BreachExchange mailing list archives

Security industry in 'rut, ' struggling to keep up with cybercriminals


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 3 Oct 2013 00:57:32 -0600

http://www.networkworld.com/news/2013/093013-security-industry-in-rut-struggling-274315.html


Dramatic changes are needed in multiple fronts if the security industry
hopes to move ahead of cybercriminals, who are continuously finding new
ways to breach corporate systems, experts say.

Some technology pros say the industry needs to develop new technologies and
architectures that send hackers back to the drawing boards.

"I think we're in a security rut right now," Ed Amoroso, chief security
officer for AT&T, said, ThreatPost reports. Amoroso made the remarks this
week during a panel discussion at the Billington Cybersecurity Summit.

While other experts agree hackers are winning, they are hesitant to blame
it on a lack of new technology.

"The call for more innovation is only focusing on the technology aspect,"
Murray Jennex, a professor of computer science at San Diego State
University, told CSOonline. "I agree we need more innovation, but that
innovation by itself will not give us better security."

Also needed is more effective sharing of attack data between security
professionals working for vendors and those working for corporations.

"My research has found it takes much less knowledge to use existing
technologies to attack than to defend," Jennex said. "Security
professionals need more knowledge to do their job than attackers do."

However, the attackers are the ones who are faster at sharing exploits for
the latest products, Jennex said.

On the white hat side, security professionals get paid for how they defend,
not what they share, and companies view knowledge as a competitive
advantage. In addition, companies fear being sued by customers or partners,
if the data shared relates to them.

Also giving hackers a leg up is manufacturers' failure to make security a
priority in the design process. This is particularly true with industrial
control systems (ICS).

"If we can build in immunity from attack, then we don't have to defend
against it," said Eric Cosman, a member of the ICS Joint Working Group at
the International Society of Automation.

The blame for not having more products secure by design lies as much with
the buyer as the manufacturer, said Paul Rivers, Manager of System and
Network Security at the University of California, Berkeley.

This is particularly true with mobile devices. Security is not a high
priority with consumers, so manufacturers turn their attention to more
desirable features, such as ease of use, music, video and voice recognition.

"Until that changes, I don't think you're going to see some new Silicon
Valley startup with the first feature on their feature list being security
related," Rivers said.

Marc Hoit, vice chancellor for information technology at North Carolina
State University, said ignorance on the part of technology users also
contributes to the number of security breaches, which makes it seem that
defensive technology isn't working.

"Most of the infections come from poor user behavior and unpatched
systems," Hoit said.

People are too quick to click on attachments and companies have a lot of
difficulty keeping software up-to-date, which leaves known vulnerabilities
unpatched, experts say.

On the research side, Hoit said a lot of work is being done at NCSU and
other universities in spotting abnormalities in a network through better
algorithms for analyzing massive amounts of data from hardware, software
and network traffic.

Internet2, a nonprofit research organization comprised of more than 450
universities, businesses and government agencies, is conducting a lot of
security research, Hoit said. However, researchers often have difficulty
getting access to the Internet traffic needed for their work.

"It's a privacy and security issue," Hoit said. "I don't know any open
network providers that will give you their traffic flow."

So while the industry struggles with multiple issues, hackers operate in a
simpler world where the only focus is on breaking into systems.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss