October 10, 2014

IT Security: Think Like A Thief – And An Average Joe, Too

By Steve Prentice

IT Security: Think Like A Thief With security threats to information services growing in sophistication, frequency and variety, IT professionals on all sides of the marketplace are realizing an urgent need to reinvent themselves to better anticipate the bewildering variety of attacks that they and their customers face. The problem that they are discovering, is […]

IT Security: Think Like A Thief

With security threats to information services growing in sophistication, frequency and variety, IT professionals on all sides of the marketplace are realizing an urgent need to reinvent themselves to better anticipate the bewildering variety of attacks that they and their customers face. The problem that they are discovering, is that the systems’ maliciousness and weaknesses exist not only in the software and hardware at their fingertips, but in the minds of those that have access to it.

A good example of this can be seen in just one form of attack: SQL injection, in which destructive code finds its way into a database by way of a vulnerable opening. These vulnerable openings might be the “username” or “password” panels on a login form, or the space for a credit card number on an ecommerce form. It would never occur to the average user to insert anything other than the required information into this panel, but for the bad guys, this panel is as tempting as an open window, or a set of misplaced keys. It is the way in to an unprotected treasure.

It is the mindset that is essential here. Good guys don’t think like bad guys. Therefore, IT defense often appears to be playing a game of catch-up with opportunists who may exist anywhere on the planet, yet who can access a server with ease.

A recent Brighttalk.com webcast featuring data collected by the Ponemon Institute pointed out that U.S. companies reported an average of “$12.7 million in losses to cybercrime,” with “the most costly cybercrimes … caused by denial of services, malicious insiders, and malicious code. These threats account for more than 55 percent of all cybercrime costs.”

The rise of the use of mobile technologies and BYOD serve to compound this problem, given the wide variety of apps, platforms and devices in use, but once again, it is very often the users themselves that are the chief offenders. A classic example of network vulnerability in past years was the act of leaving a password on a sticky-note under the keyboard. A modern variant of this is the free and open use of mobile technologies – part of the BYOD culture that is making its way into the Workplace. Users seldom employ the vigilance required to ensure their devices are clean and impermeable as they connect to their employers’ cloud servers.

As CIO Community Manager John Dodge pointed out recently the results of a survey from Centrify Corp. reveals that “only 43% of employees using mobile devices for work are keenly aware of mobile security. That means 57% are not.” The survey points out that “on average, 45 percent of the enterprise employees surveyed have more than six third-party applications installed on their personal device” and “43 percent have accessed sensitive corporate data on their personal device while on an unsecured public network, such as the airport or a coffee shop.”

These findings point out a disturbing reality for IT security specialists: they not only have to think like bad guys, they also have to think like average, innocent good-guys, for whom password and security protocols are tedious, and in the case of younger professionals, unfettered access to Internet technologies is a given.

DDoS attacks, for example highlight how this weak link can be exploited. One documented case, an attack on a group of U.S. banks in January 2013 was carried out by waves of botnet zombies located around the world. The source of the outbreak was determined to be an innocent general-interest website based in the U.K. that had been poisoned by a web design company based in Turkey. The weak link: an administrative password on the U.K. website.

These events, just a couple of the many thousands that happen every day, reveal a requirement for security specialists to maintain a number of different mindsets – to think like a thief, certainly but to also not overlook the most obvious source of IT vulnerability: the average human being.

This post is brought to you by the Enterprise CIO Forum and HP’s Make It Matter.

By Steve Prentice

Steve Prentice

Steve Prentice is a project manager, writer, speaker and expert on productivity in the workplace, specifically the juncture where people and technology intersect. He is a senior writer for CloudTweaks.
Jeff DeVerter

Charting the Course: An Interview with Rackspace’s Jeff DeVerter on AI and Cloud Innovation

Rackspace’s Jeff DeVerter on AI & Cloud Innovation In an insightful conversation with CloudTweaks, Jeff [...]
Read more
Katrina Thompson

Why Zombie APIs are Such an Important Vulnerability

Zombie APIs APIs have a lifecycle, the same as anything else. They are born, they [...]
Read more

AI at the Gate: Navigating the Future of Cybersecurity with SonicWall’s Bobby Cornwell

Navigating the Future of Cybersecurity In the face of the digital age’s advancements, AI’s role [...]
Read more
Steve Prentice

Get Smarter – The Era of Microlearning 

The Era of Microlearning Becoming employable and then staying employable requires ongoing, up to date [...]
Read more

Azure Free Tier vs. AWS Free Tier: Which Provides More Value?

Cloud computing has become a cornerstone for the digital transformation of businesses. From startups to [...]
Read more

5 Azure Cost Management Strategies

What Is Azure Cost Management? Azure cost management refers to the practices and processes that [...]
Read more

SPONSORS

Interviews and Thought Leadership

Srini Kalapala

Driving Growth: Srini Kalapala Discusses Verizon’s Network APIs

Welcome to our interview with Srini Kalapala, Senior VP of Technology and Product Development at Verizon. Today, we explore how Verizon’s network APIs are reshaping global developer landscapes and enhancing [...]
Read more
Dolores

Q&A: Airport Security Trends with Dolores Alemán, Frost & Sullivan Analyst

Airport Security Trends In this CloudTweaks interview, we delve into the evolving landscape of airport security with Dolores Alemán, a seasoned Research Analyst at Frost & Sullivan. Dolores brings a [...]
Read more

Gartner Predicts Solid Growth for Information Security, Reaching $287 Billion by 2027

AI continues to become more weaponized, with nation-state attackers and cybercrime gangs experimenting with LLMs and gen AI-based attack tradecraft. [...]
Read more

Navigating Tomorrow: AI and Big Data as Catalysts for Smarter Governance

The Future of Governance In a world increasingly shaped by big data and artificial intelligence (AI), it’s curious why these [...]
Read more

The Future of Cybersecurity: Insights from Cyber Upgrade’s Founders

AI and Cybersecurity: Innovations and Challenges In the rapidly evolving landscape of technology, where artificial intelligence and cybersecurity shape the [...]
Read more

SPONSOR PARTNER

Explore top-tier education with exclusive savings on online courses from MIT, Oxford, and Harvard through our e-learning sponsor. Elevate your career with world-class knowledge. Start now!
© 2024 CloudTweaks. All rights reserved.