Tighter access controls are needed claims the head of security at IBM

User identity management, tighter access controls and security analytics are essential in today’s threat landscape according to Brendan Hannigan, general manager of security systems at IBM. Speaking at the IBM Interconnect Conference in Singapore recently, Mr Hannigan claimed that although mobility, cloud and social networking are driving the most significant changes in business, they are also posing the greatest security risks.

He claimed that the problem is now serious because IT departments have little control over innovations, and find that they are constantly striving to play catch-up with new technologies that are foisted on them by consumer demand. He claimed that IT departments could try and control it, but it would be impossible to stop at the end of the day.

Protection against cyber-crime with access controls is important

It’s not as if this is a new problem though, as throughout time there has been a constant battle with businesses putting up protections and criminals trying to work their way around them. However, what’s different now is that the problem is more serious than it’s ever been before:

“This particular pendulum swing that we’re experiencing now is more serious than anything we’ve seen in the past.”

To illustrate his point about security, Hannigan used the analogy of a castle. Historically castles were built to protect people and villages, but then invaders brought ladders with them to overcome the obstacle. So castles were then built higher with thicker walls. Unfortunately invaders then brought siege engines with them which allowed them not just to scale the walls, but invade en mass. Castles then resorted to building moats, and so on and so on. The problem these days he claimed is that the criminals who want access to security systems are entering these security ‘castles’ by helicopter:

“We can’t just keep doing what we’ve been doing,” said Hannigan, adding that the assumption still exists among businesses that if they keep building walls around their assets they will be safe:

“Walls used to keep everything nice and protected inside, but now everything is so connected – employees are connected, businesses are connected, applications are connected – so, unfortunately, bad things are ending up right within the castle walls and the weaknesses inside are exposed.”

Hackers are becoming more sophisticated

He maintains that whilst the security strategies of the past still have an important role to play in today’s landscape, but they are utterly inefficient when used on their own. Previously security systems were designed to deal with the so-called ‘classic hackers’; in other words those who randomly searched for weaknesses and then exploited them to cause websites to crash. Unfortunately today’s hackers are more sophisticated, and are clearly aware of the wealth of digital information they can lay their hands on:

“Firstly, so many important things are now stored digitally. Everything from consumer information to airplane designs to turbine designs to important information about our mining discoveries, whatever it is, all of that information is stored digitally. Secondly, in general there’s a whole population of skilled people relative to these types of technologies. Young people have a very good sense of how these technologies work. Thirdly, bad people are motivated by where the money is. Whether that be important intellectual property or actual financial information.”

“Many years ago, people had hackers randomly going after them causing significant, costly inconveniences; now they have very organised entities going after them specifically, targeting them to steal things, damage things and potentially destroy their business. It’s a very different war, a very different climate. And the techniques used by the attackers are much more sophisticated and the result is much more impactful.”

Social networking, Hannigan claims has also added another dimension to the threat, because it’s a tool that can be used to get information about an individual and ultimately about the company they work for. It’s the company that remains the real target:

“Social networking information is a nice way to get an understanding of who that person is connected to, and who they communicate with. For example, they could craft an e-mail to that person that looks very personal, very targeted. By clicking on a link in that e-mail they can install spyware on that person’s computer without them knowing, and that will be just the beginning.”

The IBM X-Force 2012 Mid-Year Trend and Risk Report, which pulled data from more than 15 billion security events per day, from over 4 000 clients, in over 130 countries, recorded a significant increase in attacks on exposed social media passwords. The report also flagged up another critical issue, and that was the continued disparity in mobile devices and corporate “bring you own device” (BYOD) programmes:

“Many companies are still in their infancy in adapting policies for allowing employees to connect their personal laptops or smartphones to the company network. To make BYOD work within a company, a thorough and clear policy should be in place before the first employee-owned device is added to the company’s infrastructure,” according to the report.

Hannigan argues that, while infrastructure securities like firewalls still remain important, in today’s environment people security is also now essential:

“Of course, many companies have basic access controls of some sort, but the reality is that we have found that about only 34% of our customers actually have comprehensive identity management strategies.”

What companies should be doing to contain this risk is to focus on controlling access to environments, and monitoring that access. Businesses should be organising priority users with the most privileged access and monitoring them closely. They should even go as far as ensuring that employees only have these access privileges when they absolutely need them.