What should the IT security of tomorrow look like?
For a long time now, those responsible for IT security have relied on a quite simple principle: They separated protected internal areas, controlled and monitored by themselves (the “good” company network), from unprotected external areas, not monitored by them (the “bad” Internet). Between these was the perimeter. Data requiring protection belonged categorically in the internal area.
All data traffic which needed to be transmitted from the internal to the external area, or vice versa, had to pass the perimeter. As a result, what data left the protected area could be well monitored at the perimeter. Protection at the perimeter assumes that there is a secure inner area and an insecure outer area which can be clearly separated from each other. This has, however, not been the case for a long time now.
Important resources are today found outside the company borders (Cloud) and usage can basically occur from anywhere (Mobile) – with an increasing tendency. Systems that are actually operated within the inner area, and therefore count as protected, also have numerous access possibilities that circumvent the security mechanisms at the perimeter, be that through encrypted transmissions of data or because they, for example, establish their own wireless Internet connection.
Therefore, while perimeter security is still important for the protection of central internal systems, for a growing portion of the usage of IT systems in companies it is completely ineffective. Gartner estimates that as early as 2018, 25 % of the network traffic from companies will circumvent traditional security measures. Added to this is the fact that detection mechanisms for malware no longer function effectively. A broad analysis of the virus scanners available on the market, undertaken by Lastline Labs in 2014, came to the following conclusions:
- Only 51 % of the scanners were capable of detecting new malware samples within two days
- After two weeks, the detection rate had merely improved to 61 %
- Even after a year, 10 % of the scanners still did not detect a range of malware samples
- Some malware samples were never detected
Added to this is the fact that malware is becoming increasingly short-lived. FireEye determined in an investigation that 82 % of malware is distributed within one hour and hardly resurfaces after that, and that 70 % of malware is used in only a single attack.
It is neither possible to cleanly separate secure network areas and systems from insecure ones, nor to adequately prevent the penetration of malware, even in closely monitored systems and networks. And yet it is clear: IT security is more important than ever before, also given the dramatically growing number of systems connected to the Internet – including critical systems – and the growing importance of data. So what can be done? IT security experts met recently in Cologne for a meeting of the Competence Group Security of eco – Association of the German Internet Industry, and discussed this question and possible approaches to the form IT security will assume in the future.
Starting point for deliberation:
Attacks on IT systems and networks can hardly be effectively prevented with traditional methods – at best they can be impeded. The enemy is already inside the gates. This is why it is all the more important to detect the intruder as quickly as possible and to analyze their actions so as to limit the damage as much as possible, prevent the leakage of important data, correct any possible alterations that have been made, and close any backdoors that have been installed.
Many attacks remain undetected for a period of time – weeks, months or even years can pass before the damage is noticed. In order to provide better protection, it is necessary to have permanent monitoring of IT systems, networks and data streams; in addition, system events must be recorded and the logs retained for some time, in order to allow analysis and to gain insight in retrospect into the actions of an intruder:
- How did the intruder get into the system?
- Which vulnerabilities aided the intrusion?
- What data has been accessed?
- Has data been leaked?
- Have changes been made?
- Exactly which systems have been affected?
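As an added example (not code from the article or the eco working group), the following Python sketch shows how retained logs from several systems, correlated after the fact, answer the questions above; the hosts, addresses, users, paths and the key=value log format are constructed assumptions.

```python
"""Added example: reconstruct an intrusion from retained logs (not the article's code).
Hosts, IPs, users, paths and the key=value log format are all constructed assumptions."""
from collections import Counter

SAMPLE_LOGS = """\
ts=2015-03-01T02:10:01 host=vpn-gw event=auth result=fail user=admin src=203.0.113.7
ts=2015-03-01T02:10:02 host=vpn-gw event=auth result=fail user=admin src=203.0.113.7
ts=2015-03-01T02:10:03 host=vpn-gw event=auth result=fail user=admin src=203.0.113.7
ts=2015-03-01T02:10:05 host=vpn-gw event=auth result=ok user=admin src=203.0.113.7
ts=2015-03-01T02:12:40 host=fileserver event=file op=read user=admin path=/data/customers.csv
ts=2015-03-01T02:13:02 host=fileserver event=file op=write user=admin path=/etc/cron.d/backup
ts=2015-03-01T02:15:00 host=fw event=egress src=10.0.0.5 dst=198.51.100.9 bytes=52428800
ts=2015-03-01T09:00:00 host=vpn-gw event=auth result=ok user=alice src=198.51.100.20
"""

def parse(line):
    """Turn one 'key=value ...' line into a dict, ignoring tokens without '='."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def reconstruct(log_text, fail_threshold=3, egress_bytes=10_000_000):
    """Answer the retrospective questions (entry, weakness, data read, leaked,
    changed, affected systems) by correlating events across the retained logs."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    report = {"entry": None, "weakness": None, "accessed": [], "leaked": [],
              "changed": [], "affected": set()}
    fails = Counter()              # failed logins per (user, source address)
    compromised = set()            # accounts the intruder is known to hold
    for e in events:
        kind = e.get("event")
        if kind == "auth":
            key = (e["user"], e["src"])
            if e["result"] == "fail":
                fails[key] += 1
            elif report["entry"] is None and fails[key] >= fail_threshold:
                # First success after a burst of failures: how the intruder got in.
                report["entry"] = {"ts": e["ts"], "host": e["host"],
                                   "user": e["user"], "src": e["src"]}
                report["weakness"] = f"password of {e['user']} guessed after {fails[key]} failures"
                compromised.add(e["user"])
                report["affected"].add(e["host"])
        elif kind == "file" and e["user"] in compromised:
            report["affected"].add(e["host"])
            target = report["accessed"] if e["op"] == "read" else report["changed"]
            target.append(e["path"])
        elif kind == "egress" and report["entry"] and e["ts"] >= report["entry"]["ts"]:
            # Large outbound transfer after the intrusion: evidence of data leakage.
            if int(e["bytes"]) >= egress_bytes:
                report["leaked"].append({"dst": e["dst"], "bytes": int(e["bytes"])})
    return report
```

Without the retained file-server and firewall events, only the login burst would be visible; the correlation is what turns six separate questions into one timeline.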
It is also important to have a proactive, forward-looking view of the security of the systems and data in use:
- What are the security risks?
- What could an attacker be interested in?
- Which data is particularly valuable?
Critical systems and data must be especially well protected. For this, it is necessary to have a comprehensive view of company IT systems and an estimation of the importance of individual systems and data sets. Only then can special protection measures be effectively undertaken for these systems and data, without limiting the usability of the IT systems as a whole – which would result in a reduction in the acceptance of the security measures, or make them uneconomical.
Further important points:
- Networked security: Joint action of a range of security tools that exchange information and through this allow a better overview and improve the detection and tracing of attackers.
- Secure identification of systems and people: Who accesses systems and data?
- Consistent use of encryption: Encryption may not prevent access to data in itself, but it certainly prevents the unauthorized use and alteration of this data.
Professor Pohlmann, from the Institute for Internet Security from the Westphalia University of Applied Sciences, calls for a paradigm shift in IT security:
- More encryption instead of open data: Fortunately, the acceptance and use of encryption has been increasing since the Snowden revelations, although there is still far too little encryption in use.
- Reliability instead of indifference: Manufacturers and providers should take on complete responsibility for the security of the systems and solutions they offer.
- Certification: Verifiable and verified level of security.
- Proactive rather than reactive security: This leads overall to more robust and more reliable systems.
- Object security instead of perimeter security
- More collaboration rather than separation: Combatting the imbalance between attackers and defenders – e.g. through use of Cloud security solutions.
What is also becoming more important is that IT users must have at least basic knowledge of IT security and an understanding of its requirements. This requires awareness and training measures.