New Strategies Are Needed to Shield the Most Sensitive Data

Source: SecurityNewsDaily

Cybercriminals are casting larger, more menacing nets, and if the security community fails to overhaul its approach to protecting sensitive data, the results could be catastrophic, experts say.

Alongside the traditional phishing scams and Facebook hoaxes, 2010 saw the rise of Stuxnet, a dangerous piece of malware designed to infiltrate and take down industrial control systems. Together with the infamous Zeus trojan, which hackers deployed this year to steal millions of dollars from online banking accounts across the world, and spear-phishing attacks targeting governments and businesses, Stuxnet changed the face of international cybercrime as hackers armed themselves with new weapons capable of pinpoint accuracy.

"As the Google–China attack and the Stuxnet worm incident demonstrate, security threats have become increasingly borderless and international in nature," said Patricia Titus, vice president and chief information security officer (CISO) with the IT and security firm Unisys.

Citing the recent WikiLeaks cables, Titus said she expects 2011 to bring even more targeted, damaging attacks aimed at critical infrastructure as well as government organizations and financial institutions.

To that end, she said it’s imperative that security professionals develop new methods of defense to combat the changing threat landscape.

"We need to start thinking about data protection differently," Titus told SecurityNewsDaily. "Organizations have to stop valuing all data as equal, and start adopting risk-management policy based on threats and data types."

This goes sharply against traditional security policy, which values all data equally and creates one uniform plan to protect it all, she said.

Titus told SecurityNewsDaily that the information most sensitive to a bank (customer PIN information, for example) should be given higher priority than information that isn't as crucial to the bank and its customers' security. It's up to the IT professionals working at each company to determine the various levels of importance of that company's data, and to develop a security plan accordingly.

"IT professionals need to get their head out of the IT sandbox and look at what their business does – they need to think like CEOs and categorize data."

Nicolas Christin is the associate director of the Information Networking Institute and a professor at Carnegie Mellon’s CyLab. He agrees with Titus’ assertion that prioritizing data will help keep users secure. Christin told SecurityNewsDaily that, in the face of severe, highly organized nation-state attacks, it would be foolish and financially ruinous to try to secure everything equally.

"I think it’s a good strategy," Christin said. "There are different types of attackers that you face: One type of attacker is the super-powerful nation-state, what Google was facing with China. These attackers have very specific targets and would not try to attack data on a daily basis. There’s a difference between critical and non-critical attacks, and if you try to protect critical and non-critical the same, you’ll end up spending way too much money. No business executive is going to give you the green light for that."

The way the security community is going to stay ahead of the game, especially as the scope and nature of the game change, is through innovative thinking, Titus said.

"We haven't had a lot of innovation in the security world," Titus told SecurityNewsDaily. "We need more if we want to get further in front of the bad guys penetrating our systems every moment."