A sense is growing that defenses have gotten stiffer and bad guys are too busy phishing for suckers on Twitter, so what’s the worry? Here it is in boldface, according to Steve Santorelli, a onetime Scotland Yard cybercrime specialist now working for security research firm Team Cymru. “It gets more dangerous for enterprise IT online every day. That’s the reality.”
So why so much IT complacency? Experts point to 10 big myths about safe browsing inside the enterprise:
Myth 1: The enemy is kids. Hah, snorted Santorelli, who explained that the enemy comes in all ages and that most of them are in it to make money. One proof was the late September round-up of around 100 hackers in the U.S., UK, and the Ukraine. The ring bilked businesses of up to $100 million using the Zeus Trojan (a slick key logger). Thrill-seeking hackers are out there; the 17-year-old Aussie who hacked into Twitter and sent users to Japanese porno sites is one example. But the real danger, said Santorelli, is the mounting number of for-profit criminals who are intent on looting corporate treasuries.
Myth 2: Updated anti-virus software will keep enterprise computers safe. Rubbish, said Dave Lowenstein, CEO of IT security firm Federated Networks. “It neutralizes at best 25 to 50 percent of threats,” he said. Meaning it misses 50% or more.
Myth 3: Apple computers are safe. Some CIOs say requests to bring in Apple gear are rising. The purported safety angle often is cited, but it’s nonsense, said John Linkous, chief security officer for security firm eiQnetworks. Macs have been ignored only because there are so few of them in business. If Apple sells more computers into the enterprise, hacker interest will necessarily rise, because hackers follow the money.
Myth 4: Some websites are trustworthy. Security experts pinpoint this as perhaps the prime problem of the moment. Threats increasingly have shifted out of email and onto “trusted” websites; Facebook frequently is cited. Because users’ guards are down, their vulnerability rises, and if they are browsing from the corporate network, hold on, troubles are brewing.
Myth 5: Gaming consoles are safe. Christopher Boyd, a senior threat researcher for GFI Software, pegged this as a surprise vulnerability at many companies that set up gaming devices in the employee lunchroom and then fail to recognize that it’s a backdoor into the system. Problems are acute with Xbox 360s, but he said other devices also pose risks.
Myth 6: Unmanaged smartphones represent minor risks. Don’t believe it, said Mark Guntrip, a product manager at Cisco, who indicated that smartphones ought to be ever more worrisome to CIOs. As the phones get smarter, with more memory and more processing power, users are indeed browsing with them and that can be a route into the corporate network.
Myth 7: Outside hackers are your prime threat. Not so fast, said LogLogic executive VP Bill Roth, who pointed to data claiming that 48 percent of all security incidents involve insiders.
Myth 8: Strong passwords are a cure. “Security types will go on about ‘strong’ passwords, but a strong password is just as phishable or keyloggable as a weak one, and if the one strong password applies to many of your accounts, you might find that more than just your Facebook account has been hijacked,” said Tom Newton, an executive with security company SmoothWall.
Myth 9: Tablets are inconsequential security risks. Apple alone has sold some 3.3 million iPads and BlackBerry, Samsung and more are piling on this form factor. Some CIOs continue to think that tablets running mobile phone operating systems are no big deal regarding security. Think again, said Tyler Reguly, lead security engineer for nCircle, a network security and compliance auditing firm.
“Tablets are really changing the game and content will just get harder for enterprises to manage. I’ve been caught by this myself recently. I hadn’t considered the risks of browsing a website using a custom app and was hit by ‘click-jacking’ on a popular social networking site. Unfortunately, tablet apps add another attack surface that is very difficult to lock down.”
Myth 10: “The biggest myth of safe web browsing is the myth of training,” said Anup Ghosh, founder of Invincea, a start-up security company. He claimed that threats have gotten so sophisticated and so camouflaged that they now often fool even sophisticated computer users. That means it just may be impossible to train employees to be safe, said Ghosh.
Are you listening now? This just may be a golden age for cyber criminals, say the experts. For CIOs this means it is time to really do a security inventory. ASAP.
Robert McGarvey – A busy freelance writer for more than 30 years, Rob McGarvey has written over 1500 articles for many of the nation’s leading publications, from Reader’s Digest to Playboy and from the NY Times to Harvard Business Review. McGarvey covers CEOs, business, high tech, human resources, real estate, and the energy sector. A particular specialty is advertorial sections for many top outlets, including the New York Times, Crain’s New York, and Fortune Magazine.