Cyber Vigilantes' Guerilla Tactics
Toby Weir-Jones, British Telecom's vice president of product strategy for managed security solutions, can tick off the problems inherent in trying to protect corporate data. "The notion of a single front door is gone," Weir-Jones says. "You've got wide-area networks, multiprotocol label switching, virtual private networks, extranets with partner connections, super-important customers who get to come into a different piece of the infrastructure. There's not really a single ingress point anymore. You also have to assume that malware will be present on your network. You don't try to guarantee that it won't get in."
Instead of trying to build a digital Chinese wall around a company, security experts are figuring out where the valuable data or intellectual property is stored, then building rings of access around that data in a manner that resembles the Pentagon. The inner ring is the most secure, while everyone can still do work with limited access in the outer rings. The more people with access to the system and the more things going on, the more intricately you need to set up those rings. All data is encrypted, and access to the most valued secrets may be on a one-time basis with a password that works for one hour--and it may require three sign-offs from top executives to make it happen.
"The new way is to secure as close to your crown jewels as possible," says Richard Isenberg, director of security at CheckFree. "You build outward from that. There's a lot more focus on internal security, too. Suppose someone is onsite and has bad intentions. The fear among financial companies is mass export of data. One database could contain millions of social security numbers matched with names and addresses, which could lead to a theft of millions of dollars."
Banks have been particularly forward-thinking when it comes to security. When you log in to an online account, the bank uses a pattern-recognition database to determine what Internet Protocol address the person is using, what operating system the computer runs and what the resolution of that computer's monitor is--and it compares that information to the account's past history.
"If consumer A normally pays six bills from this part of the United States at this time of the month and we suddenly get someone logging in from Czechoslovakia on a different operating system from a different provider, that's going to generate a programmatic second call," says Isenberg. A customer trying to log on to an account may then receive an SMS (short-message service) message on his cellphone containing a four-digit code that he must enter to proceed. That way, a cyberthief who has only the password won't receive the message or be granted access to the account.
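The login check described above, as an added illustration that is not CheckFree's or any bank's code: a customer's past logins are tallied into a profile, a new login is scored by how many of its attributes (country derived from the IP address, operating system, provider, screen resolution) the customer has never used before, and a score over a threshold triggers the out-of-band SMS code. The attribute weights, threshold, and sample history are assumptions constructed for the example.

```python
import hmac
import secrets
from collections import Counter
from dataclasses import dataclass

# Hypothetical login context: the attributes the article says banks compare
# against a customer's history (IP-derived location, OS, provider, resolution).
@dataclass(frozen=True)
class LoginContext:
    country: str
    os: str
    provider: str
    resolution: str

FIELDS = ("country", "os", "provider", "resolution")
# Assumed weights: an unfamiliar location or provider counts more than a new resolution.
WEIGHTS = {"country": 3, "provider": 2, "os": 2, "resolution": 1}
STEP_UP_THRESHOLD = 3

def build_profile(history):
    """Tally each attribute value seen in the customer's past logins."""
    return {f: Counter(getattr(ctx, f) for ctx in history) for f in FIELDS}

def risk_score(profile, ctx):
    """Add the weight of every attribute this customer has never logged in with."""
    unseen = [f for f in FIELDS if profile[f][getattr(ctx, f)] == 0]
    return sum(WEIGHTS[f] for f in unseen), unseen

def decide(profile, ctx):
    """'allow' for a familiar login; 'step_up_sms' once the score crosses the threshold."""
    score, unseen = risk_score(profile, ctx)
    return ("step_up_sms" if score >= STEP_UP_THRESHOLD else "allow"), score, unseen

def issue_sms_code():
    """Four-digit one-time code sent out of band (the article's 'programmatic second call')."""
    return f"{secrets.randbelow(10_000):04d}"

def verify_sms_code(expected, submitted):
    """Constant-time comparison so the check does not leak digits through timing."""
    return hmac.compare_digest(expected, submitted)

# Constructed history: six bill-paying sessions from the same region and device.
HISTORY = [LoginContext("US", "Windows", "isp-a", "1920x1080") for _ in range(6)]
PROFILE = build_profile(HISTORY)

if __name__ == "__main__":
    usual = LoginContext("US", "Windows", "isp-a", "1920x1080")
    odd = LoginContext("CZ", "Linux", "isp-b", "1920x1080")
    print(decide(PROFILE, usual))  # ('allow', 0, [])
    print(decide(PROFILE, odd))    # ('step_up_sms', 7, ['country', 'os', 'provider'])
```

The scoring only flags values never seen before; a production system would also weigh recency and geographic distance, which the article's example of a foreign login on a new provider hints at.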
"We're at the point where we're going beyond the question of where you were born. It now may be: 'What is the fourth digit of the middle name of your great-grandmother?' " Isenberg says.
Authenticating is the first step for doing business online. Determining intent is the second. After that, privacy issues begin muddying what can be done. Robert Jamison, undersecretary of protection and programs in the U.S. Department of Homeland Security, says his department has been trying to work with corporations to trade information about security threats and how best to stop them.
Cooperation with the private sector is rife with suspicion, however. "How do we break down the barriers to private-sector companies providing us with information about their threats, their intrusions and how their networks have been impacted?" Jamison says. And to complicate matters, there are a host of agreements between various companies about what they can and cannot share.
"We're getting good cooperation, but it could always be better," Jamison says. "But we have barriers on our side, as well. How can we share sensitive information about threats the federal government has? We're reluctant to give that out, for obvious reasons."
So far, no one is suggesting more regulation of online commerce. But the regulations being put in place for the credit card industry are one model: Industry experts say those represent both the minimum security standards needed to limit lawsuits when there is a breach and the minimum companies have to spend on their security infrastructure.
Solving these problems isn't cheap--and one solution hardly fits all. "First, you have to start with an assessment of where the vulnerabilities are," says Art Coviello, president of RSA. "Then, you need to do your best to figure out the probability that the vulnerability will be exploited. Very often what people end up with is low, medium or high. Then you construct your risk equation accordingly."
From there, companies have to figure out just how much it will cost if something goes wrong. Coviello says if an organization is extremely vulnerable but there's low probability someone will break into the system because there isn't much value, it doesn't make sense to spend a lot of money.
"If there are just a few vulnerabilities, but the probability is high and the materiality is high, that's where you want to apply the bulk of your effort," he says.
"Conventional security practitioners are more interested in saying, 'You can't do this or that,' and they're actually stifling initiative and innovation," Coviello says. "The security practitioner shouldn't be saying 'No.' They should be saying 'Yes, but here's how.' And that should be done in the context of risk."