by Michael Rushinsky of Sallie Mae
What are the highest security risks and threats that are coming down the pike facing all market verticals and why? How do CISOs effectively and efficiently manage the ever-evolving information security risk landscape and adequately mitigate that which we cannot control?
As I and several other information security executives discussed recently at the EC-Council CISO Summit, we must take a risk-based approach to proactively manage future security challenges to address the highest risks and effectively prioritize our efforts and financial spending. We need to meticulously balance the tradeoffs of risk vs. reward and tactical vs. strategic.
We are all in the midst of ever-changing technologies and paradigm shifts that carry inherent security challenges: mobile computing, WiFi, 3G/4G, multimedia, cloud computing, social media, personal devices, HTTP tunneling, increasing regulatory governance, etc.
While there are many looming challenges for the CISO, these are the top three which the EC-Council CISO Summit panel found to be the most immediate and far-reaching:
Authentication – Authentication continues to be one of the highest areas of security risk. We know there is a leapfrog effect of the white hats implementing stronger authentication methods and the black hats finding ways to defeat them. Traditional token-based two-factor authentication has had a long lifespan, and rightly so, but what’s next? Out-of-band (OoB) is the next evolution of strong multi-factor authentication. Basically, OoB is two or more factors of a) something you know (password, PIN, passphrase), b) something you have (token, ATM card, phone), and c) something you are (biometrics).
OoB is the use of mutually exclusive independent communication networks to authenticate an individual or entity such as the public Internet and the public switched telephone network (PSTN).
The real key is the ability to do this using end-users’ native phones, mobile or landline, without requiring any software or hardware installation and providing the same smooth user experience regardless of telephone type. The result is a pure native interactive voice response (IVR) type solution that is completely ubiquitous, regardless of the telephone type.
The recent update by the FFIEC to their Authentication in an Internet Banking Environment further supports this direction. CISOs need to begin investing in OoB pilots for traditional workforce remote access as well as customer and business partner facing Web applications, as well as internal administrative access to critical technologies. Additionally, strong authentication is the enabling prerequisite for safe and sound single-sign-on federated identity management and trusting SAML assertions.
Cyber warfare – This risk can take many forms, ranging from traditional fraud to espionage and organized crime. The nature of the global Internet is such that the international cyber warfare issue is really a domestic issue. For example, apply the insider threat philosophy — “The goal of an outsider is to first become an insider and then see what they can accomplish”– to the international cyber warfare issue: “The goal of a foreign perpetrator is to first become a domestic perpetrator and then see what they can accomplish.”
This problem is exacerbated by domestic botnets where foreign perpetrators can launch large scale precision attacks on U.S. targets that appear to originate domestically. A pseudo-proxy-type attack.
Mobile workforce – Finally, CISOs must balance the tradeoffs between enabling the mobile workforce. The advent of smartphones and the BYOD phenomenon means our workforce will continue to have personally owned devices with digital cameras, Web browsers, personal email, social media, etc. inside the workplace.
Continued prohibition of these personal avenues will no longer address the security risks. CISOs must embrace these technologies within the workplace and formulate strategies and solutions to adequately mitigate the data leak risks by controlling the flow of sensitive company data and information.
Michael Rushinsky is the director of Corporate Information Security at Sallie Mae. Michael’s responsibilities include ensuring the appropriate security posture is maintained for all Sallie Mae information systems and programs. Prior to Sallie Mae, Michael was the CISO at Irwin Financial Corporation with enterprise-wide responsibility for information and physical security, privacy, and business continuity/pandemic planning & disaster recovery. Michael coined the phrase, “A bit of data, a wealth of information” while coordinating the technology aspects of an international telemedicine event led by world-renowned cardiologist and surgeon Dr. Michael DeBakey.