Enterprise security is about more than products
As the cyber security industry continues to spin out a multitude of products and services to the channel, security watchers were given a sober assessment last week of what really needs to be done to fully secure corporate networks.
At the NetEvents Global Press & Analyst Summit in San Jose, also attended by leading IT suppliers and security vendors, senior US enforcement officials spelt out that spending more and more on expensive security products wasn't the only thing they could do to protect themselves.
Ronald Layton, deputy assistant director of the US Secret Service, told delegates that it was never easier to spread malware across the internet: “Cut & Paste, if you can do that you are 80% of the way there in launching an attack – you do not even have to code in many cases. The tool-sets you see today [to easily spread malware] would have been highly classified 20 years ago - they are very advanced now.”
Michael Levin, former deputy director of the US Department of Homeland Security, said: “70% to 80% of hacks are down to human error, they are preventable. But companies simply aren't doing the basics to protect themselves.”
For instance, Levin said encryption must be used more widely. He said: “Sending unencrypted emails are like sending a postcard, and you wouldn't put your social security number on the back of a postcard.”
The Secret Service's Layton said education was key to helping prevent attacks, not blowing all the resources available on security products. He said: “Curiosity is the new caffeine, it's the new drug that makes us want to read every message and click every link. That's why experts are looking at how human behaviour is affecting the spread of malware.
“When addressing cyber hygiene, if I'm a company with $10, all of that $10 is going to go on education [not security technology].”
And even though the capabilities of security products and services were advancing, with artificial intelligence, for instance, being used to spot attacks in advance of them attacking networks, Layton said the battle was effectively being lost. He said: “As security competency goes up, actual security goes down.” He explained that as security products became more powerful and all-encompassing, there were millions of lines of more code involved, which was a weak link: “There is bound to be a vulnerability in there somewhere,” he said.
One only has to think about the recent CCleaner attack, which affected Avast's PC clean-up and security tool, to know what Layton means about weak product code. As weak and breached code was used to spread the CCleaner attack to end users, those same users who were going the extra yard to protect their machines!