Each year, when Computerworld Malaysia holds its annual Security event, the issues are always different. In previous years, industry experts and top vendors spoke about cloud security and data encryption. This year, in a packed conference room of more than 300 IT, security and business executives from many different sectors at the Intercontinental Hotel in Kuala Lumpur, the themes for the Computerworld Security 2011 Summit were targeted threats and the advent of social networking.
Security measures in any form need to change to deal with the constant evolution of threats, like new locks to counter new lock-picks. And together with the new threats opening up from the more-open-than-ever office, many of the new solutions complemented technology with the human aspects of education and shared responsibility.
Real World Solutions for Real World Threats
From the beginning of the Summit, it was clear that speakers were concerned that slapdash security solutions could not address real world problems. In his keynote, Gerry Chng, Partner at Ernst & Young Advisory, talked about the challenges of extracting meaningful data on threats versus just chasing compliance. “Compliance doesn’t really reflect true security—it’s a very reactive way of implementing security,” he said. “Usually two to three weeks before an internal audit, someone downloads reports from the past three months and starts building pivot tables and nice charts for them to use. These results are often not accurate.”
Chng also talked about the benefits of implementing a proactive Governance, Risk and Compliance (GRC) Initiative, which is a refinement of processes to increase linkages, reporting, communication and, by effect, efficiency. “A good security structure is a combination of People, Process and Technology. It’s not just about technology—if it does not suit your needs and your process, it will not work. There are dependencies to take into account. When you design processes, you can’t just take a best practice and put it in. You need to consider situations and who the people are who use it to find something that works best.”
His colleague, Tee Chun Meng, Manager from Ernst & Young Advisory Singapore also made a similar point during his talk on a more business-centric approach to security. “There is always a disconnect between the security requirements and the user requirements. Different business units have different requirements—sales and marketing need to meet people and should have access to social networks, whereas the financial department might not,” he said. “Sometimes, in order for us to try to pigeonhole security into confidentiality, integrity and availability, we miss some of the other functions that might be needed.”
Derrick Ng, Regional Sales Manager of Check Point Software Technologies Singapore, emphasised the need for what Check Point called ‘3D Security’, which explored issues beyond technology, and delved into broader picture of people, policies and enforcement. “Security becomes a collection of different security solutions. But that’s not enough—what we need is for security to become a business process,” he said. “3D security is bringing an alignment between security and business.”
One example Ng brought up was the appearance of pointless error messages, particularly for firewall-blocked sites. “You need to tell the user why he’s not able to visit the site. Is the network down? Is this site a security liability? What we need for every restriction is an explanation and resolution. If you give people something they don’t understand, they will not support it,” he said.
From a management perspective, Anthony Turco, Vice President of Identity and Security at Novell Asia Pacific separated CIOs into two categories, “visionaries” and “operationals”. “An operational CIO takes money out of the system to keep things running. A visionary CIO invests money to make more money,” he said. “And it turns out that manufacturing has the most visionary CIOs, while banking has the most operational ones.”
In a similar vein, the last speaker for the plenary session, Filippo Cassini, Vice President of Systems Engineering, for Fortinet EMEA and APAC also urged the need for management to evolve. “Today, hackers don’t just look at the devices they are fighting against, but take a holistic view of how to enter a system and so we should do the same from the other way,” he said. During the panel discussion, he added that: “Technology is like the car that you buy from us—it doesn’t guarantee you can drive safely straight for 24 hours on highway. The driver needs to know his limits, and the highway has to be safe as well. My point is that everybody has a share in security.”
The other hot topic for the day was the advent of targetted threats, particularly through social networking services. Many of the vendors of the day highlighted that Facebook was a new threat frontier, with criminals often using malicious links and identity theft on social networks as a hole in organisational security.
Eric Lam, Sales Director Enterprise for Symantec Protection Suites at the Symantec APJ Specialist Group in Singapore summed up the problem during the panel discussion: “You wouldn’t walk down Bukit Bintang and show everyone your photos and information but that’s exactly what a lot of people do with Facebook.” One of the solutions he highlighted was Symantec solving the delay in virus definitions with its new reputation-based file ratings, which rates files according to reputation of publisher and use, so that malicious or unusual files would be flagged for scanning, thus making security more efficient.
Lam also cautioned that targeted threats were a dangerous emerging trend over the past two years. “Because they are targeted, they utilise a lot of social engineering…they find out about the companies, and who’s in charge of what roles. It’s actually customised for each company,” he said.
According to Novell’s Turco, one solution was leveraging multiple technologies to establish a consistent and dependable identity. “Right now, the enterprise owns the identity. My work gives me my user account, and passwords. Now, some of those services are moving to the cloud. And I get different identities from my suppliers and customers. Now we all have multiple IDs on Facebook, twitter, MSN and other social identities,” he said. “What is optimal is something like the Malaysian MyKad, which is consistent across platforms.”
On the ubiquity of social networks, Jonathan Andresen, Director, Product Marketing, Blue Coat Systems pointed out that “things you used to do before, like email, search and browsing, can now all be done on one website—social networking,”. He then showed related statistics that the top malware attacks from 2010 all used social networking, with the Zeus worm topping out at more than one million bots at its peak.
Sign up for Computerworld eNewsletters.