Security is compromised every day, whether the result of a bad password or someone from inside the company or from outside getting into the network to steal data.
These words of warning came from Adam Meyers, principal of the information assurance division at SRA International, maker of technology tools and services. Meyers spoke last Tuesday at the SC World Congress in New York.
Further complicating the situation is the fact that even though there are a lot of tools to address these sorts of compromises, the more technology added to a network, the more problems that could spring up.
“As we bring in new technology, we increase the attack surface of organizations because they’re implemented so quickly, and there’s no chance for security to be developed,” Meyers said.
He pointed to applications with a lot of untested issues, like AJAX and Facebook.
“It’s a problem because a number of the newest technologies, particularly Web 2.0 and social networking, are implemented before they’re secure,” he said.
Because of such nuisances as drive-by malware, an organization can have the most secure email system in the world, but an employee could still easily download malware while surfing the web, he said.
“The way that malware can get on the network is growing,” said Meyers, who runs a team of 10 at the U.S. State Department that reverse engineers coding that comes into the system. “There’s an arms race between operating systems and malware. We’ve identified the fact that there are problems on the network, but we have to patch to remediate.”
But, even when running patches, there still are likely to be problems because not everyone is connected at all times, he said.
Ultimately, there is no technology fix for human problems, he said.
“User awareness is a big issue,” meyers said. “Some users do not know about threats.”
These problems are not going away, he said. But there was a silver lining for the early morning crowd of technologists.
“The good news is it will keep us employed for a long time,” he said. “And tools can help.”