The Dangers of Consumerization
- The growing sophistication of fraudsters and their ability to stay a step ahead of the latest security solutions;
- The concurrent "consumerization" of the workplace - employees using home PCs for work, work PCs at home, and increased activity in social media.
Such is the advice from John Pescatore, VP and distinguished analyst at Gartner. In an exclusive interview on security trends, threats and solutions, Pescatore discusses:
- The threats that concern him most;
- Encouraging security solutions;
- Trends to watch as we head toward 2011.
Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, he was senior consultant for Entrust Technologies and Trusted Information Systems, where he started and managed security consulting groups. His previous experience includes 11 years with GTE, as well as employment with NSA and the U.S. Secret Service.
TOM FIELD: John, we spoke first last October about threats and trends, and I guess my question to you up front is: Are we safer now than we were in October of last year?
JOHN PESCATORE: Well, unfortunately, in general I would have to say we are not safer, and it's really because of two trends. One trend is certainly the bad guys, the attacks, the botnet threat and the more complicated targeted attacks that can be very, very damaging and much more difficult to detect or stop. The bad guys have certainly kept up generating new attacks and very complex effective ones.
Probably more important than the trends of the bad guys is actually what has been the trend of the good guys. What's sort of changing in enterprises and businesses is a trend Gartner calls consumerization -- essentially much more demand by users to use their home PC or be allowed to access the Internet in a much more unfettered manner, and use social networking and perhaps use Google Apps or Twitter or MySpace to get their job done.
So what has really happened is sort of simultaneously businesses are getting driven to have less control over the hardware, the software, the services users use to get their job done, at pretty much the same time the attackers are getting more clever. I guess, unfortunately, I have to say in the past year we've actually seen the dangers go up.
FIELD: Well, John, you anticipated a question I have about consumerization, and that's talking about social media and mobile technology. We discussed this last fall, but since then how have the threats and the solutions evolved?
PESCATORE: Well, if you look at those two different areas ... first social media. There are sort of two different threats; one is they are just websites and they get compromised like every other website gets compromised, whether it is the BBC or Alicia Keys' homepage. They often have vulnerabilities, and websites get compromised and are used to attack users, so that's one area that is part of overall web security that is not really much different with this trend of social networking.
However, what is different is consciously using social media for business purposes, and then the dangers of information leakage of sensitive customer or business information inadvertently being put out onto social networks, or in this trend to consumerization allowing people to use home PCs and sensitive information being there, or conversely using work PCs for more personal purposes. A great story came out that some congressional aides had installed file sharing software -- music stealing software, basically -- on their work PCs to share music, and they didn't realize that that type of software indexed their entire hard drive and it [published] sensitive government reports that happened to be on their hard drive.
So this issue of mixing between personal and business use, with social networks being a prime example of that, brings a lot more risk of information leakage and makes very expensive, high business impact disclosure events much more likely.
On the mobile side, a little different story. Much of the sort of new push for mobility has been around smartphones. The iPhone was certainly the poster child, then the iPad, and now the Droid phones coming out. The risks there are a little different. The real risks are physical loss of these devices or the fact that they are fads, and that two years from now or a year from now people will buy a new one and sell their old one and throw it away or whatever, and there is a lot of information stored on these devices, email contacts, that if the device is lost or stolen the information is compromised, or if it is sold on eBay all the information is there.
So mobility, the major changes since we last talked, have been a lot more penetration and demand for the use of smartphones, going down to BlackBerry and some of these newer devices that haven't yet added all the safeguards that the typical enterprise needs around mobility.
FIELD: Well the threats have certainly evolved, do you see solutions evolving in these areas as well?
PESCATORE: I think certainly here in 2010 probably the major security story was the attack against Google, the so-called Aurora Attack that was pretty much a straightforward botnet kind of attack that hit them and many others. Now we are seeing solutions evolve and existing security controls evolve to do better jobs against those types of attacks. Certainly, the web security tier, what you do put between your employees and the internet, is the most important part.
In the old days, mostly what we did in web security was try to keep employees away from illegal sites or dangerous sites or porno sites or whatever. Much more important than that tier is looking at what comes back from the sites we do allow employees to go to.
So as I mentioned, websites get compromised quite a bit. We will let our employees go to general news websites or whatever, they get compromised, and these botnet attacks try to download malware onto our employees' PCs. The current generation, the latest generation of web security gateways can do a much, much better job in blocking the bad stuff from coming from those compromised websites.
Another very important dimension on web security is your ability to deliver it as a service. What I mean by that is it's one thing to protect your employees when they are sitting at their desks on the network inside your perimeter. What about when they are on their work laptop at the Starbucks hotspot, or on the hotel cable modem, or at home on their home network? So the ability to make sure that whenever your managed PCs, and laptops in particular, connect to the internet they will still flow through your two-way web security policy by using web security as a service is very, very key. That has been one of the bigger improvements in the security capabilities to protect laptops, so that has certainly evolved.
We have also seen a number of other solutions starting out today as point solutions to do a better job of detecting targeted threats, and enabling faster reaction to threats. Over the next year or two, we see those things getting absorbed, those advances in detecting these threats, starting to get absorbed into what Gartner calls the Next Generation Firewall, doing much better application identification and control and these web security gateways getting upgraded to do a much better job in dealing with the targeted threats.
So as usual it is sort of the security chess game where the bad guys have the white pieces and get to go first, and security has to react and go next, but we are seeing movement forward.
FIELD: Beyond consumerization and mobility John, which current threats concern you the most?
PESCATORE: Well, I think that the botnet threat is certainly number one. That has been going on for quite some time. I think that will be the sort of dominant threat delivery mechanism for the next couple of years to take advantage of compromised websites, take advantage of loose security policies on PCs, and multi-staged threats that get on the PC as a small loader that later on brings down the targeted baggage. I think we will see that for the next several years.
Probably after that, start looking at the rise of virtualization and consumption of cloud-based services as certainly another sort of breakage in the way IT is done, just the way the internet was breakage and before it client server was breakage. So whenever you see those major breakages in how IT is delivered, we know new threats will come, and we also know the way security is delivered will have to change.
So a couple of years from now, when there is more use of both public and private cloud and a lot more dependence on virtualization, and a lot more attackers who have spent more time pounding on hypervisors and virtualization platforms and virtual machines and the like, I think that, by say 2012, is where we will see sort of the next generation of very dangerous threats coming from.
FIELD: Flipside of that, John: What are the emerging solutions that actually encourage you?
PESCATORE: Well, you know if you think back to when alcohol was illegal and the moonshiners souped up their car engines to go faster than the police, and the police said, "Oh, we can use souped up car engines too." So technologies like virtualization, while they open up new risks and sort of break existing IT configuration management change control, access control kind of processes, they also allow us to do some things in security we couldn't do before.
For example, this issue of detecting targeted threats, something other than signature-based detection; very, very compute intensive to try to investigate, inspect every executable that flies down the wire and do it in real time. But with the ability to pull in cloud-based computing resources, we can do things in a distributive manner. I think we will see solutions coming out that take advantage of virtualization to do things like that.
Already today we see vendors out there with approaches for mimicking target environments and quickly detecting malicious software using virtualization to do that, so I think that will be some of the advances.
I think we are starting to see a little bit of movement towards addressing one of the biggest vulnerabilities we have, and that we've had since the mainframe days really, and that is continued use of reusable passwords. When you look at most of the most dangerous, damaging identity theft kind of attacks out there, essentially they have captured users' passwords, and since those passwords are reusable, the attacker is golden and they can drain your bank account, your credit card or whatever. This recent kerfuffle with the iTunes store where somebody compromised iTunes accounts and was able to order lots of software is a good example of that.
If instead of this reusable password we had sort of one-time passwords or stronger authentication such that an attacker who got my password -- it wasn't going to help them the next time they tried it. That is a major, major advance in security, and it has always been hard to get there, but we are starting to see text messaging add-on approaches going beyond reusable passwords, keystroke biometrics (the way people type), or profiling of the hardware they use.
We have started to see the steps forward in someday chewing away at the dominance of the very vulnerable reusable password, and I think we will see some advances there in the next two years as well.
FIELD: Interesting you mentioned strong authentication. We are aware that the FFIEC has a subgroup that is talking about strong authentication now. Do you think that we will see further guidance coming down from the regulatory agencies that then might spread out not just in banking but also throughout business?
PESCATORE: Well, the FFIEC came out a while ago and mandated risk-based authentication. It didn't specifically say strong or multi-factor type authentication, and it left the leeway up to businesses to deal with the problem. The problem is the consumers are not wild about having to carry something around or plug something into their computer to get things done, nor do today's standard computers make it very easy for them to do that.
So Gartner surveys consistently show consumers are very reluctant to accept anything that makes their life more complicated. Similarly, businesses are very reluctant to roll out expensive solutions that may cost them tens or hundreds of dollars per customer to roll out, and have their customers hate them and reduce the number of transactions they do.
You know, if car keys had to be the size of lacrosse sticks, people probably wouldn't drive as much, so there has to be a balance here, and that has been the tough part. Now with the sort of widespread acceptance of cell phones and text messaging, we start to see that as sort of a low resistance path. We have seen many, many banks experimenting with text messaging as that sort of additional form of authentication, certainly in Europe we have seen it quite a bit more.
I think that there is some movement forward, but I don't think there is an ability for government to mandate this type of thing in consumer services. What I would like to see is the government mandate some stronger form of authentication for all citizen interaction with the government. Today you can file your taxes online with the IRS, which is just a reusable PIN. I would like to see the government sort of show some leadership and up the ante in the strength of authentication for dealing with the government, and then hopefully that will bleed over into private industry.
FIELD: So we find ourselves now in the second half of 2010 already. What trends do we need to be keeping an eye on as we are starting to head into 2011?
PESCATORE: Well, I want to point to the cloud and consumerization trends as the top two. The cloud one, for this reason: If you think back to all of the problems we have been dealing with in the past 10 years, say, sort of since the internet became a standard part of our lives, we've been dealing with software vulnerabilities.
Whether it is the Windows operating system or Adobe or Oracle or websites, it's all about software vulnerabilities, and the progress that has been made over the past 10 years has been where the software vendors have at least gotten a little bit better. We still have vulnerabilities in their software, we have several out this week in Microsoft alone, but we've gotten better.
The reason we have gotten better is that most of the software vendors have put in secure development lifecycles, they have emphasized security testing during the development of software and improved their processes and so on, but then along comes cloud and consumerization.
Cloud being "oh the software is out in the cloud; we can change it anytime we want" -- that's one of the benefits; we can more quickly update and so on. But how does a secure development lifecycle work in an environment where the software can be changed every day versus a process that requires inspection and change and rigor and so on that would eliminate vulnerabilities? So the cloud trend and the way application development will change unfortunately promise to bring in lots more software vulnerabilities all over again, so that one concerns me.
The consumerization side is sort of a similar issue. When you look at the Googles and the Twitters and the MySpaces especially, even the Apples and others that sell to consumers primarily, two major issues: One, the Googles of the world and Twitters, their revenue is through advertising. Their revenue is through getting people to expose personal information so they can sell ads around it. That is the exact opposite of security. We want to expose as little information as possible. So this trend of advertising support of consumerization and businesses using these services, to me that has a lot of problems just built in from the start.
Even when advertising is not involved, when you look at buying products from Apple or even buying Google's business-oriented services, since they are consumer-oriented they never include the sort of manageability and configuration control and auditing and all these types of functions that enterprises need in order to manage their IT and their information to meet the mandate of protecting our customers information.
So, those are the two trends, consumerization and cloud, that I think are going to throw some monkey wrenches in a lot of the advances we have made over the past couple of years.
FIELD: So, for organizations looking to protect themselves and anticipate evolving threats, if you could boil it down what advice would you give to them?
PESCATORE: Well, I would sort of break it up into three different ways. Certainly, you know since I am in the security union, you always have to talk about policy and educating users, and certainly that has to be done, but you can never rely on policy or educating users to protect you against anything. Really, what has to happen in most of these trends, whether it is mobility or consumerization or cloud, the business is heading in that direction for some business advantage, quite often cost reduction. It is cheaper to use web-based email than Microsoft Exchange, or cloud-based computing is cheaper than building your own data center.
So, wherever there are those cost reductions, some part of it has to be dedicated to adding back in the security that has gone away. So, again, if your business is doing the "bring your own PC to work" or "hey, we are looking at cloud computing" or any of these consumer grade applications that save all of this money, the security group has to say "Well, here are the standard security controls that need to be put in to enable the business to take advantage of that and be part of the solution," not coming along later and just detecting the problem.
So again, so much of this is about cost savings, making sure up front we are saying for a small fraction of those cost savings, security can be baked in to minimize many of the risks; that is certainly number one.
And then I would say the number two suggestion is to say for consumerization in particular, have a defined set of standards that you say "Well, okay, if everybody wants to use this latest device, iPad or Droid phones or whatever comes next, as long as it provides these five security functions, we can consider it." But if it doesn't at least include these five (and those five are typically enforce a password, enforce a password timeout time, enforce a password lockout, encrypt the contents on the device, and have an over-the-air kill switch in case the device gets stolen), have your standards defined so you can clearly say, no this device is not ready and this other device we can now at least manage securely and add security on top of it.
If you don't have that defined, then with the pace of consumerization and these new devices flying out, you will never be able to fight off this trend, or you will never be able to enable the business advantage of mobility while making sure security gets baked in.
That's really what it's all about with these trends. Just as we really couldn't say no to the Internet back in the mainframe days, or we couldn't say no to client servers, today we can't say no to these trends. They are out of the box, and they are going to happen, so we have to make sure we get security baked in as early as possible.
FIELD: John, as always I appreciate your time and your insights. Thank you so much.
PESCATORE: Okay great, good to talk to you.
FIELD: We have been talking with John Pescatore with Gartner. For Information Security Media Group, I'm Tom Field. Thank you very much.