Security & Mobility Now
Security is top-of-mind everywhere, especially right here where Juniper experts share their thoughts on the latest security breakthroughs and product advancements
billp

Insecure at any Speed

by Super Contributor on 06-29-2011 03:09 PM

In an earlier post, I mentioned that the tech industry is trending toward a wider variety of access devices (PCs, laptops, pads, smartphones, etc.) and a rise in cloud-based services and data storage. You have probably heard someone talking about those trends twice before breakfast today, so I'll consider that point made and move on.

I recently came across an article talking about the decentralization of workers – people doing jobs that were once thought of as in-person-only but that are now done remotely. One example cited was a golf pro who would have clients send video of their swing and would offer feedback, without ever meeting face-to-face. So now we can work from wherever we are (BTW, if you need me tomorrow, I’ll be by the pool near cabana 3), but what does that mean for the security of our data?

Well, if you've read anything about or from Juniper in the past week, then you’ve probably seen this one:

“In a survey of 583 U.S. businesses, released this week by Juniper Networks Inc., fully 90% of respondents said their company fell victim to a cyber attack in the past year, costing each an average of US$500,000 to overcome.”

(That quote was taken from the Financial Post article attributed above, but if you don't like that one, I could probably find ten other online sources reporting the same survey... it was disturbing, to say the least!)

So we have confirmation that we can work insecurely from anywhere; now I definitely need a drink. But how capable are these attackers? What level of genius do we need to throw at them to protect ourselves?

For the answer to that question, we'll turn to our good friends at Verizon. Every year they publish summary results of their data breach investigations (the Data Breach Investigations Report, or DBIR); for 2011 they teamed up with the US Secret Service and the Dutch National High Tech Crime Unit... I think that's enough mental horsepower going into one report that we should pay attention, no?

The report is a pretty good read and has some interesting statistics: 83% of the breaches they investigated were "targets of opportunity" (the victim was picked because it was exposed, not because of who it was), and 92% of the attacks were "not highly difficult". Targets of opportunity plus not highly difficult adds up to mostly drive-by hacking rather than focused efforts to take down particular companies. Most of the breaches were in smaller organizations (10-100 employees), and 83% were attacks by purely external entities (no internal or partner component).

The highlight for me is actually a comment posted by the author following the online article (not contained within the report), where he says: 'The classic example of an "essential control" that is often neglected is changing default credentials. We've been citing this for several years now and everyone receives that like "duh – of course we do that." However, the fact of the matter remains that it was the #1 method of intrusion in 2008, top 5 in 2009, and #1 in 2010. Taking these "no brainers" and making sure implemented (sic) with "no exceptions" can be monotonous and boring work, but we've come to believe it pays off.'

Yep, it's still the same old story: patch your systems and change default credentials, with no exceptions. Keep updating your security systems, use defense-in-depth, periodically refresh your security architecture and all that good stuff, but DON'T FORGET THE BASICS. It's not sexy and it's not exciting, but it still works.
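To make the "no exceptions" sweep for default credentials concrete, here is an added example (not from the original post and not Juniper code; the config export, the salts and the default-password list are all constructed for illustration). It re-derives each stored md5crypt ($1$) password hash from a short list of default passwords plus the salt embedded in the hash, so accounts that were never changed show up from an offline config export without attempting a single login. It also flags empty passwords and passwords equal to the username.

```python
"""Offline audit of an exported device config for accounts that still carry a
default password.  Added example for this post; it is not Juniper code, and the
config, salts and default-credential list below are all constructed."""
import hashlib
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> str:
    """Encode the low 6*n bits of v in crypt(3)'s base-64 alphabet, low bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Classic FreeBSD md5crypt ($1$): lets a stored hash be re-derived from a
    candidate password and the salt carried inside the hash string."""
    pw, sb = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[: min(n, 16)])
        n -= 16
    n = len(pw)
    while n:                          # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # the deliberate slowdown loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in order)
    enc += _to64(final[11], 2)
    return f"$1${sb.decode()}${enc}"


# Constructed per-account list of vendor-default / well-known passwords;
# a real audit would load the organisation's own list.
DEFAULT_CREDENTIALS = {
    "root": ["root", "toor", "password"],
    "admin": ["admin", "password", "1234"],
    "operator": ["operator"],
}

MD5CRYPT_RE = re.compile(r"\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22}")
USER_RE = re.compile(r'user\s+(\S+)\s*\{[^}]*?encrypted-password\s+"([^"]+)"', re.S)


def parse_users(config: str) -> list[tuple[str, str]]:
    """Pull (username, stored hash) pairs out of a Junos-style login stanza."""
    return USER_RE.findall(config)


def audit(config: str) -> list[tuple[str, str]]:
    """Return (username, matched password) for every account whose stored hash
    equals a default, empty or username-equal password under that hash's salt."""
    findings = []
    for user, stored in parse_users(config):
        m = MD5CRYPT_RE.fullmatch(stored)
        if not m:
            continue  # other schemes ($5$, $6$) would need their own verifier
        salt = m.group(1)
        for candidate in DEFAULT_CREDENTIALS.get(user, []) + ["", user]:
            if md5crypt(candidate, salt) == stored:
                findings.append((user, candidate))
                break
    return findings


def constructed_config() -> str:
    """A constructed export (no real device); hashes are generated here so the
    sample is self-contained.  'admin' still has its default, 'netops' does not."""
    admin_hash = md5crypt("admin", "Qz8f4Kp1")
    netops_hash = md5crypt("c0rrect-horse-battery", "mX2rT7vB")
    return f"""system {{
    login {{
        user admin {{
            class super-user;
            authentication {{
                encrypted-password "{admin_hash}";
            }}
        }}
        user netops {{
            class super-user;
            authentication {{
                encrypted-password "{netops_hash}";
            }}
        }}
    }}
}}
"""


if __name__ == "__main__":
    for user, pw in audit(constructed_config()):
        print(f"{user}: still using default password {pw!r}")
```

Point it at real exports with your own default list. Accounts hashed with other schemes are skipped rather than guessed at, and because the check is offline it never trips account lockouts or shows up as failed logins, which makes it a good fit for the periodic "no exceptions" sweep the DBIR author describes.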

Comments
by Dug S (anon) on 06-30-2011 08:13 AM - last edited on 06-30-2011 09:01 AM by Administrator

People really are the new network perimeter!

It's no surprise organizations have such trouble keeping attackers out when it's so easy to gain insider access by going after users' computers and credentials.

I totally agree with the back-to-basics focus on security fundamentals, but patching systems and changing passwords don't help with infected endpoints (via phishing campaigns, drive-by malware, and trojaned PDF/Office documents). No amount of security education can prepare a user to defend the organization against a zero-day Flash exploit embedded in a spreadsheet from their coworker.

Check out Duo Security for a nice complement to the Juniper IVE that protects against fraudulent logins using an out-of-band, trusted path for verification - the user's own phone! Two-factor authentication is a basic control for remote access, and we've made it trivially easy to set up (15 minute IVE config with no hardware or software) and manage (no accounts to set up, users add their own devices).

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.