Security is no longer a box-ticking exercise in which businesses rely on an anti-virus product, a firewall, a patching programme, and little else. Security is now one of the most important factors affecting business and IT decisions.
The significant increase in threats, together with the global coverage of hacks that have badly damaged brands, has made security a number one priority.
Security is no longer a matter of protecting individual points such as email; it requires a holistic view that takes in elements such as data encryption, endpoint protection, regulatory adherence, and more.
In HPE’s Cyber Risk Report 2016 the company reveals the results of a year-long research effort by HPE Security Research; significantly, it highlights the fact that it is not a matter of if hackers will strike, but when.
Sue Barsamian, SVP and GM, HPE Security Products, said: “Security practitioners from enterprises of all sizes must embrace the rapid transformation of IT and ready themselves for both a new wave of regulations and an increased complexity in attacks.”
The report says that 2015 was the ‘Year of Collateral Damage’, as breaches of unsuspecting victims such as the United States Office of Personnel Management (OPM) and Ashley Madison affected people who had no direct contact with the entity and whose information resided in its networks only as it related to someone else, or, as in the case of Ashley Madison, did not appear directly but could be deduced from the data.
The point is that these breaches were not just about getting payment card information, they were about getting information that could potentially change someone’s life. What this highlights is that it is not just things like card data that should have the highest possible levels of security protecting it, but all personal data and data with value.
Increasingly security researchers are becoming a vital tool in the fight against hackers and critical vulnerabilities.
One way to incentivise security researchers is through rewards programmes, or the implementation of “bug bounties”.
The Cyber Risk Report said: “Rewarding skilled researchers for identifying potential avenues to the enterprises’ crown jewels has taken many forms, from public recognition to money, and everything in between.”
The question being posed then is what can businesses do to protect themselves from becoming victims.
Numerous vendors have focused increasingly on creating patches to address individual bugs, while efforts have also been undertaken to provide defences for entire classes of vulnerabilities.
When a vulnerability is discovered, a patch, typically made up of point fixes, remediates that specific issue. The problem is that this is a never-ending cycle of activity: it costs a significant amount of money and requires a lot of man-hours to do correctly.
It solves only that one vulnerability, and when the next issue comes along the whole process starts again.
An alternative is to look for wide-reaching fixes. The inclusion of mitigations such as MemoryProtection and MemGC has demonstrated how such fixes disrupt attacks in an asymmetric fashion: instead of releasing patches to fix many different vulnerabilities one at a time, these defensive measures can take out an entire class of vulnerability, at least for a period of time.
While security methods designed to combat breaches are growing in capability, the number of vulnerabilities also appears to be growing.
Take applications, for example: according to the HPE report, the vulnerability categories most likely to appear in an application are insecure transport, web server misconfiguration, cookie security, system information leak, and privacy violation.
The report said: “Insecure Transport: HSTS Not Set is the most prevalent issue within this category, accounting for nearly 29% of findings. Again, this may be due to the fact that HSTS is a fairly new browser capability.
“Likewise, Weak SSL Protocol (20%) and Weak SSL Cipher (95%) both may appear as a result of relatively new industry standards and regulations (e.g., RC4 being marked as unsafe, the January 2015 release of PCI SSC’s Data Security Standard 3.1), which result in more issues being flagged for existing configurations.
“Again, backward compatibility decisions may be an issue here. Missing Perfect Forward Security (6%) is another relatively recent mitigation technique making a significant showing.”
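The four Insecure Transport findings quoted above (HSTS not set, weak protocol, weak cipher, missing forward secrecy) can be checked mechanically against what a scanner observes for an endpoint. The following is an added example, not code from the HPE report or from Fortify; the sample endpoints are constructed, and the protocol list, cipher markers and 180-day HSTS minimum are the author's assumed thresholds.

```python
import re

# Constructed observations of the kind a dynamic scanner records for one
# HTTPS endpoint: response headers plus the negotiated protocol and cipher.
WEAK_ENDPOINT = {
    "protocol": "TLSv1",
    "cipher": "RC4-SHA",
    "headers": {"Content-Type": "text/html", "Server": "Apache"},
}
HARDENED_ENDPOINT = {
    "protocol": "TLSv1.2",
    "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
}

# Assumed thresholds: PCI DSS 3.1 deprecated SSL and early TLS, RC4 is
# prohibited by RFC 7465, and 180 days is a common minimum HSTS max-age.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "MD5", "ANON")
MIN_HSTS_MAX_AGE = 180 * 24 * 3600

def audit_transport(endpoint):
    """Return the Insecure Transport findings for one observed endpoint."""
    findings = []
    headers = {k.lower(): v for k, v in endpoint["headers"].items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS Not Set")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS Max-Age Too Short")
    if endpoint["protocol"] in WEAK_PROTOCOLS:
        findings.append("Weak SSL Protocol")
    cipher = endpoint["cipher"].upper()
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        findings.append("Weak SSL Cipher")
    # Forward secrecy needs an ephemeral key exchange: (EC)DHE suites in
    # TLS 1.2 and below, or any TLS 1.3 suite (all of them are ephemeral).
    ephemeral = cipher.startswith(("ECDHE", "DHE")) or endpoint["protocol"] == "TLSv1.3"
    if not ephemeral:
        findings.append("Missing Perfect Forward Secrecy")
    return findings

if __name__ == "__main__":
    for name, ep in (("weak", WEAK_ENDPOINT), ("hardened", HARDENED_ENDPOINT)):
        print(name, audit_transport(ep) or ["no findings"])
```

The hardened endpoint produces no findings; the weak one triggers all four categories from the report, which is the pattern a legacy configuration kept for backward compatibility typically shows.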
Finding the right technology, and also the right partner, is becoming increasingly important; as the threat landscape grows there is a need to join forces in order to increase the chances of staying safe.
Because of the growing threat, numerous vendors are focusing more heavily on security, and numerous products can be found to do different jobs.
HPE’s Fortify security products, which have been named as the number one market leader by Gartner, offer numerous capabilities.
On the application security front, HPE Security Fortify offers capabilities such as an automated static code analyser, which identifies and pinpoints security vulnerabilities in source code early in the systems development life cycle.
Dynamic application security testing enables the user to simulate real-world attacks in order to identify and prioritise vulnerabilities.
On the automated dynamic security testing front there is WebInspect, a tool that mimics real-world hacking techniques and attacks and provides dynamic analysis of complex web applications and services.
DevInspect is designed to provide immediate feedback to the developer in order to eliminate security vulnerabilities as the application is written, for secure code development.
This is particularly important because it helps to build in security from the grassroots level, which means the application will be inherently more secure than one that has security added on as an afterthought.
“DevInspect is a secure coding tool designed specifically for developers who need agile development but cannot compromise on application security. It enables identification and remediation of security vulnerabilities in source code from inside the developer’s environment (IDE), eliminating security flaws before the code is even compiled,” the company said.
The reality is that the threat of cyber-attack is unlikely to go away no matter what is done by the business. The job of the business and the vendor is to build a coherent strategy through thoughtful planning that can help to increase the physical and intellectual price an attacker must pay to successfully exploit an enterprise.
In essence, it is about making your business look like it is not worth the time, cost, and risk to attack. It is about employing methods similar to those seen in the animal kingdom: if the ‘prey’ is bright red and yellow, the chances are it is dangerous and not worth attacking.
To achieve this defence it is necessary to build a holistic strategy, work with a vendor, use the right tools, and deploy methods such as bug bounties. While this may seem like a lot of work with numerous different elements, it is worth the effort, because the alternative is potentially being hacked, losing vast amounts of data, being fined, and losing customers.