A look at 2015: IoT to put new pressures on security

Ixia takes a look at some of the urgent new security threats facing companies and what companies need to do to prepare themselves.

Risk-based security and self-protection has been identified as a key technology trend as we move into the new year. Businesses will need to acknowledge that they cannot provide a 100 per cent secured environment and that more sophisticated risk assessment and mitigation tools will come into importance. According to Gartner, “security-aware application design, dynamic and static application security testing, and runtime application self- protection combined with active context-aware and adaptive access controls” will be crucial in today’s dynamic and digital world.

Naveen Bhat, General Manager, Ixia Asia Pacifc, shares some of the key security trends facing companies in the coming year and steps they need to take to mitigate any risks.

What are some of the most urgent new security threats facing companies and what do companies need to do to prepare themselves in the coming year? The damaging attacks that occurred in the last year were silent but deadly. Stealthy attackers managed to slip by defences or find new ways of launching attacks to get into the network and cause maximum damage via breaches of significant amounts of data.

Legacy testing devices generate only canned traffic and configurations, leading to inaccurate security, stability, and performance results. It is important for companies to test using tools that can create accurate simulations of vulnerable traffic, such as personal information and corporate IP, to ensure that DLP measures work like they’re supposed to. Most organizations run about 30 applications simultaneously across their networks and they need to be able to test under those conditions.

Proper security and performance testing helps organisations to meet compliance requirements and prevent data breaches. Often, organisations overdesign their networks by purchasing any security measures they can get budget for, yet they still experience a security attacks.

Application protocols and security attacks are continuously evolving, so testing tools must remain current as well as to ensure protection. Staying on top of emerging network traffic is a full-time job – one that organisations do not have the time to do – so organisations need test equipment that delivers regular updates for applications and attacks. That lets them harden the resiliency of devices, networks and data centres knowing that the most up-to- date conditions are used.

What has been the most important cyber security breakthrough in 2014 and what breakthroughs or advancements do you expect we’ll see in the near future? What solutions are sorely lacking? Virtualisation and cloud adoption are on the rise. As a result, we have begun to see security solutions that can offer control and defence within virtual environments. The same has also begun to happen for cloud deployments where security must now extend from the premise to the cloud. To enable the confident and secure adoption of cloud within enterprises, the ability to extend security policies and controls across private and public clouds will be key.

What new technologies will attract the most attention from the hacking community? We have yet to see attackers really target mobile platforms, partly because there has been easier targets, such as, Point of Sales system in 2014.

With the pervasive adoption of mobility and more business functions and applications being delivered across mobile platforms, there is a fresh opportunity for attackers moving forward. The danger is that often user’s security hygiene on mobile platforms is not as good. For example, users will access guest networks on mobile devices in hotels and cafes, forgetting that they don’t offer the same level of security assurance as private networks.

What are the biggest security mistakes that companies are making and do you expect they will change? One of the biggest mistakes and on-going weaknesses is people. Behaviours and curiosity are a weak link, which is something that more innovative awareness programmes and training can help with. Secondly, companies are failing to assess security effectively. Too often products and technologies are put in place with an assumption that they will work and protect organisations effectively for the long-term. However, things change over time and often the specifications for a product may not be representative of the way it will perform in an organisation’s network in the future.

Finally, there is still an inadequate focus on security at the higher levels of a company and a lack of discussion or understanding about security strategies and the role that they play in addressing critical business risks.

As the ‘Internet of Things’ becomes a reality, will we start to see the first major attacks on connected devices and how prepared are companies for this? How has the landscape for Internet of Things changed in the past year? There is definitely a lot of buzz around the Internet of Things (IoT). When you consider potential attacks, there is a broad range of things that can be pursued. The more serious incidents will start to occur once sensors or controls that are connected to the IoT are breached, for example, traffic controls or industrial controllers.

While the IOT will provide tremendous benefits for how devices around us work and improve lives, it will be imperative to apply the appropriate security controls depending on the IoT device and the risk its misuse presents.

What new advances or challenges can we expect to see around compromise detection? The challenge is that the more data and events there are, the harder it becomes to see and understand the attacks that are either coming or have already happened. In the future, advances in big data analytics and the ability to make better use of available information, will represent an opportunity for improving threat identification and predictive modelling so organisations can take a significant step forward in enhancing existing security practices.

What advances can we expect to see in authentication? What advances in biometric authentication can we expect to see and how will these technologies see adoption in enterprise? What new challenges and issues will come to the fore as a result? Authentication has been on the verge of moving beyond just passwords to a more effective two factor authentication process for many years. Unfortunately, it has only really been adopted for specific, higher risk use cases.

Until it becomes more user-friendly and cost effective to deploy, two-factor authentication is likely to remain limited in deployment. In the future, advances in mobile devices, sensors and technologies are likely to come to the fore and play a greater role in developing new use cases.

What major laws and regulations around cyber security can we expect to be of concern to enterprises? We will likely see continued momentum around disclosure laws but more regulation about compliance is not necessarily an effective path. For example, there has long-been regulation, such as PCI-DSS, yet in the last year we have seen more retail attacks and breaches than ever before.

What will be the biggest new security challenges for companies around mobile device management? The protection and management of company owned data remains a significant challenge. We have not yet seen significant malware attacks targeted at mobile devices. What we have seen is the mixed use of mobile devices for work and pleasure, which puts business data at risk of being compromised. Mobile device management, encryption, containers and document level protection are all tools that can be used to help tackle this issue.

As security is increasingly out of IT departments’ control, how will trends in cloud and virtualisation affect enterprise security? As cloud and virtualisation evolve, security is likely to get better. To an extent, it is reverse logic that if 1000 organisations try to build and deploy a strong security strategy, there is a lot of variation and different approaches with various levels of staffing. However, if those projects are moved to the cloud, there are just several providers that can develop deep security expertise and have very effective security programmes. Many companies may actually benefit from this transition – especially those whose security efforts have fallen below that which cloud providers can effectively deliver.