Survey finds internal security a concern

While outside attacks are still a primary concern for security officers, internal network security is becoming more of a concern, according to a study by Deloitte Touche Tohmatsu.

Nearly half of financial institutions reported having experienced an internal breach of security, according to Deloitte's 2006 Global Security Survey released this week.

Though external security breaches still outnumber internal breaches, at 78 percent, the rise of internal breaches shows that security officers may have been putting too much emphasis on keeping outsiders at bay, according to Paul Kurtz, executive director of the Cyber Security Industry Alliance.

"It's been an oversight more than anything," he said. "The idea was always perimeter security."

Many of the most often-reported attacks, such as phishing and pharming, are types of attacks intended to extort monetary gain, a fact that cements the changing prototype of a computer hacker away from the college student in his basement, Kurtz said.

"This survey confirms yet again that the folks behind these attacks are getting even more sophisticated," he said, calling the old stereotype "a thing of the past."

"There's real money to be made here. The attackers are getting more stealthy as they go forward."

Ted DeZabala, a principle in Deloitte & Touche's enterprise risk services group, said that security officers now have to be prepared for attacks that are well organized and multi-pronged.

"We're seeing more sophisticated and more coordinated plans of attack," he said.

DeZabala said companies will have to respond with multiple layers of protection, mixing system resiliency, various forms of encryption and monitoring.

"We're going to see more aggressive monitoring activities to watch traffic and look for anomalies," he said. "That's not new, but it's becoming more sophisticated."

Similarly, he said that encryption for data at rest is a technology that's been around for a while but should see wider implementation soon.

"Only just now we've seen big institutions take these steps and utilize stronger authentication techniques," he said.

Kurtz agreed that encryption is, along with identity management technology, the key points to take from this year's Deloitte study.

"The difference between last year's study and this year's is that the key findings are getting more granular," he said.

Kurtz said that data encryption is becoming an essential security measure.

"There's no reason to put data at risk," he said. "The technology is evolving as well to make it easier and more seamless."

Multi-factor authentication is going to be the key to improving identity management, Kurtz said.

"The evolution from a place where we use password authentication to a place where we use multi-factor authentication is on its way," he said.

He noted that multi-factor authentication provides security not only externally but within an organization as well.

DeZabala said that multi-factor authentication is beneficial but is not a security cure-all.

"Regulatory bodies are pushing multi-factor authentication," he said. "It probably will not prevent that many of these kinds of phishing and pharming attacks. It will get rid of some of the more mundane types of attacks, though."

DeZabala said that user entitlement and employee access systems are a key aspect of identity management, especially for the financial sector.

"They appear to be getting attention in financial services because of the advent of access controls," he said. "The banking industry is interested in them because they have a lot of activity in dealing with user control."

Elsewhere, almost half of respondents called disaster recovery and business continuity a top security initiative, with 88 percent of respondents claiming to have an enterprise-wide business continuity management program in place.

Kurtz said that Hurricane Katrina last year called attention to the need for business recovery and the lack of plans to deal with disaster possibilities.

"I don't think it's nearly as sophisticated as it should be," he said, "but at least security officers are starting to ask the right questions. I bet business continuity will expand for a variety of reasons."

DeZabala said that seeing the damage many companies suffered from Katrina induced many companies to examine the continuity policies they have in place.

"They're rethinking how much risk they're willing to live with," he said.

DeZabala said that the damage from Katrina caught the attention of industry regulators.

"Regulators are pushing for addressing proximity risk, which is the risk that a particular region might be affected by a wide-scale disaster," he said. "Many organizations would probably not put programs in place to deal with a nuclear disaster, for example."

Copyright 2006 by United Press International

Related stories:

Citibank ATM breach reveals PIN security problems
(AP) -- Hackers broke into Citibank's network of ATMs inside 7-Eleven stores this year and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.
Wake-up call to business: Tighten up on information security
According to the Department of Trade and Industry there are 4.5 million businesses in the UK of which 99.3% are small to medium sized enterprises (SMEs), employing 0-49 employees. These comprise 58.9% of the total workforce of 24.4 million and account for 51.9% of the £2,600 billion UK turnover. Bruce Hallas, a specialist in information security, said "SMEs are particularly prone to poor or even non-existent information security. As awareness of the importance of information security increases, the SMEs stand to lose competitiveness, potentially losing contracts with existing clients and suffering the financial consequences that are increasingly arising from information security incidents."
Chill out, your computer knows what’s best for you
Computers are starting to become more human-centric, anticipating your needs and smoothly acting to meet them. Much of the progress can be attributed to work done by European researchers.

Samsung Introduces 90-Nanometer High Performance Smart Card IC
Samsung Electronics Co., Ltd., a leader in advanced semiconductor technology, announced today its 90-nanometer smart card IC with high data storage capacity for subscriber identity module (SIM) cards and mobile TV applications.
NIST shows on-card fingerprint match is secure, speedy
A fingerprint identification technology for use in Personal Identification Verification (PIV) cards that offers improved protection from identity theft meets the standardized accuracy criteria for federal identification cards according to researchers at the National Institute of Standards and Technology.
Researchers Discover New Way to Store Information Via DNA
Researchers at UC Riverside have found a way to get into your body and your bloodstream. No, they’re not spiritual gurus or B-movie mad scientists. Nathaniel G. Portney, Yonghui Wu, Stefano Lonardi, and Mihri Ozkan from UCR’s departments of Bioengineering, Computer Science and Engineering, Biochemistry, and Electrical Engineering, and the Center for Nanoscale Science and Engineering, are just talented when it comes to manipulating DNA.
'Smart' holograms help patients help themselves
Patients with diabetes, cardiac problems, kidney disorders or high blood pressure could benefit from the development of new hologram technology. The new "smart" holograms, which can detect changes in, for example, blood-glucose levels, should make self-diagnosis much simpler, cheaper and more reliable, write Chris Lowe and Cynthia Larbey in February’s Physics World.
Hitachi develops finger vein authentication technology for steering wheels
Hitachi, Ltd. announced today the development of finger vein authentication technology which provides authorized driver verification in a fraction of a second just by gripping the steering wheel.

News discussion:

Technology news