Security lessons to remember for 2012

Industry insiders share key takeaways from past year and how these can guide companies' security strategies in evolving IT landscape.
Written by Ellyne Phneah, Contributor

Hack attacks, cloud security missteps and rising threats on social networks are just some of the more notable security challenges that had plagued both IT professionals and everyday consumers in what was an eventful 2011.

As the brand new year unfolds, ZDNet Asia spoke to several security insiders and distilled eight key lessons learnt and what kinds of security posture and know-how enterprises and online users should take note of.

1. Security everyone's responsibility
In today's security landscape, IT security is no longer solely in the hands of the tech department but should be extended to every single person in the company, said Christian Funk, malware analyst at Kaspersky Labs.

He said in his e-mail that regular training for employees will greatly help reduce the risks of a security breach via malware and targeted attacks. It is also important to showcase real-life cases and examples to make such training efficient and offer practical tips, he added.

"This is especially crucial in modern times where we increasingly process data on mobile devices. It is substantial to create policies to define what data is allowed to be processed on these devices and what is not," Funk asserted.

John Ong, South Asia regional director at Check Point, added that employees need to know that network and data security breaches will only increase. Anthony Lim, regional director of SecureAge, also noted that in spite of investments in technology, education and enforcement to mitigate these risks, such attacks will persist.

Moving forward, Ong urged users not to "shrink back" from being accountable and responsible for organizational security.

"They have to be aware of security threats, best practices, and most of all, apply these practices diligently and militantly," he said.

"When bad things happen, users must be proactive in reporting such lapses and intrusions to relevant supervisors, so that disaster or incident recovery can be done promptly to reduce risk."

2. Keep systems up to date
On the backend, the malware analyst said updating installed systems is crucial for enterprises. This is because breaches are often successfully conducted by exploiting software vulnerabilities on both client- and server-side systems, he explained.

The situation is made more complex as companies are creating more online services and Web sites, which makes it difficult to ensure all of them are updated on time, Funk noted.

As such, he advised companies to come up with a holistic approach for software update management and configuration of all systems, specific to their purpose and technical environment.

"Default configuration may work, but are rarely the optimum [solution]. Poor configuration makes it as easy as outdated software for cybercriminals to breach through [one's systems]," he added.

3. Signature-based approach not enough
Beyond updating one's system, Vincent Goh, Asia-Pacific vice president of RSA, the security arm of EMC, said companies should not rely solely on signature-based intrusion detection (IDS) and prevention systems (IPS) as these are not sufficient to protect the network environment.

This is because while these tools help identify and protect against known threats, there is always the possibility that an unknown virus that has escaped the systems' notice will infiltrate the network.

So instead of a passive security system, IT administrators and users must look into identifying unusual patterns in behaviors and understanding the information flow, Goh said. "Rather than assume the environment is well-protected with antivirus and anti-spam, one should always be on the lookout for anomalies," he added.

4. SSL breaches a growing concern
Public ire and fallout from high-profile Secure Sockets Layer (SSL) attacks on providers such as DigiNotar and Comodo reached an all-time high in 2011, according to Eric Hoh, vice president of Symantec's Asia South region.

At the same time, malware threats arising from compromised or stolen SSL certificates are also on the rise, he added.

As a result of these breaches, enterprises and consumers are demanding better SSL security from certificate authorities (CAs) and Web site owners. This, in turn, has compelled service providers to start implementing further protective measures against social engineering malware and malvertising, the Symantec executive said.

5. Eradicate cloud security compromises
Hoh also pointed out that rising cloud computing adoption has contributed to two notable security missteps among enterprises as well.

Firstly, with cloud computing, organizations generally tend not to address security and governance issues until the project is completed. Secondly, organizations do not verify or test the security robustness provided by cloud service vendors, he noted.

With these in mind, the vice president advised organizations to build internal policies, processes and security protocols into every step of planning, design and deployment of cloud services to ensure enterprise data is kept safe and remains in compliance.

"Select service providers which can meet your organization's security policies [as] this will help align your business goals with the capabilities of the service providers," Hoh said.

6. Rise of mobility brings risks
The proliferation of mobile devices, particularly smartphones, last year was notable, said Hoh, citing a Gartner report that predicted smartphone sales will exceed 461 million by end-2011. Unfortunately, this growth also caught the attention of cybercrooks, which led to a significant increase in the amount of mobile malware, he pointed out.

"Looking back, it is undeniable that 2011 was the first year mobile malware presented a true threat to enterprises and consumers," he remarked.

Another impact on enterprises would be security risks posed by employees who bring their own devices to work, he noted. Tablet adoption by employees, in particular, is a "major concern" as the uptake rate is outpacing organizations' ability to secure and manage information access on the platform, the vice president said.

CIOs have responded by shifting their focus to security risks from within their organizations, he added.

7. Social networks new malware threats
Social networking sites have a role to play in increasing risks from within organizations too, as these have become a hotbed of cybercriminal activities, noted Effendy Ibrahim, Norton safety advocate & director of consumer business at Symantec Asia.

In his e-mail, he cited the company's Internet Security Threat Report 16 which found a growing sophistication in the type of attacks that rely on social networking sites. For example, online crooks would use these platforms to post shortened links, which mask the actual destination, thus misleading users into visiting malicious Web sites.

In the year ahead, users must recognize such dangers that are posed on social media sites, Ibrahim stressed. They should be stringent over who they allow on their online networks, set privacy options to the highest levels, choose strong login passwords, and be careful of the links they click on, among other precautions, he advised.

8. SMBs prime cybercrime targets
Looking beyond enterprise security, Symantec's Hoh said small and midsize businesses (SMBs) are setting themselves up for cyberattacks, particularly since targeted attacks had become more prevalent in 2011.

Citing Symantec's 2011 SMB Threat Awareness Poll, he noted that SMBs think they will not be attacked due to their small size. However, the reality is that 40 percent of all targeted attacks have been directed at companies with fewer than 500 employees, compared with 28 percent on large companies, he said.

As such, he said their lack of concern and preparedness to deal with such threats are the main causes for worry.
