How has IT security evolved overtime?
In the last ten years, there have been a number of fundamental shifts in technology and its use that require equally fundamental shifts in attitudes towards security. Information technology has evolved from purely a means of systems automation into an essential characteristic of society. The kind of quality, reliability and availability that has traditionally been associated only with power and water utilities is now essential for the technology used to deliver government and business services running in cyberspace.
Technology is changing rapidly, and another fundamental shift is occurring with the emergence of cloud computing. Cloud computing enables individuals and organizations to access application services and data from anywhere via a web interface; it is essentially an application service provider model of delivery with attitude. The economies possible through use of cloud, rather than internal IT solutions, will inevitably see the majority of businesses and, increasingly, governments running in the cloud within the next few years. This substantially changes the ways in which organizations can affect and manage both their IT function and security in their systems.
Today’s security standards were developed in a world in which computers were subject to fraud and other criminal activities by individuals inside and, in some cases, outside the organization. However, this has changed in the last few years with the rapid increase in organized cyber crime through the emergence of robot networks (botnets), which enable criminal activity to be conducted on an unprecedented global scale and can also be used as force multipliers to deliver massive denial-of-service attacks (DDoS) on targeted businesses—at a level at which nations are increasingly at risk of being cut off from the global Internet.
With improvements in technology and capability, organized attackers are much more easily able to cause disruption and fraud. There are a number of specific steps that can be taken to improve the situation and redress somewhat the woeful state of affairs in which the information security industry finds itself.
Given the number of vulnerabilities that exist in new applications (as demonstrated by the numerous security patches that are issued by major software vendors), the plethora of tools available to cause mayhem across organizations connected to the Internet, and the growing knowledge and capability of the user community, government and industry are avoiding major incidents through luck rather than good judgement.
The frequency and severity of issues will only increase, Higher bandwidth and increased computing power may extend the ferocity of any concerted attack, and every IP-enabled device could become a potential threat—not just home computers, but also household appliances, cars and mobile phones. In cyberspace, one’s refrigerator could be a hostile agent.
Cyber threats are changing from individual hackers through organized crime and terrorist-based attacks to national- or state-sponsored cyber attacks, the level of danger is correspondingly increasing. Thus, while individuals may cause mayhem, it has been largely unsustainable and contained. Now an attack may result in widespread destruction and an ongoing undermining of state sovereignty.
Organizations must stay informed about attack trends and specific-to-them security exposures, and be able to react to these. In addition, testing systems against known security exposures provides a defense-in-depth approach to managing such vulnerabilities. A simple penetration test of an organization’s external systems will reveal configuration issues or unapplied patches. Hardening systems is another technique used to limit exposure from vendor-delivered vulnerabilities, by closing unused connections and checking for password vulnerabilities, dormant accounts and other weaknesses that may be exploited by any number of readily available attack tools.
By understanding the business and the operational environment, it is possible to develop a security model that is effective and sustainable. Generic security models have been developed over the years based on physical security controls to protect information and systems that are housed in a single or defined location as well as an electronic perimeter to protect systems that are complete in themselves; however, these models no longer apply. With the advent of virtual companies that exist predominantly on the Internet, with staff members working in a variety of locations, and with information on mobile devices and in the public cloud ,traditional models can protect only a fraction of the business information. Most of the security expenditure today is focused on some form of compliance and not on protecting the critical business information.
Technology needs to be architect-ed to reduce the propensity for attacks in cyberspace. This will require a fundamental rethink of the way services are provided to the network. There is no single solution or panacea to the issues of systems security, nor should there be. Each organization should assess what its needs are, how it intends to conduct its business activities and what the risks are to that process. There are plethora’s of highly capable solutions that can then be implemented and, more important, maintained.
Security technology continues to be complex and unwieldy, and not well aligned with consumer needs. Having to remember multiple IDs and complex passwords is a major inconvenience and a cause of many security issues. Posting personal information to public sites continues to be a contributing factor to identity theft. Firewalls protect what information is left behind inside the corporate electronic perimeter, but do little to protect the vast amount of business-sensitive information outside. Intrusion detection systems detect yesterday’s problems, but not tomorrow’s problems. Security models, architectures and technologies need to reflect these concerns.
Multiple activities within the business do not mean that there should be multiple security architectures to support them. Having a single, consistent and persistent approach that is proven and flexible is much easier to maintain. However, this does require a good understanding of the business objectives, the operational market and the risks the business faces. Hence, the security model must recognize that protection of services and information in itself is not enough; the company must be able to recover from failure and continue to operate at a level expected by its operating partners and customers. Moreover, it must be able to demonstrate that capability on a continuous basis.
Lack of security measures and poorly skilled professionals are giving strength to attackers. Cyber security professionals have failed to show their potential skills to overcome this rising issue, either they are not well known about the defending strategies or their knowledge and skills are not enough to do so. According to research, the world is facing a shortage of skilled cyber security professionals, and the threat will increase further in coming years.
Organizations around the world are working on intend to stop such kind of attacks somehow. Nevertheless, hackers are one-step ahead because of their significantly growing and revolutionizing techniques. But, the future InfoSec professional will defend and help us to make a better cyber world.