Risk: Security's new compliance

Torsten George, vice president of worldwide marketing and products, Agiliance • February 06, 2012

For many years, complying with government standards and industry regulations was seen as an obligatory check box in the lengthy list of IT security tasks. However, recent changes in the security ecosystem are leading to a rethinking of this approach.

2011 saw a record number of cyber security attacks and associated breaches with very public disclosures including Citigroup, the International Monetary Fund, RSA (the security division of EMC), Lockheed Martin, Google, Sony, ADP and NASDAQ. These attacks are just the tip of the iceberg. Government networks, critical infrastructure operators and the private sector are facing an increasing frequency and sophistication of cyber attacks and breaches of information security – often with discovery after the fact.

Risk-based security

The 2012 Global State of Information Security Survey, conducted by PwC among more than 9,600 security executives from 138 countries, reveals that only 16 percent of respondents believe their organizations are prepared and have security policies in place that are able to confront an advanced persistent threat (APT). This does not come as a surprise, considering three years of budget constraints that have led to a degradation in core security capabilities.

Considering the current economic climate and impasse in Congress, a dramatic change in prior years' budget limitations across the commercial and public sectors appears unrealistic; however, the increased threat levels will lead to a budget realignment toward security. Security professionals will be asked not to deploy additional security solutions, but instead to find better ways to leverage existing investments in security tools. The revised objective of many organizations today is to develop a risk-based rather than compliance-driven approach to determining the business' investment decisions.

According to a 2011 survey, more organizations are focusing on managing risk, not just security. In fact, 57 percent of survey respondents had already shifted to a risk-based approach, employing a formal enterprise risk management process or methodology. 61 percent of respondents indicated that they will put even more value on a risk-driven strategy going forward.

This data is complemented by independent market research studies, which show that more organizations recognize that instead of looking at governance, risk, and compliance (GRC) from a centralized perspective, it is more efficient to let business operations drive these efforts, as that is where the organization's risk knowledge resides. In this context, the market sees the emergence of the role of the business information security officer (BISO), reflecting the fact that regional resources are the real subject matter experts when it comes to the risk associated with particular business units.

Making risk visible, measurable, and actionable

The dilemma organizations face is that their current security and vulnerability measures, including perimeter intrusion detection and signature-based malware and anti-virus solutions, are unable to keep up with evolving threats. Often these tools operate in silos and are not integrated and interconnected to achieve a closed-loop process and continuous monitoring. Another shortcoming lies in the fact that a majority of vulnerability programs lack a risk-based approach, in which vulnerabilities and their associated remediation actions are prioritized by the risk they pose to the business. Thus it is often impossible to make risk visible, measurable, and actionable.

However, as mentioned before, real-time risk analysis is essential to optimizing business performance and making better investment decisions. Therefore, organizations should explore software tools that can aggregate data from existing security tools and information management applications. These tools provide not only advanced reporting capabilities but also the interconnectivity to ensure that remediation actions can be triggered and followed through easily. At the same time, they tie compliance and security automation together, thereby extending traditional GRC capabilities. Leveraging these tools allows organizations to implement a holistic view of security while automating the GRC process. This approach is being labeled “security risk management,” rather than “GRC,” and yields the following benefits:

  • Reduces risk by making threats and vulnerabilities visible and actionable; enables organizations to prioritize and address high-risk security vulnerabilities before breaches occur
  • Reduces cost by streamlining processes to leverage automation and reduce redundant, manual efforts
  • Provides reports and metrics to measure effectiveness and efficiency
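The prioritization the bullets describe, as an added example that is not part of the original article or any vendor's product: a scanner's raw findings are re-ranked by business risk rather than by CVSS alone. The asset inventory, the findings, and the weighting factors (asset criticality, internet exposure, public exploit availability, regulated data) are all constructed and hypothetical; a real program would tune the weights to its own risk appetite.

```python
"""Risk-ranked remediation queue (added example, constructed data)."""
from dataclasses import dataclass

# Constructed asset inventory: business criticality 1-5, exposure, data type.
ASSETS = {
    "web-01":  {"criticality": 5, "internet_facing": True,  "data": "cardholder"},
    "hr-db":   {"criticality": 4, "internet_facing": False, "data": "pii"},
    "dev-box": {"criticality": 1, "internet_facing": False, "data": "none"},
}

# Constructed scanner output: one finding per (asset, vulnerability).
FINDINGS = [
    {"asset": "dev-box", "id": "VULN-A", "cvss": 9.8, "exploit_public": True},
    {"asset": "web-01",  "id": "VULN-B", "cvss": 7.5, "exploit_public": True},
    {"asset": "hr-db",   "id": "VULN-C", "cvss": 8.1, "exploit_public": False},
    {"asset": "web-01",  "id": "VULN-D", "cvss": 4.3, "exploit_public": False},
]


@dataclass
class Ranked:
    asset: str
    vuln_id: str
    cvss: float
    risk: float


def risk_score(finding, assets):
    """Business risk = technical severity x asset value x reachability x exploitability.

    The multipliers are illustrative assumptions, not a standard."""
    a = assets[finding["asset"]]
    score = finding["cvss"] * a["criticality"]
    score *= 2.0 if a["internet_facing"] else 1.0      # reachable from outside
    score *= 1.5 if finding["exploit_public"] else 1.0  # weaponized already
    if a["data"] in ("cardholder", "pii"):               # regulated data raises impact
        score *= 1.25
    return score


def remediation_queue(findings, assets):
    """Findings ordered by business risk, highest first."""
    ranked = [Ranked(f["asset"], f["id"], f["cvss"], risk_score(f, assets))
              for f in findings]
    return sorted(ranked, key=lambda r: r.risk, reverse=True)


def cvss_only_queue(findings):
    """The naive ordering most scanners emit, for comparison."""
    return [f["id"] for f in sorted(findings, key=lambda f: f["cvss"], reverse=True)]


if __name__ == "__main__":
    print("CVSS-only order :", cvss_only_queue(FINDINGS))
    print("Risk-based order:", [r.vuln_id for r in remediation_queue(FINDINGS, ASSETS)])
```

Run as is, the CVSS-only queue puts the 9.8 on the isolated dev box first; the risk-based queue pushes it to the bottom and moves the internet-facing cardholder system to the top, which is the whole point of letting business context drive remediation order.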

Security vendors can no longer ignore patch management

Scott Hagenus, VP, strategic relationships, GFI Software • February 03, 2012

Patch management can prevent most of the malware currently exploiting software vulnerabilities, so why isn't the technology being used everywhere?

Part of the problem is the misconception that if you run your anti-virus (AV) software regularly and update the operating system, you are covered. Reality begs to differ. While AV software derails a lot of potentially harmful attacks, it is only one component of a comprehensive security solution. Updating the OS is important, but it doesn't cover holes in applications and browsers that hackers, cyber criminals and other assorted IT malefactors are adept at exploiting.

Simply put, a truly comprehensive security strategy includes automated, centralized patch management software designed to handle the multitude of patches issued by multiple vendors at different times; a system to perform the necessary tests before applying patches; and the tools to conduct software audits on a regular basis. Executing all of this has, for far too long, been a challenge for many small and midsized businesses, and completely out of reach for the average home user.

This needs to change.

The software patching function could be accomplished much more easily for most home and business users if security hardware and software vendors (including AV, firewall, gateway appliance and PC utility companies) integrated patch management into their solutions. It's hard to think of a better fit between complementary technologies, but even though patch management has been available for the better part of a decade, most security vendors still don't offer it among their growing slate of features.

For their part, service-focused companies such as ISPs (internet service providers), MSPs (managed service providers) and RMM (remote monitoring and management) vendors have been successfully integrating patch management into their offerings, thereby taking pressure off their customers to keep systems safe, while also establishing incremental service revenue opportunities for themselves.

Managing a stream of patches

Keeping up with the stream of patches in the course of a year is a daunting task for any IT administrator, let alone the average home user. Vendors follow their own schedules, issuing patches monthly, quarterly or as needed. Microsoft alone issued close to 100 updates last year.

Most software applications and systems nowadays do come with auto-update mechanisms for downloadable patches. However, updaters operate independently of each other, taking up resources and bogging down systems, and require users to run them manually. They are time-consuming, requiring application shutdowns and system restarts, so it's easy to see why many users put them off.


Automated patch management solves this problem and, in so doing, prevents upward of 90 percent of software attacks, most of which affect home computers. Consider that most botnets – responsible for untold spam, DDoS and phishing attacks targeting corporate networks – are essentially thousands of infected home PCs, and it becomes clear how intertwined corporate security is with the security of the average home user.

There's not only an industry imperative to address here, but there's also a tremendous market opportunity for security vendors to seize.

Six pack of trouble

Think of patch management as a flu shot. Like the flu, computer viruses and malware evolve constantly. Just as your body has to adapt to fight off infection, so does your IT environment. A vaccine helps your body adjust, and that is what a patch management system does for your network.

A recent study by the Danish security firm CSIS Security Group made a strong case for patch management. The study, conducted over a three-month period, found that simply applying the most recent patches to six software packages on Windows machines could prevent 99.8 percent of malware infections. The six packages are Java JRE (responsible for 37 percent), Adobe Reader/Acrobat (32 percent), Adobe Flash (16 percent), Microsoft Internet Explorer (10 percent), the Windows Help Center (HCP) protocol handler (three percent) and Apple QuickTime (two percent).

For anybody using a computer or managing an entire network, automated patch management is clearly a tremendous benefit, protecting their systems and data while saving them money. A network free of viruses is, of course, more cost-effective than one requiring remediation after an infection.

Patch management should be a fundamental component of any comprehensive security solution. It's something ISPs, MSPs and RMM vendors understand, though we can't yet say the same for a broad array of other security vendors, who should proactively strengthen their products with integrated patch management to better protect their business and consumer customers.

If they don't, users and service providers should pressure them to do so. If they succeed, it would be a win for everyone.


Scott Hagenus is vice president of strategic relationships at GFI Software. Learn more at www.gfi.com or by sending email to atg@gfi.com.


Lessons on insider threats

Brian Anderson, CMO, BeyondTrust • February 02, 2012

In the past two years, two rogue traders, Jerome Kerviel at Société Générale, and then just recently, Kweku Adoboli at UBS, cost their respective financial institutions more than $9B by making unauthorized trades.

And let's not forget Julian Assange. WikiLeaks gave new meaning to the concept of insider threat by providing a convenient vehicle to empower staff at government agencies and public/private corporations to quickly and instantly hand over their privileged information to the world.

Insider threats are becoming a global phenomenon. Every company in every part of the world is subject to some level of insider threat. And guess what? Insider villains are just as unidentifiable in the U.K. as they are in the United States. They appear just as innocuous in Poughkeepsie as they do in Perth.

Yet despite these costly, high-profile breaches, hacker attacks are far more publicized than insider attacks. Last summer Anonymous and LulzSec attacks splashed news headlines, and undoubtedly more people could name Anonymous than they could Kweku Adoboli.

As I meet with executives of large corporations, they have one request of our company: Keep us out of the Wall Street Journal. Don't let me be the CEO who lost all of my customers' credit card data.

The richness and sensitivity of this information, much of it personal to the consumer, has led to a series of legislative efforts to ensure it is secured. The enactment of Sarbanes-Oxley, PCI DSS, Basel II and a host of standards throughout the world has emphasized the importance of securing the assets of our customers, and indeed requires us to do so.

Billions of dollars have been spent over the last few decades on corporate information technology security in order to “keep the bad guys out,” but it turns out the bigger threat was, and always has been, found within the network perimeter: the so-called “insider threat,” the trusted employee, contractor or partner who can cost an organization more on a daily or per-incident basis than any outside hacker could hope to.

Whether we like it or not, “good people can do bad things” intentionally, accidentally, or indirectly.

If you have employees with excessive privileges or access to sensitive data, then they are at risk of intentionally, accidentally or indirectly misusing that privilege and potentially stealing, deleting or modifying the data. There is a very fine line between intent and action, especially when excessive privileges on IT resources are involved.

In April 2011, a former network security engineer at Gucci America was indicted on charges that he illegally accessed the company's network and deleted documents shortly after he was fired, costing Gucci nearly $200,000 in damages. Using an account he secretly created while working at the company, the former employee allegedly later accessed Gucci's network and deleted virtual servers, shut down storage areas and wiped corporate mailboxes.

Employee terminations are, unfortunately, a necessary evil for corporations. The Gucci America case, and many others like it, calls attention to the importance of having policies and procedures in place to ensure terminated employees no longer have access to company information and resources. Email, network and application accounts must be swiftly deactivated. Employees who were granted administrative privileges while at the company pose an even greater threat if those privileges are not revoked at the same time.

Human nature is the weakest link when it comes to the intersection of people, processes and technology. And, all too often it's the tendency of almost the entire IT industry – vendors, analysts and press – to ignore this.

You can't rely on everyone being a saint or competent all of the time. It's not just malicious malcontents intent on destroying the system who can cause havoc, but also the negligent, misinformed and downright nosey who can compromise sensitive data. More often than not, such people have far too much privileged access – admin rights on the desktop, the root password on a server – for the role they are required to play.

It would be nice if every villain inside your organization walked around wearing a big sign that broadcasts "bad guy looking to do bad things," but alas it is only in cartoons and movies where you can always find the stereotypical bad guy.

In real-life enterprises, insiders look like you and me – just regular employees doing their job and collecting their paycheck. That's why securing the perimeter within is so important.


Brian Anderson is CMO at BeyondTrust. Brian co-authored the first definitive book on insider threat mitigation with BeyondTrust CEO John Mutch, called Preventing Good People from Doing Bad Things.

Best practices to secure the mobile enterprise

Scott Emo, head of endpoint product marketing at Check Point Software Technologies • January 30, 2012

Mobile devices have infiltrated nearly every aspect of people's lives. The amount of personal and corporate data stored on these devices makes securing the information on the device a priority.

A survey conducted in January 2012 by Dimensional Research explored the impact of mobile devices on information security in corporate environments, noting that 94 percent of companies have seen an increased number of personal mobile devices, such as smartphones or tablets, connecting to corporate networks. Increased employee productivity and mobility are the main benefits for organizations that allow these devices in the workplace, but those benefits come with their own set of risks.

The threats associated with mobile devices can come in many forms, including:

  • Mobile operating system – Every OS, including Android, iOS, BlackBerry and Windows, comes with its own set of security challenges. Threats can originate from mobile apps, the mobile browser, as well as insecure Bluetooth and Wi-Fi hotspot usage.
  • Employees – The lack of security awareness among employees is often the leading factor impacting the security of mobile data. Many employees simply aren't aware of the mobile security risks and corporate policies associated with mobile devices, such as storing corporate data, customer information or access to business applications.
  • Personal mobile devices – The consumerization of IT brings another layer of complexity as more employees want to leverage their personal mobile device for business purposes. While companies begin to accept the “BYOD” (bring your own device) trend, there are significant concerns about the privacy of sensitive data stored on the devices that IT must handle.

The first step businesses should consider when safeguarding against these security challenges is to develop and enforce best practices and corporate policies for the mobile enterprise. These should cover: a list of approved devices that can access corporate data; the types of data that may be stored on mobile devices and taken out of the corporate environment; which types of mobile apps may be installed on devices; the procedure to follow when a device is lost or stolen; a routine for applying operating system patches; a requirement for device passcodes; and the capability to wipe a lost or stolen device.

Mobile device usage in the workplace is a trend that has staying power because it un-tethers employees from their offices, allowing them to work more efficiently while on the go. As with any emerging trend, organizations will need to be careful about striking the right balance between mobility that empowers employees and the new security concerns that arise from it.


A closer look at two of today's top security threats

Matt Ulery, director, product manager, NetIQ • January 26, 2012

As an information security professional, there are two security issues that I continually hear about when talking to IT organizations today: protecting against malware and advanced persistent threats (APTs), and securing data in virtual and cloud environments.

Advanced persistent threats

Hackers and computer criminals have shown an ongoing ability to stay one step ahead of the security professional. This is occurring in large part because security is often not treated as a sustained effort, and too many organizations take a check-box approach to implementing security or meeting compliance objectives.

As a result, long-term coordinated attacks can often exploit inadequate defenses over a period of time. In many cases, these attacks are well disguised and designed to undermine the typical security controls deployed within many organizations. Often these attackers are well-funded, financially motivated and in some cases state-sponsored (by China, in particular).

These entities have changed the game by leveraging new types of attacks that traditional systems can't easily detect. With APT, we require a fundamental change in mindset by IT professionals to a state of sustained vigilance. There are no “quick fixes” for APTs and no single product is a cure-all.

Organizations need skills and tools to find patterns, correlate activities across applications and infrastructure, and conduct forensic analysis to find the clues that you may be compromised or that you are about to be compromised. They need to be able to do this in real time, and most organizations do not have the visibility, solutions or skill sets to best protect themselves against these kinds of sophisticated attackers. The information needed to detect attacks exists within the enterprise regardless of whether the attack is by an external party or an insider. Organizations that are not proactively collecting and analyzing this information lack the visibility needed to detect and respond to threats.
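The cross-source correlation the paragraph calls for, as an added example that is not the article's or NetIQ's code. It takes a handful of constructed log lines from three sources (a VPN gateway, Windows logons and a file server) that a collector has already normalized to one line format, and flags an account that authenticates to several distinct hosts within a short window, a pattern none of the sources would show on its own. The line format, the usernames, the hosts and the thresholds are all assumptions for illustration.

```python
"""Cross-source account-spread detection (added example, constructed logs)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, normalized by a collector to:
#   <ISO timestamp> <source> <outcome> user=<account> host=<target> src=<client ip>
SAMPLE_LOGS = """\
2012-01-25T09:00:01 vpn       fail    user=jsmith host=vpn-gw src=203.0.113.5
2012-01-25T09:00:07 vpn       fail    user=jsmith host=vpn-gw src=203.0.113.5
2012-01-25T09:00:12 vpn       success user=jsmith host=vpn-gw src=203.0.113.5
2012-01-25T09:02:30 windows   success user=jsmith host=fs-01  src=10.0.5.20
2012-01-25T09:03:10 windows   success user=jsmith host=fs-02  src=10.0.5.20
2012-01-25T09:04:45 windows   success user=jsmith host=hr-db  src=10.0.5.20
2012-01-25T09:05:02 fileshare success user=jsmith host=fs-02  src=10.0.5.20
2012-01-25T09:10:00 windows   success user=akim   host=fs-01  src=10.0.7.3
2012-01-25T13:30:00 windows   success user=akim   host=fs-02  src=10.0.7.3
garbage line that the collector could not normalize
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(success|fail)\s+user=(\S+)\s+host=(\S+)\s+src=(\S+)$")


def parse(text):
    """Parse lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, source, outcome, user, host, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "outcome": outcome, "user": user, "host": host, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def detect_account_spread(events, window=timedelta(minutes=10), min_hosts=3):
    """Alert when one account succeeds against >= min_hosts distinct hosts
    inside `window`; also count failures just before the burst started."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            if start["outcome"] != "success":
                continue
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            hosts = {e["host"] for e in in_window if e["outcome"] == "success"}
            if len(hosts) >= min_hosts:
                failures = sum(1 for e in evs[:i]
                               if e["outcome"] == "fail"
                               and start["ts"] - e["ts"] <= window)
                alerts.append({"user": user, "first": start["ts"].isoformat(),
                               "hosts": sorted(hosts),
                               "sources": sorted({e["source"] for e in in_window}),
                               "preceding_failures": failures})
                break  # one alert per account per burst keeps the queue readable
    return alerts


if __name__ == "__main__":
    for alert in detect_account_spread(parse(SAMPLE_LOGS)):
        print(alert)
```

On the sample data only jsmith trips the rule: two VPN failures, then a success, then logons to three internal hosts from one client address within five minutes, seen across all three sources. akim touches two hosts hours apart and is ignored. The thresholds are the tuning knobs; the structural point is that the evidence exists only when the sources are read together.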

Virtual and cloud computing

Securing data, both personal and corporate, within virtual and cloud environments without the ability to implement and monitor controls presents a significant challenge for IT security personnel. As virtualization and cloud technologies continue to expand – due largely to the need to lower costs in IT – this trend has required us to grow, and in some cases, change our approach to security monitoring.

Not all virtual and cloud environments offer customers the ability to implement and manage effective security controls, and this can pose tremendous risk, particularly as many service providers do not guarantee the security of data stored within their environment, and the owner of the data generally retains liability if a breach does occur.

Organizations must understand that outsourcing IT does not transfer responsibility for data or liability associated with its security. Companies can mitigate the risks somewhat here through carefully structured contracts with clear SLAs, but that is not a failsafe by any means.

It may be difficult to implement parallel security controls so that confidential data accessed on the network is treated in the same fashion outside of your organization. End-users cannot be expected to know the location of an application or how to avoid placing sensitive data in a virtual or outsourced repository that may not have adequate controls in place. So, while there is no question about the ease and convenience of virtualization, these services may prevent IT from applying needed security controls, allow end-users to unintentionally expose confidential personal and corporate data, and ultimately put the business at risk of liability.

IT cannot stop the trend of business users contracting discrete services to support their objectives, so IT needs to enforce protection at the data level, regardless of where the data is located. Where the service is infrastructure or platform as a service and the organization retains control of the systems, this can be addressed as an extension of current enterprise monitoring. Where the organization gives up control of the infrastructure for the benefits of SaaS, the risks must be addressed through a carefully structured contractual agreement that includes terms for auditing and reporting. Without such protection, the organization is exposed as employees move critical information to cloud services.

Considerations for any security program

As new threats and deployment models increasingly impact organizations' security strategies, it is important to formulate a security model that accounts for these changes.

Ultimately we need to change our view of “trusted” users and focus on the behavior rather than the user. For that reason, a “zero trust” model is the most appropriate approach if organizations are to fully protect data and systems. In this context, no user is blindly trusted. Activity must be continuously monitored and identity continuously verified. The approach of controlling rights through an overall identity/role lifecycle, and the monitoring of those rights through continuous monitoring will ultimately help better ensure that corporate data is protected against new threats that routinely impact organizations worldwide.


Solving the hardest problems in enterprise data security

Jim Ricotta, CEO, Verdasys • January 23, 2012

Verdasys believes global enterprises will most probably face the following data security challenges in 2012, listed in the order of most difficulty to manage:
  1. Targeted cyber attacks
  2. Insider threats
  3. Intellectual property containment

As this list refers to data threats with a proven potential to severely impact a business's bottom line if left unaddressed, the relatively benign “threat” of failing a compliance audit did not make the cut.

These potentially existential threats are not only prioritized by how hard they are to solve, but are also in order of their urgency to be solved. This is based on the “top down” theory of data security that says the most difficult threat requires a solution that will, by definition, mitigate all other risks of lesser complexity. For instance, to prevent insider threats one must have found a practical solution for auditing and controlling enterprise uses of intellectual property (presuming that is the primary data target of a malicious insider). Likewise, to protect intellectual property, one must have found a practical solution to audit and control all data types, and so on. A “bottom up” model does little good if it requires implementing layers of disparate technology to solve progressively harder problems, as this simply incurs greater costs without making you any safer.

If you agree with the logic of top-down defense, then you must defeat the apex predator of corporate data. In 2012, this is undoubtedly targeted cyber threats – aka the advanced persistent threat (APT).

It used to be that stopping a malicious insider from stealing trade secrets was the hardest data security challenge to solve, but APT trumps that threat by being, in effect, an invisible malicious insider. So, if you haven't found a way to identify and track how IP is used, then you wouldn't be able to monitor or enforce how a trusted employee uses that IP, which means you wouldn't be able to detect when a trusted “user” account controlled by APT is stealing it, and so on.

What are APT threats and why are they so dangerous to companies? To start, if your organization has intellectual property (IP) that can be exploited by a global competitor, there's a good chance a purpose-built APT mission to steal it is already under way. Perpetrators of APT attacks are hackers and programmers with world-class skills that are backed by “investors” with essentially unlimited resources (i.e., nation-states) which will not stop until they gain an economic or political edge with your proprietary data.

But what makes APT so challenging to solve is that a successful attack requires it to operate freely within a network indefinitely, so it must be highly customized (at great expense) to be undetectable by typical signature-based security technologies. Unfortunately, this means that virtually all traditional signature-based anti-virus and firewall products, along with most web/email security, intrusion prevention and disk encryption technologies that companies have implemented over the last 20 years, are effectively useless at stopping an APT attack. Companies targeted by APT will need to upgrade their defense strategy to include multiple, integrated layers of extremely sensitive anomaly detection and mitigation.

How do you stop an APT attack? First, you must be able to continuously track any intellectual property over its entire lifecycle. This means tagging files in such a way that the tag cannot be tampered with or lost, no matter how the content may be manipulated, shared or transformed. Then, you must be able to identify your privileged users and categorize them by their right to handle data of a given sensitivity (e.g., IT administrator). This means having a policy management system that is enforced independently of a user's other network privileges. Next, your data protection technology must be able to recognize IP by policy, and control it based on each user's data handling privileges.

At that point, you can be assured of mitigating two key APT risks, even if the attack has not been previously detected. The first one ensures that tagged IP will remain protected if APT attempts to access it with a hijacked account (regardless of system privileges) with insufficient data usage rights. The second is that even IP accessed by an account with sufficient rights could still be contained by policy (e.g., encryption or blocking) if an attempt is made to export the data to an unauthorized destination. In either case, a reporting system which continuously audits all user account activities allows you to know exactly when and how anyone – or anything – attempts to handle IP, and could be an effective tripwire if your network has been compromised.
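The three controls the preceding paragraphs describe (labels that belong to the content, data-handling rights held apart from system privilege, and export containment with an audit trail), as an added example that is not from the article or from Verdasys. The labels, clearance levels, users, objects, destination classes and containment rules are constructed; a real product would carry the label as tamper-evident metadata bound to the content rather than a dictionary keyed by filename.

```python
"""Data-centric policy check (added example, constructed users and data)."""
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed directory. Data clearance is held apart from system privilege,
# so a hijacked root-level account gains nothing at the data layer.
USERS = {
    "svc-backup": {"sys_priv": "root", "clearance": "internal"},
    "eng-lee":    {"sys_priv": "user", "clearance": "restricted"},
    "pr-team":    {"sys_priv": "user", "clearance": "public"},
}

# Constructed tagged objects; the label belongs to the content, not the path.
OBJECTS = {
    "turbine-blade.cad":  {"label": "restricted"},
    "press-release.docx": {"label": "public"},
}

# Destination classes, by whether the data leaves the enterprise boundary.
DESTINATIONS = {
    "smb://fs-01/engineering": "internal_share",
    "usb:":                    "removable",
    "smtp:external":           "external_mail",
}

# Containment action when a label moves to a destination class.
EXPORT_RULES = {
    "internal_share": {"public": "allow", "internal": "allow",
                       "confidential": "allow", "restricted": "allow"},
    "removable":      {"public": "allow", "internal": "allow",
                       "confidential": "encrypt", "restricted": "block"},
    "external_mail":  {"public": "allow", "internal": "encrypt",
                       "confidential": "block", "restricted": "block"},
}


class DataPolicy:
    def __init__(self, users, objects):
        self.users, self.objects, self.audit = users, objects, []

    def decide(self, user, obj, destination=None):
        """Return allow / encrypt / block / deny and record the attempt."""
        u, label = self.users[user], self.objects[obj]["label"]
        if LEVELS[u["clearance"]] < LEVELS[label]:
            verdict = "deny"      # insufficient data rights; sys_priv is irrelevant
        elif destination is None:
            verdict = "allow"     # read in place by a cleared user
        else:
            verdict = EXPORT_RULES[DESTINATIONS[destination]][label]
        self.audit.append({"user": user, "sys_priv": u["sys_priv"], "object": obj,
                           "label": label, "destination": destination,
                           "verdict": verdict})
        return verdict

    def tripwire(self):
        """Denied or blocked attempts: the signal worth escalating."""
        return [e for e in self.audit if e["verdict"] in ("deny", "block")]


if __name__ == "__main__":
    p = DataPolicy(USERS, OBJECTS)
    p.decide("svc-backup", "turbine-blade.cad")                        # root, but deny
    p.decide("eng-lee", "turbine-blade.cad", "smb://fs-01/engineering")  # allow
    p.decide("eng-lee", "turbine-blade.cad", "usb:")                    # block
    for entry in p.tripwire():
        print(entry)
```

The two cases in the paragraph above map directly: the root-level backup account is denied the restricted CAD file because its data clearance is only internal, and the cleared engineer is allowed to use the same file on the internal share but blocked from copying it to removable media. Both attempts land in the audit list, which is the tripwire a compromised account cannot avoid setting off.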

Finally, you must be able to merge enterprise anomaly detection on workstations, servers and network traffic, using policy rules created to identify specific and subtle APT tactics. This trove of enterprise event telemetry should ideally feed into an integrated policy management/data mining system that can sift through legitimate “noise” to isolate and manage multiple anomalous or threatening events (either connected or separate) simultaneously. The key to an APT security strategy is that you only need to stop one stage of an APT attack to thwart the entire mission. If a particular security layer fails to detect something, you'll still be OK as long as another layer sees it.

Nobody said tackling these issues was going to be easy, but the threats are only getting worse (search “cyber attack” to see why). The good news is that the technical pieces exist from which to create a security mesh woven tightly enough to trap APT before it can complete its mission, and thus also solve insider threats and IP protection challenges without affecting the business process. Will the best defense be 100 percent effective? No, but it prevents you from being a constant victim. Besides, it is 100 percent certain that doing nothing will cause one or more of these security challenges to inflict serious – maybe permanent – harm to your business.


Bridging the cloud security gap

Gil Zimmermann, co-founder and CEO, CloudLock • January 20, 2012

The sun rising tomorrow morning is almost as inevitable as the cloud's integration within every enterprise in 2012. Now that the “if” portion of the cloud question has been answered, the populace is now moving onto the next stage when discussing migrating to a cloud collaboration platform like Google Apps or Office 365: Is it secure?

The ensuing conversation is usually focused around the vulnerabilities and strengths of the infrastructure, whether or not the cloud application provider can see customer data and whether hackers can attain access to all of the information a cloud provider manages. Once those fears have been allayed, the cloud security conversation is over. The only problem is that these discussions overlook one critical fact: cloud security isn't really about the cloud. It's about people.

The complexities of the cloud bank

Think of the cloud as a bank. Banks have security guards, video cameras and high-tech intrusion prevention systems to keep your money safe. However, all of these systems won't be able to keep a penny in your account if you give your debit card number and PIN out to everyone. This illustrates the user's small, but essential, role in security.

The cloud operates in much the same way. Google, for example, has a stellar track record for protecting data stored in Google Apps. How many times have they lost customer data? Exactly zero. Information that has been lost within Google Apps is always due to a company or user's failure to comprehend the platform's collaboration intricacies. It's not about the security of the infrastructure, it's about how users share data both internally and externally. All the security certifications in the world are irrelevant if an employee shares the salary spreadsheet with everyone in the company or customer credit card info with anyone on the Internet.

Prior to the cloud, IT departments spent a huge amount of time, effort and money on controlling access to data on-premise for things like e-Discovery, governance, risk management and compliance (eGRC). IT staffs used a host of solutions like data leakage prevention, enterprise risk management or network access control to control how information flowed into and out of the corporate architecture. There was a defined border that could be guarded to prevent hackers and insider threats alike. But the public cloud doesn't come equipped with any such point that can be fortified which makes cloud data security an altogether different animal.

Cloud data security = secure collaboration

Collaboration is one of the cloud's primary benefits for enterprises. Unfortunately, it's also one of the major security vulnerabilities as access and usage rights permissions for files are largely left to the users. IT administrators who have long wielded the power in the data security equation now find themselves in a reactionary position. Like on-premise, fundamental cloud eGRC best practices start with understanding how information is flowing throughout the organization, both internally and externally.

Data security traditionally has been viewed as a Wild West movie: the “white hats” attempt to keep confidential information secure while “black hats” try to take it away by any cunning and nefarious means necessary. The cloud makes that viewpoint obsolete. Cloud platforms' high level of security allows enterprises to focus on the finer points of data security. In other words, organizations have to guard the money, not the bank itself. This is a much easier proposition as IT administrators can now focus on access and usage rights for specific documents rather than securing every endpoint and server.

Focusing on implementing the same IT controls for data in Google Apps and Office 365 as for the data that used to sit on on-premise file servers is the gateway to experiencing the cost savings and collaboration benefits of the cloud. The best part is that this strategy will equal the level of security of your on-premise infrastructure, if not surpass it.

Best practices for securing your virtualized data center

Sanjay Raja, virtualization security expert, HP Enterprise Security Products • January 19, 2012

Virtualization is changing the way IT is delivered today and the implications of this transition are endless. Virtualization is essentially taking a physical server and dividing it into multiple simulated or “virtual” servers – aka virtual machines (VMs) – all running on that single physical server. Now you have fewer boxes that are better used, with lower operational costs and conserved resources. As with many new and less tested methods of computing, there are often data thieves, cyber lurkers and hackers looking for undiscovered vulnerabilities in networks. With organizations deploying virtualization and increasingly moving toward the cloud, security becomes a greater concern.

With that in mind, CIOs have to make security a priority. Recent breaches, like the Wi-Fi network hack in the Seattle area, where an open wireless network was hacked and sensitive data was stolen, and Sony's PS3 data hack, illustrate that large data centers using virtualization are just as susceptible to an attack as traditional physical data centers.

The reality is that migrating to virtual environments poses equal security risks to physical environments for several reasons:

  • Virtualization software can contain vulnerabilities and require patching just like any other application. This means patching another layer of software in addition to the pre-existing operating system (e.g., Microsoft).
  • Cyber criminals are employing VM-aware malware that can spread unnoticed and unchecked among VMs due to lack of visibility into the vast amount of traffic between machines on the same server – where they often co-exist. VMs are like self-contained “black boxes,” which lets VM-aware malware spread unnoticed to other physical servers when VMs or applications are moved.
  • As VMs are added to the network, most do not automatically have security policies applied to them. In fact, many IT organizations may be unaware of the rogue VMs popping up across their environment that ultimately put their business at increased risk.

The virtual environment is very different from the “physical” data center where networks, servers and applications can be easily secured and monitored. Because of these concerns, companies are implementing security software designed for the physical environment and integrating the software into the VMs (also called virtual appliances), hoping they are protected in the “virtual world.” This approach may not effectively address malware and attacks that are VM-aware, because it provides no visibility into VM movement and its security policies are not portable.

Create a more secure environment by keeping the following best practices in mind:

  • Implement comprehensive security policies for safeguarding networks and applications so that protection is the same for both physical and virtual resources. That is the only way to have the same degree of protection for sensitive data and resources. No one wants to take a step backward when attacks are becoming more complex.
  • Avoid reliance on virtual appliances as they do not always offer viable protection. They are not able to travel with VMs throughout the network, and they consume the server resources that the VMs were meant to use. The ultimate goal of consolidating onto VMs is to make better use of resources, so why use a virtual appliance and lose out on all the savings of virtualization?
  • Integrating full virtual network asset and configuration tracking solutions allows security administrators to configure comprehensive security policies and obtain vital information comparable to that of a physical network. In order to effectively secure VMs, visibility into how they are connected and their communication paths is needed, just like in a physical network between two servers.
  • Running comprehensive deep-packet inspection outside the VMs preserves computing resources for applications without sacrificing security. The procedure also allows security administrators to focus on security, while at the same time allowing server administrators to focus on VMs.
  • Deploying an automated security solution allows the network to adapt to changes in virtual environments, such as introducing a new virtual machine, thus creating continuous protection of both the physical and virtual landscape.

Day in and day out, security is becoming a critical consideration for CIOs. However, comprehensive protection can be achieved if the time is taken to integrate security from the beginning.


Offering security services benefits cloud deployments

Dave Meizlik, VP of marketing and business development, Dome9 Security • January 18, 2012

We all know that while cloud computing offers significant benefits, security and protecting private data are the main concern for organizations considering moving to the cloud. Yet, the front-line defense – the cloud server firewall – often goes unused or is misused, resulting in a significant security threat.

One of the main cloud computing security issues often not discussed is that administrators need to keep ports open (e.g., SSH or RDP) so they can connect to and manage their servers. With these ports open, anyone – including hackers – can gain control simply by guessing (or brute forcing) the administrator credentials.

According to a recent report by the Ponemon Institute titled "Managing Firewall Risks in the Cloud," 54 percent of IT personnel say they have no knowledge of the risk of open firewall ports on cloud servers. IT folks admit they just don't yet fully understand the dynamics of cloud infrastructure and its risk. They know that traditional, on-premise security fails to cover virtual and cloud environments. And they know that there really isn't a robust security toolset available from cloud providers. In fact, the cloud has grown so quickly that what's available from cloud providers is often limited, complex and manually operated, and is – of course – isolated to each provider's cloud.

It's not surprising there's a general lack of knowledge and confusion. If you think about the traditional data center, every server is behind the corporate perimeter (and firewall). So, if an administrator leaves SSH open on a server there, it's not a great risk. (This is like leaving your car unlocked in your locked garage.) When that same server is moved to the cloud, it's outside that corporate perimeter/firewall, and keeping those ports open now introduces an abundance of risk. (This is like leaving your car unlocked in a public parking lot.)

According to the Ponemon Institute study on cloud security, 39 percent of IT security personnel said that they thought the cloud provider would inform them if their cloud servers were hacked. We call these folks “wishful thinkers.” Perhaps even more concerning, 42 percent said they wouldn't know if their cloud server was hacked, and of those that know, 19 percent said they already have been. So clearly there's a big gap in cloud security, a misconception of who's responsible, and this issue is the top inhibitor to customer adoption. It all adds up to one thing: Service providers need to offer more security services to their customers.

By offering security services (i.e., those that the customer can opt-in, deploy and self-manage), providers will address the security issue head-on without eating into their margin or taking responsibility themselves. In fact, by making services such as encryption, firewalling and identity management available as a premium add-on, providers will increase their margins, differentiate their services and accelerate cloud adoption.

What enterprises need from their providers is the ability to centralize automated firewall management across all their servers and clouds. Automation makes security as elastic as the cloud infrastructure, and centralization eliminates gaps in security and processes and makes security administrators' lives much easier. This holds true for anyone who has a hosted, dedicated or virtual private server.
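The exposure described above (management ports such as SSH and RDP left reachable from anywhere once a server sits outside the corporate firewall) is exactly what a centralized audit over all servers' firewall rules should catch. The following is an added example, not code from the original article or from Dome9; the rule format, server labels and the 203.0.113.0/24 administrative range are constructed for illustration.

```python
# Added example: audit firewall rules across several cloud servers for
# administrative ports (SSH, RDP) open to the whole Internet, and show the
# corrected rule. Rule format and sample data are constructed, not real.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List

# Remote-management ports the article names.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

@dataclass(frozen=True)
class Rule:
    server: str   # constructed server label
    proto: str    # "tcp" or "udp"
    port: int     # destination port allowed in
    source: str   # CIDR permitted to reach the port

def is_world_open(source: str) -> bool:
    """True when the source CIDR admits every address (0.0.0.0/0 or ::/0)."""
    return ip_network(source, strict=False).prefixlen == 0

def audit(rules: List[Rule]) -> Dict[str, List[str]]:
    """Return {server: [findings]} for admin ports reachable from anywhere."""
    findings: Dict[str, List[str]] = {}
    for r in rules:
        if r.proto == "tcp" and r.port in ADMIN_PORTS and is_world_open(r.source):
            msg = f"{ADMIN_PORTS[r.port]} ({r.port}/tcp) open to {r.source}"
            findings.setdefault(r.server, []).append(msg)
    return findings

def tighten(rule: Rule, admin_cidr: str) -> Rule:
    """Corrected form of a world-open admin rule: limit the source to the
    administrators' address range instead of closing management access."""
    return Rule(rule.server, rule.proto, rule.port, admin_cidr)

# Constructed ruleset spanning two servers; comments state the expected verdict.
SAMPLE_RULES = [
    Rule("web-1", "tcp", 443, "0.0.0.0/0"),     # public HTTPS: expected, no finding
    Rule("web-1", "tcp", 22, "0.0.0.0/0"),      # SSH to the world: finding
    Rule("db-1", "tcp", 3389, "::/0"),          # RDP to the world over IPv6: finding
    Rule("db-1", "tcp", 22, "203.0.113.0/24"),  # SSH limited to admin range: ok
]

if __name__ == "__main__":
    for server, issues in audit(SAMPLE_RULES).items():
        for issue in issues:
            print(f"{server}: {issue}")
    fixed = tighten(SAMPLE_RULES[1], "203.0.113.0/24")
    print("after tightening web-1 SSH:", audit([fixed]) or "no findings")
```

Running the same check against every server and provider from one place is the centralized, automated management the article calls for; the rule schema here would be replaced by whatever each provider's firewall exposes.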

As a technologist, it's terrific to see cloud computing grow so rapidly. As a security guy, it's concerning to see that this explosive growth has come at a sacrifice to security. I've talked with a lot of security folks, and they tell me they're struggling to catch up with the developers and infrastructure teams which are quickly migrating their enterprises to the cloud. New solutions are needed to help them catch up, approaches that give cloud providers the tools to protect their customers.


Evolution of online attacks mirrors the history of advertising

Cameron Byers, sales engineer, Astaro, Sophos • January 17, 2012

The rise of television brought with it the golden age of mass marketing. Businesses selling consumer goods would pay large sums of money to have their ads featured during prime viewing hours and during popular programs. This continues today with extravagant Super Bowl ad space. Over the last decade, with the explosion of online content and sophisticated database mining, advertisers became more aware of demographic information that would allow them to become more targeted in their approach. Today, with the prevalence of internet access and the amount of time consumers spend online, advertisers have moved away from mass marketing programs and are more focused on targeted and personalized marketing.

The evolution of online attacks seems to mirror the progression advertising has taken. In the beginning, hacking was done for fun and hackers were driven by a spirit of adventure. However, some hackers soon realized the potential for personal financial gain from their hacking. Thus, the birth of trojan horses, keyloggers and malware distributed via spam messages. Much like television commercials of old, these attacks were broadly distributed; the strategy being to hit as many people as possible in the hopes a small percentage would download the malware. In general, this shotgun-type strategy was successful as unsuspecting victims would click on malicious links and have their account information, passwords or identity sent to a hacker's developing database. Black-hat hackers could focus on quickly creating simple and oftentimes low-quality malware and, due to the sheer distribution volume, this method was profitable.

Just as we are seeing an increase in personalized targeted advertising, we are now seeing the rise of targeted attacks. In the past, this method of hacking was considered unprofitable as it took too long to create a targeted attack, thus reducing the profit margin. The falling cost of producing high-quality malware and the data exposed by large customer database breaches, coupled with the surge in hacktivism, mean we will begin seeing more targeted attacks in the future.

While the goals of criminal gangs and hacktivists may differ (profit vs. issues awareness), they are using similar tactics – malicious code designed for a specific targeted attack. The reason for the coming rise in targeted attacks is two-fold:

  1. targeting certain types of businesses has become a profitable endeavor, and
  2. social issues are once again spurring hackers into action.

Why is it now profitable to target specific accounts when it once was not considered a lucrative strategy? One reason may be the success security professionals have had with educating employees and technology users regarding online threats. It isn't that the creation of high-quality malware has become easier; it is that getting users to fall for their scams has become more difficult, making broad-based attacks less profitable. As a result, hackers are finding it more profitable to target a specific company or organization with an attack designed to steal data. These attacks are harder to defend against as they often involve rather sophisticated social engineering approaches and often are harder for common email spam scanners or content filters to detect. They depend on SQL injections and the infection of web applications or common social media sites, such as Facebook, rather than spam or malicious websites.

On the other side of the spectrum are hacktivists who are targeting a specific organization, not for profit but for social awareness. These socially minded hackers know that a high-profile security breach can damage the reputation of what they deem a socially irresponsible organization or bring down the network of a company the hacktivist believes is responsible for some injustice. It is the technological equivalent of protesting outside of the organization's office – and even more effective as it can quickly generate a global media buzz online when successful.

The number of targeted attacks will only increase in 2012 as users become more aware of broad-based threats, hacktivists become more active, and black-hat hackers create more sophisticated malware. For the general consumer and business, watching for these new approaches and taking control of your security policy enforcement should be a focus for your New Year's resolutions.
