How to deal with 3 big corporate security concerns

BOSTON -- Virtualization, mobility and social networking were flagged as posing most security risk to businesses, partly because there is no accepted set of best practices yet to protect them, IT Roadmap attendees were told.

These three technologies have left traditional corporate security models in tatters, often lacking flexibility to keep up with threats designed to exploit weaknesses in each, John Burke, an analyst with Nemertes Research, told attendees at Network World's IT Roadmap event this week.

The issues are worth paying attention to, he says, because the technology behind virtualization, mobility and social networks is making significant inroads. A Nemertes Research survey finds 67% of businesses have telework policies that call for how to use inherently dangerous public Wi-Fi networks using mobile devices. And 46% say use of personal mobile technology in corporate networks influences IT decisions.

TESTS: How we tested virtualization security

In the largest corporations, 68% of the corporate workload gets done on virtual machines.

Social computing and mobile devices combine to create a primary avenue for data loss because enterprises are blind to mobile use of social computing. There are no tools for separating who can access what social networks on their mobile devices, Burke says.

Virtualization blurs the duties of security, server, networking, storage and systems workers, and in that blurring, important tasks can be lost, he says. "Keeping the virtual environment performing well may lead to security policies not being enforced," he says.

Less than 20% of organizations surveyed specify virtual security that peers into the host server. There seems to be a disconnect, though, because 51.9% rank their virtual security as excellent, perhaps because they haven't seen it compromised yet.

So far businesses have been slow to expand data centers to the cloud, with less than 10% having done so, according to a survey last spring. But preliminary results of a survey this year have that jumping to 18% or 19%, and that doubling is expected to continue for the next year or two.

"You're making it part of what you need to worry about for security," Burke says. "Security for virtual environments seems to be ill-defined."

To effectively battle new threats, businesses need to set up comprehensive, overarching security plans that incorporate tools that integrate policy to as many devices as possible. This is important both to consistency of policies and to making the task manageable for IT staff.

Businesses need to build visibility into traffic into virtual environments and among virtual machines, and Burke suggests virtual firewalls and IDS/IPS products to accomplish this.

Social computing controls require identity management so privileges can be meted out to those who need them. Who gets what privileges requires input from business unit leaders who best know the needs of their workers, Burke says.

A network proxy outside the data center is needed, he says, to create an audit trail of what mobile devices are up to. This may be necessary for regulators, but is also important if businesses hope to secure data center resources.

Conventional threats include phishing attacks bent on ID theft and compromise of corporate intellectual property, cross-site scripting and SQL injection attacks, polymorphic malware and botnets, Burke says.

"They target your network for attack then they fire the shotgun and try everything," he says. That includes tricks like dropping thumb drives with malware on board at coffee shops frequented by corporate employees in hopes they'll plug them in to their mobile devices. It also includes monitoring employees' activities on Facebook and other social networks in hopes of gleaning valuable corporate data or a means for accessing it.

Adversaries are also becoming more sophisticated, dividing the chores involved in exploits into specialized fields such as finding vulnerabilities, creating exploit tools to take advantage of them, creating attack vehicles such as botnets, carrying out the exploit and stealing data and finally cashing in on the stolen data.

Compliance itself can be viewed as a threat, Burke says, because businesses not only face penalties for failure to meet standards, they also face damage to their public reputations if regulations force them to reveal when their networks have been breached.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags unified communicationsapplicationsNetworkingwirelesshardware systemsNemertes Researchsocial networkingData CenterinternetvirtualizationsecurityWeb 2.0softwarecollaborationsocial media

More about FacebookIPSLAN

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts