
IT security is one of those aspects of business that has leapt to the fore in recent years, but it’s still a tricky area to get to grips with as organisations’ boundaries become less defined and harder to defend. We hear from Absolute Software’s William Pound, Finjan’s Yuval Ben-Itzhak and MyLaptopGPS’ Dan Yost about the hot issues at the moment and the pitfalls you should avoid.
“Vehemently resist the strong temptation to rely on one single whiz-bang technology, a supposed 'silver bullet'”
-Dan Yost, CTO of MyLaptopGPS
CXO. Protecting information and confidential data is paramount today. What challenges are organisations facing when it comes to security?
William Pound. The biggest challenge that organisations face is actually understanding exactly what they have got to secure. We believe that you can’t secure what you don’t manage and you can’t manage when you don’t know what you have. How many organisations know what company information is saved and where, but they have absolutely no visibility of where their physical assets are located? In today’s mobile world, those assets contain more data and are often outside of normal ‘in- security eco-systems’.
Yuval Ben-Itzhak. Many organisations are still relying on signature-based security solutions, such as anti-virus and URL filtering, to protect their information and confidential data. However, traditional security solutions are signature and reputation-based; designed to protect against known threats that are static by nature. Traditional approaches of identifying threats and issuing patches to protect networks leave a substantial window of vulnerability for data to be stolen. To heighten their infection ratio and minimize their detection risk, cybercriminals turned to dynamic malicious code for their attacks, thus avoiding detection by AV or URL-filtering solutions. Cybercriminals embed their malicious obfuscated code not only on web pages in legitimate websites, but also in rich-content files such as PDF and Flash. These techniques set a new challenge for security solutions and organisations to detect and block dynamic malicious code in time; before the malware enters the corporate network. Real-time code inspection technologies were introduced to combat such new dynamic attacks.
Dan Yost. The challenges are many and significant, the toughest being rapidly diversifying data-bearing assets (laptops, smart phones, etc.), multiplication of attack vectors, ‘data sprawl,’ and user non-compliance. There are so many endpoint devices now, it is significantly more challenging for organisations even to identify them all, let alone place solid controls over them in a timely fashion. Meanwhile, the criminals get craftier, and have more windows of opportunity. At the same time, the exploding volume of confidential data creates a tsunami of risk – all of that data must be kept secure, and the bigger the ocean, the harder it can be to contain every drop. Worst of all, users resist necessary security policies. Our own teammates circumvent the policies built to protect them, usually because the security technologies employed are intrusive and inconvenient.
CXO. How has technology evolved in the past few years to ensure information and systems are secure and keep the criminals at bay?
WP. Technology has grown in leaps and bounds over the last few years. Solutions like firewalls, encryption and anti-virus continue to provide added layers of security. We believe that Absolute Software’s embedded solution provides the ultimate layer of end-point security by enabling ongoing control of the device. However, security technology is only part of making sure information is secure. The other part is to make sure that employees know, understand and comply with their company’s security policy. This is especially true with mobility when the assets and the data they contain are often outside of the office domain.
YB. The evolution of security technologies started with the detection of known viruses and providing signatures. URL filtering provides protection against known malicious websites. Both security technologies are reactive. This leaves a window of opportunity for cybercriminals consisting of the time that a threat is identified and the time that a patch is available from the security vendor. Traditional security solutions were therefore not designed to protect against crimeware and Web 2.0 attacks using obfuscated dynamic malicious code. The security industry reacted with security products that offer proactive ‘zero day’ malware detection techniques by filtering malware from all aspects of inbound and outbound Web traffic. Such security products include real-time content inspection that provides zero-day protection against cybercrime and Web 2.0 attacks. It detects and blocks malicious inbound and outbound content based on the code’s intended criminal action, and doesn’t rely on signatures, URLs or reputation attributes.
DY. Security technology solutions tend to be fairly reactive, responding to the latest attacks. When you want the cookies in the jar, usually you simply figure out a way to defeat the existing jar. The cookie vendor responds by building a thicker jar or a better lid, or decides that jars are indefensible and switches to boxes, and the cycle continues. Technology has evolved similarly. Encryption, tracking, deterrence, perimeter defence, biometric measures, and other methods have grown in their reach and stability, but a key factor has always remained a challenge: users. Sometimes the keeper of the cookie jar leaves it open, due to laziness, negligence or rebellion. The best overall progress has been made by skilfully layering disparate but complementary technologies, abandoning reliance on one supposed ‘silver bullet’, and doing so in a fashion that relies as little as possible on user cooperation. It’s very effective.
CXO. As workforces become more mobile and devices get smaller and more sophisticated how can companies best protect defences?
WP. Mobile devices, including phones, PDAs and laptops can be protected both physically and technologically. Asset management is a crucial foundation to any security structure. The challenge is to use that knowledge to maintain as much control as possible over those devices that, due to their simplicity, are often considered relatively harmless. Organisations need to take real responsibility for the data on their mobile devices, as their use becomes more common and the consequences of a breach are far wider than to just the organisation itself. To take responsibility there needs to be policy and traceability. Asset management is key to knowing who has a device and, if necessary, where it is. We believe this is particularly important if a device is lost. Not only can technology be used to trace the device and allow it to be recovered, but sensitive data files can be deleted, preventing it from being used maliciously.
YB. Data is one of the most valuable assets of today’s enterprises and includes critical business data, intellectual property and private information that are spread throughout the organisation on servers and desktops. Once data is transmitted, it is at a high risk of being misused or abused. Employees also use USB ports and CD writers to copy information, and use laptops and VPNs for working outside of the office, which makes outbound data vulnerable. The optimal way to stop leakage of different types of outbound content is real-time content inspection. This technology is able to stop leakage of different types of outbound content. Even when a file extension is manually changed to mislead and bypass file type filters, real-time content inspection will block these files based on their exact file type. Granular rules can also be applied per user and per group for tighter protection of certain employees or user groups.
DY. Vehemently resist the strong temptation to rely on one single whiz-bang technology, a supposed ‘silver bullet’. The day after a company pats itself on the back for a ‘silver bullet’ deployment, criminals just laugh as they discover how to duck. Devices will get smaller, more sophisticated, and more diverse – multiplying attack vectors. Companies must constantly re-examine their methods, always looking for more security layers to add, as unobtrusively as possible. It’s a never-ending job, and this must be expected. Companies who believe they can finally solve this problem and move on, not remaining proactive, are being dangerously foolish. And yet, that is what many companies do. By layering a large array of complementary defensive technologies and wisely remaining vigilant, companies can truly win – and we’ve seen it.
CXO. A breach in security or loss of confidential data can be catastrophic – not only the potential financial loss but also the knock-on effect of damage to reputations and the brand. What advice would you offer for a quick recovery and for ensuring lessons are learned?
WP. Organisations need to have a clear process to follow if an incident occurs. But also, we cannot legislate for human error, and a lot of data breaches and data loss cases are down to policies not being followed or, as an example, employees leaving their laptop in the back of a taxi. In this situation, it is important for an organisation to act responsibly and take every possible measure to minimise the impact. If tracking software is installed and activated on mobile devices, it means that as soon as the loss is reported, sensitive data can be deleted – or even retrieved – from the lost device. Not only that, but it can be traced and then recovered by the local police. It means that there is real damage limitation, rather than not knowing until it is too late whether the sensitive data has fallen into the wrong hands.
YB. Successful data breaches can result in: loss of existing customers; difficulties in acquiring new ones; loss of intellectual property; loss of R&D data, product designs, road maps; brand name and corporate image damage; negative impact on competitive position; loss of market share; potential lawsuits; non-compliance with rules and regulations; loss of productivity due to downtime, investigations, and damage control. The average cost per data breach incident was estimated in 2007 at US$6.3 million; the cost of lost business per incident at US$4.1 million. In most reported cases, breached companies relied on traditional security solutions for protection. To regain their reputation, organisations are advised to inform their customers and stakeholders that they are implementing a comprehensive multi-layered security solution, such as real-time content inspection. This way, they can guarantee that each and every piece of inbound and outbound web content is analysed and blocked based on its intention, and not on its origin or form.
DY. Notify quickly, and be ‘pre-diligent’. The most common and intense criticism of the many breaching organisations, bar none, is failure to quickly notify the victims. People have remarkably extreme expectations about how fast notification should occur – reasonable or not. By very quickly and thoroughly rectifying a problem, a company can forge extremely loyal customers – even more loyal than if a problem had never occurred. This will never mean that a breach won’t still cause some customer bleed, but a slow response is a back-breaker. The second most damaging post-breach factor is actually a lack of diligence pre-breach. Never have to announce that a breach occurred and no serious steps had been taken beforehand to secure the data. Thousands of companies have suffered both mistakes.
CXO. How are your products and services helping your clients today?
WP. Absolute Software’s flagship product in EMEA is ComputraceOne, an asset management, tracking, data protection and recovery solution for mobile devices. We have partnered with the world’s largest manufacturers of laptops and other mobile devices to help some of the world’s most data critical businesses avoid becoming the next data loss headline.
We have over 3.4 million subscribers globally and our software has helped to track and recover literally thousands of mobile devices across the globe. We have deleted tens of thousands of files remotely after a theft or loss, broken up major crime rings and internal thefts. ComputraceOne is a proven solution that gives companies real peace of mind that if they suffer a breach, they can very quickly close the door on any potential malicious use of the data.
YB. Utilising patented active real-time content inspection technology, Finjan's award-winning appliances prevent Crimeware and other malicious web content from infiltrating corporate networks and stealing business data. Finjan’s secure web gateway solution analyses each and every piece of web content in real-time, regardless of its original source, and understands its potential effects before it executes itself on the end user machine. By understanding the true intent of web content, Finjan’s active real-time content inspection technology detects and prevents crimeware despite the propagation techniques and anti-forensics methods in use. This prevents any malicious web content from entering the corporate network, thus protecting enterprises from crimeware that may result in severe business damage. Finjan’s offerings also include advanced applications, such as: policy management; integrated caching and security; enhanced auditing and reporting tools; and integrated data leakage prevention (DLP). Multiple protocols, ports and applications are also supported, including IM, P2P, Flash and streaming video.
DY. We practise what we preach, and that means layering. Our special six-layered approach never relies on a supposed ‘silver bullet’ and it has yielded the best theft rate in the business: 0.4%, 32 times better than the average. We help our clients analyse their current security practices, how our features will integrate with them, and what the resulting strengths will be. We examine how other layers they may already be using can be bolstered or enhanced. Our clients have widely varying goals, and we are helping clients by applying extremely effective features and knowledge to meet their particular goals, not by offering a canned solution based on our own goals.
William Pound is the VP of Global Corporate Development at Absolute Software. He has 25 years of experience facilitating international business for developing strategies to move new products into foreign markets. As a Canadian Trade Commissioner for 18 years, Pound supported the business development for hundreds of companies in Europe, Latin America and the Middle East.
As CTO of Finjan, Yuval Ben-Itzhak has over 15 years of high-level management experience. He was the founder and CTO of KaVaDo Inc., CTO at Ness Technologies and senior project manager at Intel Corp. Ben-Itzhak was selected as InfoWorld's ‘Top 25 Most Influential CTOs of 2004’ and Computerworld’s ‘40 Innovative IT People To Watch, Under the Age of 40’ for 2007.
CTO Dan Yost joined MyLaptopGPS in 1999, specialising in system automation, network security and application development, including a satellite-based GPS telemetry concept system for the USDA. Yost addresses various business groups and associations on mobile data security and privacy protection.