Why We Still Can't Fix The Big Issues In Security

The biggest security concerns for Australian companies turn out to be virtualisation, mobile devices and social networking. The bad news? There's no totally effective way of securing any of them, and we're still making elementary mistakes in the security strategies we do adopt.

Picture by Duncan Harris

I attended a security roundtable with a bunch of security vendors in Sydney yesterday, discussing broad trends in the business security space. Frost & Sullivan research director Arun Chandrasekaran said that virtualisation (including cloud), mobile device strategies and how to deal with social networking accounted for 80 per cent of the queries he received from clients relating to security topics. All present significant security challenges, but one evident disturbing trend is that we're often getting the basics wrong. There's not much point stressing about newly-emerging threats if you're not taking steps to deal with security problems that we have known about for a decade.

That's evidently what's happening with virtualisation. Australia has one of the highest uptakes of server virtualisation in the world, but because many virtualised servers were originally used for test and development rather than production systems, security has often been something of an afterthought. That approach can have dangerous consequences. "If we get the virtualisation foundations wrong from a security aspect, then something's going to break down the track and when it breaks it's going to be big," said John Reeman, founder and CTO for VMinformer.

Reeman also made the equally important but often overlooked point that human error — something that it's hard to automate against — is still a major factor. "90 per cent of the common attacks that occur boil down to human failure," he said. But that, of course, makes it even more important to follow the dull-but-essential security basics: keep systems patched, analyse incidents, and set clear policies. "Organisations who choose to be complacent will undoubtedly have a failure."

One major challenge for security when exploring social networking is that the underlying code isn't available for inspection, and changes extremely frequently, but people continue to provide information to them. "Social networks create a culture of trust," said Scott Robertson, VP Asia Pacific channels and alliances for WatchGuard. That same criticism can be levelled at almost any cloud-based app, but the widespread use of social networking tools arguably makes them a more urgent issue.

Two factors mean that security will never be perfect. One is the human element: even with well-developed security procedures, people are hard to protect against. "Hacking can start with a phone call saying 'It's Adam from IT and we're going to be working on your system so we need your username and password', and a lot of people will still fall for that," said Adam Bradley, ANZ managing director for Websense.

The other, regrettably, is that we still continue to neglect the basics. As Bradley points out: "We can't offer stability and security for people who don't patch." IT work often involves repetitious tasks, but it seems in this case too many of us aren't trying. How well does your organisation deal with security? Tell us in the comments.

Evolve is a weekly column at Lifehacker looking at trends and technologies IT workers need to know about to stay employed and improve their careers.


Comments

    Thats easy ... "no comment"

    It can be a Catch-22 situation.

    Sure, there's the continual need to apply patches to have protection for the latest threat but how often can that itself cause other issues?

    If it ain't broke don't fix it? If you're rebooting anyhow apply the latest patches? If it is broken do you want to apply an untested "fix" to a system that may not accept it properly?

    Damned if I have a fool-proof answer.

      Lately I've been using the theory that if you keep all your systems as generic as possible, you reduce the chance of patches breaking things.

      Over time, systems tend to get more unique and quirky - settings changed, scripts added, etc. The further you are from the norm, the greater the chance an update will break something you use regularly, and the more testing you have to do before you can patch. A fresh install every few years doesn't magically fix everything, but it does improve your odds.

    People still believe they can come up with complete solutions that circumvent all human agencies. Look through some of the tech forums at sysadmins trying to stop people from being able to make copies of text from any documents they've read online.

    I made the point to some of them 10 years ago that all you need is a cheap digital camera to take "real world" screen shots. Now you've got the advantage of phones with OCR apps built straight into them.

    Also, regardless of how well you think you secured your computer, let's not forget how often the back door is left open. Computer "apps" (Adobe, Real Player) that people use daily are security nightmares. The holocaust that will hit mobile devices in the future will be mind blowing.

    http://www.eweekeurope.co.uk/news/most-web-apps-fail-security-audit-prior-to-deployment-27285

Join the discussion!

Trending Stories Right Now