Cyber criminals will go after the easiest targets, the path of least resistance, to maximise their financial gain. For example, because the U.S. has not yet widely adopted a chip and PIN credit card system, as well as debit cards, there is still an active skimming market compared to northern Europe and Asia.
The same can be applied to Internet banking attacks. Those countries with less complex Internet banking applications, and less experience at detecting the sophisticated attacks, get hit harder than those that have more experience. If you take the botnet issue, countries with high numbers of well-connected computers, but less awareness of how to protect citizens and organisations alike against malware — like South Korea — have been targeted in the past.
If traditional reactive security controls, such as AV scanning and reputation and URL filtering, are now inadequate, what do enterprises need to do to implement a proactive approach?
Enterprise organisations need to make network-security technology decisions based on the strength of the product — not the strength of the brand. There are well-known security vendors that are still selling solutions using technology that is out of date or not adequate to protect against the current or latest malware threats.
Let’s take the example of Web gateways. Many security vendors maintain that URL/reputational filtering is an effective means of gateway protection, but actually this is not the case. Today, 84 percent of all infected websites are legitimate ones that have a good reputation and categorisation, enabling typical users to access them. In this case URL/reputation filtering is rendered completely ineffective.
Security-conscious enterprises need to look for technology that doesn't rely on heuristics and signature-based engines to provide protection. They also need to be sure to challenge their security vendors to prove that their technology actually does protect against the new wave of cyber threats. Testing solutions head to head is recommended, but running a malware audit on your internal network can also highlight just how big the malware gap is.
What new threats does cloud computing present? Can cloud security issues be overcome or will there always be risks?
Organisations will continue to consider cloud computing as a compelling information-distribution business strategy. However, what they need to understand and know is whether the security policies of the cloud provider can match the organisation’s security policies. They will often find that there is a large gap.
Furthermore, cloud providers are becoming an attractive target for cyber criminals because they store a vast amount of data and information. There are a number of key points that organisations should consider when reviewing cloud computing options:
- Where is your data being stored? For example, if you are a business headquartered in the US using a US-based cloud provider but the data is stored, for example, in China, then the question of which regulatory authority applies to your data may become complicated if there is a dispute. If a cloud provider files for bankruptcy, a court might consider data stored with the provider as an asset of the provider and not an asset of the user organisation. Currently, it is not clear whether legislation in the jurisdiction of the user organisation's location, the provider’s location or the data’s location will govern the protection of the data stored in the cloud.
- Who controls and protects your data? There is no physical control over data and information in the cloud. In addition, while the client has no control over the data managed by the cloud provider, cloud service level agreement contracts often stipulate that data protection is the responsibility of the end user organisation. A case in point is Google. The company provides security and privacy assurances to its Google Docs users, unless the users publish them online or invite collaborators. However, Google service level agreements explicitly make it clear that the company provides no warranty or bears no liability in case of Google’s negligence to protect the privacy and security of its user.
- Compliance and legal framework. The cloud-related legal system and enforcement mechanisms are evolving more slowly compared to the development of the cloud technology. Compliance frameworks currently do not clearly define the guidelines and requirements surrounding data stored in the cloud. Cloud computing thus poses challenges and constraints for organisations that need to adhere to stringent compliance regulations and the associated reporting requirements for their data.