Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Cyber-Security in 2013: Software, People Still Have Vulnerabilities

    By
    Sean Michael Kerner
    -
    October 7, 2013
    Share
    Facebook
    Twitter
    Linkedin
      enterprise security

      Both cyber-security awareness and the security threat landscape itself have changed over the past decade, but some of the basics about how individuals and enterprises can stay secure have not. October 2013 marks the 10th anniversary of National Cyber Security Awareness Month, which is all about helping educate users and enterprises on how best to secure themselves against online threats.

      John Pescatore, director of the SANS Institute, a research an education organization, has seen security threats come and go across his 30 year career in the IT security market, which includes time spent as a Gartner analyst. The simple reality of cyber-security in 2013 is that software continues to have lots vulnerabilities, and people continue to have lots of vulnerabilities, Pescatore told eWEEK.

      “Each year, we try and change some behavior on the user side, and each year attacks are becoming much more targeted and clever,” Pescatore said.

      While vulnerabilities persist, there are a number of key areas for cyber-security awareness on which Pescatore wants to shed light.

      The rise in the use of social media in recent years has made it a fertile ground for attackers to farm for data that can lead to effective social engineering attacks. In a social engineering attack, the attacker uses information that appears to be legitimate in a bid to deceive the user into giving up a piece of information or clicking on a malicious link. Pescatore advises that users need to be conscious and aware of the information they give out on Twitter and Facebook as it could be used for malicious intents.

      Stealing passwords is also becoming increasingly common, but there is a defense for that, too. As a best practice, Pescatore recommends that users make full use of two-factor authentication systems to protect themselves. With two-factor authentication, instead of just having a single username/password combination, a second password that is randomly generated is required for access. Twitter, Google, LinkedIn, PayPal and Facebook are among the many online services that offer two-factor authentication options for users.

      System Security

      Ten years ago, IT security professionals warned users not to click on suspicious links. It’s a warning that is still unheeded by many, which begs the question—can IT security vendors protect users against malicious links?

      Operating systems on the mobile devices that people use every day in 2013 are in fact doing a reasonable job of protecting users against malicious links, Pescatore said. “It really just is mostly still Microsoft Windows where we have this problem,” he added.

      On Windows, the user expectation has long been that when you click on something, it is automatically executed, which is not how most mobile operating systems now work, Pescatore explained.

      “For people reading their email on an iPhone/iPad, they’re actually pretty safe,” he said.

      Software Engineering

      Another sad truth about the state of IT security in 2013 is that many of the same classes of flaws that existed in 2003 are still popular and are regularly exploited. The root cause of that might well have to do with flaws in how software is developed.

      “Software engineering is an oxymoron,” Pescatore said. “Software development is not an engineering discipline.”

      In contrast to a traditional engineering discipline—where, for example, a precise calculation can be made to determine the load a bridge can handle—Pescatore said the same precision for security doesn’t exist in software development. The issue today is not about being able to entirely eliminate classes of software vulnerabilities; rather, it’s about being able to shield people from flaws effectively, he added.

      One of the effective shield approaches that Pescatore advocates is the use of Web Application Firewall (WAF) technology. With a WAF, rules can be written that prevent Web application exploitation. There are also cloud-based services, including ones from Akamai, Incapsula and CloudFlare, among others that provide WAF as a service.

      Resource Spend

      When it comes to deciding where to invest resources to build security awareness, Pescatore has a very specific ratio.

      “If you have a dollar to spend on awareness training, spend 90 cents of it training your system administrators to set up systems correctly,” Pescatore said. “Then, with the remaining 10 cents from the dollar, figure out what you can do for the end user.”

      System administrators are high-value targets and are the gatekeepers of enterprise IT, Pescatore said, adding that when it comes to the end users, transferring responsibility to the user by some form of security awareness isn’t going to solve the problem.

      “We have had awareness programs about viruses for 25 years now, what magically now will cause someone to change their behavior?” Pescatore said. “Safety programs can never just rely on warning the user, they have to put protections in place.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×