Secured in the software stack
As the focus of security has shifted away from the perimeter it has nonetheless remained network-centric. However, there are other vectors for attack.
IT security has come a long way. In the early days, simple unencrypted passwords were as much as was ever asked for, with the real ‘security’, such as it was, provided by the relative lack of people who used or understood computers. Later, firewalls became standard, aiming to protect networks from outside intrusion, while anti-virus software aimed to stop the inadvertent spread of malicious software.
Today, as the technology landscape has changed – everyone online all the time – these approaches have been augmented and replaced by a wider range of technologies.
Asked what he saw as the principal cyber threats to businesses today, Peter Rose, group chief technology officer of TEKenable, offered four. The obvious things remain threats, he said, such as phishing and unpatched and outdated systems, but there are also two other areas that often go unseen.
“One is insecure bespoke software solutions. The other is the fact that there is, frankly, too much security software on the market,” he said.
Indeed, software insecurity has been a problem for as long as software has existed. Few of us can be unaware of the long list of Windows vulnerabilities, for example. In reality, this is only the tip of the iceberg: a significant proportion of software – noteworthy developer Bruce Perens once put the figure at 90 per cent of software out there in the wild – is developed and used in-house to meet specific needs. With so much bespoke software in operation this poses the question: is it secure?
It also poses another question, Rose said: has anyone even thought about its security?
“What we see in a lot of [security] applications is that companies simply think of roles and access for users, not for other vectors for attack. It’s running behind a security box with blue flashing lights, so it is considered secure, but is it?” he said.
One solution would be to build security into tenders and contracts, he said. Industry standards, such as the ISO/IEC 27001 information security certification, exist, so it is not an arduous task to demand developers attain it.
“You’d be surprised how many [software] companies out there don't have ISO 27001, and I don't understand why they would ignore that,” he said.
Rose’s second point, that the sheer volume of security solutions on the market would make anyone’s head spin, also deserves consideration.
“There is such a bewildering range of packages and options out there that it's almost a full-time job understanding the options. You’re facing into thousands and thousands of options. I've been to shows where there might be 100 or 150 vendors exhibiting, each claiming to be the best and each overlapping with some of their competitors,” he said.
Because implementing security solutions takes time and costs money, the solutions tend to stick around. As a result, Rose said, businesses want to know they have best-in-class solutions, but that is almost impossible to know.
“Where are the benchmarks? You end up with the sales literature. The National Cyber Security Centre in Britain benchmarks tools for military and security use. It would be great if an organisation did that for everyone else, but to be genuinely independent of commercial organisations,” he said.
Rose said that today’s IT landscape made the perimeter less important. In some cases, such as companies that were all-in on the cloud, it was irrelevant.
“Our perimeter is remote working, BYOD mobile devices and SaaS,” he said. “In cases like ours, the traditional castle and moat around a LAN no longer matters.”
This means that security needs to focus not on the perimeter, but on the data and devices.
“We can't control the network on which our machines connect in from. What we can do is control the machine with centrally enforced security policies and software deployment. In effect we create a virtual LAN,” he said.
Security vendors have responded to these kinds of developments with new technologies such as threat hunting and artificial intelligence (AI). But how widespread is their use?
“For larger companies threat hunting would be pretty standard because they have big infrastructures, so unless they look for people, they won’t find any bad actors who have got in without tripping the tripwires,” he said.
AI, however, is used significantly less than it would seem in light of the acres of coverage dedicated to it. Rose said that where it was used, it tended to be used to analyse what people were doing on a network on a day-to-day basis, seeking out anomalies.
“AI is being used a fair amount in terms of behavioural analytics, but is it common? Is it standard? No.”