‘Assume you’re always under attack’: experts. By: Liam Lahey On: 11 Mar 2011 For: ComputerWorld Canada


Enterprises must make a conscious decision about what information we’re prepared to lose, said an exec with security vendor Symantec. Why companies are missing the mark with security risk management.

When asked if the only true hope for a secure Internet and the elimination of corporate data leakage begins with our children since the current generation’s track record speaks for itself, Dean Turner, the director for Symantec Security Response’s global intelligence network, smiles and responds: “We’re probably the first generation to have grown up in the analog and digital world. That digital world has changed us. Your analog-self would never go down to the community centre and post pictures of yourself half-naked and then publicly declare you’re going on vacation.”

Not to make light of what is a serious issue, but if the answer to improved cyber security is generational, Turner admits his younger 20-something brother has already said to him ‘this isn’t your Internet anymore’.

“Yes, there is a generational component to this. But not all information should be protected,” he insisted. “That’s where we’re headed. We have to make a conscious decision about what information we’re prepared to lose. You have to assume that people are crawling all over your computer right now . . . you need to assume that you are always under attack.”

He said to identify the business’s crown jewels, put strong, enforceable security policies in place, and restrict the flow of information between different classifications of individuals.

Turner also discussed the Stuxnet malware and data security in general with ComputerWorld Canada while attending the 12th Annual Privacy & Security Conference in Victoria, B.C., in February. When asked if he thought Stuxnet and its impact were well understood, he responded instantly, “In no way, shape or form.”

“We’re talking about a threat here that was designed to target critical infrastructures. If we’re talking about most businesses in Canada, most of their focus is not going to be on something that would affect critical infrastructure,” he said. Large industrial-based sectors, such as oil and gas, have certainly sat up and taken notice, but by and large, individuals “are a little confused” by it all.

Charles King, principal analyst with Pund-IT Inc., agrees the ramifications of Stuxnet remain largely misunderstood.

“While security admins are certainly aware of Stuxnet, full understanding of it is still evolving. Due to the apparent political intentions related to its development, the entire story may never be known,” he said. “Not sure I’d call it a game-changer but Stuxnet did arrive as it’s becoming increasingly clear that governments around the world are attempting to surreptitiously leverage the Internet both for their own economic and political gain and to attack or inhibit those they consider rivals and enemies.”

Turner added that, as individuals, we must also assume our information is continuously under assault. If you do that, you’re likely to be more cautious about what personal data you share online.

People should understand that the information they consider their own is of interest and value to others and in many more ways than they might imagine, King said. “A file or account that you might consider a black velvet rendition of Elvis may, to the right (or wrong) people, qualify as a valuable masterpiece.”

David Senf, director of IDC Canada Ltd.’s infrastructure solutions group in Toronto, agreed that an organization’s data is always under attack.

“Security admins and those on the front line have a good understanding of the scope of the threats that their organization is under. But as you go up the ladder in that organization to find those holding the purse strings that could release money and buy more security solutions, their understanding is very limited,” he said. “They’ll believe they’re under one-tenth of the number of threats that those lower down in the organization believe that they’re under. The flipside to that is, only 15 per cent of organizations in this country believe they’re highly likely to lose data from such an attack.”

Later, during a panel discussion at the conference, Turner repeated his message of establishing a selective data protection strategy by protecting only what is worth safekeeping. “What is game over for you in a business sense if that information gets out? You have to think about that because we’re all inter-connected at this point and it all has an impact on the bottom line of your business.”

Senf said the security policies most firms have in place are not related to the sensitivity of their data. “Very few firms do data classification,” he remarked. “They need to be doing security risk management to understand what their assets are and what the vulnerabilities are.”

Prioritization seems the logical approach because most organizations’ data resources are so vast and complex, King agreed. “However, effective prioritization requires a comprehensive approach to information management, and despite the best intentions, valuable or critical information may still slip through the net,” he added.

-- Lahey is an online community manager at in Vancouver OR Lahey is a Vancouver-based freelance writer. Follow him on Twitter: @LiamLahey

Oct 26.10 | ‘Spear-Phishing’ Attacks Keep on Giving, by Kim Zetter


Sep 16.09 | Web server attacks, poor app patching make for nasty mix. Jump in site hacks, lazy Adobe, Sun, Apple program patching to fuel online threats. By Gregg Keizer, September 15, 2009 03:44 PM ET


Jul 02.09 | Heartland breach cost $12.6 million, CEO says

By Robert Westervelt, News Editor, 07 May 2009

Heartland Payment Systems Inc. said it was experiencing losses this quarter as a direct result of a massive data breach it disclosed in January when investigators discovered a malicious program sniffing credit card data passing through its systems.

Apr 20.09 | RBS, Heartland no longer PCI compliant


By Dan Goodin in San Francisco, 13th March 2009 21:40 GMT

Visa on Friday alerted the world that RBS WorldPay and Heartland Payment Systems are not on its list of payment card processors who are in good standing with industry-mandated standards for data security.

The move follows announcements by both companies that they experienced data breaches that exposed details for a large number of credit cards to criminal hackers. RBS said the security lapse exposed 1.5 million cards. Heartland has yet to say how many cards were affected.

Sep 30.08 | FAQ: Clickjacking -- should you be worried? Nearly all browsers are vulnerable to this new attack class, but details are scarce!


Jul 25.08 | Credit-card fraud probe targets Pearson's self-service kiosks

An investigation of suspected credit-card fraud at Toronto's Pearson airport is now concentrating on the security of its 150 self-service check-in kiosks.

Moneris’ new eSELECTplus® payment tool will be used with Wylie’s Web site so organizations can easily accept electronic contributions and purchases online.

Jan 18.08 | Silent Banker Trojan... Banking in Silence

Beware the Silent Banker Trojan, which sits quietly between your computer and your online banking to steal away payments. It can silently change the user-entered destination bank account details to the attacker's account details instead.

Jan 14.08 | 92 Convio Clients Hit In Security Breach (November 6, 2007)
Firm says no financial data was accessed
By Mark Hrywna, The NonProfit Times