
London: It’s that time of year again when the IT security industry looks at how the year has developed and predicts what is in store for the industry. Jeff Hudson, CEO of Venafi, the leading provider of enterprise key and certificate management (EKCM) solutions, suggests that 2013 should be the year when you take control of your IT systems amid the explosion of BYOD and cloud computing.

1. Flame and Stuxnet-style malware attacks will continue

“Many pundits, leading media outlets and even some security experts are reporting that enterprises needn't be overly concerned about Flame and Stuxnet-style malware attacks, citing the fact that they were executed by well-funded espionage intelligence groups whose target was hostile nation states and not businesses,” said Jeff Hudson. “However, our view is that companies should be concerned, as unfortunately the tools and techniques for executing these types of attacks are now in the hands of common criminals and rogue entities. In the coming year, these types of attacks are likely to increase especially against enterprise organisations, and are likely to result in significant and costly public breaches and unplanned outages. Therefore, companies should protect themselves against the likes of Flame and Stuxnet-style malware attacks.”

2. The 4G explosion must be managed sensibly

Many would argue that with BYOD and cloud computing, the IT department has less control than ever over how and from where employees access their data. The notion of “perimeter-based security” is gone, and information must be protected wherever it is accessed. This will be exacerbated by the explosion of 4G in the UK, which, thanks to higher connectivity speeds, gives users a near-desktop experience on their mobile devices for the first time. More users accessing data from their portable devices and from more unsecured networks also means many more security certificates for IT professionals to manage. This could be a huge headache for those companies that have no idea how many certificates and encryption keys they have, where these are, or whose responsibility it is to manage them. Hudson advises: “Organisations must mitigate risk and have control over who has access to sensitive information, which means managing trust instruments for all users across the entire network - including mobile devices. If not applied, then 4G could spell disaster for many companies, instead of it being truly liberating for many staff out in the field.”

3. ICO will impose its first cloud computing data protection fine

In September of this year (http://bit.ly/UNwRqQ) the ICO issued specific guidelines relating to cloud computing – advocating that companies going into the cloud need to have total control and auditability, and to use encryption with robust key management. The data protection regulator says that businesses will need to comply with the law and has published a guide, which seeks to act as a source of best practice for those organisations considering and/or using a cloud-computing environment.

Based on the ICO's previous track record, Venafi believes these guidelines are a polite precursor to the imposition of financial penalties against organisations that fail to protect their cloud-based data.

Against a backdrop of a specific reference in the confidentiality section of the ICO's cloud computing guidelines - which asks the pertinent questions: “Is all communications in transit encrypted?”, “Is it appropriate to encrypt your data at rest?” and “What key management is in place?” - Venafi advises IT security professionals within UK organisations that, in order to answer these questions - and meet the required levels of governance – organisations will need to define, and implement, a robust key management process with sound access and audit controls.

Venafi also warns that the guidelines – which extend to a fairly sparse 21-page document – leave the issue of key management, which is an integral part of corporate IT security and governance, as a potentially grey area.

Companies looking for optimum advice on good key management governance in this regard can visit www.venafi.com/best-practices/.

4. Cybercriminals to go after highest-value targets – trust instruments at risk

The use of Public Key Infrastructure (PKI), digital certificates and SSH encryption keys is ingrained within the modern enterprise. These security instruments are critical for securing data in transit, protecting ecommerce and providing system and user authentication. Yet a series of security events over the past couple of years has shown that third-party trust providers are high-value targets for the hacker community. Certificate authority compromises are no longer hypothetical, and are likely on the rise. Venafi warns that organisations should have business continuity plans in place in case of compromise – to quickly and easily switch from one trust-instrument provider to another.

In most cases hackers compromise systems to steal data. Intellectual property, financial data and personal data can all be taken and used to gain financial reward, expose secrets, and harm reputations. Most security is involved in protecting the data from compromise. If the bad guys are on the inside, how can the data be protected? The best answer is to encrypt the data whether it is at rest or in motion