Being a Late Adapter in Security is Not An Option

By Richard Stiennon

(Back to article)

I remember the reactions I would get from IT managers in the early days of the Internet. Two memorable statements come to mind; one from a VP. When I showed him my business card with an email address on it and predicted that he would soon have one too, he said “I will never need one of those.”

Then there was the networking engineer who told me ITT Automotive would never need more that a T1 to the Internet. These statements are laughable now but back then it demonstrated that “never” is about two months in the corporate IT world.

There are some decisions that can be made that really do set technology direction for several years. What desktop or server platform to use? What routing infrastructure? What ERP solution?

But security is different. Here is why:

There are three drivers that cause change in the security space. Change that must be reacted to and preferably should be anticipated.

Microsoft. Far from introducing the solution Microsoft is the cause of wide-spread vulnerabilities. And it is not all the fault of cumbersome or sloppy programming. The real fault is the world domination of Windows as a computing platform.

This means that a single vulnerability, say RPC DCOM or Windows Metafile, leads to the fast and furious spread of worms and viruses and enticement for cyber criminals and hackers.

Advances in Web applications. If you have not tuned into what is going on in this space dig into it now. It is all about exposed APIs to Web applications and the mash-ups that are putting them all together.

Look into Web 2.0 and “mash-ups.” Look at Salesforce, Appxchange or Google API’s as examples. Of course these are rolling out without any thought to security so there will be new product vendors to go back and protect mission-critical, business-generating applications as these become prevalent.

Threats. And finally and most importantly threats are growing and more real than ever before. Just look back over the last two years to understand the next two years.

Two years ago cyber crime was a theme of science fiction. Now it is the single greatest threat to cyber security, both individually and for corporations.

There is now a market for identities (basically credit card information or the underlying data needed to apply for a new credit card or loan). This has created a demand for large quantities of identities that hackers find on servers, stolen laptops, or maybe even by dumpster diving.

If your organization has any such information anywhere on your network you have just lost any “security by obscurity” you may have enjoyed. You will be subject to hack attempts both from external sources and internal.

The solution may involve making out-of-budget investments. But you need to do it. Waiting is not an option.

Web properties have grown tremendously in value. Cyber extortionists that threaten to use distributed denial of service (DDoS) attacks against your infrastructure are now discovering that value and testing your preparedness with their threatening emails.

And finally, targeted attacks using custom Trojan horses have been demonstrated successfully. First against Sumitomo Mitsui Bank in London last year and then in the now infamous Israeli Trojan fiasco.

So, why is late adaptation not an option? I have heard the following statements from companies that have a late adaptation policy:

  • “We do not purchase any products in their first year of availability.”
  • “We do not purchase products from vendors who are not in Mega Analyst Firm’s Meticulous Matrix (MAFMM).”
  • “We do not purchase products that are not EAL4 certified (or any other certification).”
  • “We only purchase services from companies that are ISO 9XXX compliant."
  • While this attitude may work for infrastructure IT products and services, it can be risky when it comes to security.

    Because new threats tend to arise from early warning to endemic in 12-24 months you will not be able to protect yourself unless your security investment policy is more liberal. And if you your advisors tell you to “hold off”, "wait and see”, “use the incumbent it is not great but good enough,” it might be time to get new advisors.

    Richard Stiennon is founder and chief research analyst at IT Harvest. Richard's blog can be found at http://blogs.zdnet.com/threatchaos.