Pointless security perimeters inviting criminals to run riot across IT systems

Perimeter security in IT is no longer viable yet companies continue to overinvest in ineffective attempts to keep criminals at bay.

Eddie Schwartz, vice president of global security at telecoms firm Verizon criticised firms for spending most of their security budgets on ineffective perimeter defences.

"We’ve created what looks like the semblance of security and the bad guys pretty much drive around the perimeter and do whatever they want," he said. "We’ve invested so much money in checklists, perimeter security and securing things that are not that important, that there’s not much money left for anything else."

The 10th Data Breach Investigations Report (DBIR) published last month discovered that attackers are becoming more effective at a faster rate than defenders, meaning in the long-term networks are becoming less secure.

Schwartz added that collaboration was more widespread on the criminals’ side, with breached companies often seeking to hide their vulnerabilities from the public and their competitors.

His remarks come at a difficult time for IT security, with anti-virus software failing to protect consumers while organised crime from | Eastern Europe and Asia continues to outwit every sector, from retail through to telecoms and even finance.

In a demonstration of how a system could be attacked, Paul Pratley, investigations manager at Verizon, showed how allowing other vendors direct access to point-of-sales systems and back-end servers could quickly lead to customer data being compromised.

"The concept for the security industry for the longest time has been a hard shell and a gooey centre," Chris Nova, global managing principal of the RISK team at Verizon said.

"Most organisations will freely admit they don’t have the budgets to keep up with the spiralling costs of security."

In a conversation with small healthcare firms Schwartz said he had half-jokingly advised them to give up on security, noting that even multinational financial firms were struggling to keep on top of cybercrime.

"In the next 3 years there will be a tsunami of companies avoiding security altogether," he said.

The DBIR recorded a rising number of hacking and malware based attacks, with bespoke cybercrime software being sold for thousands of dollars.

For the past few years most breaches have been for financial gain, with cyber-espionage and attacks for ideology or amusement motivation for a much smaller proportion of breaches.

"This used to be a finite data set with known questions, now this is an infinite data set with unknown questions," Schwartz said.