Q&A: Graham Cluley
IT security expert Graham Cluley addresses some of the major topics raised at this year’s InfoSec in this exclusive Q&A
A lot of the InfoSec industry talk in the last few years has been around APT (Advanced Persistent Threat); is this area still of significant interest? Or do you feel it was over-hyped and takes focus away from more pressing issues around failure to implement basic critical controls?
I think it's fair to say that there has been a lot of hype around so-called “Advanced Persistent Threats” that exploit zero-day vulnerabilities to establish a foothold inside businesses. The very fact that the term and acronym exists rather than just, for instance, “undetected malware” indicates that the hands of security vendor marketing teams have been hard at work trying to drum up interest in their products.
Yes, targeted attacks are a serious problem – and there is evidence that companies of all sizes might be at risk from malicious hackers who may want to break into their networks in order to either steal information from them or to use them as a stepping stone for attacks against their partners and/or customers.
But such threats are still in the minority. By the far the most common types of malware attacks any organisation is likely to encounter are the run-of-the-mill, financially-motivated threats which aren't targeting specific firms or groups.
The truth is that organisations cannot be distracted by the hype, but instead use it as an opportunity to reinforce the essential elements of a layered defence – including user training, anti-virus software solutions such as those from McAfee, Panda or Bitdefender among others, firewall products from vendors like Barracuda, Cisco and Sonic Wall, intrusion prevention such as that offered by Trend Micro or Fortinet, access control, encryption tools from companies including True Crypt or Laplink, to two factor authentication from VASCO, RSA, and so forth.
Info security training on spending is still lagging behind spending on tools – what is the cause of this disconnect? Can the channel help promote better education?
Training should never be neglected or treated like the poor cousin when it comes to securing a company. The majority of cybercriminal activity depends not so much on exploiting weaknesses in security technology, but instead exploiting users.
Channel Pro Newsletter
Stay up to date with the latest Channel industry news and analysis with our twice-weekly newsletter
Humans are the real problem – and if IT managers could roll out a software update to patch their users’ brains I'm sure they would! As we can’t go quite that far, we must not drop the ball when it comes to raising awareness of security threats, and training users about what to look out for.
There are great opportunities for the channel to help with these awareness and education opportunities and use them as an opportunity to become a company's trusted security partner.
The recent Heartbleed vulnerabilities were actually dealt with reasonably quickly; is this type of industry-wide response the norm going forward? What lesson can we take away from such a far-reaching vulnerability discovery?
Although there are some things which can be commended about the response to the Heartbleed vulnerability there are still, sadly, many websites which are still vulnerable. Every day, during my regular work rather than by hunting for them, I stumble across websites that are still susceptible to the Heartbleed bug and could – potentially – serve up sensitive information to attackers.
Going forward I would like to see vulnerability researchers continue to act responsibly, working with vendors to resolve security problems before the details of how to exploit those flaws becomes public knowledge.
Heartbleed showed the inherent weakness of static passwords. The flaw allowed hackers to capture user’s login credentials which could then be used in an unlimited way at any time. With a one-time password solution, such as a DIGIPASS, even if hackers had managed to capture an OTP, it would have expired and been rendered useless in half a minute. This is much more secure.
Many traditional infrastructure-led businesses have piled into security in recent years (IBM, Cisco and Intel) to name a few – what do these non-traditional infosec entrants bring to the industry and channel partners focused on security? Does it matter if you align with a specialist versus a generalist vendor?
Clearly the larger firms can bring significant resources to the security marketplace, and they are eyeing up the security market with greedy eyes hoping that the sector can help them generate significant growth and sales. However, they are not necessarily as experienced at security as the long-standing players in the field and may find themselves tripping up and making mistakes that will damage their reputation in a market that has a long memory.
Often it’s better to do business with a trusted expert in a particular field rather than a company which tries to be all things to all people. When something is as important as security, firms probably feel most comfortable dealing with companies who have a long track record in security, and whose staff have a deep understanding of the issues, challenges and technology required to handle them.
Confidence in the cloud took a downturn last year when it emerged that US intelligence agencies may be routinely “hacking” into corporate data. How much of the security footprint needs to be devoted to largely overlooked encryption technologies? Is this an area that has enough focus from the channel?
In my opinion, if you aren't encrypting your sensitive information you might as well be placing it on billboards in the middle of Piccadilly Circus. Companies every day place their trust in third-party service and cloud providers who promise that they will treat security as a priority. However, it has become a common occurrence to read media reports of firms who have dropped the ball, and negligently failed to prevent hackers from breaking in an exposing the data of their innocent customers.
If you don’t want that to happen to your data, you have to securely encrypt it. It’s the final layer of protection. Because maybe the hackers will get past all the other defences you have in place... but if your data is garbled gobbledygook they won’t be able to do anything with it.
The channel should be advising on and selling encryption solutions, and technology that helps better secure information in the cloud. It shouldn't be hard to convince firms to understand the need for encryption - the challenge is getting them to sign on the dotted line for it!
But don't make the mistake of thinking that encryption is the be-all-and-end-all. You need a layered defence to manage the level of risk inside your organisation.
Christine has been a tech journalist for over 20 years, 10 of which she spent exclusively covering the IT Channel. From 2006-2009 she worked as the editor of Channel Business, before moving on to ChannelPro where she was editor and, latterly, senior editor.
Since 2016, she has been a freelance writer, editor, and copywriter and continues to cover the channel in addition to broader IT themes. Additionally, she provides media training explaining what the channel is and why it’s important to businesses.