<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
		>

<channel>
	<title>Unisys Security Straight Talk</title>
	<atom:link href="http://blogs.unisys.com/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.unisys.com/security</link>
	<description>Cracking the code at the intersection of Cyber and Physical</description>
	<lastBuildDate>Sun, 22 Apr 2012 19:21:51 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=3.1.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Mobile Christmas Shopping – Balancing Risk and Convenience</title>
		<link>http://blogs.unisys.com/security/2011/12/21/mobile-christmas-shopping-balancing-risk-and-convenience/</link>
		<comments>http://blogs.unisys.com/security/2011/12/21/mobile-christmas-shopping-balancing-risk-and-convenience/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 05:25:24 +0000</pubDate>
		<dc:creator>John Kendall</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Cyber crime]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Online shopping]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3477</guid>
		<description><![CDATA[Online holiday shopping from mobile devices requires extra vigilance and some simple steps for protection.  Learn tips for safer online shopping and seasonal scams to avoid.]]></description>
			<content:encoded><![CDATA[<p>The ease of online shopping at any time of day, combined with the popularity of smartphones and tablets like the iPad, means that this year many consumers will do their Christmas and holiday shopping from mobile devices.</p>
<p>While mobile online shopping is wonderfully convenient, frantic pre-Christmas buying combined with summer holiday laziness (for those of us “down under”) can put customers at risk of cyber-crime, such as scams and phishing attacks designed to enable identity theft and financial fraud.</p>
<p>Consumers need to be sure they are extra vigilant and take some simple steps to better protect themselves.</p>
<p><strong><span style="text-decoration: underline;">Did you know</span>:</strong></p>
<p><strong>More of us are shopping online:</strong></p>
<ul>
<li>In America, the number of consumers visiting e-commerce sites on Black Friday this year (25 November – seen as the start of holiday shopping in the US) <a href="http://www.powerretail.com.au/news/us-spends-816m-on-black-friday-amazon-at-the-top/" target="_blank">increased by 35% year-on-year</a>.</li>
<li>Online retail in Australia is <a href="https://www.paypal-media.com/au/press-releases/secure_insight_changing_the_way_we_pay" target="_blank">expected to reach AU$30.2 billion</a> by the end of the year.</li>
</ul>
<p><strong>More of us are using mobile devices to shop online:</strong></p>
<ul>
<li>According to Google, <a href="http://www.smh.com.au/digital-life/mobiles/australias-white-hot-smartphone-revolution-20110908-1jz3k.html" target="_blank">Australia has the second highest smartphone penetration in the world</a> (behind only Singapore) at 37%, and is <a href="http://images.smh.com.au/file/2011/09/08/2611539/infographic_1.jpg" target="_blank">expected to reach 50% by the end of the year</a>.</li>
<li>No wonder the number of shopping queries coming from mobile devices in Australia has <a href="http://www.powerretail.com.au/insights/google-australia-mobile-xmas-miracle/" target="_blank">increased 220% year-on-year</a>. In fact, one quarter of all Christmas shopping-related Google searches this year now come from mobile devices.</li>
</ul>
<p><strong>Yet many of us put ourselves unnecessarily at risk when mobile online shopping:</strong></p>
<ul>
<li>Many people don’t take even basic steps to protect the information on their mobile devices – for example, the <a href="http://www.unisyssecurityindex.com/" target="_blank">Unisys Security Index</a> found that 6 in 10 Aussies and Kiwis, and almost half of Hong Kongers, don’t secure their mobile devices with a PIN or password (November 2010).</li>
<li>Ironically, we also know <a href="http://blogs.unisys.com/index.php/2011/11/16/asia-pacific-customers-wont-accept-data-breaches-as-a-cost-of-doing-business/" target="_blank">consumers in Asia Pacific are unforgiving</a> when businesses don’t protect their data, with 85% of Australians, 81% of Hong Kong people and 80% of New Zealanders saying they would cease doing business with the company if they discovered a data breach. So surely we should put the same expectation on ourselves as individuals to take steps to protect our personal information.</li>
</ul>
<p>Below are some simple suggestions to reduce your risk of cybercrime while shopping online this holiday season.</p>
<p><strong><span style="text-decoration: underline;">Tips for safer online shopping</span>:</strong></p>
<ul>
<li>Protect information on your smartphone or tablet by locking it with a PIN or password.  Even better, choose one that is hard to guess and change it regularly.</li>
<li>Fully log out of an online shopping account when you have finished with it, so that someone else cannot continue shopping in your name if they get hold of your smartphone or tablet.</li>
<li>Only shop on trusted and secure transaction sites. Check that the site has a valid SSL certificate and that the URL starts with https:// (not just http://). The absence of an ‘s’ is often an indication of a rogue trader.</li>
<li>Be extra careful when creating online accounts via a smartphone, as the limited web functionality and smaller screens can make it more difficult to verify the authenticity of online shopping sites.</li>
<li>Closely check your bank and credit card statements to identify any purchases that are not yours – if you find any, contact your bank or card provider immediately.</li>
<li>Don’t act on emails that ask you to enter personal information about your online banking access into a website – your real bank would never ask you to do this.</li>
</ul>
<p><strong><span style="text-decoration: underline;">Seasonal scams to avoid</span>:</strong></p>
<ul>
<li>Too-good-to-be-true promotions, which are actually phishing sites designed to harvest your data.</li>
<li>Seasonal screen savers and eCards can carry trojans and viruses, so don’t open or download them unless they come from a trusted source.</li>
<li>Be selective when downloading smartphone apps and Facebook apps – remember that every app is a software program.</li>
<li>Be wary of ‘spirit of giving’ scams that take advantage of people’s generosity over Christmas, asking for donations via emails, tweets or text messages from sources you don’t know.</li>
</ul>
<p>Cheers,<br />
<a href="http://www.unisys.com/unisys/ri/tl/detail.jsp?id=1120000970002410179" target="_blank">John Kendall</a><br />
Unisys Security Program Director, Asia Pacific</p>
<p><em><strong>NOTE:</strong>  This is an opinion piece and is intended only to provide a summary of the subject matter covered. It does not purport to be comprehensive or to render advice. No reader should act on the basis of any matter contained in this piece without first obtaining specific professional advice.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/12/21/mobile-christmas-shopping-balancing-risk-and-convenience/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Year in the Rear View Mirror: Part III</title>
		<link>http://blogs.unisys.com/security/2011/12/13/year-in-the-rear-view-mirror-part-iii/</link>
		<comments>http://blogs.unisys.com/security/2011/12/13/year-in-the-rear-view-mirror-part-iii/#comments</comments>
		<pubDate>Tue, 13 Dec 2011 19:23:39 +0000</pubDate>
		<dc:creator>Sowmya Murthy</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3461</guid>
		<description><![CDATA[Finally, I want to highlight Steve Vinsik and his post on Cyber Crime: How to Prevent an Attack and Mitigate Damage. Again, if you remember the June time frame, and were following business news, there was an RSA SecurID hack. While there was hype about the incident, Steve focused on immediate points enterprises should focus on [...]]]></description>
			<content:encoded><![CDATA[<p>Finally, I want to highlight Steve Vinsik and his post on <a href="http://blogs.unisys.com/security/2011/06/06/cyber-crime-how-to-prevent-an-attack-and-mitigate-damage/" target="_blank">Cyber Crime: How to Prevent an Attack and Mitigate Damage</a>. Again, if you remember the June time frame, and were following business news, there was an <a href="http://articles.boston.com/2011-06-04/business/29685763_1_securid-hackers-tokens" target="_blank">RSA SecurID hack</a>.</p>
<p>While there was hype about the incident, Steve focused on the immediate points enterprises should work through:</p>
<ul>
<li>Maintaining a dialog with the solution provider that is under attack</li>
<li>Preparing for an extended investigation</li>
<li>Informing the user base</li>
<li>Evaluating internal systems</li>
</ul>
<p>2011 was a year of <a href="http://gigaom.com/cloud/the-real-costs-of-cyber-crime-infographic/" target="_blank">unprecedented cybercrime</a>. That is no hype. The scale, sophistication and frequency of cyber crime took most enterprises and governments by surprise. The pressure will not let up in 2012. So the question becomes: is your enterprise ready for the road ahead? There are so many pathways to that question!</p>
<p>Unisys Security Straight Talk will be here in 2012 to re-engage with you and begin our conversation on the road ahead: predictions for 2012.</p>
<p>Thank you for your readership, and we welcome your blog topics for next year.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/12/13/year-in-the-rear-view-mirror-part-iii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Year in the Rear View Mirror: Part II</title>
		<link>http://blogs.unisys.com/security/2011/12/13/year-in-the-rear-view-mirror-part-ii/</link>
		<comments>http://blogs.unisys.com/security/2011/12/13/year-in-the-rear-view-mirror-part-ii/#comments</comments>
		<pubDate>Tue, 13 Dec 2011 19:12:00 +0000</pubDate>
		<dc:creator>Sowmya Murthy</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3469</guid>
		<description><![CDATA[What is Richard Bryant so worked up about? - Hacking threats, and the desire to demystify cyber crime.]]></description>
			<content:encoded><![CDATA[<p>Last week I highlighted Jan Wiewiora and the “how’s” of <a href="http://blogs.unisys.com/security/2011/09/27/preventing-data-leaks-before-they-occur-part-i/">Preventing Data Leaks Before They Occur</a>.</p>
<p>This week I want to bring your attention to one of our most recent additions, Richard Bryant. He is a passionate man on paper and, if you can imagine it, an even more passionate man in person. What is he so worked up about? Hacking threats, and the desire to demystify cyber crime. We had him sit down and talk us through The <a href="http://blogs.unisys.com/security/2011/09/06/the-six-biggest-hacking-threats-and-how-to-deal-with-them/">Six Biggest Hacks and How to Deal With Them</a>.</p>
<p>In this three-part series posted this September, Richard goes beyond describing the terminology. He spends time really helping us understand:</p>
<ul>
<li>Why that threat is even categorized as a <em>threat</em></li>
<li>How hackers pull it off</li>
<li>Why the current IT model fails</li>
<li>How you can change the dynamics</li>
</ul>
<p>If hackers are 42 steps ahead of enterprise security, Richard is on a one-man mission to help enterprises understand the business risk and solve their security challenges. Glad he is on our team!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/12/13/year-in-the-rear-view-mirror-part-ii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Year in the Rear View Mirror: Part I</title>
		<link>http://blogs.unisys.com/security/2011/11/29/year-in-the-rear-view-mirror-part-i/</link>
		<comments>http://blogs.unisys.com/security/2011/11/29/year-in-the-rear-view-mirror-part-i/#comments</comments>
		<pubDate>Tue, 29 Nov 2011 17:51:57 +0000</pubDate>
		<dc:creator>Sowmya Murthy</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[Editorial]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3454</guid>
		<description><![CDATA[While most of the blogosphere focused on the “what” of 2011 security challenges, we added more on the “how”: how enterprises are going to address these security challenges.]]></description>
			<content:encoded><![CDATA[<p>As the blog editor, I spent some time reviewing and facilitating bloggers’ ideas. In doing so, I have the privilege of working with some brilliant minds at Unisys who spend most of their time innovating and solving security challenges.</p>
<p>This year we focused heavily on challenges rising from cyber security, consumerization of IT and social media. Really, how could we not? While most of the content in the blogosphere focused on the “what” of these challenges, I would like to think we added more on the “how”: how enterprises are going to begin addressing these security challenges.</p>
<p>Over the next few weeks I want to highlight three bloggers who challenged us to think beyond the “what” and gave us content to really dive into the “how”. First up, Jan Wiewiora and his September post on <a href="http://blogs.unisys.com/security/2011/09/27/preventing-data-leaks-before-they-occur-part-i/" target="_blank">Preventing Data Leaks Before They Occur</a>. While most content focuses on the sensationalism of what happens after a data leak, Jan builds a case for enterprises never having to show up on the front page of the newspaper.</p>
<p>Better yet, Jan tackles challenging “how” questions head on – “How do we get employees to not become inadvertent security threats?”; “How do we determine access controls that will truly help protect data without requiring a ‘lockdown’?”; “How do we implement policies and have an impact?”.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/11/29/year-in-the-rear-view-mirror-part-i/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>When Cyber Attacks Become Physical</title>
		<link>http://blogs.unisys.com/security/2011/11/21/when-cyber-attacks-become-physical/</link>
		<comments>http://blogs.unisys.com/security/2011/11/21/when-cyber-attacks-become-physical/#comments</comments>
		<pubDate>Mon, 21 Nov 2011 21:10:47 +0000</pubDate>
		<dc:creator>John Kendall</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Cyber crime]]></category>
		<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Unisys Security Index]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3439</guid>
		<description><![CDATA[Effective cyber security is now an essential part of protecting national infrastructure and therefore is a vital part of any national security strategy – not just to protect vital information and communication technologies, but also to ensure they are not used to damage or block access to other physical infrastructure]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.reuters.com/article/2011/11/18/us-cybersecurity-attack-idUSTRE7AH2C320111118" target="_blank">Recent reports of a cyber attack on a US water utility</a> in Illinois again highlight the intrinsic link between cyber security, national infrastructure and what this means for national security.</p>
<p>The idea of knocking out or blocking access to critical infrastructure to weaken an opponent is nothing new. In ancient times attackers would surround cities and cut off access to food, water and other supplies. Such <a href="http://en.wikipedia.org/wiki/Blockade" target="_blank">blockading</a> is a common offensive military strategy.</p>
<p>But with our increased dependence on our technology networks in both our work and personal lives, it is no surprise that today’s attackers seek to exploit security vulnerabilities in the cyber world with the aim of disrupting the physical world.  This applies regardless of whether the cyber attack is designed to take down the IT system itself or is used to damage other critical infrastructure such as <a href="http://www.infoworld.com/t/network-security/us-water-plants-reportedly-hit-cyber-attacks-179456" target="_blank">water supply</a>.</p>
<p>Interestingly, when we polled the public in 11 countries across the globe in March 2011 as part of the <a href="http://www.unisyssecurityindex.com/system/reports/uploads/89/original/Unisys%20Security%20Index%20-%20Global%20-%20March%202011.pdf?1304184577" target="_blank">Unisys Security Index</a>™, Australia and New Zealand were the only two countries where the Internet was rated as one of the top two national infrastructure assets vulnerable to malicious or terrorist attack.</p>
<p><a href="http://blogs.unisys.com/security/files/2011/11/chart.jpg"><img title="chart" src="http://blogs.unisys.com/security/files/2011/11/chart.jpg" alt="" width="400" height="249" /></a></p>
<p>This may be because our nations “down under” are very aware of their remoteness and resulting dependence on the internet to be part of the global market.  Or perhaps it is simply because Aussies and Kiwis are less concerned about the vulnerability of other pieces of national infrastructure, such as public transport or places of large gatherings, than people in other countries are.</p>
<p>Either way, it is clear that effective cyber security is now an essential part of protecting national infrastructure and therefore is a vital part of any national security strategy – not just to protect vital information and communication technologies, but also to ensure they are not used to damage or block access to other physical infrastructure.  This is evident in the renewed focus being placed on cyber security by the <a href="http://www.ag.gov.au/cybersecurity" target="_blank">Australian</a>, <a href="http://www.ncsc.govt.nz/" target="_blank">New Zealand</a> and other governments.</p>
<p>Cheers,<br />
<a href="http://www.unisys.com/unisys/ri/tl/detail.jsp?id=1120000970002410179" target="_blank">John Kendall</a><br />
Unisys Security Program Director, Asia Pacific</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/11/21/when-cyber-attacks-become-physical/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Asia Pacific Customers Won’t Accept Data Breaches as a Cost of Doing Business</title>
		<link>http://blogs.unisys.com/security/2011/11/16/asia-pacific-customers-wont-accept-data-breaches-as-a-cost-of-doing-business/</link>
		<comments>http://blogs.unisys.com/security/2011/11/16/asia-pacific-customers-wont-accept-data-breaches-as-a-cost-of-doing-business/#comments</comments>
		<pubDate>Wed, 16 Nov 2011 18:19:44 +0000</pubDate>
		<dc:creator>John Kendall</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Credit card information]]></category>
		<category><![CDATA[Customer loyalty]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3403</guid>
		<description><![CDATA[The best business is repeat business – keeping the same customers for a long period of time. But it can be quickly eroded if consumers feel that they have been put at risk.]]></description>
			<content:encoded><![CDATA[<p>The best business is repeat business – keeping the same customers for a long period of time.</p>
<p>However, increased competition through deregulation of many industry sectors such as banking, telecommunications and energy, together with access to a much wider market to buy from via the Internet, has moved power into the hands of the consumer, who decides whether to continue doing business with you or to change to someone else.</p>
<p>Customer trust is key to developing customer loyalty. But it can be quickly eroded if consumers feel that they have been put at risk – such as if they find out that an organisation they have been dealing with has suffered a data security breach.</p>
<p>This is particularly the case in Asia Pacific where, according to the latest Unisys Security Index™, at least 8 in 10 people in <a href="http://www.unisyssecurityindex.com.au/" target="_blank">Australia</a>, <a href="http://www.unisyssecurityindex.com.hk/" target="_blank">Hong Kong</a>, and <a href="http://www.unisyssecurityindex.co.nz/" target="_blank">New Zealand</a> would stop dealing with an organisation, such as close their account, if they found out that the privacy of their personal information had been compromised.  Of the 12 countries surveyed in the global research study, Australians are the most likely to say they would take such action, with Hong Kong and New Zealand not far behind.</p>
<p>Of course this is what people say they would do, and some sceptics point out that Sony hasn’t exactly fallen in a heap after its recent <a href="http://www.businessweek.com/news/2011-05-03/sony-data-breach-exposes-users-to-years-of-identity-theft-risk.html" target="_blank">PlayStation security breaches</a>. But Sony’s PlayStation customers have made a significant investment in their console and games software, so there is a deterrent to simply swapping to another gaming platform. In contrast, we are regularly bombarded with marketing offers from mobile phone carriers, home loan lenders and energy providers with attractive rewards to change over, often with the offer to manage the administration of changing providers for you. In these “utility” markets it has never been easier to change – and the customer knows it.</p>
<p>The survey also found that many people say they would consider other actions such as publicly exposing the issue and taking legal action. It is almost as though they want to punish the organisation for putting them at risk.</p>
<p>There are currently no laws for mandatory data breach notification in Australia, Hong Kong or New Zealand.  Given the possible reaction of customers some might argue there is no incentive for businesses to tell customers about a data breach.  But organisations do have a responsibility to inform their customers immediately if there has been a breach so that customers can take actions to minimise their vulnerability to financial or identity fraud.  They may even win some brownie points if they are seen to act quickly and helpfully.  Also, consider the impact if an organisation is caught trying to cover up such a breach – damage to reputation and loss of customer trust.  Better to have quick and transparent communication with customers and work with them to reduce their vulnerability.  You have more chance of retaining your customers’ trust that way.</p>
<p>Mandatory data breach laws would make sense if it is found that businesses (and government organisations) fail to act responsibly off their own bat.  But the focus should be on those breaches where there is real risk of harm as a result of the breach (eg access to financial details; risk of identity theft; access to biometric data etc).</p>
<p>The Unisys Security Index (conducted since 2006 in Asia Pacific) has consistently found that the top two security concerns for the public are data security related:  people obtaining/using credit/debit card details; and unauthorised access to/misuse of personal information.</p>
<p>No wonder they are putting business and government on notice that they are not going to passively accept privacy breaches.</p>
<table style="width: 400px;">
<tbody>
<tr>
<td class="style1" style="width: 66px;" valign="top"> </td>
<td class="style2" colspan="5" valign="top">Percent of public saying they would take the following action in the event of a data security breach</td>
</tr>
<tr>
<td class="style1" style="width: 66px;" valign="bottom">Country</td>
<td class="style1" style="width: 66px;" valign="bottom">Change passwords on that organisation’s websites and other websites you use</td>
<td class="style1" style="width: 66px;" valign="bottom">Stop dealing with that organisation, such as close the account</td>
<td class="style1" style="width: 66px;" valign="bottom">Publicly expose the issue</td>
<td class="style1" style="width: 66px;" valign="bottom">Take legal action</td>
<td class="style1" style="width: 66px;" valign="bottom">Continue dealing with that organisation, but not online</td>
</tr>
<tr>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">Australia</td>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">88</td>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">85</td>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">64</td>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">47</td>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">24</td>
</tr>
<tr>
<td style="width: 66px;" valign="top">Belgium</td>
<td style="width: 66px;" valign="top">88</td>
<td style="width: 66px;" valign="top">73</td>
<td style="width: 66px;" valign="top">52</td>
<td style="width: 66px;" valign="top">32</td>
<td style="width: 66px;" valign="top">19</td>
</tr>
<tr>
<td style="width: 66px;" valign="top">Brazil</td>
<td style="width: 66px;" valign="top">90</td>
<td style="width: 66px;" valign="top">79</td>
<td style="width: 66px;" valign="top">56</td>
<td style="width: 66px;" valign="top">86</td>
<td style="width: 66px;" valign="top">37</td>
</tr>
<tr>
<td style="width: 66px;" valign="top">Colombia</td>
<td style="width: 66px;" valign="top">92</td>
<td style="width: 66px;" valign="top">73</td>
<td style="width: 66px;" valign="top">62</td>
<td style="width: 66px;" valign="top">60</td>
<td style="width: 66px;" valign="top">23</td>
</tr>
<tr>
<td style="width: 66px;" valign="top">Germany</td>
<td style="width: 66px;" valign="top">82</td>
<td style="width: 66px;" valign="top">79</td>
<td style="width: 66px;" valign="top">52</td>
<td style="width: 66px;" valign="top">60</td>
<td style="width: 66px;" valign="top">21</td>
</tr>
<tr>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">Hong Kong</td>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">79</td>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">81</td>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">60</td>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">40</td>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">36</td>
</tr>
<tr>
<td style="width: 66px;" valign="top">Mexico</td>
<td style="width: 66px;" valign="top">86</td>
<td style="width: 66px;" valign="top">84</td>
<td style="width: 66px;" valign="top">62</td>
<td style="width: 66px;" valign="top">61</td>
<td style="width: 66px;" valign="top">44</td>
</tr>
<tr>
<td style="width: 66px;" valign="top">Netherlands</td>
<td style="width: 66px;" valign="top">88</td>
<td style="width: 66px;" valign="top">69</td>
<td style="width: 66px;" valign="top">42</td>
<td style="width: 66px;" valign="top">23</td>
<td style="width: 66px;" valign="top">22</td>
</tr>
<tr>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">New Zealand</td>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">91</td>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">80</td>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">48</td>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">36</td>
<td style="width: 66px;" valign="top" bgcolor="#ffff00">26</td>
</tr>
<tr>
<td style="width: 66px;" valign="top">Spain</td>
<td style="width: 66px;" valign="top">88</td>
<td style="width: 66px;" valign="top">81</td>
<td style="width: 66px;" valign="top">61</td>
<td style="width: 66px;" valign="top">64</td>
<td style="width: 66px;" valign="top">27</td>
</tr>
<tr>
<td style="width: 66px;" valign="top">UK</td>
<td style="width: 66px;" valign="top">83</td>
<td style="width: 66px;" valign="top">82</td>
<td style="width: 66px;" valign="top">56</td>
<td style="width: 66px;" valign="top">54</td>
<td style="width: 66px;" valign="top">25</td>
</tr>
<tr>
<td style="width: 66px;" valign="top">US</td>
<td style="width: 66px;" valign="top">87</td>
<td style="width: 66px;" valign="top">76</td>
<td style="width: 66px;" valign="top">65</td>
<td style="width: 66px;" valign="top">53</td>
<td style="width: 66px;" valign="top">31</td>
</tr>
</tbody>
</table>
<p>Cheers,<br />
John</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/11/16/asia-pacific-customers-wont-accept-data-breaches-as-a-cost-of-doing-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Understanding Demographics Will Help Create a United Digital Britain</title>
		<link>http://blogs.unisys.com/security/2011/11/14/why-understanding-demographics-will-help-create-a-united-digital-britain/</link>
		<comments>http://blogs.unisys.com/security/2011/11/14/why-understanding-demographics-will-help-create-a-united-digital-britain/#comments</comments>
		<pubDate>Mon, 14 Nov 2011 21:25:12 +0000</pubDate>
		<dc:creator>Neil Fisher</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[Personal security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Unisys Security Index]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3395</guid>
		<description><![CDATA[A recent Unisys Security Index shows the willingness by not just the young to use the digital world as a democratic tool. This raises a wider question as to whether we are doing enough to create the right avenues for people to easily express their objections to online crime rather than create their own “campaigns” of outrage. ]]></description>
			<content:encoded><![CDATA[<p>Unisys announced the latest findings from its <a href="http://www.unisyssecurityindex.com/usi/uk/press" target="_blank">Security Index</a>, a bi-annual research study that tracks consumers’ concerns about national, personal and online security. The latest report revealed startling differences when we came to analysing the demographics behind the responses, and highlights the generation gap the digital world is forming.</p>
<p>For example, in the event of a data breach by an organisation holding an individual’s personal information, the willingness to continue with the organisation, but not online, drops with age, from 31% of 18-24 year olds to 16% of seniors aged 65+. These seniors are also less likely to change their passwords (63%), while those in the 50+ category are more likely to say they would publicly expose the issue (62%) than any other age group. This enthusiasm for direct online action came as a surprise.</p>
<p>This action of publicly exposing the issue, perhaps through social media platforms, shows the willingness by not just the young to use the digital world as a democratic tool. This raises a wider question as to whether we are doing enough to create the right avenues for people to easily express their objections to online crime rather than create their own “campaigns” of outrage.</p>
<p>Perhaps unsurprisingly, those who have embraced social media from the start are less willing to see social networks closed down in the event of civil unrest. Over two thirds (72%) of those aged between 18 and 24 would be against the temporary closure of social networks, while over half (60%) of seniors would support it. While the findings demonstrate that people don’t want to see criminal activity on social networks, the results again demonstrate the need for awareness of the appropriate avenues online to help police counter and resolve cybercrime.</p>
<p>All these points suggest that changes in attitude are needed if we are to close the gap created by the digital divide. Only with more effort placed on public awareness and education on how to counter cybercrime (particularly for the older generation) and a better understanding of the definition of what ‘normal’ online behaviour is for the younger generation, can we really take the steps to achieve David Cameron’s vision for an internet that is about freedom of access to all, not a medium for a free-for-all.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/11/14/why-understanding-demographics-will-help-create-a-united-digital-britain/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do We Have the Right Skills to Help Close The Gap Between the Law Profession and Technology?</title>
		<link>http://blogs.unisys.com/security/2011/11/09/do-we-have-the-right-skills-to-help-close-the-gap-between-the-law-profession-and-technology/</link>
		<comments>http://blogs.unisys.com/security/2011/11/09/do-we-have-the-right-skills-to-help-close-the-gap-between-the-law-profession-and-technology/#comments</comments>
		<pubDate>Wed, 09 Nov 2011 14:01:49 +0000</pubDate>
		<dc:creator>Neil Fisher</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Unisys Security Index]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3374</guid>
		<description><![CDATA[The November 2011 Unisys Security Index revealed that almost half of respondents in the UK felt that the law enforcement authorities were playing catch up and needed more resources to monitor criminal behaviour online. This suggests that there is an increased expectation from the public about how law enforcement responds to cyber-security concerns and whether the authorities have access to the skills and resources they require. Based on our work with governments and businesses around the world, we feel there are three key areas which can help progress the debate.]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://www.unisyssecurityindex.com/usi/uk/press" target="_blank">Unisys Security Index</a>, announced on Tuesday 8th November 2011, tracks consumers’ concerns about national, personal, financial and online security every six months. The latest report revealed that almost half (49 per cent) of respondents in the UK felt that the law enforcement authorities were playing catch up and needed more resources to monitor criminal behaviour online.</p>
<p>This suggests that there is an increased expectation from the public about how law enforcement responds to cyber-security concerns and whether the authorities have access to the skills and resources they require. Based on our work with governments and businesses around the world, we feel there are three key areas which can help progress the debate:</p>
<ul>
<li>More expertise in computer forensics &#8211; in the past, if you had a witness who saw a crime then you had a good case; today you need specialist computer experts to gather evidence and to have the knowledge to pick out key trends in discussions on social media channels. This takes particular skills, and there should be a discussion about how to recruit this talent, how it can be funded and which skills should be the priority.</li>
<li>Encouraging young people tempted to commit online crimes to apply their skills on the right side of computer security &#8211; for example, I’m also a director at the <a href="https://cybersecuritychallenge.org.uk/index.php" target="_blank">Cyber Security Challenge</a>, set up to encourage more people from different backgrounds to consider careers in cyber security. Each year the Cyber Security Challenge runs a series of competitions testing problem solving and investigative techniques, and it demonstrates how diversity of experience can bring different approaches to solving security challenges. The legal profession and law enforcement could also draw on different backgrounds to help expand their understanding of behaviour in this area.</li>
<li>Shifting investment in research and development – to date, much of the research into computer security has focused on creating unbreakable encryption or the toughest perimeter defence. With so many access points into any modern IT network, there needs to be a shift towards securing the information itself rather than building a wall around it that can be breached. Investing in new techniques such as behavioural analysis and predictive methods can also help prevent, or at least pre-empt, online criminal behaviour.</li>
</ul>
<p>There is no overnight fix to this problem; we can’t fool ourselves into thinking it will quickly dissipate if these measures are in place but they are a good starting point to bring in the right people and talent to close the gap between law and technology.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/11/09/do-we-have-the-right-skills-to-help-close-the-gap-between-the-law-profession-and-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Can Law Enforcement Keep Up With Technology?</title>
		<link>http://blogs.unisys.com/security/2011/11/08/can-law-enforcement-keep-up-with-technology/</link>
		<comments>http://blogs.unisys.com/security/2011/11/08/can-law-enforcement-keep-up-with-technology/#comments</comments>
		<pubDate>Tue, 08 Nov 2011 15:03:36 +0000</pubDate>
		<dc:creator>Neil Fisher</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Cyber crime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Law enforcement]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social media]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[Unisys Security Index]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3365</guid>
		<description><![CDATA[In this ever connected world, the public want to know that they and their data are being protected. The conclusions from a Unisys Security Index survey show that the public expect law enforcement to have the legal framework to act swiftly to protect society online and that they, the People,  are ready to act if they feel they have become a victim of data and online crime.   ]]></description>
			<content:encoded><![CDATA[<p>The past 12 months have highlighted the widening gap between advances in technology and the ability of law enforcement in the UK to keep up with them. Just this year we’ve seen court injunctions broken on Twitter, riots partly organised through multiple social networking platforms and a series of high profile data breaches. All these events have understandably increased the public’s concerns over the ability of law enforcement to police cyberspace for the good of society.</p>
<p>According to the latest Unisys Security Index, which tracks consumer security concerns every six months and yields valuable insights into the issues that matter to people today, 48% of the public believed that a temporary shutdown of social networks might help to prevent coordinated criminal activity during periods of severe civil unrest. It also found that 46 per cent of the public accept that authorities should utilise social networking data to improve public safety, such as the uploading of real time criminal evidence by the public. In addition, 56 per cent of respondents mentioned they would take legal action against companies which suffer breaches relating to personal data online.</p>
<p>The key debate for governments and law enforcement has been how to cope with the growing influx of social media platforms used in instances such as the London riots, without relinquishing the freedom of speech the UK has become synonymous with – as David Cameron mentioned at the London Cybercrime conference on 1st and 2nd November 2011, the internet is about freedom of access to all, but not as a medium for a free-for-all. It is evident that the public want to see protective measures in place that will safeguard them from a repeat of such instances and guarantee their freedom of access to the internet.  </p>
<p>As devices become increasingly interconnected, enabling a swifter and freer flow of information, traditional legal structures and corporate governance need to adapt accordingly. While governments and law enforcement authorities consider ways of quickly sharing and identifying cyber threats across borders and jurisdictions, there is a clear need for better mechanisms for the swift sharing of criminal information leading to convictions. In addition, the public and business have a responsibility to behave within the law when using cyberspace, but for that to work the traditional legal framework needs to be brought up to date.</p>
<p>In this ever connected world, the public want to know that they and their data are being protected. The conclusions from the survey show that the public expect law enforcement to have the legal framework to act swiftly to protect society online and that they, the People, are ready to act if they feel they have become a victim of data and online crime.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/11/08/can-law-enforcement-keep-up-with-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Surprised to See Americans So Willing to Provide Personal Biometric Data for Travel and Financial Transaction Security?</title>
		<link>http://blogs.unisys.com/security/2011/11/03/surprised-to-see-americans-so-willing-to-provide-personal-biometric-data-for-travel-and-financial-transaction-security/</link>
		<comments>http://blogs.unisys.com/security/2011/11/03/surprised-to-see-americans-so-willing-to-provide-personal-biometric-data-for-travel-and-financial-transaction-security/#comments</comments>
		<pubDate>Thu, 03 Nov 2011 17:39:55 +0000</pubDate>
		<dc:creator>Mark Cohn</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Biometrics]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3343</guid>
		<description><![CDATA[Well, at Unisys, we are not as surprised by the results of the Unisys Security Index when we asked American consumers about providing biometric information. Mark Cohn, CTO for Unisys Federal Systems, shares his views on what consumers' willingness to share biometric information means to organizations.]]></description>
			<content:encoded><![CDATA[<p>Well, at Unisys, we are not as surprised by the results of the Unisys Security Index when we asked American consumers about providing biometric information.</p>
<p>Mark Cohn, CTO for Unisys Federal Systems, shares with us in this video his views on what consumers&#8217; willingness to share biometric information means to organizations.</p>
<p>Visit the <a href="http://www.unisyssecurityindex.com" target="_blank">Unisys Security Index</a> findings to learn more about American consumers&#8217; responses.</p>
<iframe width="400" height="245" src="http://www.youtube.com/embed/Hp7Tmccp_Yo" frameborder="0" type="text/html"></iframe>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/11/03/surprised-to-see-americans-so-willing-to-provide-personal-biometric-data-for-travel-and-financial-transaction-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Unisys Security Index&#8217;s Global Inquiry Focuses on Consumer Reaction to Data Breaches</title>
		<link>http://blogs.unisys.com/security/2011/11/02/unisys-security-index-global-inquiry-focuses-on-consumer-reaction-to-data-breaches/</link>
		<comments>http://blogs.unisys.com/security/2011/11/02/unisys-security-index-global-inquiry-focuses-on-consumer-reaction-to-data-breaches/#comments</comments>
		<pubDate>Wed, 02 Nov 2011 10:00:08 +0000</pubDate>
		<dc:creator>Steve Vinsik</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Unisys Security Index]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3326</guid>
		<description><![CDATA[Steve Vinsik, VP Global Security Solutions, shares with us his view on the Unisys Security Index findings on consumers' reaction to data security breaches. Steve helps us understand how consumers' reaction impacts organizations that manage sensitive customer information, and the role Unisys plays in preventing leakage of sensitive data.]]></description>
			<content:encoded><![CDATA[<p>Steve Vinsik, VP Global Security Solutions, shares with us his view on the Unisys Security Index findings on consumers&#8217; reaction to data security breaches. Steve helps us understand how consumers&#8217; reaction impacts organizations that manage sensitive customer information, and the role Unisys plays in preventing leakage of sensitive data.</p>
<p>To learn more about the Unisys Security Index Findings please visit <a href="http://www.unisyssecurityindex.com/">http://www.unisyssecurityindex.com/</a>  </p>
<p>Watch the Steve Vinsik video on Consumer Reaction to Data Breaches at <a href="http://www.youtube.com/watch?v=4VBXeume6wU">http://www.youtube.com/watch?v=4VBXeume6wU</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/11/02/unisys-security-index-global-inquiry-focuses-on-consumer-reaction-to-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>There’s No Room for Complacency in Port Security</title>
		<link>http://blogs.unisys.com/security/2011/10/30/3305/</link>
		<comments>http://blogs.unisys.com/security/2011/10/30/3305/#comments</comments>
		<pubDate>Sun, 30 Oct 2011 00:01:36 +0000</pubDate>
		<dc:creator>John Kendall</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[port security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Unisys Security Index]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3305</guid>
		<description><![CDATA[There’s No Room for Complacency in Port Security. Sea ports with a reputation for being safe, secure and efficient can’t afford to be complacent about balancing efficiency and security.]]></description>
			<content:encoded><![CDATA[<p>Sea ports with a reputation for being safe, secure and efficient can’t afford to be complacent about balancing efficiency and security.</p>
<p> Australia and New Zealand are classic examples. In the <a href="http://www.unisys.com/unisys/countrysite/news/index.jsp?cid=300010&amp;id=3200036" target="_blank">Unisys Security Index</a> conducted in April, one in three Australians, and even fewer New Zealanders, said that they perceive freight sent by air, sea or land to be vulnerable to malicious or terrorist attack. The level of concern “down under” is among the lowest recorded globally, compared to more than half of the US public and two thirds of the UK public.</p>
<p style="text-align: left;"> <img class="aligncenter size-full wp-image-3306" title="vulnerabilty_chart" src="http://blogs.unisys.com/security/files/2011/10/vulnerabilty_chart.png" alt="" width="405" height="173" /></p>
<h5 style="text-align: center;">Source: Unisys Security Index, April 2011 – percentage of public responding that cargo transported by air, sea or land is “extremely” or “very” vulnerable to malicious or terrorist attack</h5>
<p style="text-align: left;">Sure &#8211; public perception may not match the reality, but you would not want this apparent low level of concern regarding maritime trade security to be reflected in our national priorities.  Given that <a href="http://www.marisec.org/shippingfacts/home/" target="_blank">90 percent of the world’s cargo moves by sea</a>, and with both the Aussie and Kiwi economies being highly dependent on safe and efficient maritime trade, ports present a high value target for those wishing to do our nations harm.  It is important that commercial and policy decision makers are not lulled into a false sense of security. </p>
<p style="text-align: left;">So why does the public hold such a low level of concern? Perhaps it is because relatively few of us directly interact with seaports and so have no immediate experience on which to base an assessment. Or maybe we simply don’t believe that a serious port security incident could happen here. However, the ten year anniversary of the 9/11 terrorist attacks and the more recent attacks in Mumbai (which were facilitated by insufficient security measures at Indian ports and insufficient maritime domain awareness) serve as stark reminders that it can indeed happen on our home turf.</p>
<p>There is no silver bullet answer. Today’s port security landscape is characterised by increasingly sophisticated threats, new vulnerabilities, evolving national and international regulations and mandates, and a broad range of stakeholders. There is also a plethora of security solution providers jockeying for attention and a piece of the port operations budget. This information overload often leads to a ‘comply first – ask questions later’ approach made up of single point (silo) security solutions that resist integration with basic port operations, devour scarce operational resources, potentially alienate key stakeholders, do not account for future growth requirements and may not even address the most important security challenges.</p>
<p>These types of issues can be avoided by developing a comprehensive security roadmap or master plan that aligns business and security strategies and provides a prioritised and actionable plan to address not only the current requirements but also future growth and plans. This approach allows ports to look at their business and decide where they need to invest, not only to address the high priority issues but also to get the largest return on security investments and payback by way of security fees and tariff adjustments.</p>
<p>Find out more about the Unisys Port Security Roadmap for Asia Pacific <a href="http://www.unisys.com/unisys/ri/wp/detail.jsp?id=1120000970016710175" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/10/30/3305/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Jailbreaking iPhones – Freedom or Folly?</title>
		<link>http://blogs.unisys.com/security/2011/10/27/jailbreaking-iphones-freedom-or-folly/</link>
		<comments>http://blogs.unisys.com/security/2011/10/27/jailbreaking-iphones-freedom-or-folly/#comments</comments>
		<pubDate>Thu, 27 Oct 2011 16:40:06 +0000</pubDate>
		<dc:creator>John Kendall</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Mobile devices]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Smartphones]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3289</guid>
		<description><![CDATA["There’s an app for that."  How did we cope before we had that for an answer to so many of life’s questions downloadable into a cool gadget that fits in the palm of our hand? ]]></description>
			<content:encoded><![CDATA[<p>&#8220;There’s an app for that.&#8221;  How did we cope before we had that for an answer to so many of life’s questions downloadable into a cool gadget that fits in the palm of our hand?  Everything from maps of the stars to personal fitness trainers, games to productivity tools, GPS navigation to social networking.  Today’s <a href="http://inmovalia.com/mobile-phone-news/the-app-revolution/">mobile devices have revolutionised</a> the way that we live our daily lives.</p>
<p>But does the hunger for new apps make us more vulnerable to cybercrime?  Apps are far more than colourful icons on your smartphone.  They are powerful pieces of software code that you have downloaded onto your device. </p>
<p>Our appetite for the latest app seems to be pushing us, and our phones, to break boundaries.  For several years <a href="http://en.wikipedia.org/wiki/IOS_jailbreaking">&#8220;Jailbreaking&#8221;</a> iPhones has been a popular way to gain full access to the operating system in order to download apps not available through the official Apple App Store. You can read more about a recent Adelaide business that was hit by flash SMS hack via a <a href="http://www.itnews.com.au/News/277716,adelaide-office-hit-by-flash-sms-hack.aspx?eid=50&amp;edate=20111024&amp;utm_source=20111024&amp;utm_medium=newsletter&amp;utm_campaign=security_newsletter">jailbroken iPhone</a>. </p>
<p><strong>“Why Should We Be Restricted To Only Buy Our Apps From Apple? We Want More Freedom!”<br />
</strong>Well, here’s something to consider: when you ‘jailbreak’, you might not be the only one you’ve given access to your phone and the data you keep on it – or, more worryingly, the corporate data and systems it lets you reach.</p>
<p><a href="http://www.securitynewsdaily.com/apple-iphone-ipad-vulnerability-exploit-0936/">Cybercriminals</a> have quickly figured out that by offering “non official” apps they can encourage users to jailbreak their phones, and make them vulnerable to exploitation. This could include your phone being used for surveillance and hacking.  It is the modern version of the old nasty trick of leaving a free USB stick in a hotel for unwitting business travellers to use, only to find that it unleashes viruses onto their laptops and corporate systems.</p>
<p>And just like the increasingly sophisticated SPAM campaigns that try to trick us to reveal personal data, <a href="http://www.csoonline.com/article/663329/social-engineering-3-examples-of-human-hacking">clever social engineering</a> is being used to make us think it is OK to unlock the built-in protection on our mobile devices.</p>
<p>If you run a search on “jailbreaking iPhones” you will get mountains of instructions on how to jailbreak and why it’s so “cool”.  But interestingly, more and more of the posts from 2011 are starting to discuss the potential risks. </p>
<p>If your iPhone is a personal device and you never use it for work, then it’s up to you whether you want to take the gamble. But if you use it to discuss or access company information &#8212; no matter whether it was purchased by you or your employer – think again. Do you really know what is buried in the code of that non-official app you are downloading? It is not worth the risk to organisational and personal data.</p>
<p>There’s probably an app to work out the odds…</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/10/27/jailbreaking-iphones-freedom-or-folly/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Are Asia Pacific Enterprises Responding To The Consumerization Of IT?</title>
		<link>http://blogs.unisys.com/security/2011/10/26/how-are-asia-pacific-enterprises-responding-to-the-consumerization-of-it/</link>
		<comments>http://blogs.unisys.com/security/2011/10/26/how-are-asia-pacific-enterprises-responding-to-the-consumerization-of-it/#comments</comments>
		<pubDate>Wed, 26 Oct 2011 14:40:30 +0000</pubDate>
		<dc:creator>Jennifer Arnold</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Consumerization]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[Mobile devices]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Smartphones]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3270</guid>
		<description><![CDATA[The top 10 observations about Enterprise Mobility from Consumerization of IT research briefings.]]></description>
			<content:encoded><![CDATA[<p><em>The top 10 observations about Enterprise Mobility from Consumerization of IT research briefings.</em></p>
<p> Over the past few months, Unisys has been briefing Asia Pacific organizations on the findings of its second annual <a href="http://www.unisys.com/unisys/ri/topic/researchtopicdetail.jsp?id=700004">Consumerization of IT research report</a>. We’ve conducted briefings with state and federal government departments, retail banks, insurance companies, property management companies, telcos, retailers and FMCG companies, and the response to the research findings and the challenges these organizations face when it comes to enterprise mobility are remarkably consistent, regardless of the type or location of the organization.</p>
<p> This is the second year we’ve run these briefings—often with the same organizations—and we’ve noted a marked difference in their readiness to embrace mobile devices and applications as business tools and in the maturity of the discussions surrounding mobile technology implementation. Our top ten observations from the more than forty briefings we have completed are:</p>
<ol type="1">
<li><strong>Most organizations have moved past the &#8216;lock it out&#8217; response we encountered last year.</strong> The IT departments now realize it&#8217;s nearly impossible to prevent employees from bringing mobile devices into the workplace, but not only that, the business can see benefits in allowing, or even encouraging, the use of these devices for employee productivity and interacting with customers/citizens. Aiding this change is the observation that organizations are less concerned about lost employee productivity. They aren&#8217;t as worried that employees are going to waste time playing games, browsing websites or using social media on the mobile devices during work hours because they expect that giving employees access to tools that let them work outside of business hours has productivity benefits.</li>
<li><strong>Organizations are more open to the Bring Your Own Technology (BYOT) approach, at least for select employee groups.</strong> This often starts with senior executives purchasing their own smartphones and/or tablets and asking the IT department to connect them to the network. However, while more BYOT is being allowed, few organizations we&#8217;ve briefed have yet given access to corporate systems beyond email, calendar and contact access so the devices are not yet being used to their full potential.</li>
<li><strong>There are many instances of device procurement by the business occurring outside of the usual IT procurement channels.</strong> Business-line teams are buying company-owned devices from manufacturers or resellers directly, which means devices aren&#8217;t being captured in the usual IT asset registries and organizations have no visibility or control of the applications, data or security on the devices. Procurement teams are now trying to gain back some control to ensure devices are properly secured and the device lifecycle is managed, but also so that they can negotiate better deals with device and telco suppliers.</li>
<li><strong>While there&#8217;s increased interest in enterprise use of mobile devices, organizations are challenged to build a business case to support widespread deployment.</strong> They need to find the &#8216;killer app&#8217; that will help them demonstrably improve employee productivity or make a business process more efficient.</li>
<li><strong>The security of mobile devices, particularly those owned by employees, remains the primary concern of IT departments and is the key issue that is delaying enterprise usage.</strong> However, this year the organizations briefed are more aware of the technology and policy protection measures that can be taken to reduce security risk.</li>
<li><strong>IT departments, particularly those in government and financial services organizations, want to retain control over the applications and data access on the device to reduce security risks and productivity loss.</strong> This is driving interest in the creation of public and private clouds to host data, enterprise app stores to control what applications employees can download, and enterprise cloud-based storage for backing up data.</li>
<li><strong>There is greater recognition that IT policies need to be strengthened and more employee training is required to reduce risks related to misuse of mobile technology.</strong> Many organizations that allow BYOT ask employees to sign agreements to allow the organization to check data on the devices, monitor devices to ensure they have appropriate security tools in place, and conduct remote data wipes for lost, stolen or end-of-life devices.</li>
<li><strong>Few organizations have begun creating or modernizing corporate applications for use on mobile devices by employees.</strong> Most have only enabled use of corporate email, calendar and contact lists, and a few standard business productivity applications that can be downloaded from an app store. However, several organizations we briefed are exploring simple information capture mobile applications to replace paper-based forms and systems. For example, a property management company is creating a property inspection form application for its inspectors. The inspectors will be able to complete the form on a tablet at the property, take photos with the device camera and attach them to the form, and then upload the form to the database before moving on to the next property, whereas previously they would have to return to the office and hand the written form to another person who would type the information into the database.</li>
<li><strong>Cost and application development skills in the organization have been a barrier to more application modernization.</strong> For some, an interim step has been to introduce a virtual desktop environment for the mobile device until the corporate applications can be modernized to take full advantage of the smartphone or tablet interface and functionality. The organizations we briefed are planning to standardize on one or two mobile operating systems to keep end user support and application modernization costs to a minimum.</li>
<li>For the small number of organizations briefed that have created mobile applications for their customers or citizens, most have started by taking a simple website function and enabling it for mobile devices (e.g. mobile banking or airline check-in functions). However, they are <strong>prioritizing application development for customer/citizen usage over employee usage.</strong></li>
</ol>
<p>We have observed considerable advances in the interest in and adoption of mobile technology in the past twelve months since we launched the first Consumerization of IT research report. Based on the feedback from Asia Pacific organizations, we expect to see greater advances, particularly in the adoption of BYOT programs and development of corporate mobile applications, in the year to come.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/10/26/how-are-asia-pacific-enterprises-responding-to-the-consumerization-of-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CISO Uncovers a Few Surprises and Shares Unisys Best Practices with European Clients</title>
		<link>http://blogs.unisys.com/security/2011/10/25/ciso-uncovers-a-few-surprises-and-shares-unisys-best-practices-with-european-clients/</link>
		<comments>http://blogs.unisys.com/security/2011/10/25/ciso-uncovers-a-few-surprises-and-shares-unisys-best-practices-with-european-clients/#comments</comments>
		<pubDate>Tue, 25 Oct 2011 16:24:31 +0000</pubDate>
		<dc:creator>Sowmya Murthy</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Consumerization]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3259</guid>
		<description><![CDATA[Patti Titus recently traveled to Belgium and Holland for meetings with clients and prospective clients.  The activities centered around the Consumerization of IT and the disruptive trends and the impacts on their business operations and enterprise security.  Some were far more advanced with their strategy and implementation than others.  ]]></description>
			<content:encoded><![CDATA[<p><strong>[Sowmya Murthy] Patti, where were you recently talking to clients, and what topic(s) were you discussing?</strong></p>
<p>[Patricia Titus] I recently traveled to Belgium and Holland for meetings with clients and prospective clients.  The activities centered around the <a href="http://www.unisys.com/unisys/ri/topic/researchtopicdetail.jsp?id=700004" target="_blank">Consumerization of IT</a> and the disruptive trends and the impacts on their business operations and enterprise security.  As I usually find when talking to a diverse group with diverse missions, some were far more advanced with their strategy and implementation than others. </p>
<p><strong>[Sowmya Murthy] What were some topics of interest?</strong></p>
<p>[Patricia Titus] What I always find interesting is the level to which security professionals will address a situation.  Some address it from the policy view, and others are quick to take the technology fast track.  What we were able to do is guide the conversation to show the point of convergence between the need for policy and the need for technology to solve the problems.  And don’t forget the human factor, which I was constantly reminded of.  It was a great exchange of ideas and very thought provoking dialogue. </p>
<p><strong>[Sowmya Murthy] Anything strike you as surprising?</strong></p>
<p>[Patricia Titus] What was of particular interest is that a few of the participants in our events were adopting the National Institute of Standards and Technology security frameworks and guidance documents, which we’ve been using in Unisys now for several years both for our public sector clients but also inside our corporate network.  It’s a great enhancement to the <a href="http://en.wikipedia.org/wiki/ISO/IEC_27001" target="_blank">ISO 27001 standards</a> we already use.  It was refreshing to see that <a href="http://csrc.nist.gov/" target="_blank">NIST security guidelines</a> were being used outside the United States.</p>
<p><strong>[Sowmya Murthy] Any current events that made for good fodder for conversation?</strong></p>
<p>[Patricia Titus] My visit to Europe was just after a large and disastrous <a href="http://en.wikipedia.org/wiki/DigiNotar" target="_blank">DigiNotar</a> hack.  This provided a great discussion point about “having your eggs in one basket.”  The effects of that hack forced a major disruption to online transactions affecting several governmental entities and companies, causing untold economic impacts.  The open and candid discussion we had helped me see the big picture of those incidents even better and to see what happens to organizations that don’t embrace the defense-in-depth strategy in their operation.</p>
<p><strong>[Sowmya Murthy] What final thoughts did you walk away with, and how does Unisys figure in the Consumerization of IT story?</strong></p>
<p>[Patricia Titus] In summary, the globalization of our digital world brings to light that we’re all suffering from the same issues when it comes to Consumerization of IT, mobilized workforce and cyber security pitfalls. Unisys has taken proactive steps to address our own internal Consumerization of IT and the mobility of our workforce, which in turn allows us to share the lessons learned.  Because we consume our own services within the company, it is a testament that we know what our clients struggle with and have some valuable lessons learned.  We recognized that in order to address the disruptive technologies, it meant more than buying a third-party security technology to secure our corporate data on a device. It meant we needed to move to a more data-centric framework, which is a bit of a change from our previous network-centric view.  One thing we’ve realized is the importance of risk advisory services to help determine what you really should be implementing.  Taking the business needs into account truly drove our strategy, and developing a cross-functional working group is one example of how to build consensus for your mobility projects.</p>
<p>Unisys is on an amazing journey ourselves.  For more view into our ongoing journey please go to <a href="http://blogs.unisys.com/security">Security Straight Talk blog</a> or the <a href="http://www.disruptiveittrends.com/trends/consumerization">Disruptive IT Trends &#8211; Consumerization</a> blog.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/10/25/ciso-uncovers-a-few-surprises-and-shares-unisys-best-practices-with-european-clients/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Consumerization of IT: Moving Beyond Security Concerns for IT Organizations, Part III</title>
		<link>http://blogs.unisys.com/security/2011/10/20/consumerization-of-it-moving-beyond-security-concerns-for-it-organizations-part-3/</link>
		<comments>http://blogs.unisys.com/security/2011/10/20/consumerization-of-it-moving-beyond-security-concerns-for-it-organizations-part-3/#comments</comments>
		<pubDate>Thu, 20 Oct 2011 16:51:36 +0000</pubDate>
		<dc:creator>Jan Wiewiora</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Consumerization]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[Mobile devices]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3245</guid>
		<description><![CDATA[IT organizations are stymied by the proliferation of mobile devices within their environment and their need to secure enterprise data.  We believe a holistic approach is necessary to design a mobile device strategy that meets the needs of the enterprise while providing the security for enterprise data. Part 3 of this discussion focuses on understanding security requirements and innovating on what's possible.]]></description>
			<content:encoded><![CDATA[<p><strong>Understand the security requirements –</strong> security considerations are part of every aspect of secure mobility.  The devices you decide to support, the applications and access you provide, and the connection and data center capabilities you provide are all part of the security environment.  Some of the areas to consider are:</p>
<ul>
<li>Establish policies for mobile device usage.  Users have responsibilities when allowed remote access to applications and data, whether the devices are provided by the enterprise or personally owned.  User education on usage policies must be provided.  IT and HR need to work together on implementing the policies.</li>
<li>How are mobile user identities managed?  Is a simple UserID/Password mechanism secure enough for the data they will access?  Is multi-factor authentication needed?  Will some type of token key store like a smartcard be required?  Do you need biometric verification?</li>
<li>What type of Mobile Device Management will your enterprise require?  If you only need secure email then Exchange ActiveSync (EAS) services may be all that is required.  Depending on the importance of the data, more security may need to be applied.  Know the built-in security features for devices.  Do they provide hardware encryption?  Manage and enforce policies for mobile devices.  Consider remote wipe of secure data or even the entire device.</li>
<li>Should recovery of a lost device be considered?  Use of device tracking by network access or Intel Anti-Theft (for larger devices) may be of value.</li>
<li>Consider a custom App Store for enterprise applications.  If possible, control applications loaded on the device.  Setup “white list” and “black list” applications and provide the capability to enforce them.</li>
<li>Provide “jailbroken” device detection and automatic wipe of enterprise apps and data.  Devices that are “jailbroken” or “rooted” can no longer provide the protection profiles needed.</li>
<li>Does a secure sandbox for applications and/or email/web access provide the necessary separation of user and enterprise data?</li>
<li>If developing custom apps from internal or open source code consider code vulnerability scanning tools to detect coding errors and purposely designed vulnerabilities.</li>
<li>Implement the concept of least privilege.  Provide only the access necessary for each use type.  Do not allow access to resources that the user does not require.  It opens the system to being exploited if the user access credentials are compromised.</li>
<li>Protect data in motion (SSL, VPN, etc.) and data at rest (encryption).  Look for Certified FIPS 140-2 encryption capabilities in the products and services you provide.  Keep server certificates up to date and only allow access when the certificates are correct.</li>
<li>Ensure that redeployed devices are purged of all data and apps.  When re-issuing enterprise owned devices completely re-image the device or reset to factory defaults.  Then build the device for the user.   The new user should not have access to the old user’s data or apps.</li>
<li>Keep sensitive data server side.  Enterprise IP or sensitive data should only stay at the data center.  The device should be simply the pane of glass through which the user views the data.  It should never be allowed to be saved outside the data center.  Other than taking a picture of the display, there should be no capability to save the data anywhere.</li>
<li>Ensure your security operates with continuous compliance and active management.  Look for and deal with violations.  It may be necessary to revoke user privileges if they abuse the policy.</li>
</ul>
<p><strong>Innovating on what’s possible –</strong> while working toward all that is described above, consider how mobility can help improve your business capability.  Improving customer service, higher productivity or optimization of human resources are all possibilities.  These are generally discovered during an Innovation Workshop or “brainstorming” session, but can also come from employees, customers or competitors.  Some of the current capabilities being implemented include:</p>
<ul>
<li>Location based services – the ability to use the device’s GPS coordinates to provide user services. While phones have been providing location services like nearby restaurant or gas station location, new apps are providing a greater user experience.  These include current coupon listings, user ratings of restaurants, location of government services.  There are apps that help travelers identify and understand historic locations, monuments or people.  People that work together could locate each other and get directions to each other’s location.</li>
<li>Use the device capabilities like the camera.  Several financial institutions allow the deposit of checks through check images taken with a smart phone.  Scan the barcode to renew a prescription.  Scan a product’s UPC code and get price comparisons for stores near your location.</li>
<li>Augmented reality – the ability to use the phone to show you information or content about where you are now.  There is an app that shows the location of all New York City subway lines and shows closest stations when you hold the phone up.  As you move around it changes what is overlaid on the live video with new station names for those in front of you.</li>
</ul>
<p>I have laid out many of the areas to be considered.  The task may look too big to tackle, but it can be implemented in stages once you understand what you want to accomplish.  My next BLOG will cover how to get started implementing Secure Mobility and how Unisys can help.</p>
<p><em><strong>Related posts:</strong></em></p>
<ul>
<li><a href="http://blogs.unisys.com/security/2011/10/18/consumerization-of-it-moving-beyond-security-concerns-for-it-organizations-part-i/">Consumerization of IT: Moving Beyond Security Concerns for IT Organizations, Part I</a></li>
<li><a href="http://blogs.unisys.com/security/2011/10/19/consumerization-of-it-moving-beyond-security-concerns-for-it-organizations-part-2/">Consumerization of IT: Moving Beyond Security Concerns for IT Organizations, Part II</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/10/20/consumerization-of-it-moving-beyond-security-concerns-for-it-organizations-part-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Consumerization of IT: Moving Beyond Security Concerns for IT Organizations, Part II</title>
		<link>http://blogs.unisys.com/security/2011/10/19/consumerization-of-it-moving-beyond-security-concerns-for-it-organizations-part-2/</link>
		<comments>http://blogs.unisys.com/security/2011/10/19/consumerization-of-it-moving-beyond-security-concerns-for-it-organizations-part-2/#comments</comments>
		<pubDate>Wed, 19 Oct 2011 18:05:23 +0000</pubDate>
		<dc:creator>Jan Wiewiora</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Consumerization]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3229</guid>
		<description><![CDATA[IT organizations are stymied by the proliferation of mobile devices within their environment and their need to secure enterprise data.  We believe a holistic approach is necessary to design a mobile device strategy that meets the needs of the enterprise while providing the security for enterprise data. Part 2 of this discussion focuses on understanding application modernization scenarios and infrastructure considerations.]]></description>
			<content:encoded><![CDATA[<p><strong>Understanding application modernization scenarios –</strong> if your enterprise has been around for more than a few years, inevitably you find that some of the applications reside on older mainframes or servers that were never designed for mobile access.  In this area you will want to document proposed modernization scenarios for the applications, based on priority of access.  Some areas to consider are:</p>
<ul>
<li>If using a COTS product does the vendor offer mobile access?</li>
<li>Does your system vendor provide tools for assisting in the modernization of older apps through portals (like Clearpath portals)?</li>
<li>Can the application be replaced by a COTS product that has mobile access?</li>
<li>Is it possible to use tools that help you create a SOA based environment where modernized apps can access the older applications as web services (like Unisys AMPS)?</li>
<li>Can you create a mobile web based version of the UI?  Many web sites are difficult to use on smartphones because of screen size.  You must consider how users of smaller screens will interact with the application.</li>
<li>Can HTML5 provide all the capabilities you need in a mobile application so you only need a secure web browser?</li>
<li>Are there specific device attributes that you are considering that would require a native app?  The camera, microphone, or NFC (near field communication) are devices you need to consider.</li>
<li>Are you going to support multiple device types and Operating Systems?  Should you consider a MEAP product to build for multiple platforms?  Does the MEAP give you access to the device capabilities that you want to exploit or do you need a native app?</li>
</ul>
<p><strong>Understanding the infrastructure considerations –</strong> when you start allowing mobile device access to applications and data, what are the infrastructure impacts that should be considered?  In many cases legacy mainframes and server environments were not built with the security of systems today.  You need to carefully decide what applications will be made available, and how you will secure them.</p>
<ul>
<li>Will all remote access be through Secure Gateways or other VPN type connections?  Will you need to allow some mobile capabilities to access server applications directly, opening ports into your network?  Does your remote access capability have the capacity to support the number of new mobile users?  If your internet connection is too slow, users will have difficulty using the application remotely.  You also need to consider multiple providers for remote availability of the infrastructure.</li>
<li>What services in the data center are leveraged by mobile users and platforms today and what changes are planned?  Based on your application architecture, will you implement Virtual Desktop Integration (VDI), Remote Desktop Services, Citrix Receiver, or Virtual Network Client (VNC) access to your infrastructure?</li>
<li>What types of devices do you need to support for remote access?  When examining user types and the application they need to access, what device best meets their need?  For some users an older laptop with something like Windows Thin Client is sufficient, while others need the complete mobility provided by today’s smartphones.  Also consider teleworkers that could benefit from the capability of Secure Stealth Virtual Terminal (SSVT).  This provides a less expensive but highly secure capability of mobile access from user owned systems.</li>
<li>Will you be providing your own mobile app store?</li>
<li>When using wireless devices near or within your facility, will you implement a wireless intrusion detection system?  You need to protect your environment from intruders as well as protect your wireless users from connecting to rogue access points.</li>
<li>With more mobile users and devices dependent on the data center, are your Disaster Recovery (DR/COOP) capabilities ready to support them?</li>
</ul>
<p><em><strong>Related posts:</strong></em></p>
<ul>
<li><a href="http://blogs.unisys.com/security/2011/10/18/consumerization-of-it-moving-beyond-security-concerns-for-it-organizations-part-i/">Consumerization of IT: Moving Beyond Security Concerns for IT Organizations, Part 1</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/10/19/consumerization-of-it-moving-beyond-security-concerns-for-it-organizations-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Consumerization of IT: Moving Beyond Security Concerns for IT Organizations, Part I</title>
		<link>http://blogs.unisys.com/security/2011/10/18/consumerization-of-it-moving-beyond-security-concerns-for-it-organizations-part-i/</link>
		<comments>http://blogs.unisys.com/security/2011/10/18/consumerization-of-it-moving-beyond-security-concerns-for-it-organizations-part-i/#comments</comments>
		<pubDate>Tue, 18 Oct 2011 14:13:06 +0000</pubDate>
		<dc:creator>Jan Wiewiora</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Gartner]]></category>
		<category><![CDATA[Mobile applications]]></category>
		<category><![CDATA[Mobile devices]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3216</guid>
		<description><![CDATA[IT organizations are stymied by the proliferation of mobile devices within their environment and their need to secure enterprise data.  We believe a holistic approach is necessary to design a mobile device strategy that meets the needs of the enterprise while providing the security for enterprise data.]]></description>
			<content:encoded><![CDATA[<p>Ok, there are too many articles about how IT organizations are stymied by the proliferation of mobile devices within their environment and their need to secure enterprise data. This is known as the Consumerization of IT, or the need for IT to support consumer devices. Since IT is usually responsible for the protection of enterprise data, they have to be the guys to set company policy, which has led to restrictions on devices, application and data access. After all, if there’s a data leak, who has to deal with it? IT is trying, generally with limited budgets, to gain control of the issue and provide users with the experience they desire.</p>
<p><strong>Point Solutions Do Solve The Problem</strong></p>
<p>So IT looks for solutions. Every Mobile Device Management (MDM) or Mobile Enterprise Application Platform (MEAP) vendor has the answer to bring them control…or so they say. Most management platform vendors seem to have an offering that supports mobility. The problem is that point solutions do not really solve enough of the problem. You need to understand all the facets of mobility in order to pick the right technologies to make your enterprise succeed.</p>
<p>We believe a holistic approach is necessary to design a mobile device strategy that meets the needs of the enterprise while providing the security for enterprise data. There are several key areas that need to be discovered and documented in order to build the strategy. These include:</p>
<ol>
<li>Understanding the users</li>
<li>Understanding the applications/data they need to access</li>
<li>Understanding application modernization scenarios</li>
<li>Understanding the infrastructure considerations</li>
<li>Understanding the security requirements</li>
<li>Innovating on what’s possible</li>
</ol>
<p><strong>Understand the users –</strong> in this area you need to develop a categorization of users within the enterprise. The Gartner Segmentation Model for Mobile and Client Computing is a very good method for coming up with the categories. Consider all users of mobile devices. It is easy to pick the executives or professionals who travel with mobile phones and want email access, but also consider someone like an inventory clerk in the warehouse with ruggedized handhelds for inventory management, shipping and receiving. You need to look at securing all the devices. Priorities can be set once the assessment is complete. In the segmentation you document:</p>
<ul>
<li>Where they use their devices, e.g. locally, multiple locations, internationally</li>
<li>The level at which they need to operate independently. Do they need to work with data while not connected? Must they follow a specific process, or can they change how they use the data?</li>
<li>What are the types of data that they need to access and use? Is it just email and messaging? Sales reports in a financial system? HR data in the HR systems?</li>
<li>What level of collaboration is needed by each user type? Do they simply read emails from other users or do they need to interact real-time on documents?</li>
</ul>
<p><strong>Understanding the applications/data they need to access –</strong> in this area you need to develop a list of the applications, data and systems that mobile users need to access. Email is easy; you know that is what most mobile users need. HR systems, sales and financial are also key areas for selected members of the user community. But how about access to building control systems or power consumption data that could help facility managers better support the company’s green initiative? The idea is to get them all down in a list, and then set priorities for implementing access.</p>
<p><em><strong>Related posts:</strong></em></p>
<ul>
<li><a href="http://blogs.unisys.com/security/2011/10/19/consumerization-of-it-moving-beyond-security-concerns-for-it-organizations-part-2/">Consumerization of IT: Moving Beyond Security Concerns for IT Organizations, Part 2</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/10/18/consumerization-of-it-moving-beyond-security-concerns-for-it-organizations-part-i/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Michigan Cyber Summit – Unisys Takes Part in National Cyber Security Awareness Month</title>
		<link>http://blogs.unisys.com/security/2011/10/13/michigan-cyber-summit-unisys-takes-part-in-national-cyber-security-awareness-month/</link>
		<comments>http://blogs.unisys.com/security/2011/10/13/michigan-cyber-summit-unisys-takes-part-in-national-cyber-security-awareness-month/#comments</comments>
		<pubDate>Thu, 13 Oct 2011 17:07:37 +0000</pubDate>
		<dc:creator>Steve Vinsik</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[GSN Magazine]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3201</guid>
		<description><![CDATA[Michigan Cyber Summit focuses on threats emanating from organized crime, hacktivists, and nation state-sponsored cyber attacks.]]></description>
			<content:encoded><![CDATA[<p>I just came back from the Michigan Cyber Summit that was hosted by Governor Rick Snyder and <a href="http://www.michigan.gov/dmb/0,4568,7-150-9131_56323-251868--,00.html" target="_blank">Michigan CIO David Behen</a>. This event was the launch site for the <a href="http://www.dhs.gov/files/programs/gc_1158611596104.shtm" target="_blank">National Cyber Security Awareness Month</a> with presentations from Congressmen Mike Rogers, John Dingell, and Hansen Clarke as well as Janet Napolitano, and White House Cybersecurity coordinator Howard Schmidt.</p>
<p>The themes for the day were best summed up by Congressman Rogers who stated that there were three types of companies and organizations: <a href="http://blogs.ft.com/fttechhub/2011/10/sony-comes-under-further-hacking-attacks/#axzz1aa8GFJft" target="_blank">Those who have been hacked</a>, those who don’t know they’ve been hacked, and those that will be hacked. I was quite impressed with Congressman Rogers’ and Governor Snyder’s comments around the cyber threats we face today. Both were obviously well informed on the issues, and it certainly made me feel a bit more comfortable knowing that our government leadership understands the importance of today’s cyber threats.</p>
<p>Several hundred government and business leaders attended the event, and throughout the day, we discussed the threats that we are facing from:</p>
<ul>
<li>organized crime,</li>
<li>hacktivists, and</li>
<li>nation state-sponsored cyber attacks.</li>
</ul>
<p><strong>Increased vulnerabilities that state and local government and small and medium business are facing.</strong></p>
<p>This is due in large part to the fact that these organizations have typically not prioritized security issues because they did not see themselves as targets. With today’s advanced cyber threats, we are noticing that the state and local organizations are increasingly being targeted, because they are considered a soft target due to a lack of some of the more sophisticated cyber defenses that large corporations and the Federal government can afford to implement.</p>
<p>During the event, I had the opportunity to present on the impacts of cyber security threats to our nation’s critical infrastructure. I spoke about the unique threats that our critical infrastructure has to defend against, such as a coordinated attack on both physical and digital infrastructures. Just as the <a href="http://en.wikipedia.org/wiki/Stuxnet" target="_blank">Stuxnet virus</a> leveraged a cyber attack to damage physical assets, we are seeing an increase in cyber attacks against physical access control systems, video surveillance systems, and <a href="http://en.wikipedia.org/wiki/SCADA" target="_blank">SCADA-based industrial control systems</a>. <a href="http://defensetech.org/2011/09/26/the-increased-threat-of-attacks-on-scada-systems/" target="_blank">SCADA systems are at a high risk for a cyber compromise</a>, because they were not made to be on a typical corporate network and, as such, were not designed to protect against cyber security attacks. Just think how a simple denial of service attack on a SCADA device that regulates the flow of electricity from a remote facility to a central power plant can impact and damage significant components at the power plant by causing the device to not respond or to send inaccurate data back to the command and control system.</p>
<p>The presentation focused on connecting the dots and making systems work smarter together. I recently wrote an article for <a href="http://www.gsnmagazine.com/article/24545/911_decade_later_connecting_%E2%80%98big_data%E2%80%99_dots_decade" target="_blank">GSN Magazine on big data analytics and connecting the dots</a>. Big data analytics is the only way that we can connect the dots of literally billions of pieces of data and identify the top five to ten threats that we need to focus on right now. These sophisticated analytics allow us to become more proactive in our security defenses as opposed to the reactive posture that I see in many organizations today. By analyzing the data and connecting the dots, we can provide visibility to the real threats an organization faces 24 hours a day.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/10/13/michigan-cyber-summit-unisys-takes-part-in-national-cyber-security-awareness-month/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>International Cooperation Required To Tackle Global Cybercrime</title>
		<link>http://blogs.unisys.com/security/2011/10/12/international-cooperation-required-to-tackle-global-cybercrime/</link>
		<comments>http://blogs.unisys.com/security/2011/10/12/international-cooperation-required-to-tackle-global-cybercrime/#comments</comments>
		<pubDate>Wed, 12 Oct 2011 16:52:09 +0000</pubDate>
		<dc:creator>John Kendall</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Cyber crime]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security index]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3191</guid>
		<description><![CDATA[One of the best things about the Internet is the way it removes geographic barriers and provides access to a global market place and information resource. However these same qualities also enable the greatest threat from the Internet: cybercrime.]]></description>
			<content:encoded><![CDATA[<p>One of the best things about the Internet is the way it removes geographic barriers and provides access to a global market place and information resource. However these same qualities also enable the greatest threat from the Internet: cybercrime.</p>
<p>Cybercrime is global in nature.  As such it cannot be fought with traditional laws – often the perpetrator has never set foot in the country where their victims reside.  No one country can combat the problem effectively.  Therefore international cooperation is essential for a concerted global fight against cybercrime.</p>
<p><strong>The Move Towards a Global Fight Back Is Gaining Steam.</strong></p>
<p>The Council of Europe Convention on Cybercrime is the first international treaty on crimes committed either against or via computer networks, dealing particularly with online fraud, offences related to child pornography and unauthorised access, use or modification of data stored on computers.</p>
<p>Recently the <a href="http://www.ag.gov.au/www/agd/agd.nsf/Page/Consultationsreformsandreviews_ProposedAccessiontotheCouncilofEuropeConventiononCybercrime?open&amp;query=council%20of%20europe%20convention%20on%20cybercrime" target="_blank">Australian Federal Government indicated it would set up the legislative framework to enable consent to the Council of Europe Convention on Cybercrime</a>, which will allow it to work alongside the more than 40 nations who now support the Convention (including the UK and US).  Unisys has formally declared its support for this move.</p>
<p><strong>Privacy And Civil Liberties Issues Will Need To Be Taken Into Account.</strong></p>
<p>Striking the right balance between security and privacy will remain a key challenge for international cooperation across jurisdictions.  Sensible safeguards will need to be in place to ensure that investigation and pursuit of crime does not infringe on people’s privacy and civil liberties [if innocent], particularly when dealing with electronic and potentially highly sensitive identification information.</p>
<p>It is critical to ensure personal identity information, most notably biometrics including DNA, is treated with greater sensitivity under the relevant domestic privacy laws.  Security measures that better protect an individual’s personal information from unauthorised hacking, replication or misuse, by their very nature increase privacy protection and build confidence and trust as a result.  It is in this sense that the Convention could play a key confidence building role.</p>
<p>The community’s attitudes toward privacy are evolving.  Because of this, it is important to continue to test assumptions being made about the level of community support for certain types of security measures.</p>
<p><strong>Security Index Finds Willingness in Consumers to Accept their Role in Security</strong></p>
<p>Since we started conducting the <a href="http://www.unisyssecurityindex.com/" target="_blank">Unisys Security Index</a> (regular public opinion polling of consumer attitudes toward various security related issues) in 2006, we have observed that people expect security in many dimensions of their lives – to enable them to do their banking online and to travel easily, for example.  With this comes a willingness to participate in security by doing some things they once might not have done, or by providing sensitive personal information if it means their security will be better protected.</p>
<p>For instance, approximately</p>
<ul>
<li>70% of Australians would be prepared to use a photograph, voice recording or scan of the eye to prove their identity, and</li>
<li>76% would be willing to provide their fingerprint (the most popular method).</li>
<li>Approximately 70% of Australians would be prepared to give a biometric to an airport or airline, or participate in some other traveller identity scheme, if it meant greater security and fast tracking through security procedures at airports.</li>
</ul>
<p>We see similar results reflected in the Unisys Security Index worldwide.</p>
<p>The same research finds that Australians consistently are more concerned about misuse of their personal information than any other security issue. This is reinforced by the public attention to recent high profile breaches. Clearly privacy remains important to most people.  However, today people are willing to forgo some degree of privacy if it means that their personal or financial information, or their personal safety, will be better protected.</p>
<p>We believe it is important to maintain and build public confidence that people are protected wherever a crime against Australia, our people or our interests, is committed.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/10/12/international-cooperation-required-to-tackle-global-cybercrime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Good Are Social Media Security Policies If Nobody Knows About Them?</title>
		<link>http://blogs.unisys.com/security/2011/10/11/what-good-are-social-media-security-policies-if-nobody-knows-about-them/</link>
		<comments>http://blogs.unisys.com/security/2011/10/11/what-good-are-social-media-security-policies-if-nobody-knows-about-them/#comments</comments>
		<pubDate>Tue, 11 Oct 2011 20:45:36 +0000</pubDate>
		<dc:creator>John Kendall</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security policy]]></category>
		<category><![CDATA[Social media]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3182</guid>
		<description><![CDATA[There’s been lots of talk about the need for organisations to develop policies and employee guidelines for appropriate use of social media in the workplace. It’s one thing to have a policy.  It’s another thing to make sure employees are familiar with it.]]></description>
			<content:encoded><![CDATA[<p>There’s been lots of talk about the need for organisations to develop policies and employee guidelines for appropriate use of social media in the workplace. These policies would address who is authorised to say what on the organisation’s official social media channels; whether employees can log onto personal social media during work hours and on company-owned IT; what they can say about their employer or clients on personal social media; appropriate behaviour and so on.</p>
<p>Today, <a href="http://www.unisys.com/unisys/ri/report/detail.jsp?id=1120000970016710178" target="_blank">almost half (46%) of organisations globally have published official social media guidelines</a>.  We are also starting to realise that other corporate policies, such as those for recruitment, employee harassment, security and so on, need to be expanded to include social media.</p>
<p>The influx of consumer-style and employee-owned mobile devices into the workplace is also creating a mad scramble to ensure security and IT policies cover and manage the new threats that these devices bring.</p>
<p>But having guidelines and policies is only the first step.  What’s the point of them if employees aren’t familiar with them or understand the reasons they are needed?</p>
<p>The key is making your policies accessible and easy to understand.</p>
<p>Here’s a great example of using social media (YouTube) to educate employees about their social media policy and obligations.  It’s from the <a href="http://www.youtube.com/watch?v=Ws3Bd3QINsk" target="_blank">Department of Justice for the State of Victoria in Australia</a>.</p>
<p>It’s one thing to have a policy.  It’s another thing to make sure employees are familiar with it. And I think these guys have got it right!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/10/11/what-good-are-social-media-security-policies-if-nobody-knows-about-them/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Beyond the Hype of Consumerization of IT, Part III: We Are Ready To Deploy!</title>
		<link>http://blogs.unisys.com/security/2011/10/06/beyond-the-hype-of-consumerization-of-it-part-iii-we-are-ready-to-deploy/</link>
		<comments>http://blogs.unisys.com/security/2011/10/06/beyond-the-hype-of-consumerization-of-it-part-iii-we-are-ready-to-deploy/#comments</comments>
		<pubDate>Thu, 06 Oct 2011 15:38:28 +0000</pubDate>
		<dc:creator>Patricia Titus</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Bring your own device]]></category>
		<category><![CDATA[IDC]]></category>
		<category><![CDATA[Mobile devices]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3170</guid>
		<description><![CDATA[Review IT Architecture. Check. Determine Who’s Getting Access To What Device. Check. Reviewed Governance And Lay Out Strategy. Check.]]></description>
			<content:encoded><![CDATA[<p>Review IT Architecture. Check.<br />
Determine Who’s Getting Access To What Device. Check.<br />
Reviewed Governance And Lay Out Strategy. Check.</p>
<p><strong>Now what? Bridge the IT and Employee Gap</strong></p>
<p>By now you’ve found out that a large part of your employees were already using personal devices to access corporate information.  And likely, you were hopping mad.  Look at it this way &#8211; this is a great opportunity for you to bring those early adopters into the fold and make them your test group.  This approach often helps bridge the gap between IT and the employees.  IT underestimates personal device use by 50% or more, according to the <a href="http://webcast.unisys.com/flvplay/player_od_flv.asp?id=2212coit" target="_blank">IDC-Unisys Consumerization Study</a> conducted with 2,659 iWorkers and 564 businesses in 9 countries.</p>
<p><strong>Pilot Groups that Represent Each Division and Type of Work</strong></p>
<p>Selecting pilot groups that represent each division and type of worker will guarantee greater success in your program and give you better lessons learned.  This is the phase of the project that will help you refine your approach, introduce technology enhancements, and give you a chance to be sure your policies are covering the liability.</p>
<p><strong>No Measurement. No Success to Prove.</strong></p>
<p>An area often overlooked is the ability to measure the success of the program.  Plan to lay out the right numbers in business terms that you can present to the board or executives.  By taking a methodical approach to this technology trend you should also enhance your security while increasing employee satisfaction.  And most importantly you can focus your resources on the business or mission critical data.</p>
<p><strong>IT LockDown is not a Strategy. But You Are Allowed to Say No.</strong></p>
<p>Something else to remember is that not every device is ready for the enterprise, and you will have to say no if you can’t ensure the security of the endpoint.  For instance, some devices can’t accept a PKI certificate, and if that’s your policy you have to make a decision based on the possible risk.  Consider publishing the requirements or specification that a personal device needs to meet to participate in your <a href="http://www.insecureaboutsecurity.com/2011/03/14/unisys-establishes-a-bring-your-own-device-byod-policy/" target="_blank">Bring Your Own Device</a> (BYOD) program.  It will go a long way toward customer satisfaction.</p>
<p>At Unisys, we are practicing what we preach. My colleagues and I will be back to discuss our own movement in Secure Mobility and Consumerization of IT. Where is your organization on this path of mobilizing your employees?</p>
<p>Related posts:</p>
<ul>
<li><a href="http://blogs.unisys.com/security/2011/10/04/beyond-the-hype-of-consumerization-of-it-part-i-the-data/" target="_blank">Beyond the Hype of Consumerization of IT, Part I: The Data</a></li>
<li><a href="http://blogs.unisys.com/security/2011/10/05/beyond-the-hype-of-consumerization-of-it-part-ii-the-device-and-its-role/" target="_blank">Beyond the Hype of Consumerization of IT, Part II: The Device and Its Role</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/10/06/beyond-the-hype-of-consumerization-of-it-part-iii-we-are-ready-to-deploy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Beyond the Hype of Consumerization of IT, Part II: The Device and Its Role</title>
		<link>http://blogs.unisys.com/security/2011/10/05/beyond-the-hype-of-consumerization-of-it-part-ii-the-device-and-its-role/</link>
		<comments>http://blogs.unisys.com/security/2011/10/05/beyond-the-hype-of-consumerization-of-it-part-ii-the-device-and-its-role/#comments</comments>
		<pubDate>Wed, 05 Oct 2011 09:00:13 +0000</pubDate>
		<dc:creator>Patricia Titus</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[End point device]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3159</guid>
		<description><![CDATA[Now that you’ve looked at the IT architecture, you need to examine which devices should be enabled to get the data, and how you’re going to deal with them.  There are several approaches to achieve great success in device management at a relatively low cost to the enterprise.]]></description>
			<content:encoded><![CDATA[<p>Now that you’ve looked at the IT architecture, you need to examine which devices should be enabled to get the data, and how you’re going to deal with them.  There are several approaches to achieve great success in device management at a relatively low cost to the enterprise. </p>
<p><strong>Where to Begin on Devices? Don’t boil the ocean.</strong></p>
<p>I’ve seen a growing number of organizations purchase a technology to manage the end point device and deploy it to the entire population at a huge cost.  Buy it, deploy it and claim victory. Not so fast.  Think of all those companies that put their <a href="http://money.cnn.com/2011/06/08/technology/securid_hack/index.htm" target="_blank">security into the hands of just one vendor</a> only to find out that the vendor was compromised and, in turn, so could they be.</p>
<p><strong>First, Tackle the Everyday Employees’ Access to Simple Email, Calendar and Contacts</strong></p>
<p>Preferable to the single vendor approach is the implementation of multiple technologies with role based access determination.  Most employees who really want to use their personal device will only need access to simple email, calendar and contacts, and perhaps the ability to book some travel and complete their timesheets.  You could achieve success by ensuring that</p>
<ol>
<li>the device authenticates to the enterprise,</li>
<li>the individual authenticates to the enterprise and</li>
<li>access is restricted based on the trust in the device.  So in this instance you can use <a href="http://www.pcmag.com/encyclopedia_term/0,2542,t=PKI&amp;i=49333,00.asp" target="_blank">Public Key Infrastructure</a> (PKI) certificates along with strong multi-factor authentication.</li>
</ol>
<p><strong>Give Access to Sensitive Data without Data Ever Leaving the Data Center or Cloud</strong></p>
<p>So what do you do with the employee that really needs/wants to get access to highly sensitive corporate data?  Consider the virtual desktop as one solution coupled with a good thin client application.  That way they can work on the device of choice but the data never leaves the data center or cloud. </p>
<p>There are drawbacks to this approach based on what the employee needs to do with this data.  Although the off-line capability is getting better, ensure you have a well thought out plan for who is using this capability and who should still have a corporate issued device with all the security bells and whistles.</p>
<p><strong>Clear and Concise Policy Document</strong></p>
<p>Now that you are embracing the personal device to access organization data, begin reviewing policies and acceptable use agreements.  I’m not talking about the “disclosing sensitive data” form but a clear, concise document that lays out the agreement between your company and the employee.</p>
<p>Take into account the possible confiscation of the personal device if there is a ‘legal hold’ or investigation, and clearly spell out the reimbursement plan.  Don’t forget that if the employee chooses this route you need to be able to account for what happens if the device stops working and the employee is not able to work.  Think about the service desk changes and educate your employees about who to call if the device is lost or stolen.</p>
<p>Stay tuned for <a href="http://blogs.unisys.com/security/2011/10/06/beyond-the-hype-of-consumerization-of-it-part-iii-we-are-ready-to-deploy/" target="_blank">Beyond the Hype of Consumerization of IT, Part III: We Are Ready To Deploy!</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/10/05/beyond-the-hype-of-consumerization-of-it-part-ii-the-device-and-its-role/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Beyond the Hype of Consumerization of IT, Part I: The Data</title>
		<link>http://blogs.unisys.com/security/2011/10/04/beyond-the-hype-of-consumerization-of-it-part-i-the-data/</link>
		<comments>http://blogs.unisys.com/security/2011/10/04/beyond-the-hype-of-consumerization-of-it-part-i-the-data/#comments</comments>
		<pubDate>Tue, 04 Oct 2011 14:36:53 +0000</pubDate>
		<dc:creator>Patricia Titus</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Consumerization]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3147</guid>
		<description><![CDATA[The Very IT Architecture We Stand on is Shaken. Gone is the Perimeter. Data is Seeping into the Wild Wild West (e.g. world wide web).]]></description>
<content:encoded><![CDATA[<p>Yes, <a href="http://blog.unisys.com/files/2010/06/10-0190-CIT-SUMMARY_web1.pdf" target="_blank">consumer technology is waging a war against the enterprise</a>, creating a demand for CIOs to grant access to precious network resources from devices the employee owns. However, many are quick to grab the magic quadrant technology (read: devices) to solve the problem without looking holistically at the situation. What really needs to happen to address this consumer trend, and what happens when the next new widget hits the marketplace?</p>
<p><strong>Organizations Continue To Treat Their Data The Same Way As They Have For The Past Decade. </strong></p>
<p>Thinking you can just throw technology at the problem is never the answer. Put up a moat, install the firewalls, batten down the routers, secure the remote access, build up the defense in depth 4-zones and that should be it. Right? Wrong. Yes, you’ll need technology, but it can’t be the only thing you do to solve this growing problem.</p>
<p><strong>Look at the Architecture Holistically.</strong></p>
<p>By thinking about what needs to change you might quickly find that you have no clue where your data is, where it’s going and who’s accessing it. The <a href="http://csrc.nist.gov/publications/PubsSPs.html" target="_blank">National Institute of Standards and Technology, Special Publications series</a> (NIST SP Pub) lays out a sound plan.</p>
<ul>
<li><em>Identify your assets</em>, meaning what devices want to connect to the network or get access to the data.</li>
<li><em>Categorize your data</em> (Federal Information Processing Standard FIPS 199) into an assurance level – low, moderate or high.</li>
<li><em>Find the right security controls</em> to apply to the data based on this categorization.</li>
<li>In some cases <em>building a co-location model</em> will be the safest way to ensure your controls are appropriately applied.</li>
</ul>
<p><strong>So what do you gain by doing this?</strong></p>
<ol>
<li>Money. You’ll cut costs by putting a tiered structure in place. Essentially you stop paying for a lot of security on data that just doesn’t matter, and apply that money to the business critical data.</li>
<li>Innovation. You transform your data center and ready it for the next technology trend.
<ol>
<li>By moving your data into a co-location model you ease the burden on your engineers who are responsible for daily security operations.</li>
<li>Enable your auditors to focus only on those systems they’re really interested in (keep them out of things they don’t need to see).</li>
</ol>
</li>
<li>Efficiency. Allow a more streamlined approach to application modernization targeting your plans around data you need to get out to mobile devices with the right level of security baked in.</li>
<li>Scalability. This new framework will allow you to re-bake security into the architecture which has likely, over time, become porous and vulnerable.</li>
<li>Protection. You can now protect the most valuable data from exposure based on a new set of security standards.</li>
</ol>
<p>Stay tuned for Beyond the Hype of Consumerization of IT, Part II: The Device and Its Role.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/10/04/beyond-the-hype-of-consumerization-of-it-part-i-the-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Preventing Data Leaks Before They Occur, Part III</title>
		<link>http://blogs.unisys.com/security/2011/09/29/preventing-data-leaks-before-they-occur-part-iii/</link>
		<comments>http://blogs.unisys.com/security/2011/09/29/preventing-data-leaks-before-they-occur-part-iii/#comments</comments>
		<pubDate>Thu, 29 Sep 2011 15:22:42 +0000</pubDate>
		<dc:creator>Jan Wiewiora</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3136</guid>
		<description><![CDATA[How do we get employees to not become our biggest threat?]]></description>
<content:encoded><![CDATA[<p>As I said in my last blog post &#8212; <a href="http://blogs.unisys.com/security/2011/09/28/preventing-data-leaks-before-they-occur-part-ii/" target="_blank">Preventing Data Leaks Before They Occur, Part II</a> &#8211; there are several access controls to consider that protect data:</p>
<ul>
<li>Proactive scanning of all endpoints to ensure that viruses and other malware are not installed on the systems and affecting their operation.</li>
<li>Enforcement of compliance with policy at the network access points to stop non-compliant systems from accessing the network.  A VPN tunnel should not be created if all the protections are not active on the endpoint.</li>
<li>Use encryption at your endpoints to ensure data is protected.  Use AES-256 or above encryption.  This includes portable media.  If you do not have an enterprise endpoint encryption solution, consider implementing BitLocker during your Windows 7 migration.</li>
<li>Scan inbound and outbound emails and attachments for viruses and inappropriate content.  Ensure that IRM-controlled data that should be protected is not leaving.</li>
</ul>
<p>Ensure users understand the policies governing corporate issued endpoints.  Users need to understand that the data on the device can be wiped at any time a security violation is suspected.  Users cannot assume any personal data on the devices will be saved.  (When it comes to <a href="http://www.eweek.com/c/a/Mobile-and-Wireless/BYOD-Trend-Puts-Pressure-on-Corporate-Networks-186705/" target="_blank">Bring Your Own Device</a> this is much harder. <a href="http://www.unisys.com/unisys/news/detail.jsp?id=1120000970012310119" target="_blank">Read more about Unisys policy and how we manage this</a>.)</p>
<p>Part of the user training needs to include social media policies.  Users must understand what is expected when they interact with Facebook, Twitter or other sites from work or on a corporate/agency device.  They should also be trained on what they can place on those sites and information they can enter.  The corporate/agency specific policies should be enforced for these sites, which may include blocking them from internal locations.</p>
<p>The above is a good overview of what to consider for establishing an environment for data loss prevention.  Not all organizations will be able to accomplish all the steps discussed but getting started and maintaining consistent policy enforcement is a key to success.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/09/29/preventing-data-leaks-before-they-occur-part-iii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Preventing Data Leaks Before They Occur, Part II</title>
		<link>http://blogs.unisys.com/security/2011/09/28/preventing-data-leaks-before-they-occur-part-ii/</link>
		<comments>http://blogs.unisys.com/security/2011/09/28/preventing-data-leaks-before-they-occur-part-ii/#comments</comments>
		<pubDate>Wed, 28 Sep 2011 17:55:41 +0000</pubDate>
		<dc:creator>Jan Wiewiora</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3122</guid>
		<description><![CDATA[How do we get employees to not become our biggest threat?]]></description>
<content:encoded><![CDATA[<p>So how do we get employees to think about the issues clearly?  By implementing consistently enforced policies and user education/outreach.  The following sequence defines the “best practice” steps for implementation.  Most enterprises follow a “crawl, walk, run” approach to implementing data loss prevention by progressing through managed steps. (In my last post, <a href="http://blogs.unisys.com/security/2011/09/27/preventing-data-leaks-before-they-occur-part-i/" target="_blank">Preventing Data Leaks Before They Occur</a>, Part I, I asked the question: how do we get employees to not become our biggest threat?)</p>
<ul>
<li><a href="http://www.youtube.com/watch?v=Vs5MWKB2Juk" target="_blank">Identify and classify all your information assets</a>.  This becomes the foundation for creating consistent policies for data at rest and data in motion.  This should identify the information sources and who should have access.  Establish the risks of exposure for each asset.  Document how each asset is accessed to ensure there is appropriate protection in place to mitigate an attack or unintentional leak.  Systems available by remote access must be secured with appropriate controls such as firewalls and should only provide access through encrypted tunnels.</li>
<li>Establish your access controls using a “deny by default” philosophy.  While large organizations need to use role based security from a manageability perspective, the roles should be managed for specific need and not provide users with access to more data than they require for their job.</li>
<li>Educate users on the proper handling of data, and how to act if they know of or suspect a data leak.  The information must be institutionalized throughout the organization.  There must be an easy way of finding out what is expected of users, and who to contact for help.  Give users tools for remediating some actions, like stopping an email, on their own.  Implementing a passive set of actions for detecting, logging, monitoring and reporting can help strengthen your policies and better educate the enterprise.  This could be as simple as logging user access to known malicious sites.  (At Unisys there is a mandatory on-line course for all users.  The training system records when each user passes the course.  It is managed by the Unisys CISO.)</li>
<li>Implement a level of automated enforcement that is outside of user control.  High level controls that block access, enforce data encryption or stop redistribution (like IRM) can be very effective against incidents from insiders.  You could consider not allowing the user to have administrator privileges on their system.  This could prevent unwanted software installation.</li>
</ul>
<p>In my next blog post we shall discuss what kind of controls and user training have proven to be most useful.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/09/28/preventing-data-leaks-before-they-occur-part-ii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Preventing Data Leaks Before They Occur, Part I</title>
		<link>http://blogs.unisys.com/security/2011/09/27/preventing-data-leaks-before-they-occur-part-i/</link>
		<comments>http://blogs.unisys.com/security/2011/09/27/preventing-data-leaks-before-they-occur-part-i/#comments</comments>
		<pubDate>Tue, 27 Sep 2011 14:54:04 +0000</pubDate>
		<dc:creator>Jan Wiewiora</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Data protection]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3111</guid>
		<description><![CDATA[Absolutely preventing data leaks is only possible if the data never goes anywhere.  But since data is vulnerable from the time it is created, information managers need to deal with the complexities of securing the data.]]></description>
			<content:encoded><![CDATA[<p>Well, absolutely preventing data leaks is only possible if the data never goes anywhere.  But since <a href="http://www.youtube.com/watch?v=wEJTRsja-_E" target="_blank">data is vulnerable from the time it is created</a>, information managers need to deal with the complexities of securing the data.  While this is a large topic, I want to focus on the areas of policy enforcement and user education.</p>
<p>Do you have control over where your agency/enterprise data goes?  Are you aware when employees send emails with confidential attachments to the wrong recipients?  Do you know when sensitive customer or company data gets posted to external file-sharing sites?  Research shows that up to 90% of sensitive data breaches are unintentional but they can be prevented.  Organizations with top performance in preventing data leaks are more proactive and decisive with their investments, instead of making reactive purchases to fix a security incident that just occurred.</p>
<p>I was recently talking to someone in IT about network security and employees’ need to access data.  I was concerned to hear that one of the big threats to networks and systems is people who personally implement something like GoToMyPC to access their office desktop/laptop.  For those who are unaware, this service has you open up a connection from your office PC to a server on the internet.  You then use another computer to connect to the same server, and forward commands to your office PC.  And it tunnels across port 80 (which most companies allow) so the network doesn’t even know it’s an issue.  The problem, of course, is that you now have a connection through the corporate firewall from an untrusted service.  This could allow an attacker to gain access to the office PC, running under the credentials of the employee, and provide access to any data that the employee can get at.  Your corporate IP could start streaming outside the company.</p>
<p>Another issue is with services like DropBox.COM.  On the surface it seems to be an easy way for people to share large files when the enterprise does not provide the capability.  A problem occurs when employees put confidential or proprietary data on it so they can access it when out of the office or share it with other parties.  Again, an untrusted service now has your corporate IP and you don’t know who might be accessing it.  Your security department would never be contacted if DropBox.COM discovered it had been hacked.</p>
<p>In my next blog post &#8211; <a href="http://blogs.unisys.com/security/2011/09/28/preventing-data-leaks-before-they-occur-part-ii/" target="_blank">Preventing Data Leaks Before They Occur, Part II</a> &#8212; I will talk more to the user education and policies that have higher impact on reducing these data leakage threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/09/27/preventing-data-leaks-before-they-occur-part-i/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Building Castles in the Sky: Mobile Hacking and Its Impact on CyberSecurity</title>
		<link>http://blogs.unisys.com/security/2011/09/22/building-castles-in-the-sky-mobile-hacking-and-its-impact-on-cybersecurity/</link>
		<comments>http://blogs.unisys.com/security/2011/09/22/building-castles-in-the-sky-mobile-hacking-and-its-impact-on-cybersecurity/#comments</comments>
		<pubDate>Thu, 22 Sep 2011 14:11:32 +0000</pubDate>
		<dc:creator>Sowmya Murthy</dc:creator>
				<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Tom Kellerman]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3095</guid>
		<description><![CDATA[Tom Kellerman speaks about the new security paradigm and the impact of mobile devices on cybersecurity.]]></description>
			<content:encoded><![CDATA[<p>Today we are featuring a special guest blogger, <a href="http://www.bloomberg.com/video/67414764/" target="_blank">Tom Kellermann</a>, Commissioner on The Commission on Cyber Security for the 44th Presidency of the United States of America.</p>
<p>With just a few key questions, we were able to get a wealth of information. If you have naysayers who do not yet see the need for a new security paradigm, today is a good day to read this blog and add value to your business case on mobile devices and their impact on cybersecurity.</p>
<p><strong>[Sowmya Murthy] Tom, what are some key trends in Mobile Hacking that should be on the radar of any large enterprise CIO/CTO?</strong></p>
<p>[Tom Kellermann] According to the 2011 McAfee study, 85 percent of your assets are intangible and, thus, economic espionage is reaching a global crescendo. In addition, 65 percent of the 1000 executives surveyed were worried about wireless and mobile device security. “Worried” seems like a euphemism in today’s hostile cyber landscape.</p>
<p>The most recent <a href="http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf" target="_blank">United States Secret Service Data Breach Report</a> noted that remote access compromise was the primary attack vector employed last year. The modus operandi of targeting remote user devices to bypass the network security controls has become commonplace. These cyber infiltrators applaud our widespread adoption of mobile devices as they fully recognize that your latest Android, iPhone or tablet has greater attack surfaces and minimal security controls beyond encryption.</p>
<p>Today&#8217;s mobile device is a computer. With more memory and computing power than that of our desktops, mobile devices live in a power struggle between two networks: one we lease (the carrier network) and one we own (our corporate network). These powerful computers lack security controls because the carriers and device manufacturers of these mobile devices obfuscate the operating system’s BIOS and low-level device control from the user. These devices also have a multitude of attack surfaces which create an oasis for hackers.</p>
<p><strong>[Sowmya Murthy] What are the critical gaps you believe need to be addressed in the short term?</strong></p>
<p>[Tom Kellermann] There are 6 fundamental security gaps in mobile device security.</p>
<ol>
<li><strong>Authentication:</strong> Access control is the foundation of computer security. As we follow the lead of the financial sector’s mobile banking models for risk management, we must be aware that one-time-use passwords via SMS are being defeated by Zeus Trojans and DroidDream as they compromise these devices. Voice authentication and other biometrics will be critical.</li>
<li><strong>Virus scanning and removal:</strong> Given the hundreds of mobile malware which are flourishing in the wild, it is important to note that the current mobile antivirus solutions do not actually clean the devices. If these technologies actually do identify a threat, you must get the phone reimaged. Obviously, this is not very easy to do when you are traveling or meeting deadlines.</li>
<li><strong>Data Leakage:</strong> Encryption is foundational. However if the user, wireless cyber environment or device is compromised, then the keys will also be compromised.</li>
<li><strong>Web filtering/Browser security:</strong> Trends of attacks have focused on this weak side door. The browsers on most smart phones are injectable and thus become gateways for hackers.</li>
<li><strong>Application Security:</strong> We have all heard of malicious apps but many trusted apps like their website cousins are being polluted as we speak. The future of systemic widespread infestations is coming when hackers begin to infiltrate the servers of “Android Market” and the “App Store.”</li>
<li><strong>Mobile Intelligence:</strong> Mitigating the environmental risks to your users and their devices is paramount. Your users’ mobile devices are capable and intelligent machines. Wireless situational awareness and continuous monitoring sustains your remote user population.</li>
</ol>
<p><strong>[Sowmya Murthy] There is a lot of talk about a new security paradigm, is one really necessary at this point? Why?</strong></p>
<p>[Tom Kellermann] We are now carrying computers in our pockets &#8211; it is time we start treating them as such. You would not let anyone bring a home computer to work and plug into your network without applying the appropriate controls, would you?</p>
<p>Then, why would you let anyone with a smartphone connect and do the same? 2011 has ushered in the year of wireless attacks. Managing these attacks can be achieved through greater situational awareness via continuous monitoring of the wireless spectrum. Mobile intelligence can only be achieved via a combination of wireless intrusion detection and dynamic location-based policy management. A new security paradigm is necessitated – Convergence of physical and cyber security must occur. The way to address these is to apply intelligent mobility by providing contextual awareness in real time.</p>
<p>Building castles in the sky requires a healthy respect for the adversary’s capabilities. The art of managing mobile risk resides in limiting the capacity of a hacker to exfiltrate data in real time.</p>
<p><em>Tom Kellermann is a Commissioner on The Commission on Cyber Security for the 44th Presidency, CTO of AirPatrol, and serves on the board of the International Cyber Security Protection Alliance. In addition, Tom is a member of the National Board of Information Security Examiners Panel for Penetration Testing, the Information Technology Sector Coordinating Council, and the ITISAC subcommittee on International Cybersecurity policy. Tom is a Professor at American University&#8217;s School of International Service and is a Certified Information Security Manager (CISM). Finally, Tom sits on the Steering Committee of the Financial Coalition Against Child Pornography.</em></p>
<p><em>Tom Kellermann formerly held the position of Vice President of Security Strategy for Core Security. Prior to his five years with Core Security, Tom was the Senior Data Risk Management Specialist on the World Bank Treasury Security Team, where he was responsible for cyber-intelligence and policy management within the World Bank Treasury. In this role, Tom regularly advised central banks around the world about their cyber-risk posture and layered security architectures. Along with Thomas Glaessner and Valerie McNevin, he co-authored the book &#8220;E-safety and Soundness: Securing Finance in a New Age.&#8221;</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/09/22/building-castles-in-the-sky-mobile-hacking-and-its-impact-on-cybersecurity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Password Assistance</title>
		<link>http://blogs.unisys.com/security/2011/09/21/password-assistance/</link>
		<comments>http://blogs.unisys.com/security/2011/09/21/password-assistance/#comments</comments>
		<pubDate>Wed, 21 Sep 2011 19:05:27 +0000</pubDate>
		<dc:creator>Sowmya Murthy</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Cartoon]]></category>
		<category><![CDATA[Humor]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=3087</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p><a href="http://blogs.unisys.com/security/files/2011/09/Unisys-Train.jpg"><img class="alignleft size-full wp-image-3088" title="Unisys-Train" src="http://blogs.unisys.com/security/files/2011/09/Unisys-Train.jpg" alt="" width="400" height="440" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/09/21/password-assistance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Caution Against Over-Regulation of the Borderless Cyber Enterprise</title>
		<link>http://blogs.unisys.com/security/2011/09/20/caution-against-over-regulation-of-the-borderless-cyber-enterprise/</link>
		<comments>http://blogs.unisys.com/security/2011/09/20/caution-against-over-regulation-of-the-borderless-cyber-enterprise/#comments</comments>
		<pubDate>Tue, 20 Sep 2011 13:49:34 +0000</pubDate>
		<dc:creator>Sowmya Murthy</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Borderless enterprise]]></category>
		<category><![CDATA[Cyberstrategy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=2883</guid>
		<description><![CDATA[Sowmya Murthy interviews Gholam Sheibani about over-regulating in this new cybersecurity space across large enterprises and governments. Gholam’s experience warns us about some pitfalls in jumping head first into policy definition that leads to an unworkable lockdown strategy regarding cyberstrategy.]]></description>
			<content:encoded><![CDATA[<p>I recently spent some time with Gholam Sheibani. He is one of Unisys’ key subject matter experts in Security. We had an interesting discussion around over-regulating in this new cybersecurity space across large enterprises and governments. Gholam’s experience warns us about some pitfalls in jumping head first into policy definition that leads to an unworkable lockdown strategy regarding cyberstrategy.</p>
<p><strong>[Sowmya Murthy] Gholam, as a security practitioner, what does “Borderless Enterprise” mean to you?</strong></p>
<p>[Gholam Sheibani] Few would contest that the <a href="http://www.unisys.com/unisys/ri/wp/detail.jsp?id=1120000970016010164" target="_blank">borderless enterprise</a> (including government agencies and non-profits) ends organizational rigidity and enhances agility, collaboration and communication in its “ecosystem” (employees, contractors, partners, suppliers, customers, etc).</p>
<p><strong>[Sowmya Murthy] Why do you think there is such importance placed on organizational borders now?</strong></p>
<p>[Gholam Sheibani] Globalization mixed with changes in our social culture (media and social networking); global economic volatility; and shifts in customers’ needs and expectations make embracing the notion of the <a href="http://www.unisys.com/unisys/ri/wp/detail.jsp?id=1120000970016010164" target="_blank">borderless enterprise</a> &#8211; or at least some form of it &#8211; a necessity for organizational sustainability and even survivability.</p>
<p><strong>[Sowmya Murthy] What will it take for an organization to make this necessity a reality?</strong></p>
<p>[Gholam Sheibani] My expectation is that the evolution to becoming a true borderless enterprise is a long multi-year journey down a very bumpy road that travels across every department of an organization with long stop-overs and delays in technology and security departments. Furthermore, it requires a strategic approach instead of a tactical one.</p>
<p>During this journey, one should make sure that there is no formation of “Sclerosis.” To me that means stagnation, overregulation, and creation of more rigid, artificial borders.</p>
<p><strong>[Sowmya Murthy] You make a great point on over-regulating the cyberspace. How do we start the journey?</strong></p>
<p>[Gholam Sheibani] That starts with</p>
<ol>
<li>Management buy-in, support, and empowerment;</li>
<li>Revisiting the enterprise design;</li>
<li><a href="http://www.disruptiveittrends.com/trends/cybersecurity" target="_blank">Creating a secure borderless technology infrastructure</a> – SOA with “loose” integration &#8211; as a borderless enterprise without it would simply not materialize; and,</li>
<li>Having a holistic approach to enterprise security (vs. siloed).</li>
</ol>
<p><strong>A <a href="http://www.youtube.com/watch?v=1G20_-dXokc" target="_blank">lockdown strategy</a> from the IT department simply won’t work, will it?</strong></p>
<p>There is no room for inaction and resistance is futile.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/09/20/caution-against-over-regulation-of-the-borderless-cyber-enterprise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Theft by Hacking: Three of the Top Six Threats (Part II)</title>
		<link>http://blogs.unisys.com/security/2011/09/15/theft-by-hacking-three-of-the-top-six-threats-part-ii/</link>
		<comments>http://blogs.unisys.com/security/2011/09/15/theft-by-hacking-three-of-the-top-six-threats-part-ii/#comments</comments>
		<pubDate>Thu, 15 Sep 2011 14:54:04 +0000</pubDate>
		<dc:creator>Richard Bryant</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Denial of service]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Stealth]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=2830</guid>
		<description><![CDATA[Why are current security methods failing? Why might your organization be ripe for an attack? Discussed here are the remaining three of six principal threats IT faces from hackers.]]></description>
			<content:encoded><![CDATA[<p>My last two posts &#8212; <a href="http://blogs.unisys.com/security/?p=2736" target="_blank">The Six Biggest Hacking Threats and How to Deal with Them</a> and <a title="Theft by Hacking: Three of the Top Six Threats" href="http://blogs.unisys.com/security/?p=2805" target="_blank">Theft by Hacking: Three of the Top Six Threats</a> &#8211; are part of a series covering the six biggest threats hackers pose to organizations today. I’m exploring how the threats are defined and why they work—including why current security methods are failing, and why your organization might be ripe for an attack.</p>
<p>In doing so, I’m also sharing how new technology, such as the <a href="http://www.google.com/url?sa=t&amp;source=web&amp;cd=3&amp;ved=0CDEQFjAC&amp;url=http%3A%2F%2Fwww.unisys.com%2Funisys%2FlandingPages%2Finfo.jsp%3Fid%3D1120000970012810072&amp;ei=nvxtTs__JpC80AHH4d2EBQ&amp;usg=AFQjCNE0t4PEzwiluAtcKpLBYUIAcjfT7Q&amp;sig2=z08EGGNiMf9YqIoz5bLRuQ" target="_blank">Unisys Stealth Solution</a> and our just-announced <a href="http://www.unisys.com/unisys/news/detail.jsp?id=1120000970017210185" target="_blank">Unisys Stealth Solution for Secure Virtual Terminal (SSVT)</a>, can redefine the threat and put the advantage back in the hands of IT leaders. Today I’m wrapping up the series with the final three threats in the list:</p>
<ol>
<li>DDoS (Distributed Denial of Service) Attack</li>
<li>Organization Embarrassment</li>
<li>Hacker Notoriety</li>
</ol>
<p><strong>Denial of Service Attack</strong></p>
<p><strong><em>Why this is a threat</em></strong></p>
<p>A Distributed Denial of Service attack can be extremely damaging to an organization, as it prevents an organization from conducting business over the Internet. Employees, customers, partners, integrated web services—all are effectively shut down. Last December, the web sites of several major card services providers were brought to their knees in a well-coordinated DDoS attack orchestrated by a group that claimed to support WikiLeaks. WikiLeaks had just been cut off by the card service providers, and the hacking group was seeking retribution.</p>
<p><strong><em>How hackers pull off denial of service attacks</em></strong></p>
<p>Hackers distribute armies of attack bots that invisibly compromise client and server computers. They create these <a href="http://en.wikipedia.org/wiki/Botnet" target="_blank">botnets</a> either by breaking into servers, acquiring admin or superuser rights, and installing bots throughout a network, or by using social engineering, malware, <a href="http://en.wikipedia.org/wiki/Drive_by_download" target="_blank">drive-by downloads</a>, and many other tricks to insert bots on end-user desktops and laptops.</p>
<p>The compromised computers are referred to as “<a href="http://en.wikipedia.org/wiki/Zombie_(computer_science)" target="_blank">zombies</a>,” because the bots lie dormant (dead) until reanimated by the hackers from a remote location. Suddenly the targeted organization’s web site and other servers are overwhelmed when zillions of zombies spring to life and attempt to log on, download or upload content, access pages, and so on.</p>
<p>The targeted servers become overwhelmed by the flood of incoming requests (a <a href="http://en.wikipedia.org/wiki/Ping_flood" target="_blank">ping flood</a> is a popular technique). It doesn’t take long for them to slow and, ultimately, tip over. The end result: The targeted organization’s systems can’t respond to legitimate users, because they’re essentially offline. Service denied. Score another one for the hackers.</p>
<p><strong><em>Why the current IT security model fails</em></strong></p>
<p>The objective of a DDoS attack is not really to gain access to a network, although that does occur as part of the attack preparation. But the goal is to cripple the network and the organization that depends on it by making its services unavailable to legitimate users. Traditional perimeter security is useless in this case, because the DDoS attack takes place outside the perimeter.</p>
<p>That said, traditional perimeter security does have a role in keeping hackers and their bots out of the internal network. But remember, <em>hackers don’t have to compromise their target’s internal network in order to launch an effective DDoS attack</em>.</p>
<p>All they need is a botnet scattered about the Internet. Also, since most antimalware solutions are based on signature recognition to identify and neutralize known threats, the network remains vulnerable to new, novel, and unrecognized threats.</p>
<p><em><strong>How you can change the dynamic</strong></em></p>
<p>There are two aspects to changing the dynamic with DDoS attacks. The first is to ensure that your network OS, hardware, and software are always up to date and properly configured. DDoS attacks take advantage of known configuration and coding flaws that responsible vendors ensure are patched. <a href="http://learn-networking.com/network-security/how-to-prevent-denial-of-service-attacks" target="_blank">Ensuring your network is updated, properly configured</a>, and tested to withstand an external attack are crucial steps.</p>
<p>But what about preventing your internal network from becoming assimilated into a botnet? You certainly don’t want your organization’s resources to play a role in taking down a major bank, e-tailer, or, frankly, any other organization’s servers. And you certainly don’t want your network to suffer an internal DDoS attack.</p>
<p>Imagine you had ten business departments in your organization. You can use Unisys Stealth to compartmentalize these departments into ten groups. If an end-user downloads malware and their PC is compromised, the botnet that springs up is effectively quarantined in that group. The result is a 90 percent reduction in the impact of the exploit, and a 90 percent reduction in the botnet’s attack capability. Think of this like a fire line that firefighters establish to fight a brush fire.</p>
<p><strong>Organization Embarrassment</strong></p>
<p><em><strong>Why this is a threat</strong></em></p>
<p>Unlike bank robbers, hackers are interested in more than money. Many are out to make a political or social statement. And they can do this by embarrassing any organization that, in their view, represents the enemy.</p>
<p><a href="http://www.google.com/search?source=ig&amp;hl=en&amp;rlz=&amp;q=hackers+embarress&amp;btnG=Google+Search" target="_blank">Hackers can embarrass organizations in many ways</a>, among them:</p>
<ul>
<li><a href="http://www.makeuseof.com/tag/hackers-raid-washington-post-13-million-user-ids-news/" target="_blank">Break into an organization’s network</a>, gain access to sensitive information, and make the information public.</li>
<li><a href="http://www.google.com/search?source=ig&amp;hl=en&amp;rlz=&amp;q=hackers+embarress&amp;btnG=Google+Search#sclient=psy&amp;hl=en&amp;safe=active&amp;source=hp&amp;q=hackers+ddos&amp;pbx=1&amp;oq=hackers+ddos&amp;aq=f&amp;aqi=g-v3&amp;aql=&amp;gs_sm=e&amp;gs_upl=57713l58059l1l58183l4l4l1l0l0l0l73l144l2l2l0&amp;bav=on.2,or.r_gc.r_pw.r_cp.&amp;fp=196b32ce134d262d&amp;biw=1366&amp;bih=653" target="_blank">DDoS attacks</a> to bring an organization’s network down, and shame the organization in the eyes of customers, partners, and the press.</li>
<li><a href="http://www.google.com/search?source=ig&amp;hl=en&amp;rlz=&amp;q=hackers+embarress&amp;btnG=Google+Search#sclient=psy&amp;hl=en&amp;safe=active&amp;source=hp&amp;q=hackers+deface&amp;pbx=1&amp;oq=hackers+deface&amp;aq=f&amp;aqi=g-v2g-sv2g-v1&amp;aql=&amp;gs_sm=e&amp;gs_upl=93557l94758l0l94863l6l5l0l1l1l1l376l1016l0.3.1.1l5l0&amp;bav=on.2,or.r_gc.r_pw.r_cp.&amp;fp=196b32ce134d262d&amp;biw=1366&amp;bih=653" target="_blank">Deface a web site</a>, posting profanity, sexually explicit images, political messages, or other undesirable materials to an organization’s public face on the Internet.</li>
</ul>
<p>It’s not uncommon for these attacks to be inside jobs or have an operative in the organization—often a disgruntled or terminated employee—working with external hackers. Worse, even the most innocuous information can end up damaging the organization when it is made public. A five-year-old management memo penned by some long-gone executive suddenly becomes a smoking gun.</p>
<p><em><strong>How hackers pull off organizational embarrassment</strong></em></p>
<p>External hackers look for the usual security holes and opportunities already discussed in this series: social engineering, malware, a default root password, a password that’s easily guessed or broken by a dictionary attack, and so on.</p>
<p>These exploits usually result in direct attacks against a specific organization, but they typically lack the precision planning that marks an advanced persistent threat aimed at intellectual property. Regardless, the culprits will keep trying until they cause significant embarrassment.</p>
<p>The risk from internal personnel (including contractors and partners with access to your network) is actually greater than that of external hackers. Disgruntled or otherwise motivated internal people have the time, knowledge, and often the network access to find and compile massive amounts of sensitive information.</p>
<p>Look no further than <a href="http://www.reuters.com/article/2011/01/28/us-wikileaks-idUSTRE70R5A120110128" target="_blank">WikiLeaks and its progeny</a>, where information nearly always comes from lower echelon soldiers, diplomats, clerks, and political operatives who have access to classified information. They don’t have to hack into any system. They simply log on, download, and pass the information on.</p>
<p><em><strong>Why the current IT security model fails</strong></em></p>
<p>While there is always value to keeping the bad guys out, the real problem is that once someone is in, they might have unfettered access to an array of information, most if not all of which is not encrypted. But traditional perimeter security can’t stop an insider. The enemy is drinking coffee in your break room, and your sensitive documents are on a USB flash drive in their pocket.</p>
<p><em><strong>How you can change the dynamic</strong></em></p>
<p>There are several requirements to consider here. One is the need for stronger access control on internal systems and data. Another is the need to control data as it moves around our networks. Lastly, there’s the need to encrypt data at rest and data in motion, regardless of whether the end-user is physically on the local network, coming in remotely from the outside, or using a borrowed PC.</p>
<p>Unisys Stealth (and, by extension, the SSVT USB stick) addresses these requirements by segmenting both the network and information into separate communities of interest, and by encrypting data access. Separate network communities can (and should) be created for admins, executives, managers, clerks, departments, the credit card database, etc. The information in each community of interest is invisible to those who aren’t members of it, whether they are outside the organization or working in the office down the hall.</p>
<p>If a user’s PC is compromised by malware that’s designed to grant network access to an external hacker, the communities of interest maintained by Unisys Stealth mean the vast majority of the network won’t be visible, with data cryptographically hidden as well. On a network not protected with Stealth, virtually all of the network’s information is available to the intruder once they gain access.</p>
<p>This applies to internal breaches as well. Someone in customer service with an axe to grind won’t be able to poke around until they find the organization’s HR or accounting files, for example. Their view is limited only to data they need to know and network resources they need to tap.</p>
<p><strong>Hacker Notoriety</strong></p>
<p><em><strong>Why this is a threat</strong></em></p>
<p>The last of the big six hacker threats is hacker notoriety. Here the hack is purely for the thrill or infamy of having done it. With this threat, an organization’s good reputation and global brand can work against you, as the Internet buzz is greatest when a major company, service, or site is exploited.</p>
<p>Imagine the headlines if Google were taken down or their home page defaced. It’s nothing more than digital vandalism, and can be benign in the end. But it can just as easily be vicious and financially damaging, from reputation and service interruption perspectives.</p>
<p><em><strong>How hackers pull off hacker notoriety</strong></em></p>
<p>Hackers will use a wide variety of methods here, including the established techniques previously described. But they’ll principally look for major networks that will give them “street cred” by virtue of the perceived difficulty of the hack, or the brand profile of the hacked site.</p>
<p>For instance, there’s immense street cred in hacking a <a href="http://www.google.com/webhp?rlz=1C1CHKZ_enUS434US434&amp;sourceid=chrome-instant&amp;ie=UTF-8&amp;ion=1&amp;nord=1#sclient=psy-ab&amp;hl=en&amp;safe=active&amp;rlz=1C1CHKZ_enUS434US434&amp;nord=1&amp;site=webhp&amp;source=hp&amp;q=hackers+target+security+vendors&amp;pbx=1&amp;oq=hackers+target+security+vendors&amp;aq=f&amp;aqi=&amp;aql=&amp;gs_sm=e&amp;gs_upl=4152l5408l1l5608l8l6l1l0l0l0l169l549l3.2l5l0&amp;bav=on.2,or.r_gc.r_" target="_blank">vendor of security products or technologies</a>. Likewise, they might be motivated by the thrill of the chase in going after the web site of a big-name brand, as well as the media splash such an exploit would cause among press and bloggers.</p>
<p>Indeed, just last month hundreds of web sites were taken down—including a major newspaper’s site—through a technique known as a DNS redirect. Hackers break into DNS servers and redirect DNS requests for one site (say, Google.com) to their own server.</p>
<p>The hackers admitted that <a href="http://www.guardian.co.uk/technology/2011/sep/05/dns-hackers-telegraph-interview" target="_blank">the goal of the hack was to have fun</a>. No political or social agenda. No financial gain. Just notoriety, which they got. What’s notable about this hack is that they didn’t touch the servers or breach the networks of the companies affected. They targeted the DNS servers that reside on the Internet itself.</p>
<p><strong><em>Why the current IT security model fails</em></strong></p>
<p>Hacking used to require expertise. Today all it requires are motivation and tools—and the tools are readily available on the Internet. If you can Google “<a href="http://www.google.com/webhp?rlz=1C1CHKZ_enUS434US434&amp;sourceid=chrome-instant&amp;ie=UTF-8&amp;ion=1&amp;nord=1#sclient=psy&amp;hl=en&amp;safe=active&amp;rlz=1C1CHKZ_enUS434US434&amp;nord=1&amp;site=webhp&amp;source=hp&amp;q=free%20hacking%20tools&amp;pbx=1&amp;oq=&amp;aq=&amp;aqi=&amp;aql=&amp;gs_sm=&amp;gs_upl=&amp;fp=196b32ce134d262d&amp;ion=1&amp;ion=1&amp;bav=on.2,or.r_gc.r_pw.r_cp.&amp;fp=196b32ce134d262d&amp;biw=1366&amp;bih=653&amp;ion=1" target="_blank">free hacking tools</a>,” you too can be a hacker. These tools exploit known weaknesses in operating systems, servers, network software, and network hardware (including wireless).</p>
<p>Anyone can now sit outside a house, hotel, or store, and watch as people enter their names and passwords to gain access to supposedly secure networks. It’s time we assume that hackers can penetrate our networks at will. And that means we must be looking for ways to secure resources, applications, and data directly.</p>
<p><em><strong>How you can change the dynamic</strong></em></p>
<p>This is another area that Unisys Stealth helps, because it makes a network far more difficult to hack. Many hackers—especially those using free tools on the hunt for fun and fame—are looking for the soft targets. They want fast and efficient hacks they can show off to friends and tout to bloggers.</p>
<p>Hackers who encounter a network protected with the Unisys Stealth Solution for Network will not be able to compromise it using known techniques. That’s because Stealth deals with security differently, by protecting data, not the datacenter; by using <a href="http://www.unisys.com/unisys/common/download.jsp?d_id=9100002&amp;backurl=/unisys/ri/pub/bl/detail.jsp&amp;id=9100002" target="_blank">certified encryption and bit-splitting</a>; and by supporting multiple communities of interest.</p>
<p>This is nothing that casual hackers have ever encountered before. And the more unexpected barriers in their way, the sooner they move to softer targets that their free tools are designed to attack. They want notoriety, not hard work. If they can&#8217;t quickly find a way in using known exploits, they’re on the hunt for another sucker network.</p>
<p>Unisys Stealth can also be used to support a <a href="http://en.wikipedia.org/wiki/Honeypot_(computing)" target="_blank">honeypot</a>, a server specifically designated to attract hackers and keep them busy. Stealth can cordon off a section of the network where hackers can come and play. They think they’ve broken in, but in truth, they’re being trapped. You can now watch what they do and see the techniques they use, and take appropriate measures to ensure the network remains protected.</p>
<p><strong>Today Perimeter Security Is Just A Step</strong></p>
<p><a href="http://blogs.unisys.com/security/?p=2805" target="_blank">The first three threats</a> showed us that hackers are getting more sophisticated and goal-directed in their attacks. It is, after all, their business to hack into your network and steal your secrets. And the three threats I covered today demonstrate how and why the hacking threat is growing.</p>
<p>Hacking will continue to be a threat. And the threat level rises in organizations that rely on traditional perimeter security. This only protects the borders of our networks, and it’s getting easier by the day for hackers to penetrate the perimeter.</p>
<p>Today we need security that extends beyond the perimeter and the data center. Encryption is a good step, but even encryption has vulnerabilities. Unisys Stealth takes encryption to a higher level, making the data and even the network invisible to anyone who doesn’t have access rights.</p>
<p>And with the new <a href="http://www.unisys.com/unisys/news/detail.jsp?id=1120000970017210185" target="_blank">Unisys SSVT</a>, announced last week, organizations can eliminate or dramatically reduce the risk of the six most common hacking threats today.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/09/15/theft-by-hacking-three-of-the-top-six-threats-part-ii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s in a Name?</title>
		<link>http://blogs.unisys.com/security/2011/09/14/whats-in-a-name/</link>
		<comments>http://blogs.unisys.com/security/2011/09/14/whats-in-a-name/#comments</comments>
		<pubDate>Wed, 14 Sep 2011 13:40:12 +0000</pubDate>
		<dc:creator>Sowmya Murthy</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Cartoon]]></category>
		<category><![CDATA[Humor]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=2818</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p><a href="http://blogs.unisys.com/security/files/2011/09/Unisys-Password-Mgr1.jpg"><img class="size-full wp-image-2819 alignleft" title="Unisys-Password-Mgr[1]" src="http://blogs.unisys.com/security/files/2011/09/Unisys-Password-Mgr1.jpg" alt="" width="400" height="400" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/09/14/whats-in-a-name/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Theft by Hacking: Three of the Top Six Threats (Part I)</title>
		<link>http://blogs.unisys.com/security/2011/09/13/theft-by-hacking-three-of-the-top-six-threats/</link>
		<comments>http://blogs.unisys.com/security/2011/09/13/theft-by-hacking-three-of-the-top-six-threats/#comments</comments>
		<pubDate>Tue, 13 Sep 2011 14:43:44 +0000</pubDate>
		<dc:creator>Richard Bryant</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Financial organization theft]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Identity theft]]></category>
		<category><![CDATA[Intellectual property theft]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=2805</guid>
		<description><![CDATA[Identity threats are becoming more sophisticated and specific in their aims. Identity theft targets people—any person who happens to make the mistake of clicking the wrong link or launching the wrong document. The threats are evolving. So too must the security model. ]]></description>
			<content:encoded><![CDATA[<p><a href="http://blogs.unisys.com/security/?p=2736" target="_blank">In my last post</a>, I explained why no organization is safe from hackers. Hackers are successful because most IT organizations still rely on <em>traditional perimeter security</em>—VPNs, firewalls, IDSes, IPSes—to protect the network’s borders. If perimeter security actually still worked, well, you wouldn’t be seeing <a href="http://www.tomsguide.com/us/hacker-Imperva-noa-bar-yosef-brian-krebs-sql-injection,news-9834.html" target="_blank">government, military, and corporate sites “pwned”</a> and in the news with such regularity.</p>
<p>So how do you stop hackers from getting past ineffective legacy barriers and <a href="http://www.urbandictionary.com/define.php?term=pwned" target="_blank">pwning</a> your organization’s sensitive data? You need to identify the threats, understand how hackers exploit the existing perimeter and device security model, and then introduce contemporary technology that can protect data wherever it moves or resides.</p>
<p>There are six principal threats IT faces from hackers. In my next post, I’ll tackle Denial of Service attacks, Organizational Embarrassment, and Hacker Notoriety. But today I want to kick off with the first three, all of which relate to thievery:</p>
<p>1. Identity Theft<br />
2. Financial Organization Theft<br />
3. Theft of Intellectual Property</p>
<p>Let’s examine why they’re a threat, how hackers do it, why your current IT security model can fail, and how you can change the dynamic to protect your organization’s information assets. I’ll also cover the role that <a href="http://www.unisys.com/unisys/landingPages/info.jsp?id=1120000970012810072" target="_blank">Unisys Stealth Solution for Network</a> and the <a href="http://www.prnewswire.com/news-releases/unisys-unveils-usb-based-stealth-solution-to-help-protect-sensitive-data-for-mobile-workers-on-shared-information-networks-129365873.html" target="_blank">Unisys Stealth Solution for Secure Virtual Terminal (SSVT)</a> device, announced last week, can play.</p>
<p><strong>IDENTITY THEFT</strong></p>
<p><em><strong>Why this is a threat?</strong></em></p>
<p>Identity theft occurs one of two ways: on a personal level, where individual private identification information (social security, credit card) is stolen; or on an organizational level, where customers’ credit card, contact, or other private data are stolen by a dedicated hack against a company housing such information.</p>
<p>When either hack occurs, the consequences to an organization are often loss of money, loss of reputation and loss of customer confidence. The consequences are pretty far-reaching. Use of smartphones for banking, for example, has stalled, because people lack confidence in the security of the transaction.</p>
<p><em><strong>How hackers pull off identity theft</strong></em></p>
<p>Hackers usually try to steal identity information using spam, spoofing, phishing, and malware tools. Generally, these make use of social engineering approaches that fool users into thinking that the malicious e-mail, document or website they are opening is legitimate. Once a user is tricked into viewing what they think is a new set of photos from a friend or an e-mail from their bank, the attack begins.</p>
<p>There are also more sophisticated attacks, where hackers use technology to break directly into a network. One well-known example of this sort of theft: <a href="http://www.cio.com/article/441867/ID_Theft_Ring_Attacked_Retailers_on_Multiple_Levels" target="_blank">a ring of hackers</a> sat in cars parked outside major retailers. They eavesdropped on network traffic using rogue wireless monitoring tools to capture credit card numbers passed in plain text every time a sale was transacted. Then they sold the numbers to organized crime.</p>
<p><em><strong>Why the current IT security model fails</strong></em></p>
<p>On a personal level, I believe we all need to be educated on how hackers spam, spoof, phish, and scam their way to successful identity theft. For example, you and everyone you know should be careful about what websites or e-mails you open.</p>
<p>My wife and kids hear this all the time from me: if you&#8217;re on your computer and you get an e-mail from someone you don’t know, and you don&#8217;t know what it is, don&#8217;t open it. Toss it. Delete it. Shred it. Spam filter it. Get rid of it. But don&#8217;t open it, because as soon as you do, you might have opened our network to malware.</p>
<p>Education alone is not enough, unfortunately. There is simply too much <a href="http://www.darkreading.com/authentication/167901072/security/attacks-breaches/231600498/digital-certificate-authority-hacked-dozens-of-phony-digital-certificates-issued.html" target="_blank">social engineering going on—some of it so convincing that it fools even experts</a>—that even alert users will make a mistake sometime. How many requests do you get from your system to <a href="http://graphjam.memebase.com/2008/09/24/song-chart-memes-time-spent-with-adobe/" target="_blank">update your Adobe software</a>? Are you careful about evaluating each and every request, or do you just click “Install”? And how can you even tell if that pop-up message is legitimate?</p>
<p>It’s easy for me to say that everyone should be careful about sites they visit or apps they open. But what happens when it’s <a href="http://www.dailytech.com/Google+Microsoft+Duped+Into+Serving+Malware+Ads/article20373.htm" target="_blank">Google or Microsoft that is serving up the malware</a>? There’s an Achilles’ heel to every policy and methodology that involves personal diligence.</p>
<p><em><strong>How you can change the dynamic</strong></em></p>
<p>On an organizational level, Unisys Stealth can stop that problem—and I mean stop it dead in its tracks. Unisys Stealth sets up “communities of interest.” The information within that community of interest is completely invisible to anyone outside that community, because it is both encrypted and parsed. If you’re not a member of that community, you simply can’t get access to that community’s data, even if you somehow gained root (or superuser or admin, etc.) rights to their network.</p>
<p>The new SSVT lets you extend your communities of interest to any computer, no matter where it’s located, onsite or off. Once plugged into a device, SSVT allows users to securely communicate from their current location to a targeted destination.</p>
<p>For example, a bank could use SSVT to let a user securely access a sensitive banking application. But while doing so, the user would not be able to do anything insecure, such as surf the web, read e-mail, or run other apps. When they’re done with their banking, they remove the SSVT USB stick and return to their usual computing. Even if the PC was already infected with a virus, once the SSVT USB stick is inserted, only the approved banking application is accessible.</p>
<p><strong>FINANCIAL ORGANIZATION THEFT</strong></p>
<p><em><strong>Why this is a threat?</strong></em></p>
<p>Financial organization theft is flat-out stealing of cash resources. It is distinct from identity theft in that it is targeted at commercial banking and financial institutions. In doing so, the hackers might target customers and employees. But make no mistake: the end game is digital bank robbery.</p>
<p><em><strong>How hackers pull off financial organization theft</strong></em></p>
<p>The most frequent avenue of attack is malware, which spoofs the unsuspecting bank’s customers. The malware hijacks user web sessions, so customers think they are executing a transaction on their bank’s website. In truth, they are on the hacker’s site, which simulates—often expertly—the look and feel of the actual bank’s site.</p>
<p>Today this hack is done so frequently that the entire process, from delivering the malware to cashing out the victims’ bank accounts, is completely automated. Moreover, these attacks are very difficult to detect, because users have no idea that their deposit or transfer was conducted on a fake site. It can take days or weeks before the account transactions are reconciled by customers, or their checks start bouncing. By then, it’s too late.</p>
<p><em><strong>Why the current IT security model fails</strong></em></p>
<p>The common approach to preventing this sort of hack is to scan the computer to scrub any known malware before allowing access to the banking website. That, sadly, is inadequate, because the scanning and scrubbing are performed by so-called signature-based anti-malware tools. Indeed, nearly all of today’s intrusion detection and data loss prevention depend on this approach.</p>
<p>Signature-based anti-malware solutions—which can be deployed as software, services, hardware, or a combination thereof—respond to a known set of recognizable threats. And that, my friends, is their Achilles’ heel; the principal weakness that hackers exploit. Key word: “known.”</p>
<p>When a new and unknown threat emerges, the anti-malware vendor has to hear about it, capture it, reverse engineer it, identify a “signature” that will let their software or service recognize it, and then develop a way to neutralize it. And then they need to update their software or system and get it deployed to all of their users.</p>
<p>We’re all familiar with this process, because we all sit through so-called signature updates. The result is something like <a href="http://en.wikipedia.org/wiki/Hatfield%E2%80%93McCoy_feud" target="_blank">the feud between the Hatfields and the McCoys</a>, where one side wins this week and the other side wins the next. Signature-based protection is a hit-or-miss proposition; a perpetual game of leapfrog between the anti-malware camp and the hacking camp.</p>
<p>If the signatures exist on the protected device, the anti-malware solution can stop the exploit. But if the signatures are out of date or the hack is new, the malware will come right in and do its dirty deeds without so much as an eyebrow raised. Hackers actually love signature-based solutions, because they give organizations a false sense of security. Hackers exploit the lag time between when an attack is released, and when it is discovered and neutralized.</p>
<p><em><strong>How you can change the dynamic</strong></em></p>
<p>Using Unisys Stealth and the new SSVT solution, a bank could give its customers a branded USB stick. When customers want to do their banking, they simply plug the Stealth SSVT USB stick into their computer. This establishes a <a href="http://www.unisys.com/unisys/landingPages/index.jsp?id=1120000970016710227&amp;pid=1120000970016710225" target="_blank">secure point-to-point connection</a> between the customer’s PC and the bank.</p>
<p>Each Stealth SSVT stick is powered by a completely separate Windows or Linux operating system, embedded on the USB device itself. Again, it doesn’t matter if the PC is brimming with malware. Once the SSVT is inserted, the PC is under Stealth’s control. Only a secure, direct connection to the targeted network and application is permitted. And this connection can’t be spoofed.</p>
<p><strong>THEFT OF INTELLECTUAL PROPERTY</strong></p>
<p><em><strong>Why this is a threat?</strong></em></p>
<p>Theft of IP threatens a huge array of businesses and industries. Most organizations have proprietary or secret information about new products, practices and methods, technologies, innovations, R&amp;D, or evidence in lawsuits. These hold great value to digital thieves as well, who are constantly on the hunt for such information.</p>
<p>In the pharmaceutical industry, for example, they are working on new formulas and new compounds for drugs every day. This information is prized by cyberbandits, who can earn big bucks for it through corporate or <a href="http://www.ibtimes.com/articles/191690/20110803/cyber-attack-china-cyber-warfare-china-massive-cyber-attack-china-hacking-mcafee-hacking.htm" target="_blank">state-sponsored espionage</a> or by working for organized crime. This is an area where both allies and enemies are suspect, and where the FBI has tracked down and arrested a number of violators.</p>
<p>Regrettably, most companies underestimate how valuable their intellectual property is, and how poorly protected that IP is within their IT environment.</p>
<p><em><strong>How hackers pull off theft of intellectual property</strong></em></p>
<p>While identity theft and financial organization theft are akin to a smash-and-grab jewelry store robbery—get in, get gold, get out—theft of intellectual property takes careful, long-term planning. Hackers target specific companies, specific departments, and even specific people in those companies.</p>
<p>Once they have gained access to the network (often through the same venues as the other threats we’ve discussed), they set up shop for the long haul, spending time probing, researching, and gathering the information they need. Cybersleuths refer to this as <a href="http://www.networkworld.com/news/2011/080211-sbic-apt.html" target="_blank">advanced persistent threats (APTs)</a>. They are attacking deliberately and will keep at it until they are successful or caught.</p>
<p>As <a href="http://www.infoworld.com/d/security-central/how-advanced-persistent-threats-bypass-your-network-security-048?page=0,0" target="_blank">Roger Grimes of Infoworld</a> describes it: “APTs are professionally run attacks, managed just like legitimate corporations … Many APT companies work in skyscrapers; have CEOs, recruiters, and payrolls; and pay taxes. APT hackers work in eight-hour shifts and take off holidays …”</p>
<p>Think of APTs as hired guns: assassins who want to take down your organization’s most valuable IP.</p>
<p><em><strong>Why the current IT security model fails</strong></em></p>
<p>Nowhere is it more apparent that traditional perimeter security is failing than in dealing with APTs and theft of intellectual property. By and large, organizations are not protecting their intellectual property and don’t have a strong sense of what they have that hackers and other rogue actors would consider valuable.</p>
<p>Organizations with IP to protect should operate under the assumption that <a href="http://tech.blorge.com/Structure:%20/2007/02/06/i-hacked-my-wireless-network/" target="_blank">their “secure” networks are completely open to the outside world</a>, and that hackers can access virtually anything on it. Your perimeter and device security serve only to keep the honest people or unsophisticated hackers out, and can prevent only the known malware threats.</p>
<p><em><strong>How you can change the dynamic</strong></em></p>
<p>Unisys Stealth can help prevent intellectual property from being compromised. The SSVT USB device is especially useful in circumstances where you have people working remotely. You want to make absolutely certain that the path from the point that sends information to the point that receives it is secure, end to end.</p>
<p>SSVT, due to its embedded secure Windows or Linux operating system, will let you do that with confidence. Using the pharma example again, imagine a research scientist developing formulas for new drugs. Before he sends e-mail or models or what have you over the Internet, he first inserts his SSVT stick into his computer. Then he connects to his organization’s network. The connection established is directly between the SSVT stick and the company’s network. Nothing else on the researcher’s computer can access it. When he’s done transferring his IP, he removes the SSVT stick and returns to normal (i.e., insecure) computing.</p>
<p>As you can see, all three of these threats are becoming more sophisticated and specific in their aims. Identity theft targets people—any person who happens to make the mistake of clicking the wrong link or launching the wrong document. Financial organization theft targets commercial banking customers, and often targets a specific institution. Intellectual property theft is highly targeted at a specific company, group, or person.</p>
<p>The threats are evolving. So too must the security model. We need to respond proactively with a more sophisticated approach that goes beyond traditional perimeter security, and even beyond just encryption. In my next post, I’ll cover the remaining three major threats to IT in the same manner as I have covered these today. Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/09/13/theft-by-hacking-three-of-the-top-six-threats/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Unisys in the World: Protected Identities and Remote Banking in Cartagena, Colombia</title>
		<link>http://blogs.unisys.com/security/2011/09/08/unisys-in-the-world-protected-identities-and-remote-banking-in-cartagena-columbia/</link>
		<comments>http://blogs.unisys.com/security/2011/09/08/unisys-in-the-world-protected-identities-and-remote-banking-in-cartagena-columbia/#comments</comments>
		<pubDate>Thu, 08 Sep 2011 18:33:46 +0000</pubDate>
		<dc:creator>Sowmya Murthy</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Borderless enterprise]]></category>
		<category><![CDATA[Financial security]]></category>
		<category><![CDATA[Kevin Mitnick]]></category>
		<category><![CDATA[Online]]></category>
		<category><![CDATA[Personal security]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=2791</guid>
		<description><![CDATA[Steve Vinsik was recently in Cartagena, Colombia, presenting the protected-identities concept for secure remote banking at the 11th Strategic Congress on Technology and Financial Marketing Conference, known as CL@B. We interviewed him.]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.unisys.com/unisys/ri/tl/detail.jsp?id=1120000970001610277" target="_blank">Steve Vinsik</a> was recently in Cartagena, Colombia, presenting the protected-identities concept for secure remote banking at the 11th <a href="http://www.asobancaria.com/portal/page/portal/Eventos/eventos/congreso_soluciones_tecnologicas/Tab1" target="_blank">Strategic Congress on Technology and Financial Marketing Conference</a>, known as CL@B.</p>
<p><strong>[Sowmya Murthy] So, Steve, what was this audience interested in talking about?</strong></p>
<p>[Steve Vinsik] The conversation was about leveraging a method for high net worth clients to securely conduct financial transactions across the Internet. The challenge is about determining what is “secure enough.” The most recent <a href="http://www.unisyssecurityindex.com/usi" target="_blank">Unisys Security Index</a> identified that bank card fraud and unauthorized access to personal information were two of the top security concerns identified in our global survey. It’s easy to understand why that is the case given all the <a href="http://www.huffingtonpost.com/tag/citigroup-computer-breach" target="_blank">news recently on stolen identities</a>.</p>
<p><strong>[Sowmya Murthy] So, what did you share on protecting identity online?</strong></p>
<p>[Steve Vinsik] The anatomy of a financial transaction is very straightforward. Log in to the online bank, click a few links, enter an amount and transfer funds. Under the covers there is quite a bit of activity occurring to make sure that transaction is secure.</p>
<p><strong>[Sowmya Murthy] How so? Give me an example.</strong></p>
<p>[Steve Vinsik] For example, the web session is encrypted because you can see the little lock box icon and the web address begins with https. The financial institution takes my encrypted data and conducts the transaction in its data center where they have safeguards in place to secure the data.</p>
<p><strong>[Sowmya Murthy] What happens once a client tries to make a transaction?</strong></p>
<p>[Steve Vinsik] Now imagine this made up scenario. The bank knows it’s me when I try to transfer $2M from my bank of the Internet account to my Swiss account because I said it was me when I logged in with my username and password. You know…the same password that was compromised two weeks earlier when my personal information was <a href="http://www.theworld.org/2011/04/sony-security-breach/" target="_blank">stolen from a gaming network</a>.</p>
<p><strong>[Sowmya Murthy] Hold on, Steve. Who these days actually uses the same password?</strong></p>
<p>[Steve Vinsik] Now I knew you were going to say that you shouldn’t use the same password for both, and in this made-up scenario, I didn’t! Hackers collected my username and password, along with my address, credit card information, and the answers to those cute little questions that web sites ask to recover a password.</p>
<p><strong>[Sowmya Murthy] How is it even possible to get our information so easily?</strong></p>
<p>[Steve Vinsik] A little <a href="http://www.csoonline.com/article/514063/social-engineering-the-basics" target="_blank">social engineering</a> will do the trick! It uses one piece of information to manipulate a person into giving up additional personal information not already known. Just research <a href="http://mitnicksecurity.com/" target="_blank">Kevin Mitnick</a> and you’ll find out all you will ever want.</p>
<p><strong>[Sowmya Murthy] OK, your point is that passwords are not enough?</strong></p>
<p>[Steve Vinsik] Yes. These days, passwords are just not enough. We need to use something better to prove that it is really me conducting that transaction and not the Russian Mafia, a hacking collective, or my sister &#8211; they all have their own ways of finding out my passwords. I need to prove that it is me. It’s something I’ve been preaching about for years for use on corporate networks, and it is something we all know we should be doing but the technology wasn’t quite ready for it. Until recently…</p>
<p><strong>[Sowmya Murthy] So, what did you share as the concepts at this Colombian conference?</strong></p>
<p>[Steve Vinsik] Use something:</p>
<ol>
<li>We physically have (like a credit card or your mobile device)</li>
<li>We know (like a password) and receive (like a text message on your cell phone),</li>
<li>We are (your face, voice, fingerprint, or iris as a biometric) to authenticate various levels of transactions.</li>
</ol>
<p>Look, passwords alone may be good enough to pay my phone bill online. If I’m going to transfer large amounts of funds between different accounts, I’m going to want to use all four methods to authenticate it is really me conducting that transaction. How many would you use?</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/09/08/unisys-in-the-world-protected-identities-and-remote-banking-in-cartagena-columbia/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Six Biggest Hacking Threats and How to Deal with Them</title>
		<link>http://blogs.unisys.com/security/2011/09/06/the-six-biggest-hacking-threats-and-how-to-deal-with-them/</link>
		<comments>http://blogs.unisys.com/security/2011/09/06/the-six-biggest-hacking-threats-and-how-to-deal-with-them/#comments</comments>
		<pubDate>Tue, 06 Sep 2011 21:23:35 +0000</pubDate>
		<dc:creator>Richard Bryant</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Unisys Stealth]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=2736</guid>
		<description><![CDATA[Hackers are a problem for nearly all organizations, because most still rely on traditional perimeter security—VPNs, firewalls, IDSes, IPSes—things that protect the network’s borders. These approaches were once all you needed to prevent most attacks. But perimeter solutions aren't holding up anymore. Hackers are getting past them with ease. Easy to use hacking tools are readily available, allowing anyone with a PC and a motive to penetrate networks. If you can spell, you can use these tools to compromise a network. And once you’re in, you often have access to everything.]]></description>
			<content:encoded><![CDATA[<p>There are six big hacking threats facing IT today, and I’m sorry to tell you that the hackers are winning. In just the past month, the world’s biggest bourse operator by market value, <a href="http://www.businessweek.com/news/2011-08-11/hacker-attack-on-hong-kong-exchange-website-triggers-halts.html" target="_blank">Hong Kong Exchanges &amp; Clearing Ltd., suspended trading after its website was hacked</a>; the <a href="http://www.huffingtonpost.com/2011/08/17/anonymous-bart-police-attack-personal-information_n_929627.html" target="_blank">Bay Area Rapid Transit (BART) system was hacked</a>, exposing customer and employee data; and <a href="http://www.pcmag.com/article2/0,2817,2392001,00.asp" target="_blank">Nokia’s developer forum was hacked</a>, compromising user e-mails and other personal info.</p>
<p>Those are the hacks we know about. There are likely hundreds more that went undetected and unreported. The simple fact is that no organization is safe—even the security technology vendors. A user at RSA opened what appeared to be a spreadsheet attached to an e-mail, touching off <a href="http://allthingsd.com/20110404/rsa-explains-how-it-was-hacked/" target="_blank">an intrusion that compromised an RSA security technology used widely</a> by the US government and Fortune 500 companies.</p>
<p>In an ironic twist, even the <a href="http://wikileaks.org/" target="_blank">Wikileaks</a> website, infamous for posting corporate and classified information, was hacked, resulting in <a href="http://www.bbc.co.uk/news/world-us-canada-11858637" target="_blank">the public release of secret diplomatic sources</a>. If that’s not sensitive data, I don’t know what is.</p>
<p>Hackers are a problem for nearly all organizations, because most still rely on <em>traditional perimeter security</em>—VPNs, firewalls, IDSes, IPSes—things that protect the network’s borders. These approaches were once all you needed to prevent most attacks. But perimeter solutions aren&#8217;t holding up anymore. Hackers are getting past them with ease. Easy to use hacking tools are readily available, allowing anyone with a PC and a motive to penetrate networks. If you can spell, you can use these tools to compromise a network. And once you’re in, you often have access to everything.</p>
<p>To stay ahead of the hackers, we have to move beyond securing network perimeters and physical devices to securing data. Even the hackers are telling us to do this. A recently jailed hacker criticized organizations for not using encryption software. Indeed, encryption is one of the most important keys to neutralizing the hacker problem. But even encrypted data can leak, as we learned when <a href="http://allthingsd.com/20110404/rsa-explains-how-it-was-hacked/" target="_blank">the RSA hack</a> led to an <a href="http://gizmodo.com/5806485/lockheed-martins-security-networks-were-hacked" target="_blank">attack on its customer, Lockheed Martin</a>.</p>
<p>An extra step is needed. For example, the <a href="http://www.unisys.com/unisys/landingPages/info.jsp?id=1120000970012810072" target="_blank">Unisys Stealth Solution</a> takes the extra step to make the encrypted data invisible. And today <a href="http://unisys.com/unisys/news/detail.jsp?id=1120000970017210185" target="_blank">we announced the Unisys Stealth Solution for Secure Virtual Terminal (SSVT)</a>, which integrates our Stealth technology on a Federal government-certified USB device to allow teleworkers and other mobile users to safely share enterprise networks from any location.</p>
<p>If you want to learn how to evade hackers, step one is to get an education on hacking techniques and the failures of the existing perimeter and device security model. Step two is to then introduce the correct technology. With that in mind, I’d like to spend a few words covering the six biggest hacker threats facing IT today, and how you can protect your organization.</p>
<p>The top six threats are primarily about the theft of information, but each can have devastating financial, legal, and public relations consequences for organizations that are exploited:</p>
<ol>
<li>Identity Theft</li>
<li>Financial Organization Theft</li>
<li>Theft of Intellectual Property</li>
<li>Denial of Service Attack</li>
<li>Organization Embarrassment</li>
<li>Hacker Notoriety</li>
</ol>
<p>In my next post, I will walk you through each one of these threats. I will explain why they are a threat, how hackers pull off these exploits, why the current IT security model fails, and how you can change the dynamic to protect your organization’s information assets—including the role that Unisys Stealth and the Unisys SSVT device can play.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/09/06/the-six-biggest-hacking-threats-and-how-to-deal-with-them/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Deconstructing CyberCrime: Beyond Sensational News Stories</title>
		<link>http://blogs.unisys.com/security/2011/09/06/deconstructing-cybercrime-beyond-sensational-news-stories/</link>
		<comments>http://blogs.unisys.com/security/2011/09/06/deconstructing-cybercrime-beyond-sensational-news-stories/#comments</comments>
		<pubDate>Tue, 06 Sep 2011 21:22:38 +0000</pubDate>
		<dc:creator>Steve Vinsik</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Cyber crime]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=2743</guid>
		<description><![CDATA[Steve Vinsik, VP, Global Security Solutions, discusses breaking down the anatomy of a cybercrime.]]></description>
			<content:encoded><![CDATA[<p>Steve Vinsik, VP, Global Security Solutions, discusses breaking down the anatomy of a cybercrime.</p>
<iframe width="400" height="245" src="http://www.youtube.com/embed/kjM5EB4hGR0" frameborder="0" type="text/html"></iframe>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/09/06/deconstructing-cybercrime-beyond-sensational-news-stories/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Straight Talk: Cracking the Code at The Security Intersection of Cyber and Physical</title>
		<link>http://blogs.unisys.com/security/2011/09/06/security-straight-talk-cracking-the-code-at-the-security-intersection-of-cyber-and-physical/</link>
		<comments>http://blogs.unisys.com/security/2011/09/06/security-straight-talk-cracking-the-code-at-the-security-intersection-of-cyber-and-physical/#comments</comments>
		<pubDate>Tue, 06 Sep 2011 19:49:40 +0000</pubDate>
		<dc:creator>Sowmya Murthy</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Borderless enterprise]]></category>
		<category><![CDATA[Security Straight Talk]]></category>

		<guid isPermaLink="false">http://blogs.unisys.com/security/?p=2729</guid>
		<description><![CDATA[A global team of Unisys Security experts and consultants invite you to this twelve-week-long blog conversation that examines trends that breach the neat physical and digital enterprise borders that used to work. We live in the world of a growing Cloud; misplaced corporate mobile devices; leaking valves of sensitive customer data; “42-steps” ahead hacktivists; Our enterprises are more porous than ever before. The question really is less about whether there is a borderless enterprise, and more about what will it take to secure this borderless enterprise?]]></description>
			<content:encoded><![CDATA[<p><strong>Letter from the Editor</strong></p>
<p><strong>12-week Conversation on Securing a Borderless Enterprise: Join Us!</strong></p>
<p>A global team of Unisys Security experts and consultants invite you to this twelve-week-long blog conversation that examines trends that breach the neat physical and digital enterprise borders that used to work.</p>
<p><strong>What’s a Borderless Enterprise?</strong></p>
<p>We live in the world of a growing Cloud; misplaced corporate mobile devices; leaking valves of sensitive customer data; “42-steps” ahead hacktivists; Our enterprises are more porous than ever before. The question really is less about whether there is a borderless enterprise, and more about <em>what will it take to secure this borderless enterprise?</em></p>
<p><strong>Intersection of Physical and Cyber Security</strong></p>
<p>The complication is that most physical and digital perimeters that we once protected are now porous. That means we live in a world where it is not a matter of <em><strong>if</strong></em> our networks/locations will be compromised (on anything), it is a question of <em><strong>when</strong></em>, and whether we were able to minimize the damage (risk). This conversation of risk is sometimes subtle, and yet an elephant in the room large enough to freeze several related economic opportunities in an organization.</p>
<p><strong>A Borderless Enterprise to you could mean…</strong></p>
<ol>
<li><em>An executive in your organization showed up with an iPad.</em> Now your IT team’s hair is on fire trying to figure out this “consumerization of IT” trend</li>
<li><em>Your organization has made the tough mental jump to the “cloud”.</em> Now, how are your peers creating security rules of engagement in this space?</li>
<li><em>You keep a watchful eye on the latest cybercrime that has spared neither governments nor large banks.</em> You are no dummy, and are aware more needs to be done to stay off the headlines.</li>
<li><em>The Palm Treo 650 (2004 model) picture haunts your security training presentations, and you know it’s a scary reflection of risky outdated policies.</em> You don’t need more mobile devices, data centers and government regulations to tell you policies get stale in shorter bursts than before.</li>
<li><em>You recognize that to beat cybercrime we need the same level of international collaboration that criminals enjoy.</em> No single institution can withstand such waves of innovative cyber attacks. So, how should yours participate in the global dialog?</li>
</ol>
<p>In this blog we aim to deconstruct some of those risk factors. We commit to bringing you valuable stories/lessons learned on the most disruptive IT organizational trends that we see creating a more porous, borderless enterprise.</p>
<p><strong>At the End of 12 Weeks: All Blog Subscribers will Receive … </strong><em>A Detailed Report: Securing the Borderless Enterprise Blog.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/09/06/security-straight-talk-cracking-the-code-at-the-security-intersection-of-cyber-and-physical/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ten Air Cargo Commandments for Improved Security</title>
		<link>http://blogs.unisys.com/security/2011/08/29/ten-air-cargo-commandments-for-improved-security/</link>
		<comments>http://blogs.unisys.com/security/2011/08/29/ten-air-cargo-commandments-for-improved-security/#comments</comments>
		<pubDate>Mon, 29 Aug 2011 17:10:22 +0000</pubDate>
		<dc:creator>Steve Vinsik</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Air cargo]]></category>
		<category><![CDATA[Unisys Security Index]]></category>

		<guid isPermaLink="false">http://blog.unisyssecurityindex.com/?p=542</guid>
		<description><![CDATA[Ten commandments that air cargo shippers, service providers, and international governments should follow to ensure security throughout the larger supply chain.]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" title="Air_Cargo_v3.jpg" src="http://blogs.unisys.com/security/files/2011/08/Air_Cargo_v3.jpg" alt="" width="217" height="194" />Today’s air cargo shippers and ports are under more pressure than ever to handle increasing cargo volumes, manage congestion, address changing customer needs and thrive in the midst of intense competition. I have compiled a list of ten commandments that I believe air cargo shippers, service providers and international governments should follow to ensure security throughout the larger supply chain.</p>
<ol>
<li>Acknowledge a public concern for air cargo security. Results released in May 2011 from the <a href="http://www.unisyssecurityindex.com/usi/us" target="_blank">Unisys Security Index</a>, a semi-annual survey of consumer opinion on multiple dimensions of security, showed that 56 percent of Americans saw cargo transported by air, sea or land as extremely or very vulnerable to malicious or terrorist attack. Acknowledging the public has yet to feel satisfied with the level of security surrounding air cargo transport is the first step to solving the problem.</li>
<li>Create a more international mandate. The air cargo industry needs something similar to International Maritime Organization’s (IMO) <a href="http://www5.imo.org/SharePoint/mainframe.asp?topic_id=897#what" target="_blank">International Ship and Port Security (ISPS) code</a>. We need to follow a global set of standards to reduce the threat of terrorism at all ports of entry to every country.</li>
<li>Apply political pressure. In November, the U.S. government introduced air cargo security legislation, but it has not yet been brought up for vote. In addition, the EU’s 27 member states are considering proposals to tighten air cargo security. The legislative limbo process does not allow us to make changes quickly enough. We need to push this issue to the top of governments’ agendas and pressure our politicians to work deliberately to solve the problem.</li>
<li>Attack the problem as a whole—not piecemeal. Addressing the problem one airfreight at a time is not enough. We need to establish a secure global supply chain that provides visibility into all key touch points of the air cargo transport life cycle.</li>
<li>Implement positive identification solutions. Simple document verification devices—like an inexpensive card reader that can verify that a driving license is valid by examining the hologram or the raised lettering of the license—are easy to implement and can make a big difference.</li>
<li>Analyze big data. Governments should leverage complex analytical targeting systems to identify the point of origin, shipper’s name and specific package contents for every single package. This way we won’t lose visibility into cargo as it moves along the supply chain.</li>
<li>Bolster physical security. In addition to seals, video surveillance and RFID tags on cargo and personnel, we must continually look to new, innovative technologies that help security personnel do their job better. The U.S. Customs and Border Protection’s (CBP) <a href="http://www.cbp.gov/xp/cgov/trade/automated/automated_systems/acs/acs_ams.xml" target="_blank">Automated Manifest System</a> and <a href="http://www.google.com/url?sa=t&amp;source=web&amp;cd=1&amp;ved=0CCYQFjAA&amp;url=http%3A%2F%2Fwww.dhs.gov%2Fxlibrary%2Fassets%2Fprivacy%2Fprivacy_pia_cbp_ats.pdf&amp;rct=j&amp;q=cbp%20%2B%20Automatic%20Targeting%20System&amp;ei=zJZSTt_CLMaChQeQosDsBg&amp;usg=AFQjCNEX26SVqsizSznNWQSrTVvhZHq60Q&amp;cad=rja" target="_blank">Automatic Targeting System</a> serve as examples of innovative solutions that ensure unauthorized personnel cannot tamper with cargo.</li>
<li>Perfect your procedural reflexes. The ability to quickly react and respond to intelligence can be the difference between life and death. By collaborating on intelligence tools and standardized data with countries around the world, we can detect and stop terrorist activities immediately.</li>
<li>Assess service providers. Service providers play a significant role in the larger supply chain. We should expand the <a href="http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat/" target="_blank">U.S. Customs-Trade Partnership Against Terrorism</a> and the <a href="http://www.tsa.gov/what_we_do/layers/aircargo/certified_screening.shtm" target="_blank">Certified Cargo Screening Program</a> to enable real-time compliance reporting mechanisms for continuous compliance.</li>
<li>Persist in policy and technology. Everyone involved in the air cargo supply chain can take steps toward improvement. Service providers need to proactively improve the level of data they collect at origin and throughout the shipping process, industry bodies need to expedite the creation and adoption of security data standards, and governments need to establish improved information sharing practices to get intelligence to the front lines quickly.</li>
</ol>
<p>Do you have any additional ideas on what we can do, collectively, to improve air cargo security?</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/08/29/ten-air-cargo-commandments-for-improved-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Wireless Network Security: At Least His Heart&#039;s in the Right Place</title>
		<link>http://blogs.unisys.com/security/2011/08/12/wireless-network-security-at-least-his-hearts-in-the-right-place/</link>
		<comments>http://blogs.unisys.com/security/2011/08/12/wireless-network-security-at-least-his-hearts-in-the-right-place/#comments</comments>
		<pubDate>Fri, 12 Aug 2011 17:17:23 +0000</pubDate>
		<dc:creator>Sowmya Murthy</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Cartoon]]></category>
		<category><![CDATA[Humor]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Software]]></category>

		<guid isPermaLink="false">http://blog.unisyssecurityindex.com/?p=525</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p style="text-align: center"><a href="http://blogs.unisys.com/security/files/2011/08/Unisys-09-11-Security-Seminar_FINAL.jpg"><br />
<img class="size-medium wp-image-526 aligncenter" src="http://blog.unisyssecurityindex.com/wp-content/uploads/2011/08/Unisys-09-11-Security-Seminar_FINAL-272x300.jpg" alt="" width="272" height="300" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/08/12/wireless-network-security-at-least-his-hearts-in-the-right-place/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>You Know the Cloud Has Gone Mainstream When &#8230;</title>
		<link>http://blogs.unisys.com/security/2011/07/15/you-know-the-cloud-has-gone-mainstream-when/</link>
		<comments>http://blogs.unisys.com/security/2011/07/15/you-know-the-cloud-has-gone-mainstream-when/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 17:05:17 +0000</pubDate>
		<dc:creator>Sowmya Murthy</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Cartoon]]></category>
		<category><![CDATA[Cloud computing]]></category>
		<category><![CDATA[Humor]]></category>

		<guid isPermaLink="false">http://blog.unisyssecurityindex.com/?p=519</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p style="text-align: center"><a href="http://blogs.unisys.com/security/files/2011/08/Unisys-11-11-Hot-Dog-Cart_FINAL.jpg"><br />
<img class="alignnone size-medium wp-image-521" src="http://blog.unisyssecurityindex.com/wp-content/uploads/2011/08/Unisys-11-11-Hot-Dog-Cart_FINAL-272x300.jpg" alt="" width="272" height="300" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/07/15/you-know-the-cloud-has-gone-mainstream-when/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Vigilance in an uncertain world</title>
		<link>http://blogs.unisys.com/security/2011/06/21/vigilance-in-an-uncertain-world/</link>
		<comments>http://blogs.unisys.com/security/2011/06/21/vigilance-in-an-uncertain-world/#comments</comments>
		<pubDate>Tue, 21 Jun 2011 15:20:55 +0000</pubDate>
		<dc:creator>Neil Fisher</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[china]]></category>
		<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[east west institute cybersecurity summit]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[international law]]></category>

		<guid isPermaLink="false">http://blog.unisyssecurityindex.com/?p=511</guid>
		<description><![CDATA[Cyber criminals remain relatively free to cause disruption and alarm while stoking tensions across borders because of the lack of harmonisation of cyber law.]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" title="sumit.jpg" src="http://blogs.unisys.com/security/files/2011/06/sumit.jpg" alt="" width="150" height="151" />At the Unisys-supported <a href="http://www.ewi.info/eastwest-institute-hosts-second-worldwide-cybersecurity-summit"><strong>East West Institute Cybersecurity Summit</strong></a> in London at the beginning of June, a major part of the discussions was focused on how to clarify international law relating to the internet. Cyber criminals remain relatively free to cause disruption and alarm while stoking tensions across borders because of the lack of harmonisation of cyber law. This was only too evident during the furor surrounding recent hacking attacks with origins allegedly based in China and the consequent rumours of state involvement.</p>
<p>However, while the cyber attacks were tracked to China, we can’t be sure they were masterminded there. It’s possible that a series of different ISPs were used across multiple locations. Equally it would be in a criminal’s best interests to give the impression that their activities constituted a state sponsored campaign, leaving them hiding in the fog of confusion they have caused.</p>
<p>In reality attribution is the most difficult part of investigating a cyber attack. “Track and trace” takes time. That’s not to say that cyberspace can’t be policed. Hackers such as these will leave some sort of footprint. However, cyber criminals are in the main highly intelligent and will use a series of evasive techniques to obscure detection.</p>
<p>We are certainly living in a more uncertain world, which some perceive as more insecure. According to the <a href="http://www.unisyssecurityindex.com">Unisys Security Index survey</a>, an international barometer of consumer concerns, citizens around the world are significantly more concerned about nearly all aspects of their security compared to six months ago. This year in the UK, public insecurity reached its highest level since the study started measuring consumer security concerns in 2007, with the greatest sources of concern being bank card fraud (according to 93% of respondents) and identity theft (according to 91%), indicating the scale of the threat posed by the digital age.</p>
<p>While these fears are justified, members of the public have a role to play. Victims are often targeted because of the accessibility of their personal internet footprint. For instance, some hacking attacks suspected of originating in China were perpetrated through social engineering, which means that criminals may have used social networking sites like Facebook to gather all sorts of personal information about the individuals. They would then have used this intelligence to send plausible and often personal emails linked to software intended to run on their computers undetected, all the while monitoring their emails. This is a common phishing technique, better known as spear phishing, that can affect anyone who ignores the warning signs. The Anti-Phishing Working Group has compiled a list of recommendations that you can use to avoid becoming a victim of scams <a href="http://www.antiphishing.org/consumer_recs.html"><strong>here</strong></a><strong>.</strong></p>
<p>In these unsettled times when we cannot be sure who the perpetrator is or even what it is they are after, there is only strength in defence; and the best defence is vigilance. It doesn’t take much for a criminal to piece together information that people post on social networking sites and know more about them and their colleagues and friends than they should. Equally, it’s down to users to activate the optimum security settings on their social networks or public email services, ensuring they’re using the verification systems offered to them and that their passwords are suitably tough to predict. And it is up to vendors and suppliers to ensure that the minimum “best practice” security is activated in a product by default.</p>
<p>While cyberspace remains an unknown entity for many people, the same rules that apply in the offline world also resonate in the online world. Just as one wouldn’t leave the car keys in the ignition, individuals shouldn’t make it too easy or too tempting for hackers to access their personal accounts or the organisations they work for from the information they glean from a site like LinkedIn for instance. There are two sides to a security equation and it’s not sufficient to think we can simply apply technology to remedy everything. People must take responsibility for their actions and their activities, be that in the work place or at home.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/06/21/vigilance-in-an-uncertain-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Rules of the Road in Cyber-conflict</title>
		<link>http://blogs.unisys.com/security/2011/06/08/the-rules-of-the-road-in-cyber-conflict/</link>
		<comments>http://blogs.unisys.com/security/2011/06/08/the-rules-of-the-road-in-cyber-conflict/#comments</comments>
		<pubDate>Wed, 08 Jun 2011 10:35:57 +0000</pubDate>
		<dc:creator>Neil Fisher</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Department of Defense]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Military]]></category>

		<guid isPermaLink="false">http://blog.unisyssecurityindex.com/?p=466</guid>
		<description><![CDATA[In military parlance, there are now considered five potential theatres for conflict &#8211; land, sea, air, outer space and now cyberspace. As with any area of Defence spending, investment and innovation in this fifth theatre are shrouded in secrecy. However, according to the Washington Post, the Pentagon has ratified a list of ‘approved cyber weapons’ [...]]]></description>
			<content:encoded><![CDATA[<p>In military parlance, there are now considered five potential theatres for conflict &#8211; land, sea, air, outer space and now cyberspace.  As with any area of Defence spending, investment and innovation in this fifth theatre are shrouded in secrecy. However, according to the <a href="http://www.washingtonpost.com/national/list-of-cyber-weapons-developed-by-pentagon-to-streamline-computer-warfare/2011/05/31/AGSublFH_story.html" target="_blank">Washington Post</a>, the Pentagon has ratified a list of ‘approved cyber weapons’ which the US has available and has been seeking to define how and when these could be deployed within a revised legal framework for conflict.  Whilst nation states assess their readiness for future conflicts in cyberspace, there remains a lot of discussion about what constitutes a cyber-attack; whether it is possible to create some kind of ‘Geneva Convention’ for online conflict and whether certain online targets should be protected in some way due to their non-martial nature.</p>
<p>During the Unisys-supported <a href="http://www.ewi.info/second-worldwide-cybersecurity-summit" target="_blank">East West Institute’s Cybersecurity Summit</a> last week in London, I was invited to participate in a panel discussion about the ‘Rules of the Road’ in cyberspace, which brought together policy makers, defence experts, lawyers and technology consultants to address some of these difficult areas.</p>
<p>At a basic level, defining an attack can be more complex than in other conflicts. Hidden IP addresses, ‘cloned’ computers and the ability to access the Internet from just about anywhere in the world make it very hard to determine where an attack is originating from and how to respond. In cyberspace there is no certainty, only probability, and the probability has to be immensely high if you intend to commit to some sort of retaliation which may well have unforeseen side effects. Understanding whether you are reacting to another nation state, a terrorist organisation, organised criminals or simply a frustrated teenage hacker is often very blurred and unclear. Information is the currency of the online world. Cyber-attacks will invariably take one of two forms: those that seek to influence decision making by disrupting and manipulating information, and those that seek to capture valuable intelligence without another nation or organisation knowing, for the purposes of informed decision making on your own side or perhaps for the simple business of monetary gain. Not knowing precisely and instantaneously makes cyber conflict frustratingly hard to retaliate against. Hence, as the Financial Times leader said on Saturday (4 Jun 11), defence becomes of utmost importance when trying to go about one’s business with confidence in cyberspace.</p>
<p>A major area of discussion at the Cybersecurity Summit was whether certain targets should be ‘protected’ in cyberspace. The first element of military strategy is to disrupt the enemy’s lines of communication, but what if that communication infrastructure also happens to power a hospital’s patient database or telephony systems? Or if the disruption were to damage an air traffic control system and risk numerous civilian lives? On the one hand, nation states could agree ways to identify these systems to avoid ‘collateral damage’, but would this make them more obvious targets for non-state actors such as terrorists? Would the suggestion of distinguishing some URLs with a non-combatant suffix (.med; .nsz (non-strike zone)) help? The DoD said last week that they feel they have the legal right now to undertake target “reconnaissance” in cyberspace during peacetime and mark “targets” that they feel might do potential harm in a state of conflict. Could not the same markers indicate targets that are not to be touched?</p>
<p>These questions don’t have straightforward answers but governments and international institutions are increasingly exploring these issues and creating agencies and frameworks to address them. The range of expertise and nationalities at the Summit was considerable (the Cyber 40+ nations) and will help bring about more collective solutions to these challenges.  The UK is planning an inter-governmental conference to help define the ‘norms’ of cyber conflict in London on 1 and 2 Nov 11 at which a number of organisations including Unisys will be participating.</p>
<p>Just as the definitions and boundaries of cyber conflict are unclear for traditional approaches to Defence, there are similar challenges for businesses.  During the Summit, a number of speakers highlighted that the estimated cost to the UK of cybercrime is £27 billion of which £21 billion affects business.  In recent months we’ve seen groups of hackers coordinate ‘attacks’ on corporates and use online channels to organise physical action at retail outlets.  Whilst less in the public eye, industrial espionage via online channels is also a reality.</p>
<p>So how can businesses respond?</p>
<p>As Sir Michael Rake, Chairman of BT Group highlighted in his keynote address at the Summit, “We need to be more open about discussing the threats and the issues around cybersecurity.  I think that it’s an area that will require huge investment and government-business cooperation.”  Many companies tend to under-report the incidence of cyber-attacks due to understandable concerns about reputation and confidence but the right forums could help identify threats more quickly and help the law and law enforcement respond more quickly.</p>
<p>Secondly, there is no real boundary between online and offline security. All security is converged into one holistic approach within a properly formulated security framework. Companies should take a comprehensive view of risk which integrates online and offline channels, looking at areas such as access to information as a whole and how it will affect timely decision making. Two suggestions were made at the Summit for getting a better understanding of these uncertain threats and what to do. The first is to do what IT businesses do and postulate “Use Cases” for new solutions and how they might benefit the client. In the policy world this has been done with considerable effect using Scenario Driven “games”, but at the strategic level. I would suggest that such an approach, but now involving key CNI industries, would provide some clarity on how to handle “events”, be they state inspired or ordinary decent crime (as Rumpole of the Bailey might have described it). The second is to recognise the uncertainty and, in the first instance, set up “hot lines” between key nations in order to deflate the rhetoric and certainly discuss the media-powered storm that soon surrounds any ambiguous issue – the Google attacks being a prime example. Industry has a major part to play in all this and I look forward to the follow-on events and activities that have come out of this extremely worthwhile Summit that Unisys supported.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/06/08/the-rules-of-the-road-in-cyber-conflict/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Down Under: Internet Trumps Bricks and Mortar as National Infrastructure to be Secured</title>
		<link>http://blogs.unisys.com/security/2011/06/07/down-under-internet-trumps-bricks-and-mortar-as-national-infrastructure-to-be-secured/</link>
		<comments>http://blogs.unisys.com/security/2011/06/07/down-under-internet-trumps-bricks-and-mortar-as-national-infrastructure-to-be-secured/#comments</comments>
		<pubDate>Tue, 07 Jun 2011 19:06:06 +0000</pubDate>
		<dc:creator>Brett Hodgson</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Australia]]></category>
		<category><![CDATA[Christchurch earthquake]]></category>
		<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[National security]]></category>
		<category><![CDATA[Natural disasters]]></category>
		<category><![CDATA[New Zealand]]></category>
		<category><![CDATA[Queensland floods]]></category>
		<category><![CDATA[Unisys Security Index]]></category>

		<guid isPermaLink="false">http://blog.unisyssecurityindex.com/?p=449</guid>
		<description><![CDATA[In the digital age the concept of national infrastructure has significantly changed. Where once this would refer to transport networks, railways, and telephone lines, recent natural disasters have highlighted our dependence on mobile networks and the Internet as critical infrastructure. Earlier this year, when the earthquakes hit Christchurch here in New Zealand, and the floods [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" title="internetbrick.jpg" src="http://blogs.unisys.com/security/files/2011/06/internetbrick.jpg" alt="" width="413" height="413" />In the digital age the concept of national infrastructure has significantly changed. Where once this would refer to transport networks, railways, and telephone lines, recent natural disasters have highlighted our dependence on mobile networks and the Internet as critical infrastructure.</p>
<p>Earlier this year, when the <a href="http://www.nzherald.co.nz/christchurch-earthquake/news/headlines.cfm?c_id=1502981">earthquakes hit Christchurch here in New Zealand</a>, and the <a href="http://www.qld.gov.au/floods/">floods engulfed Brisbane in Australia</a>, destroying or blocking transport networks, we turned to our mobile phones. When the mobile phone network failed we turned to the Internet (often still available on our smartphones) to contact family and friends.</p>
<p>So the nature of what constitutes national infrastructure has changed from something that was traditionally a physical structure, to something that has become critical to the way we communicate &#8212; socially and in the workplace. Research conducted in 11 countries as part of the <a href="http://www.unisyssecurityindex.com/">Unisys Security Index™</a>, asked the public’s opinion on what national infrastructure was vulnerable to malicious or terrorist attack.</p>
<p>Interestingly, <a href="http://www.unisys.co.nz/about__unisys/news_a_events/20110517_1.htm">New Zealand</a> and <a href="http://www.unisys.com.au/about__unisys/news_a_events/20110525_1.htm">Australia</a> were the only two countries where the Internet was ranked by the public as being in the top three areas of national infrastructure most vulnerable to malicious or terrorist attack (it ranked #1 in New Zealand and #2 in Australia). Most other countries surveyed ranked airports/airlines, public transport, and large gatherings of people in their top three most vulnerable national infrastructures.</p>
<p>Perhaps it is our recent experience in local natural disasters. Or perhaps it is because we recognize that New Zealand and Australia are so far removed from the business and economic centers in Europe and North America that we are dependent on the Internet to be part of the global community. Or perhaps it is because of the spate of data breaches that have been reported in the media lately. Regardless, clearly the ability to communicate and access services &#8212; and the Internet’s critical role in enabling that &#8212; have made it publicly recognized as critical national infrastructure.</p>
<p>Of course the public’s perception of vulnerability may not match reality. However, such recognition is useful for governments and businesses looking to introduce new measures to protect the Internet and the data stored on it or transported through it. And let’s face it, we do like to be a little different to the rest of the world, just to remind you we’re here.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/06/07/down-under-internet-trumps-bricks-and-mortar-as-national-infrastructure-to-be-secured/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Crime: How to Prevent an Attack and Mitigate Damage</title>
		<link>http://blogs.unisys.com/security/2011/06/06/cyber-crime-how-to-prevent-an-attack-and-mitigate-damage/</link>
		<comments>http://blogs.unisys.com/security/2011/06/06/cyber-crime-how-to-prevent-an-attack-and-mitigate-damage/#comments</comments>
		<pubDate>Mon, 06 Jun 2011 20:18:20 +0000</pubDate>
		<dc:creator>Steve Vinsik</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Cyber crime]]></category>
		<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Economist Intelligence Unit]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[RSA SecureID]]></category>
		<category><![CDATA[Security patches]]></category>

		<guid isPermaLink="false">http://blog.unisyssecurityindex.com/?p=440</guid>
		<description><![CDATA[Over the past couple of weeks, we’ve seen reports of major defense contractors and systems integrators being the target of sophisticated cyber-attacks that appear to have leveraged vulnerabilities created from the RSA SecurID hack. In March, RSA notified SecurID customers that the company discovered an ongoing sophisticated attack targeting its internal systems. The attack resulted [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" title="hacker.jpg" src="http://blogs.unisys.com/security/files/2011/06/hacker.jpg" alt="" width="413" height="413" />Over the past couple of weeks, we’ve seen reports of major defense contractors and systems integrators being the target of sophisticated cyber-attacks that appear to have leveraged the <a href="http://www.boston.com/business/technology/articles/2011/06/04/lockheed_says_hackers_used_securid_data/">RSA SecurID breach</a>. In March, <a href="http://www.rsa.com/go/gpage.aspx?id=44&amp;gclid=COe0mNf_oakCFchg2godpwj8uw">RSA</a> notified SecurID customers that it had discovered an ongoing, sophisticated attack targeting its internal systems.</p>
<p>The attackers extracted information from RSA&#8217;s systems &#8212; reported to include the &#8220;secret seed&#8221; data from which each SecurID token&#8217;s one-time passwords are generated &#8212; and that information was then used to mount subsequent attacks on RSA&#8217;s customers.</p>
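<p>To make concrete why a leaked seed matters, here is an added example that is not part of the original post. RSA&#8217;s SecurID algorithm is proprietary and is not reproduced here; the example uses the open HOTP/TOTP construction (RFC 4226 / RFC 6238), which shares the property that the whole attack rests on: the one-time code is a pure function of the seed and the clock, so anyone holding a copy of the seed can compute exactly the code the token displays. The seed is the RFC 6238 reference seed, the replacement seed and the scenario function are assumptions made for illustration, and the &#8220;server&#8221; is a few lines of verification logic rather than any vendor&#8217;s product.</p>

```python
"""
Added example (not from the original post): a stolen OTP seed lets an attacker
mint valid codes, and only re-seeding the token closes that door.

Uses HOTP/TOTP (RFC 4226 / RFC 6238) as a stand-in for the proprietary SecurID
algorithm. The seed below is the RFC 6238 test-vector seed; REPLACEMENT_SEED is a
hypothetical value standing in for a newly issued token.
"""
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238: HOTP with the counter derived from the clock (30-second steps)."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, code: str, unix_time: int, window: int = 1,
           step: int = 30, digits: int = 8) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift.
    compare_digest keeps the comparison itself from leaking the expected code."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(seed, counter + drift, digits), code)
        for drift in range(-window, window + 1)
    )


# Constructed data: the RFC 6238 reference seed (ASCII "12345678901234567890").
# In the breach described in the post, this is the kind of record an attacker walks
# away with once the seed database is exfiltrated.
SERVER_SEED = b"12345678901234567890"
STOLEN_SEED = SERVER_SEED                                   # attacker's exact copy
REPLACEMENT_SEED = b"replacement-seed-after-reissue"        # hypothetical re-issued token


def stolen_seed_scenario(unix_time: int) -> dict:
    """(1) The attacker, holding the seed, produces a code the server accepts.
    (2) After the token is re-seeded, the attacker's code is rejected.
    Returns the code and both verification outcomes."""
    attacker_code = totp(STOLEN_SEED, unix_time)
    return {
        "attacker_code": attacker_code,
        "accepted_before_reseed": verify(SERVER_SEED, attacker_code, unix_time),
        "accepted_after_reseed": verify(REPLACEMENT_SEED, attacker_code, unix_time),
    }


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the 8-digit SHA-1 TOTP is 94287082
    print(totp(SERVER_SEED, 59))
    print(stolen_seed_scenario(int(time.time())))
```

<p>The point for a mitigation plan is in the last two lines of the scenario: no amount of patching on the customer side changes the first result, because the attacker is computing the legitimate code. What a seed compromise leaves standing is the other factor (the PIN) and the monitoring around it, which is why the vendor conversation below should cover token replacement and not just advice.</p>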
<p>As the number and severity of attacks continues to rise, many organizations are worried. If these types of cyber attacks can happen to some of the most secure organizations in the world, are we as secure as we should be?</p>
<p>The first step to preventing a cyber attack is to make sure you have a mitigation plan in place. Part of that plan should be a map of your IT assets that shows the relationship between each system&#8217;s security vulnerabilities and the business impact an attack on it would have. This tells you where to allocate budget and ensures your most mission-critical data is backed up most often. A colleague of mine, Walt Leach, has written on this subject for the <a href="http://www.unisys.com/unisys/common/download.jsp?d_id=1120000970001710076&amp;backurl=/unisys/ri/report/detail.jsp&amp;id=1120000970001710076">Economist Intelligence Unit</a>.</p>
<p>Here are a few more suggestions for elements to include in your mitigation plan:</p>
<ul>
<li><strong>Maintain an open dialogue with the provider of the solution under attack.</strong> RSA appears to be making significant efforts to keep customers informed. Discuss your security concerns with the vendor involved to understand the full risk to your organization and what remediation is on offer (for a compromised authentication token, that means asking whether replacement tokens with fresh seeds are available, not just configuration advice).</li>
<li><strong>Be prepared for an extended investigation.</strong> Investigating sophisticated cyber-attacks can take several months. Security professionals will need time to analyze data and deconstruct the attack. Put measures in place to ensure you are engaged until the final report is issued.</li>
<li><strong>Inform your user base.</strong> Users should be made aware of the incident and possible implications and be instructed to maintain a heightened sense of awareness.</li>
<li><strong>Evaluate your internal systems.</strong> Regular evaluation of your internal information systems should be an embedded process. Review the protection levels of both operating systems and applications, make sure all applicable security patches are installed, and review the configuration of access control systems for appropriate segregation of duties and least privilege. When the incident concerns an authentication product, include in that review an inventory of every system that trusts it as a second factor, so you know exactly what is exposed.</li>
</ul>
<p>It’s important to keep in mind that mitigation plans need to be continually updated, because attacks will keep growing more sophisticated. If you are unsure of how to start protecting your assets from cyber attacks, vendors such as Unisys can help you develop mitigation plans to keep your data safe.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/06/06/cyber-crime-how-to-prevent-an-attack-and-mitigate-damage/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Celebrities, Cybercrime, and the Courts</title>
		<link>http://blogs.unisys.com/security/2011/06/03/celebrities-cybercrime-and-the-courts/</link>
		<comments>http://blogs.unisys.com/security/2011/06/03/celebrities-cybercrime-and-the-courts/#comments</comments>
		<pubDate>Fri, 03 Jun 2011 16:19:54 +0000</pubDate>
		<dc:creator>Neil Fisher</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Celebrities]]></category>
		<category><![CDATA[Cyber crime]]></category>
		<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Personal privacy]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social media]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://blog.unisyssecurityindex.com/?p=421</guid>
		<description><![CDATA[The UK news has been dominated in recent weeks by a series of celebrity scandals, where ‘traditional’ media outlets were prevented from publishing details through court imposed ‘super injunctions’ ( a UK legal measure for protecting personal privacy) but the names of those involved were revealed by Twitter users thus seriously flouting UK law and [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" title="Cybersecurity" src="http://blogs.unisys.com/security/files/2011/06/Cybersecurity-thumb1.jpg" alt="" width="150" height="150" />The UK news has been dominated in recent weeks by a series of celebrity scandals in which ‘traditional’ media outlets were prevented from publishing details by court-imposed ‘super injunctions’ (a UK legal measure for protecting personal privacy), while the names of those involved were revealed by Twitter users, who were thereby flouting UK law and exposing themselves to contempt charges and a possible prison sentence. It has kept journalists busy and provided a great source of gossip for many people, but it also highlights how traditional national legal frameworks are struggling to keep up in the globally connected online 21<sup>st</sup> Century world.</p>
<p>I recently participated in the Unisys supported East West Institute’s <a href="http://www.cybersummit2011.com/">Second Worldwide Cybersecurity Summit</a> in London.  The Summit brought together 400 of the world’s leading policy makers, academics and experts to define new approaches and best practice in tackling cyber security threats.  Just as with ‘super injunctions’ a similar theme ran through the Summit &#8211; namely how can government policy, the courts and law enforcement professionals keep up with sophisticated cyber security threats which cross national boundaries; which are hard to trace and which can spread like wildfire in hours?</p>
<p>The East West Institute will be reporting its findings at next year’s Summit in New Delhi but I thought it would be interesting to highlight some of the key discussions I’ve been participating in over the last few days:</p>
<ol>
<li><strong>Collaboration</strong> – historically nation states have been fiercely protective of their military, judicial and law enforcement systems and reluctant to share information with other countries. However just as cyber security threats span national boundaries, it is clear that an unprecedented level of cooperation and willingness to share information will be required and it was reassuring to see a genuinely international audience participating in the conference which included delegates from India, China, Europe, the Nordics as well as the USA and Canada.</li>
<li><strong>Finding one area to set a precedent</strong> – different interpretations of human rights; legal definitions; religious attitudes and the sheer range of attacks can make it difficult to decide where to start when tackling different cyber security threats. However picking one area where there is common ground can create best practice which can be applied elsewhere. There is universal condemnation of online child pornography and working on that basis the East West committees are seeking to create a unified legal and investigative framework which will enable different countries and organisations to take a global approach to stamping out activity in this area.</li>
<li><strong>Ensuring we have the right skills</strong> – much of the research into security currently focuses on cryptography and national defensive measures but I believe we also need investment in researching behavioural, sociological and psychological factors which motivate hackers and cyber criminals. This can help spot trends, pre-empt vulnerabilities and take preventative measures. I had the privilege of speaking to Dr Susan Aldridge, the President of the University of Maryland University College who told me that they have just started a new cyber security faculty with up to 3000 students studying at first, second and doctoral levels with the intent that these highly qualified individuals will be available to fill the immense cyber security professional gap that President Obama alluded to in his first statement on the importance of Cyber Security back in 2009.</li>
<li><strong>Encouraging young people who have grown up with the Internet to help tackle cyber security</strong> – older generations typically shape policy and legal precedent, but clearly we need more ‘Internet natives’ to want to help solve these challenges. Last night the UK <a href="https://cybersecuritychallenge.org.uk/">Cybersecurity Challenge</a> was launched, a series of national online games which encourage people from all backgrounds to come up with solutions for handling threats. Last year’s winner was a 35-year-old postman from the north of England, the runner-up a 17-year-old maths student with no background in computer science, and third place went to a “resting” actor from London. The goal is to excite and inspire people to consider careers in the cyber security industry, and it is a great way of bringing new perspectives and new talent to the online security challenge.</li>
</ol>
<p>Adapting to criminal behaviour is nothing new but the challenge here is enabling the law and law enforcers to keep pace with the rapid and borderless nature of cybercrime. Clearly there is a lot more to do but the four themes which have been discussed over the last few days are practical areas where quick gains can be made.</p>
<p>Further thoughts to come tomorrow from the second day of the East West Institute Cybersecurity Summit.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/06/03/celebrities-cybercrime-and-the-courts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Finally! A simple solution for mobile device security</title>
		<link>http://blogs.unisys.com/security/2011/06/02/finally-a-simple-solution-for-mobile-device-security/</link>
		<comments>http://blogs.unisys.com/security/2011/06/02/finally-a-simple-solution-for-mobile-device-security/#comments</comments>
		<pubDate>Thu, 02 Jun 2011 12:59:36 +0000</pubDate>
		<dc:creator>Sowmya Murthy</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Humor]]></category>
		<category><![CDATA[Security policy]]></category>

		<guid isPermaLink="false">http://blog.unisyssecurityindex.com/?p=411</guid>
		<description><![CDATA[After months of research, IT finally found a foolproof way to get employees to comply with security policy. Download the permalink to share with friends!]]></description>
			<content:encoded><![CDATA[<p style="text-align: left">After months of research, IT finally found a foolproof way to get employees to comply with security policy. Download the <a href="http://blog.unisyssecurityindex.com/2011/06/02/finally-a-simple-solution-for-mobile-device-security/">permalink</a> to share with friends!</p>
<p style="text-align: center"><a href="http://blogs.unisys.com/security/files/2011/06/Unisys-06-11-Chains_FINAL.jpg"><img class="size-medium wp-image-412 aligncenter" src="http://blog.unisyssecurityindex.com/wp-content/uploads/2011/06/Unisys-06-11-Chains_FINAL-272x300.jpg" alt="" width="272" height="300" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/06/02/finally-a-simple-solution-for-mobile-device-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The New Threat to Critical Infrastructure</title>
		<link>http://blogs.unisys.com/security/2011/05/26/the-new-threat-to-critical-infrastructure/</link>
		<comments>http://blogs.unisys.com/security/2011/05/26/the-new-threat-to-critical-infrastructure/#comments</comments>
		<pubDate>Thu, 26 May 2011 19:35:31 +0000</pubDate>
		<dc:creator>Steve Vinsik</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[9/11]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[Infrastructure security]]></category>
		<category><![CDATA[Iran]]></category>
		<category><![CDATA[Obama]]></category>
		<category><![CDATA[Robert Mueller]]></category>
		<category><![CDATA[Stuxnet]]></category>
		<category><![CDATA[Unisys Security Index]]></category>
		<category><![CDATA[White House Cybersecurity Legislative Proposal]]></category>

		<guid isPermaLink="false">http://blog.unisyssecurityindex.com/?p=404</guid>
		<description><![CDATA[While airport security concerned Americans well before Sept. 11, 2001, our most recent Unisys Security Index results found that 59 percent of Americans are now seriously concerned about it. Additionally, 57 percent of Americans have serious concerns about security at large public gatherings. However, what we found especially interesting is that Americans are just about [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" title="inforgraphic" src="http://blogs.unisys.com/security/files/2011/05/inforgraphic.png" alt="" width="359" height="355" />While airport security concerned Americans well before Sept. 11, 2001, our most recent <a href="http://blog.unisyssecurityindex.com/2011/05/04/unisys-security-index-reveals-sharp-increase-in-u-s-concern-about-internet-security/">Unisys Security Index results</a> found that 59 percent of Americans are now seriously concerned about it. Additionally, 57 percent of Americans have serious concerns about security at large public gatherings.</p>
<p>However, what we found especially interesting is that Americans are just about as concerned about the security of critical infrastructure (such as bridges and power plants, 61 percent; and cargo security, 56 percent), as they are about air travel.</p>
<p>The security of this critical infrastructure extends beyond simply protecting physical assets. Threats are now arising from the cyber realm, and our physical infrastructure is actually at risk of electronic attacks.</p>
<p>This is reflected in <a href="http://1.usa.gov/l3eLcf">The White House Cybersecurity Legislative Proposal</a> that was presented last week. President Obama prioritized cybersecurity following a number of attacks against our critical infrastructure &#8212; such as those centered on the electricity grid, financial sector and transportation networks:</p>
<blockquote><p>“The Nation’s critical infrastructure, such as the electricity grid and financial sector, is vital to supporting the basics of life in America. Market forces are pushing infrastructure operations to put their infrastructure online, which enables them to remotely manage the infrastructure and increases their efficiency. However, when our infrastructure is online, it is also vulnerable to cyber attacks that could cripple essential services.”</p></blockquote>
<p>It is clear, from both the Unisys Security Index findings and the cybersecurity proposal, that everyone from officials at the highest levels of government to the average U.S. citizen is concerned about protecting the nation’s critical infrastructural assets. And it has become essential that the government and businesses guard those assets with special attention paid to any piece of infrastructure connected to the Internet.</p>
<p>How can this be done? To start, businesses need to take a holistic view of their data and how it is being secured. Many businesses are getting burned because they are only looking at the perimeter of their infrastructures. That is not to say that physical security is no longer important. Organizations should continue to invest in surveillance and biometrics-based security to provide insight into who is gaining access to their facilities and data. But physical security alone simply doesn’t cut it anymore.</p>
<p>As the White House cybersecurity proposal mentioned, critical infrastructure assets like the electricity grid are now network-enabled &#8212; and their control systems are often reachable, directly or through a corporate network, from the Internet. Too often they are open to cyber threats they have never had to contend with before. A coordinated attack against an unprotected asset can take down its access control system, making it easier for attackers to then reach the more central controls of a facility. In worst-case scenarios, an attack could bring down a nuclear plant or disrupt the entire nation’s energy grid.</p>
<p>The threat isn’t merely theoretical. For example, in September 2010 it was reported that <a href="http://www.telegraph.co.uk/technology/news/8021102/Stuxnet-virus-worm-could-be-aimed-at-high-profile-Iranian-targets.html">Iran had come under attack from the Stuxnet worm</a>. The worm searched for industrial control software made by a well-known European company (Siemens), software that is routinely used to run systems in industrial facilities such as power plants. Where it found that software, the worm could reprogram the programmable logic controllers (PLCs) that drive the physical equipment, issuing them a new set of instructions while the operators’ monitoring displays continued to show normal readings. Many experts concluded that the attack was in fact an act of cyber warfare.</p>
<p><a href="http://www.fbi.gov/about-us/executives">FBI Director Robert Mueller</a> put it quite clearly when he said at a recent security conference, “A cyber attack could have the same impact as a well-placed bomb.” It is clear that businesses that operate, service and own critical infrastructure have reason to be concerned about cyber attacks and need to start thinking about ways to secure the cyber dimensions of the infrastructure without causing issues with service.</p>
<p>As my colleague, <a href="http://blog.unisyssecurityindex.com/2011/03/01/the-seismic-security-shift-of-2011/">Patricia Titus, CISO for Unisys, said recently,</a> “Resources will need access permissions. Information (including e-mails!) will need to be encrypted. Device use will have to be monitored &#8212; including desktops, laptops, smartphones, tablets; anything that taps the organization’s data. Firewalls will have to get smarter to monitor all information, to ensure sophisticated techniques are not being used.”</p>
<p>At the end of the day, whether we like it or not, we need to understand that there will unfortunately be more frequent and more complex coordinated attacks against not only online assets like websites, but also the Internet-enabled systems that manage our nation’s critical infrastructure. All the stakeholders need to work toward a coordinated response that ties in both physical and cyber security if we are to protect ourselves from the diverse range of threats emerging in today’s Web-enabled world.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/05/26/the-new-threat-to-critical-infrastructure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>At a Glance: America&#039;s Top Security Concerns</title>
		<link>http://blogs.unisys.com/security/2011/05/18/at-a-glance-americas-top-security-concerns/</link>
		<comments>http://blogs.unisys.com/security/2011/05/18/at-a-glance-americas-top-security-concerns/#comments</comments>
		<pubDate>Wed, 18 May 2011 15:03:14 +0000</pubDate>
		<dc:creator>Sowmya Murthy</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Infographic]]></category>
		<category><![CDATA[National security]]></category>
		<category><![CDATA[Personal security]]></category>
		<category><![CDATA[Unisys Security Index]]></category>

		<guid isPermaLink="false">http://blog.unisyssecurityindex.com/?p=365</guid>
		<description><![CDATA[Unisys has been conducting the bi-annual Unisys Security Index since 2007 to gauge consumer security perceptions around the world. In the United States, we interview more than 1,000 consumers every six months, providing a huge amount of data about Americans&#8217; perception of various security issues. It&#8217;s sometimes hard to wade through all the data and [...]]]></description>
			<content:encoded><![CDATA[<p>Unisys has been conducting the bi-annual <a href="http://unisyssecurityindex.com/usi/us">Unisys Security Index</a> since 2007 to gauge consumer security perceptions around the world. In the United States, we interview more than 1,000 consumers every six months, providing a huge amount of data about Americans&#8217; perception of various security issues. It&#8217;s sometimes hard to wade through all the data and glean the key trends, and so this year we thought we&#8217;d create our first-ever Unisys Security Index infographic to provide a graphical view of our findings.</p>
<p>Here it is. Just click the image to enlarge it, and please feel free to share the <a href="http://blog.unisyssecurityindex.com/2011/05/18/at-a-glance-americas-top-security-concerns/">permalink</a> with your personal and business networks. If you&#8217;re a blogger, you have the right to feature this on your blog without asking for our permission, provided you credit Unisys for the chart. The infographic nutshells the entire constellation of the U.S. information. In moments you&#8217;ll have an understanding of the top-line issues, and then you&#8217;re free to slice and dice all the data on the <a href="http://unisyssecurityindex.com/usi/us">Unisys Security Index</a> website.</p>
<p style="text-align: center"><a href="http://www.unisyssecurityindex.com/system/images/1/original/Unisys_050311_v2.jpg"><img class="size-medium wp-image-375 aligncenter" src="http://blog.unisyssecurityindex.com/wp-content/uploads/2011/05/security-infographic-larger1-171x300.png" alt="" width="171" height="300" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/05/18/at-a-glance-americas-top-security-concerns/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>10 Years After 9/11, Aussie Concern About Personal Threats Outweighs Concern About Terrorism</title>
		<link>http://blogs.unisys.com/security/2011/05/11/10-years-after-911-aussie-concern-about-personal-threats-outweighs-concern-about-terrorism/</link>
		<comments>http://blogs.unisys.com/security/2011/05/11/10-years-after-911-aussie-concern-about-personal-threats-outweighs-concern-about-terrorism/#comments</comments>
		<pubDate>Wed, 11 May 2011 15:57:48 +0000</pubDate>
		<dc:creator>John Kendall</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[9/11]]></category>
		<category><![CDATA[Australia]]></category>
		<category><![CDATA[Bali]]></category>
		<category><![CDATA[Christchurch earthquake]]></category>
		<category><![CDATA[Identity theft]]></category>
		<category><![CDATA[Mumbai]]></category>
		<category><![CDATA[Natural disasters]]></category>
		<category><![CDATA[Netherlands]]></category>
		<category><![CDATA[Osama Bin Laden]]></category>
		<category><![CDATA[Queensland floods]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Unisys Security Index]]></category>

		<guid isPermaLink="false">http://blog.unisyssecurityindex.com/?p=353</guid>
		<description><![CDATA[The death of Osama Bin Laden has once again focused local news coverage and conversations on global terrorist events. Most of us can remember exactly where we were when we heard about the attacks in New York and Washington in 2001 and how we felt at that time. And much has happened in the 10 [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" title="aussie.png" src="http://blogs.unisys.com/security/files/2011/05/aussie.png" alt="" width="358" height="241" />The <a href="http://atwar.blogs.nytimes.com/2011/05/01/bin-laden-is-dead-u-s-official-says/?scp=47&amp;sq=bin%20laden&amp;st=cse">death of Osama Bin Laden</a> has once again focused local news coverage and conversations on global terrorist events. Most of us can remember exactly where we were when we heard about the <a href="http://topics.nytimes.com/top/reference/timestopics/subjects/s/sept_11_2001/index.html?scp=1-spot&amp;sq=9/11&amp;st=cse">attacks in New York and Washington in 2001</a> and how we felt at that time. And much has happened in the 10 years since then, including the <a href="http://www.telegraph.co.uk/news/worldnews/asia/india/3546197/Mumbai-attacks-al-Qaeda-plotter-behind-Bali-bombing-linked-to-terror-attacks-Bombay-india.html">attacks in Bali and Mumbai</a>, reminding us that Australia is not immune or removed from such world events.</p>
<p>So how has our sense of security changed over the last decade?</p>
<p>Well, in the lead up to the 10th anniversary of 9/11 we decided to find out. As part of the latest <a href="http://www.unisyssecurityindex.com.au/">Unisys Security Index™</a> we asked Australians if they were more or less concerned about key security issues than they were in 2001. The survey questions were fielded in February, so it was before the death of Osama Bin Laden. I must also stress that the responses reflect the views here in Australia, and quite different responses might be given in other countries if the question was asked there.</p>
<p>The research found that in the 10 years since the 9/11 terrorist attacks, more Australians say they have become more concerned about the threat of identity theft, financial fraud, and environmental disasters than those who say they have become more concerned about the threat of terrorist attacks such as airline hijackings or suicide bombs.</p>
<p>Three out of four Australians (76 percent) responded that they are more concerned today about credit card data being stolen, two in three (66 percent) are more concerned today about the risk of an environmental disaster, and 59 percent are more concerned about companies losing their personal or financial details.</p>
<p>Conversely, only 51 percent of Australians said they are more concerned today than 10 years ago about the threat of a suicide bomb in Australia and 42 percent expressed increased concern about airline hijackings.</p>
<p>These results reflect that today’s security environment has evolved significantly since the 2001 terrorist attacks, which dominated the media and social psyche at the time. While there is still a general awareness of traditional national security issues, more contemporary issues such as identity theft and environmental concerns today have a greater immediacy for a larger number of Australians.</p>
<p>Many Australians have personally experienced, or know of someone else who has been a victim of, some form of identity theft, whether it be credit card data theft or someone else obtaining and using your personal details, so we are well aware of the risk. Similarly, public awareness campaigns such as last week’s <a href="http://www.privacyawarenessweek.org/">Privacy Awareness Week</a> initiative, which was run across Asia Pacific, as well as reminders from banks and credit card providers all help to keep this issue top of mind. And this is a good thing &#8212; being aware of the issue prompts you take action to prevent yourself becoming a victim. To borrow a phrase, it means you can be alert but not alarmed.</p>
<p>The increased concern regarding the risk of environmental disaster is clearly a response to heightened awareness of the natural disasters that are typical in the Australian environment. In the last year we have dealt with floods, bushfires, droughts, and even an earthquake, and witnessed our regional neighbors cope with earthquakes, tsunamis, and landslides.</p>
<p>That said, don’t forget that nearly half of the Australians polled said that they are more concerned about the risk of a suicide bomb in Australia than they were 10 years ago.</p>
<p>So it would appear that we have a heightened awareness about the many security issues we face today. Yet as a nation we are not panicked. In fact Australia recorded the second lowest level of overall security concern among the 12 countries where the <a href="http://www.unisyssecurityindex.com/usi">research is conducted globally</a>, with only the Netherlands more relaxed than us.</p>
<p>I even heard a caller on a talk-back radio show say that her 18-year-old son queried what all the fuss was over Osama Bin Laden’s death. Shocking? Not when you consider he would have only been eight years old when 9/11 so dominated our psyche and the media. He’s far more likely to be aware of &#8212; or to have been affected by &#8212; the Sony PlayStation Network breach and events like the Queensland floods or the Christchurch earthquake.</p>
<p>At this point in time, Australians believe immediate security risks to the individual outweigh concern about terrorism. It will be interesting to see how recent events will be reflected in the next Unisys Security Index.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/05/11/10-years-after-911-aussie-concern-about-personal-threats-outweighs-concern-about-terrorism/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>This Cartoon is Password Protected</title>
		<link>http://blogs.unisys.com/security/2011/05/06/this-cartoon-is-password-protected/</link>
		<comments>http://blogs.unisys.com/security/2011/05/06/this-cartoon-is-password-protected/#comments</comments>
		<pubDate>Fri, 06 May 2011 19:06:30 +0000</pubDate>
		<dc:creator>Sowmya Murthy</dc:creator>
				<category><![CDATA[Security Index]]></category>
		<category><![CDATA[Cartoon]]></category>
		<category><![CDATA[Networks]]></category>
		<category><![CDATA[Password]]></category>

		<guid isPermaLink="false">http://blog.unisyssecurityindex.com/?p=340</guid>
		<description><![CDATA[You can&#8217;t fix what you can&#8217;t measure! Click the image to enlarge, and copy the permalink to share with friends.]]></description>
			<content:encoded><![CDATA[<p>You can&#8217;t fix what you can&#8217;t measure! Click the image to enlarge, and copy the permalink to share with friends.</p>
<p style="text-align: center"><a href="http://blogs.unisys.com/security/files/2011/05/Unisys-05-11-Password-Chart_FINAL.jpg"><img class="size-medium wp-image-341 aligncenter" src="http://blog.unisyssecurityindex.com/wp-content/uploads/2011/05/Unisys-05-11-Password-Chart_FINAL-272x300.jpg" alt="" width="272" height="300" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.unisys.com/security/2011/05/06/this-cartoon-is-password-protected/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	
</channel>
</rss>
