Cyberwar: Worse Before Better
Security Experts Agree: We're in for a Battle
Admittedly, that's an ominous message, but a truthful one. Among my key takeaways from conversations:
- Compliance is no longer the primary focus for organizations. That's no surprise. We've heard that message over and over again.
- The recent rash of cyberintrusions cannot and will not be stopped.
- And the RSA Security breach is linked to more than we might think.
Here are some insights from industry leaders I met:
PCI 2.0 - 'Changes Were Subtle'
Torsten George, a vice president at Agiliance, which focuses on governance and risk management, had some interesting thoughts about the industry's reaction to version 2.0 of the PCI Data Security Standard.
In fact, George says PCI-DSS 2.0 has more changes than the surface reveals. His analysis: Most organizations will be caught off-guard when January rolls around and organizations must be fully compliant with the new version.
"PCI will be a huge challenge for those dealing with cardholder data," he says. "If I'm in the payments chain and I'm using a cloud-based solution, we are talking about implementing a whole life-cycle. ... Now I have to prove to the QSA [qualified security assessor] if that's in scope."
Here's the scary part: George says many organizations affected by PCI [like retailers and healthcare providers] have not thoroughly examined version 2.0, much less taken steps toward complying with it. "They thought there were no changes, that the changes were subtle," he says. "They will be in for a surprise."
And that's a bit disheartening, since we know that complying with PCI should be considered a minimal standard. Security is only getting more complicated, and as recent breaches have proven, protecting cardholder data is just part of the problem.
Layered Security: 'It's About Pattern-Based Detection'
Ansh Patnaik, director of product marketing for ArcSight, an HP Company, reiterated that point when I caught up with him at the summit. He also echoed what I've heard many security leaders talk about for the last 24 months: Anti-virus software and firewalls are not going to protect a network.
As part of a layered security approach, AV software and firewalls play their roles. But if they comprise an organization's primary lines of defense, that's scary. "It's about pattern-based detection," Patnaik says. "Anti-virus is great, but it's not enough. You need to know what the vulnerabilities are inherent in the code."
Anti-Malware: Look for the Unexpected
The discussion about code is an interesting one. I met one online security company that's taken a different approach to understanding code. Knowing the vulnerabilities of the code in apps, operating systems and software used by an organization and/or its customers is part of the solution, says M86 CEO John Vigouroux. The other part: Identifying the intention of the malicious code fraudsters are using to penetrate our networks.
"It's really all about the malware," Vigouroux says. "Firewalls can only go so far; anti-virus can only go so far, since it's all signature-based, it's only able to fight known viruses that are on a database."
But malware, as the mighty Zeus has proven, is changing all the time. "We can't just look for the attacks we know; we have to be on the lookout for what we don't expect." And that means scanning the HTML or JavaScript, for instance, that hackers use in the code they write, to understand what they're going after.
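To make the contrast Vigouroux draws concrete, here is an added illustration (written for this post; it is not M86's product logic or any code from the article) of why a signature database catches only what it already knows, while content-pattern inspection of a script still fires after the sample changes. The three scripts, the hash "database" and the pattern list are all constructed for the example; the patterns are hypothetical heuristics for obfuscated loaders, not a vendor's rule set.

```python
import hashlib
import re

# Constructed samples (not real malware). KNOWN_BAD is the one copy the
# signature database has seen; VARIANT is the same loader with one renamed
# variable; BENIGN is an ordinary page script.
KNOWN_BAD = b"var p=unescape('%61%6c%65%72%74');eval(p+'(1)');"
VARIANT = b"var q=unescape('%61%6c%65%72%74');eval(q+'(1)');"
BENIGN = b"document.getElementById('x').textContent='hello';"

# A signature-based engine: a set of hashes of samples already analysed.
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}

# Hypothetical pattern-based checks: traits of obfuscated script loaders
# rather than the bytes of any single sample.
PATTERNS = [
    (r"\beval\s*\(", "dynamic code execution"),
    (r"\bunescape\s*\(\s*['\"](?:%[0-9a-fA-F]{2}){4,}", "percent-encoded payload"),
    (r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}", "char-code packed string"),
]


def signature_match(sample: bytes) -> bool:
    """True only if this exact byte sequence is already in the database."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


def pattern_findings(sample: bytes) -> list[str]:
    """Labels of every heuristic pattern present in the script text."""
    text = sample.decode("utf-8", errors="replace")
    return [label for rx, label in PATTERNS if re.search(rx, text)]


def classify(sample: bytes) -> str:
    """Combine both layers. A lone eval() is common in legitimate pages, so
    the pattern layer needs two independent findings before it flags."""
    if signature_match(sample):
        return "known-bad"
    if len(pattern_findings(sample)) >= 2:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for name, sample in (("KNOWN_BAD", KNOWN_BAD), ("VARIANT", VARIANT), ("BENIGN", BENIGN)):
        print(f"{name:10s} signature={signature_match(sample)!s:5s} "
              f"patterns={pattern_findings(sample)} verdict={classify(sample)}")
```

Running it shows the point: the one-byte variant slips past the hash lookup entirely but is still flagged by the pattern layer, while the benign script triggers neither. Real products weight many more traits and back them with sandboxing, but the division of labour between "what we know" and "what we don't expect" is the same.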
Vigouroux brought up the recent Citi breach as an example. He did not say definitively that a scan of malicious code would have prevented that breach, but he hinted that Citi's online compromise was needless and could have been prevented with better technology.
Agiliance's George said much the same, suggesting that Citi, an RSA customer, was likely breached because of its reliance on SecurID tokens. "We're going to see a lot more linked to RSA," George says.
It's all speculation, when it comes to the Citi breach and others. But it's clear - and security experts I caught up with at Gartner agree - we have to change the way we mitigate risk and defend our networks.