SINGAPORE, JULY 18, 2008 Managing information security governance in the traditional sense is no longer sufficient as cyber threats evolve. Such was the message echoed during Oracle's security symposium, where key speakers challenged long-standing notions of data protection.
A PricewaterhouseCoopers 2007 survey revealed that significant information security threats in Singapore came from insiders, third-party security issues, and financial fraud. In particular, only 15 per cent of respondents expressed confidence over third-party security.
Evolving threat landscape
The traditional assumption that just because cybercriminals are unaware of passwords and other sensitive information is security in itself cannot stand today, according to Wong Loke Yeow, Oracle's regional director, Technology Solutions (Security), Asia-Pacific.
Information security threats have significantly evolved since 1996, Wong says. Back then, hackers were mostly amateur and motivated by fame, while attacks were generic and caused relatively minor damage.
He says that today, organised cybercrime is on the rise and most perpetrators are fortune-seekers. Attacks are more targeted, while crimes like identity theft can cause catastrophic damage.
In response, security solutions have also evolved. First generation solutions like firewalls and intrusion detection systems were reactive and mainly focused against threats external to the organisation, Wong says. Second generation solutions added patch management and react faster than first generation ones.
However, he warns that the threats are escalating at a much faster rate than improvements in security solutions. I expect third generation solutions to also deal with internal threats, be proactive, provide end-to-end security, and maximise effectiveness of existing resources.
Wong believes that everyone in the organisation, not only IT staff, should be responsible for information security. A framework of security standards, policies and processes is useless without people to enforce them.
Responding to vulnerabilities
Several recent developments in the web arena have heightened information security concerns, according to Larry Lam, president of Information Systems Audit & Control Association, Singapore.
Lam points to the example of Dan Kaminsky, IOActive's director of penetration testing, who stumbled upon an internet Domain Name System vulnerability earlier this year.
Experts cite a possible scenario where an attacker takes advantage of the flaw to target an internet service provider, and replace entire websites with malicious content.
Kaminsky responded by approaching industry giants like Microsoft, Sun and Cisco for patches to be secretly developed. Consequently, several major vendors simultaneously released their patches early this month.
With increasing threats, information security governance and related regulations may become more prescriptive, Lam says. But if enterprises follow them too closely without occasionally asking whether they make sense for the business, security problems may still ensue.
Improving IT governance
IT governance is a framework and capacity for making and implementing decisions required to manage, control and monitor IT within the business, says Ramesh Moosa, director of advisory services at PricewaterhouseCoopers Singapore.
Sign up for Computerworld eNewsletters.