How do you keep security one step ahead of innovation?
While innovation is, by its nature, about creating capability, its true potential comes only when people and businesses adopt new technologies. With the best will in the world, in general this process is haphazard - nobody has advance knowledge of what will be accepted into the mainstream, either in terms of broad categories or specific instances.
Right now for example we are seeing the continued rise of the smart phone. Despite being initiated by Blackberry, catalysed by Apple and reinforced by Microsoft, Google's Android has come from nowhere to become the world's most used mobile operating system. Asking how Google achieved this is the wrong question, because it's unlikely anyone could replicate the steps - all we can really do is understand how it happened, in terms of the company's decisions and the contextual factors involved.
Meanwhile, from the perspective of the bad guys of course, it just doesn't make economic sense to focus on niche technologies. Microsoft Windows used to be the main target for malware attacks, perhaps in part due to the company's reputation at the time, but mostly, simply because that was what everyone was using. Whilst mobile attacks are still in their infancy for several reasons, we have seen Android receiving increased attention, as Symantec Technical Director Eric Chien documented in his October report, "Motivations of Recent Android Malware."
It's not as simple as looking at single technologies, however. In the rich fabric we call IT, any one new innovation can completely change the pattern of how we use our kit, or indeed rip a gaping hole in it, or do nothing at all. Consider, for example, the arrival of Bluetooth on mobile devices. This was, at one point, considered to be a major potential threat - not because of Bluetooth itself, but because of how advanced features such as pairing and information sharing could impact existing mobile devices. In the end, activity by cybercriminals did not live up to the pessimistic expectations, and the holes were plugged with smarter use of time-outs in pairing software.
The risk, for both security vendors and for end-user organisations, is either locking doors that have no need to be closed, or worse, finding that the horse has already bolted. Appropriate security response is all about timing - there isn't enough resource in the world to counter every potential risk, so inevitably, those which have a greater probability and impact will have to be prioritised. This can't be a simple case of "if in doubt, leave it out" however. In a nutshell, here are five ways to get a more appropriate starting point for keeping one step ahead of cybercrime, in the face of innovation.
1. Keep on top of what's going on in terms of innovation. When it comes to technology security, saying "I didn't know" is never a good defence. However this isn't just about keeping tabs on the bad guys, but also keeping a focus on what is made possible by new technologies.
2. Identify when technologies reach a critical point. The question of when a capability becomes mainstream is difficult to answer, but generally, if the broadsheet newspapers, your neighbours and your children are using it, then it may be time to check it is secure. Equally, it's not just about when technology becomes critical to others, but also when it becomes critical to you. The two are different, but both are very important: putting them together defines the business risk.
3. Think how the bad guys would look at the situation. Yes, many potential security holes exist with new technology, but how precisely can money, fortune or fame be created from exploiting them? What are the opportunities for social engineering or simply hacking into core systems and data? Where are the weaker links in the chain?
4. Define proportionate responses. Security has always been a balancing act - with the cost of mitigation sometimes seen as outweighing the potential cost should something go wrong. Solutions are never as simple as deploying technology - rather, good security is about putting in place policies, processes and tools that are appropriate to the risk.
5. Be quick to respond. You don't have to wait until a major incident happens on your own doorstep. When clear examples of new threats appear, it is never too early to at least assess their potential impact on your own environment and decide whether you should do something about them. Remember - as the pace of innovation increases, so does business demand for new capabilities. Go back several years and IT would have had months scheduled to perform due diligence, to map a strategy, to test and deploy. Today's businesses are demanding that new technologies go live in weeks, or even days!
Being Symantec, you'd expect us to have a comprehensive set of capabilities to protect all kinds of organisations against the prevalent threats, across mobile devices and elsewhere. At Vision we announced a major update to our mobile device and management strategy, and we shall continue to evolve our product lines based on new threats as they emerge. Equally important however is for organisations to know how to act, and react, in the face of constantly changing technology. If you have any hints, tips or best practices you'd like to share, let us know.