clean out the network."
Parent believes the hospital's biggest threat is its own employees, who expose the IT environment by storing passwords on Post-It notes and clicking on phishing emails.
Hence, the centerpiece of Rush University Medical Center's security strategy has been a user education and training component dubbed "I Care, I Protect." The idea is to make sure users are prepared to deal with various situations, so they can help prevent identity thieves, dumpster divers and other cyber-criminals from getting the information they crave.
"Technology without the human component only takes you so far," Parent points out.