New Data, Wireless Threats & the Virtualization Angle
This article originally appeared in the Sept. 2010 issue of INTERNET TELEPHONY.
When it comes to online security breaches, the hits just keep coming.
Whether we’re talking about financial firms, hotels, retailers or the government, no one is safe from those who want to get into their computer systems. And while hacking started out as a hobbyist’s game, often involving relatively small numbers of hackers and losses, today hacking is an organized, worldwide, often large-scale, business.
So widespread is the problem of online theft that unless it’s big in terms of loss or security concerns, we often don’t even hear, or care much, about it.
One recent report on a security event featuring Michael Barrett of PayPal quoted the online payment executive saying: “If I steal an iPad in real life, I will be stopped by some burly and rather unfriendly employee at the door. If I steal the equivalent of 10 iPads on the net, no one gives a damn. In fact, 10 isn’t even interesting – a hundred, maybe.”
First, the Good News
The good news is that while online breaches are becoming more sophisticated, there was a decline in the overall number of them in 2010. That’s according to a new Verizon study, which it put together in collaboration with the U.S. Secret Service.
The study attributes the decline in part to “law enforcement’s effectiveness in capturing criminals,” and cites the arrest of Albert Gonzalez, who pleaded guilty to helping run a global ring that stole hundreds of millions of payment card numbers and was sentenced last year to 20 years in prison. Some reports indicate this was the biggest such fraud in history. It involved the use of SQL injection techniques to create malware backdoors and packet sniffing to enable the theft and sale of more than 170 million credit card and ATM numbers between 2005 and 2007.
Nonetheless, a new report out of the Government Accountability Office criticizes federal agencies for their lack of top-level leadership and a “clear vision” on U.S. cybersecurity.
“Federal agencies have not demonstrated an ability to coordinate their activities and project clear policies on a consistent basis,” the report says. “Unless federal agencies institutionalize a coordination mechanism that engages all key federal entities, it is less likely that federal agencies will be aware of each other’s efforts, or that their efforts, taken together, will support U.S. national interests in a coherent or consistent fashion.”
In any case, one thing upon which we all can agree is that cybersecurity remains a significant problem that – like any crime – can never be completely eliminated. But the likelihood of security breaches can be reduced significantly with the right tools and processes.
Minding the Store
The retail space is among the most targeted verticals in terms of security breaches. According to the above-mentioned Verizon study, retail accounts for 15 percent of the online breaches. (Financial services make up 33 percent, and hospitality makes up 23, meanwhile.)
The fact that more retail locations – and for that matter, more locations of all types in all verticals – now use wireless technology is making these businesses even more susceptible to security breaches. Not only do retailers and hotels often use wireless LANs to enable point-of-sale, scanning and even payroll applications for their own internal use, many restaurants, coffee shops, hotels and stores now offer free Wi-Fi. While that connectivity may encourage customers to spend more time in the stores or select a given hotel, it can also be an open invitation to hackers.
Probably the most well-known breach in the retail space involves TJX Companies Inc., says Patrick Bedwell, vice president of product marketing at Fortinet, which sells unified threat management solutions to service providers and businesses. That case involved the handiwork of two guys who sat outside various TJX stores and used long-range antenna and authentication codes to capture credit and debit card information, he explains.
A 2007 Computerworld story reports that the case of TJX, which owns such brands as Bob’s Stores, Marshalls and TJ Maxx, involved the theft of 45.6 million credit and debit card numbers over a period of more than 18 months. In addition, the piece states, personal data provided in connection with the return of merchandise without receipts by about 451,000 individuals in 2003 was stolen.
This case exemplifies how wireless networking can open up a business to security threats, and how those trying to breach the systems don’t even have to walk into the business to get into the network, says Bedwell.
That said, Bedwell suggests retailers and other organizations that use wireless LAN technology need to implement a set of best practices around securing those networks. That should include vulnerability management scanning to detect rogue access points, making sure devices use encryption and are fully patched so no unauthorized applications are running on those devices, and more. He adds that it’s also important to align security procedures between an organization’s wireless and wireline networks so there’s greater control of the applications and their authorization to lessen the chance of malicious content making its way onto the system.
Securing Wireless Endpoints
As wireless devices like smartphones play a larger part in our lives and enable the download and use of more applications from multiple sources, securing these mobile endpoints is also an issue of growing importance, notes Jacob Greenblatt, chief strategist at Discretix, which supplies embedded security solutions to manufacturers of chipsets. Discretix's mobile security solutions currently protect millions of handsets, flash memory cards/drives, and smartphones with such features as secure boot and more.
“Discretix solutions are deployed in devices from HTC, Sony-Ericsson, Acer, Lenovo, Sharp, Motorola and Fujitsu,” says Greenblatt. “Although I cannot comment on specific models, I can say that our solutions are deployed across Android, Symbian and Windows Mobile.”
As user adoption of mobile banking and other financial applications flourishes, the role of security on smartphones will become even more important. That point was highlighted recently when it was reported that Citigroup found a flaw with its iPhone mobile enterprise application.
A story by The New York Times noted that: "Mobile banking is a popular and fast-growing activity on smartphones. The Citi Mobile app, currently the eleventh most popular app in the finance category of Apple's App Store, allows customers to check balances, transfer funds and pay bills. The glitch highlights the security challenges that are emerging as cell phones grow more sophisticated and consumers increasingly use them to organize their lives. John Hering, chief executive of mobile security provider Lookout, said his company is discovering more apps that could inadvertently expose or leak personal information, such as location information and phone numbers."
A company called BIO-key International has responded to that potential problem with the introduction of a mobile biometric identification and authentication platform. The solution provides enterprises with the ability to capture and transmit fingerprint biometric data to a secure server for identity and authentication of smartphone, laptop, tablet and desktop users. BIO-key partners including Computer Associates, Evidian, IBM and Oracle have added BIO-key’s biometric identity solution into their offerings.
“We live in a world with 24x7 access to information from mobile devices,” says Mike DePasquale, CEO of BIO-key International. “Application providers and enterprise IT professionals have been struggling with how they can quickly, conveniently and accurately establish the identity of remote users looking to access their sites and applications. With the anticipated ubiquity of fingerprint-enabled smartphones such as the LG eXpo, the first such smartphone introduced in the U.S. market, enterprise application providers now have a more secure and convenient alternative to passwords for their remote users to establish their identity.”
Security & Virtualization
As wireless traffic goes through the roof, enterprise customers and network operators are being forced to optimize their network and data center assets, says Jim Freeze, chief marketing officer of Crossbeam Systems, which sells a blade-based security platform. One way they’re doing that is via virtualization, which enables them to have fewer idle server resources, he notes.
However, as noted in a white paper by Crossbeam: “Virtualization of the data center is provoking fundamental questions about the proper place of network security services in this new scheme.”
Freeze says most companies want to be able to take advantage of virtualization, but there’s not a lot of uptake for related security solutions because enterprises don’t know how to apply virtualization for security. However, in the above-noted white paper, Crossbeam describes how one of its customers, a pharmaceutical company, uses its platform to run security applications across all its application servers across separate physical servers. This setup, which is just one of many possible architectures, can allow the company to run a firewall, an IPS and other security functionality on one platform, and to implement different security rules on a flow-by-flow basis.
With the influx of virtualization implementations, it should come as no surprise that Infonetics Research is projecting that the “nascent virtual security appliance market is primed for tremendous growth over the next 5 years.”
“The drivers for this market are strong, and include the increasing volume and variety of security threats, the rapid adoption of server virtualization, new security challenges presented by virtualization, such as inter-virtual machine threats, and the availability of purpose-built solutions for securing virtualized server environments,” explains Jeff Wilson, principal analyst for security at Infonetics Research.
Key Findings of the 2010 Verizon Data Breach Report
The above-mentioned report, which Verizon did in collaboration with the U.S. Secret Service, has found that breaches of electronic records last year involved more insider threats, greater use of social engineering and the continued strong involvement of organized criminal groups. But the overall number of breaches investigated last year declined from the total for the previous year. Below are some of the key takeaways of the study.
Most data breaches investigated were caused by external sources.
Sixty-nine percent of breaches resulted from these sources, while only 11 percent were linked to business partners. Forty-nine percent were caused by insiders, which is an increase over previous report findings, primarily due in part to an expanded dataset and the types of cases studied by the Secret Service.
Many breaches involved privilege misuse.
Forty-eight percent of breaches were attributed to users who, for malicious purposes, abused their right to access corporate information. An additional 40 percent of breaches were the result of hacking, while 28 percent were due to social tactics and 14 percent to physical attacks.
Commonalities continue across breaches.
As in previous years, nearly all data was breached from servers and online applications. Eighty-five percent of the breaches were not considered highly difficult, and 87 percent of victims had evidence of the breach in their log files, yet missed it.
Meeting PCI-DSS compliance is still critically important.
Seventy-nine percent of victims subject to the PCI-DSS standard hadn’t achieved compliance prior to the breach.
Virtual Security Appliance Market Highlights
Key players in this product category include AEP, Altor, Astaro, Blue Coat, Check Point, Citrix, Enterasys, McAfee, SonicWALL, Stonesoft, Symantec, Vyatta, and others.
· Year-over-year, from the first quarter of 2009 to the first quarter of 2010, the virtual security appliance market is up 119%
· The virtual security appliance market is expected to grow nearly eight-fold from 2009 to 2014, when it will near $1.6 billion
· The virtual security appliance segment posting the strongest quarterly growth in 1Q10 is content security gateway virtual appliances, up 22%
· North America is currently the largest regional market for virtual security appliances
· The worldwide virtual security appliance market jumped 64% in 2009 over 2008, to $203.8 million
Source: Infonetics
Edited by Stefania Viscusi