The 2013 security horror in Hong Kong

Reading the coverage of the recent breach of Adobe passwords, we learned that 1.9 million users used "123456" as their password. That's right: out of 38 million cracked passwords, almost two million adults used passwords more suited to five-year-olds.

Some of these people are corporate users--are they working at your company? Using Adobe products on machines attached to your corporate network?

Horror movie

Describing security is like describing a horror movie--literally. Some people process film-horror as actual horror, it scares them, you can't even talk about it. You say "The ghost emerges from the..." and they stick their fingers in their ears.

I don't want to horrify you, but a "rainbow table" is a cyberthreat you should know about, if only because it will motivate you to create strong, unique passwords every time a password is needed. It's a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. In other words, a powerful tool the bad guys use to break into your accounts and steal your data.

Needless to say, cybercriminals don't need precomputed tables to crack "123456." Why waste time, when users make it so easy? And there are worse things out there--much worse.

Harden. Your. Weak. Points.

Security means more than "a firewall." It means educating your employees--and ensuring that the corporate network is protected from a security threat you may not see coming: the Disgruntled Employee. According to Reuters, Edward Snowden persuaded his NSA colleagues to hand over passwords which he later used to download top secret material and leak it to the press. Sources said he told other staff he needed the information to carry out his job as a computer systems administrator.

Security is never "one-size-fits-all" and many enterprises now have a board-level CSO or CISO to oversee security policy. If your firm doesn't have one, maybe now's the time to think about budgeting for that position. And yes, you need a managed service (or device supported 24/7) to monitor and block malicious traffic up to the application layer.

Let's ditch the infantilism of "123456" and take a look at some more evolved security strategies.

2013 trends

"With the increasing popularity of virtualization and cloud technologies," said APAC security specialist manager Andy Leung of Juniper Networks, "enterprises are using cloud-based applications and services, or moving some of their infrastructure to datacenters." Leung also said that BYOD is becoming part of standard business operations.

"Cybercriminals always look to exploit new vulnerabilities associated with the emergence and rapid growth of new technologies," said Linda Hui, managing director, Hong Kong and Taiwan, F5 Networks. "It's all been about apps, mobile, public cloud and big data in 2013 and this is where the new cyberthreats to enterprise security originate."

"Mobile devices are getting infected, and sensitive data is being stolen via virus-riddled apps from unsanctioned mobile markets," said Hui. "Organizations have little to no control or visibility into employee-owned devices and further issues are caused due to the blurring of corporate and personal data."

Top of user-agendas"The top keys are always the same three things," said Leung. "Increase employee productivity--such as BYOD initiatives. Improve the business by adopting more competitive strategies such as cloud. And control costs, with emphasis on decreasing opex--for example, a complete end-to-end security strategy that can be integrated seamlessly."

F5's Hui agrees. "It's a perfect storm for enterprises," she said, "having to fight new and increasingly complex cyberattacks brought on by a wave of technology transformations such as cloud and mobile while dealing with budget pressure."

2013 concerns"As enterprises move applications and infrastructure to cloud or datacenters," said Leung, "they're concerned about service interruptions and data being compromised by hackers. We have seen increased uptake of security products that aim to protect Web-based applications and also defending Internet attacks like DDoS."

"We've seen high demand for flexible, certified Web application firewalls and comprehensive, policy-based Web application security that can address emerging threats at the application level," said Hui. "This combination significantly reduces the risk of damage to IP, data, and Web applications."

Corporates open wallet for security"Security, especially dealing with new challenges associated with mobile and BYOD, is definitely a priority spend despite resources being squeezed as businesses look for efficiency savings across the board," said Hui.

Juniper's Leung agrees: "We feel that the IT market is tough these days, but corporate spending in security is still increasing. As corporates invest in new platforms like mobile devices and cloud--which make business transactions more effective and ubiquitous--the need to protect and secure these channels are also important."

"Organizations cannot be sloppy on cybersecurity as that will threaten the business with severe compromise from an operational or public relations perspective," cautioned Hui. "Security spend needs to rise to deal with new and increasingly complex threats in an new IT environment infused with apps, mobile, public cloud and big data."

Trends in 2014"With adoption of new technologies like virtualization, cloud, BYOD, or even SDN, enterprises need an integrated strategy to manage end-to-end security across their infrastructure," said Leung. "A security breach in any part of their operation-chain can be disastrous."

"A comprehensive, multi-layered security approach is best to mitigate cyberattacks," said Hui. "For an effective defense against cyberattacks, enterprises should have the following covered in their security framework: access layer, application layer, network layer and compliance."

"If enterprises still manage their security in individual silos, opex is a burden for the operation," said Leung from Juniper. His simple advice for enterprises: plan out an integrated security strategy ahead of time.

"The continued mass adoption of SaaS, mobile and big data-infused public cloud IT programs will be the biggest market challenges in 2014," said Hui from F5. "This will result in an increasingly dispersed organization and one that is harder to securely manage. Users, devices, applications and data centers are now often located outside the traditional business perimeter, and the growing complexity of managing access and authentication puts an ever increasing burden on IT infrastructure and management costs."

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about 24/7Adobe SystemsAPACCSOF5F5 NetworksJuniperJuniperNSAReuters Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Stefan Hammond

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place