Websense A/NZ managing director, Adam Bradley
Workers bringing their own device to work isn't an issue - getting the right security policies to deal with them doing so is, according to analyst Frost & Sullivan Asia-Pacific ICT practice research director, Arun Chandrasekaran.
He was speaking at State of IT Security 2011 forum in Sydney where key security issues impacting Australian organisations and the channel, as well as the new generation of security challenges in the years ahead, were the fcous.
Leading security vendors Websense, WatchGuard and VMinformer were also represented at the forum.
Chandrasekaran highlighted key security themes impacting Australian business from an analyst’s perspective.
With Australia now one of the most virtualised nations in the world, the analyst said the challenge was in establishing how to secure IT foundations and infrastructure that are located behind firewalls.
Identifying who has access to sensitive information and whether safeguards such as encryption are in place is important, as well as educating employees about security risks.
With more companies adopting a “BYO device” approach, Chandrasekaran said “devices are not the issue, security policies and how they are defined for enforcement are".
VMinformer founder and chief technology officer, John Reeman, echoed Chandrasekaran’s point that virtualisation can now be found everywhere, so companies should now focus on securing virtualisation and the cloud.
“If the foundation is wrong from a security perspective, something’s going to break in the future,” Reeman said.
One area of concern for Reeman is that some privileged users on a network have access to sensitive data, so something should be done to prevent them from having that level of access in the first place.
“We don’t know what privileged users are doing, so giving them the keys to the kingdom could be dangerous,” he said.
Social networks are becoming an increasing concern for businesses from a security perspective, according to Watchguard Asia-Pacific channels and alliances vice-president, Scott Robertson.
“Social networks are not only popular, but they instil a certain level of trust in users,” he said.
The trust issue is contentious for Robertson, as it is often difficult to know who the real person is behind the profile and whether the posts and links they are sharing are not malware.
Another problem is that people are able to upload applications to social networks, but it is hard to know who is validating that code.
If businesses are allowing their staff access to social networks such as Facebook, Robertson recommends that they set acceptable business policies that cover numerous groups within the company.
“So while a company wants to allow their corporate Facebook page to be accessed and updated, they will want to ensure that Facebook games such as FarmVille can’t be played by employees,” he said.
Websense A/NZ managing director, Adam Bradley,said hackers now targeted companies or organisations and their vulnerabilities not for fame as in the past, but more for financial and politically motivated goals.
While attacks in the past might have been simple in nature, hackers are now actively going after the identities of key stakeholders and sending phishing emails to hijack their personal data, with some malicious code even coming in encrypted forms.
“The challenge now is to know what information you want to protect and recognising that you can’t do it behind walls and guards anymore,” Bradley said.
He added that sophistication of attacks had grown recently, whether they were massive coordinated attacks or do-it-yourself hacks by individuals, and there was a need for a bi-direction approach to security.
“Too many people are concerned about what data is coming in the network without considering what data may be going out,” Bradley said.
With statistics saying that users are typically only two clicks away from malware, the key is to understand what data you have and who has access to it.
Other key points that businesses should consider is what the security risks are, look into developing a separate security protocol for executives, investigate outbound traffic as well as inbound, and regularly check apps for vulnerabilities.
“The more valuable the information is to you, the bigger the risk,” Bradley saidd.
