(ISC)2 Conference warns of new crimeware targets

ISC Squared: 03 August, 2009 (Technical Article)
Low-priority vulnerabilities identified as the next target of cyber criminals looking for easy routes into vulnerable systems
Security Managers were warned to recognise the economics that are shaping the threat landscape at the (ISC)2 SecureLondon Conference last week. Speakers, including several security executives within the financial sector, pointed out that the organised criminal elements that are behind most attacks are developing sophisticated business models that often target traditionally low priority areas for the security manager.

In his keynote address, James Rendell, Senior Technology Specialist at IBM Internet Security, advised the 140 security professionals attending the event that "We are in the middle of a stampede to 'webify' things. There is not necessarily a good reason to do this in every case; there is just a general desire to do so."

Noting that SQL injection attacks increased by 30x at the end of 2008 (as tracked by IBM X-Force security labs), he suggested that criminals favour them because the targets are easy to identify, the attacks are easy to carry out and they deliver a high payoff: attackers don't need to know the underlying operating system or even the database, because they exploit the Web front ends that companies are putting in front of all of their applications. Rendell pointed out that 54.9% of all vulnerabilities are in Web applications and that over half of unpatched vendor vulnerabilities are in Web applications, with 74% of Web application vulnerabilities disclosed in 2008 not having a patch available at the end of the year.
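Rendell's point that SQL injection works against the Web front end regardless of the database behind it is easiest to see in the query itself. The following is an added example, not code from the article or from IBM X-Force: a constructed in-memory SQLite table, a login lookup that builds its query by string formatting (the weak pattern), and the same lookup using a parameterised query. The function names and sample accounts are hypothetical. The parameterised version is the fix that applies equally to any SQL backend, since the driver, not the application, separates the query text from the user-supplied values.

```python
import sqlite3

# Constructed sample data: three hypothetical accounts, not real credentials.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
    ("carol", "letmein"),
]


def make_db():
    """Build an in-memory users table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """The weak pattern: user input is spliced directly into the SQL text.

    Whatever the caller types becomes part of the query grammar, so a value
    containing a quote changes the WHERE clause instead of being compared
    as a literal. Returns the list of matching account names.
    """
    query = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_parameterised(conn, name, password):
    """The hardened form: placeholders with values bound separately.

    The query text is fixed; the driver passes name and password to the
    engine as data, so quote characters in them are compared, not parsed.
    Returns the list of matching account names.
    """
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (name, password)))


def compare_behaviour(user_input):
    """Run one input through both lookups and return (vulnerable, hardened) results."""
    conn = make_db()
    return (
        login_vulnerable(conn, user_input, user_input),
        login_parameterised(conn, user_input, user_input),
    )


if __name__ == "__main__":
    # Constructed input containing a quote character, as a data-handling test.
    print(compare_behaviour("x' OR '1'='1"))
```

The difference shows up without any knowledge of the server's operating system or of which database is installed: the vulnerable lookup returns every account for an input that contains a single quote, while the parameterised lookup returns nothing, because no account is literally named `x' OR '1'='1`. Reviewing code for string-built queries (f-strings, `%` formatting, `+` concatenation feeding `execute`) is the cheapest check a security manager can add to a release process.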

He also said that IBM research shows criminals are increasingly targeting client systems, particularly browsers, because they have not been the priority for patching. This is despite the fact that PC vulnerabilities have been decreasing.

Marcus Alldrick, CISO for Lloyd's of London, said that criminals have realised that attention is paid to the most critical security patches: "We are seeing multiple medium vulnerabilities being attacked. 95% of attacks are on the client side as companies are patching well on the server side." He warned the audience that attackers have business models that include developing "a greater understanding of your vulnerabilities," while many companies don't realise the risks they are taking with new IT implementations, and struggle to maintain asset inventories. "We need to patch more effectively," he said, also pointing out that only 65% of organisations in the financial services sector conduct vulnerability scans at least annually.

Dr Serdar Cabuk, security specialist at Visa Europe, suggested that some tactical additions to the software development lifecycle should be considered, acknowledging that current economic pressures are likely to be a barrier to strategic changes in current practice. "The reality is you will have an SDLC (software development lifecycle) in place, but you won't have a secure SDLC. At the moment, economic and other pressures are preventing strategic long term changes, but short-term tactical measures that can provide an interim fix," he said.

Jason Creasey, Head of Strategic Projects with the Information Security Forum (ISF), pointed out that a key concern for a company's defences will be surviving budget reductions. "Spending on information security will be reduced, which will introduce weaknesses. What is worrying is that this will particularly affect spending on tomorrow's security," he said, revealing that 63% of ISF members expected their budgets to decrease in 2009. The cutbacks are coming at a time when both criminal attacks and business models are changing. Predicting that the sophistication of organised attacks will increase, he said: "We can expect crimeware as a service.... We need to look beyond historical data, change our thinking about threats, and develop and research responses to a range of events."

The event also featured a case study of an award-winning user awareness campaign featuring four short films developed under the direction of Mark Lodgson, Deputy Head of Information Risk Management at Barclays, and a panel discussion on whether companies are achieving the right balance between people, process and technology. The panellists and audience discussion reflected agreement that there is too much focus on technology and that technology is the easy part of the equation. Information security managers today will be able to make a bigger impact by focusing on the people and getting the process right.

"It is clear that many of the issues have little to do with the technology," said Lodgson. "We have to think about how we look at the whole end-user environment, which covers all the systems and non-systems issues... turn the mindset around to consider how can organisations really take people seriously, get them involved."

A survey completed by 43 of the 140 attendees suggested that budget allocations don't match the desired balance expressed in the discussion. Sixty-eight percent suggested that people were the most important factor for a successful security strategy, while more than half (54%) said that 25% or less of their budget was focused on people. When asked what was currently the biggest focus for the security team, the most popular response was compliance, followed by offshoring/outsourcing, eroding boundaries and criminal attacks.

"This is interesting, as we all know, being compliant doesn't necessarily mean being secure," commented John Colley, CISSP, Managing Director, EMEA, (ISC)2, who moderated the panel.

© 2012 ProSecurityZone.com