Survey finds internal security a concern

Jun 15, 2006

While outside attacks are still a primary concern for security officers, internal network security is becoming more of a concern, according to a study by Deloitte Touche Tohmatsu.

Nearly half of financial institutions reported having experienced an internal breach of security, according to Deloitte's 2006 Global Security Survey released this week.

Though external security breaches still outnumber internal breaches, at 78 percent, the rise of internal breaches shows that security officers may have been putting too much emphasis on keeping outsiders at bay, according to Paul Kurtz, executive director of the Cyber Security Industry Alliance.

"It's been an oversight more than anything," he said. "The idea was always perimeter security."

Many of the most often-reported attacks, such as phishing and pharming, are types of attacks intended to extort monetary gain, a fact that cements the changing prototype of a computer hacker away from the college student in his basement, Kurtz said.

"This survey confirms yet again that the folks behind these attacks are getting even more sophisticated," he said, calling the old stereotype "a thing of the past."

"There's real money to be made here. The attackers are getting more stealthy as they go forward."

Ted DeZabala, a principle in Deloitte & Touche's enterprise risk services group, said that security officers now have to be prepared for attacks that are well organized and multi-pronged.

"We're seeing more sophisticated and more coordinated plans of attack," he said.

DeZabala said companies will have to respond with multiple layers of protection, mixing system resiliency, various forms of encryption and monitoring.

"We're going to see more aggressive monitoring activities to watch traffic and look for anomalies," he said. "That's not new, but it's becoming more sophisticated."

Similarly, he said that encryption for data at rest is a technology that's been around for a while but should see wider implementation soon.

"Only just now we've seen big institutions take these steps and utilize stronger authentication techniques," he said.

Kurtz agreed that encryption is, along with identity management technology, the key points to take from this year's Deloitte study.

"The difference between last year's study and this year's is that the key findings are getting more granular," he said.

Kurtz said that data encryption is becoming an essential security measure.

"There's no reason to put data at risk," he said. "The technology is evolving as well to make it easier and more seamless."

Multi-factor authentication is going to be the key to improving identity management, Kurtz said.

"The evolution from a place where we use password authentication to a place where we use multi-factor authentication is on its way," he said.

He noted that multi-factor authentication provides security not only externally but within an organization as well.

DeZabala said that multi-factor authentication is beneficial but is not a security cure-all.

"Regulatory bodies are pushing multi-factor authentication," he said. "It probably will not prevent that many of these kinds of phishing and pharming attacks. It will get rid of some of the more mundane types of attacks, though."

DeZabala said that user entitlement and employee access systems are a key aspect of identity management, especially for the financial sector.

"They appear to be getting attention in financial services because of the advent of access controls," he said. "The banking industry is interested in them because they have a lot of activity in dealing with user control."

Elsewhere, almost half of respondents called disaster recovery and business continuity a top security initiative, with 88 percent of respondents claiming to have an enterprise-wide business continuity management program in place.

Kurtz said that Hurricane Katrina last year called attention to the need for business recovery and the lack of plans to deal with disaster possibilities.

"I don't think it's nearly as sophisticated as it should be," he said, "but at least security officers are starting to ask the right questions. I bet business continuity will expand for a variety of reasons."

DeZabala said that seeing the damage many companies suffered from Katrina induced many companies to examine the continuity policies they have in place.

"They're rethinking how much risk they're willing to live with," he said.

DeZabala said that the damage from Katrina caught the attention of industry regulators.

"Regulators are pushing for addressing proximity risk, which is the risk that a particular region might be affected by a wide-scale disaster," he said. "Many organizations would probably not put programs in place to deal with a nuclear disaster, for example."

Copyright 2006 by United Press International

Explore further: Ebola.com domain sold for big payout

add to favorites email to friend print save as pdf

Related Stories

Microsoft beefs up security protection in Windows 10

7 hours ago

What Microsoft users in business care deeply about—-a system architecture that supports efforts to get their work done efficiently; a work-centric menu to quickly access projects rather than weather readings ...

Cloning whistle-blower: little change in S. Korea

Oct 24, 2014

The whistle-blower who exposed breakthrough cloning research as a devastating fake says South Korea is still dominated by the values that allowed science fraudster Hwang Woo-suk to become an almost untouchable ...

Apple issues security warning for iCloud

Oct 22, 2014

Apple has posted a new security warning for users of its iCloud online storage service amid reports of a concerted effort to steal passwords and other data from people who use the popular service in China.

Review: Apple Pay in action

Oct 21, 2014

If there ever comes a day I can ditch my wallet and use my phone to pay for everything, I'll look back to my first purchase through Apple Pay: a Big Mac and medium fries for $5.44. That wallet-free day won't ...

MasterCard, Zwipe announce fingerprint-sensor card

Oct 18, 2014

On Friday, MasterCard and Oslo, Norway-based Zwipe announced the launch of a contactless payment card featuring an integrated fingerprint sensor. Say goodbye to PINs. This card, they said, is the world's ...

Banks harvest callers' voiceprints to fight fraud

Oct 13, 2014

(AP)—The caller said her home had burned down and her husband had been badly hurt in the blaze. On the telephone with her bank, she pleaded for a replacement credit card at her new address.

Recommended for you

Ebola.com domain sold for big payout

20 hours ago

The owners of the website Ebola.com have scored a big payday with the outbreak of the epidemic, selling the domain for more than $200,000 in cash and stock.

Facebook goes retro with 'Rooms' chat app

Oct 23, 2014

Facebook on Thursday released an application that lets people create virtual "rooms" to chat about whatever they wish using any name they would like.

User comments : 0