Lessons Learned From 2011’s Security Nightmares


Historians will label 2011 as the year when our IT security infrastructure failed us. The RSA and Sony breaches, attacks by Anonymous and LulzSec, even WikiLeaks drove home to the broad marketplace that when it comes to data security, cyber attackers can take down systems and steal data at will.

The worst thing is, we all saw it coming. We’re trapped in a reverse “Groundhog Day” scenario where things keep repeating but get worse instead of better. It brings to mind Winston Churchill’s adage, “Those that fail to learn from history are doomed to repeat it.”

I’m also reminded of the Maginot Line, France’s answer to World War I trench warfare that German tanks blitzed past on their way through Belgium in World War II. With both the Maginot Line and software-based IT security over the past several years, the establishment continued pouring resources into better, more expensive solutions for fighting the last war, instead of preparing for the next one. The difference, of course, is that the French abandoned the Maginot Line after it failed.

We’ve been fighting a new war with old weapons for a while now and our enemies – cybercriminals and Advanced Persistent Threats (APTs) – are breezing past our defenses and occupying our systems. We need a new strategy. We know what works – device-based security that ensures only known devices and users access networks and data. Protecting identity-authenticating encryption keys in hardware keeps the bad guys out.

Then as now, the problem isn’t technology, it’s the will to mobilize. Many vendors care more about quarterly profits and selling their entrenched (pun definitely intended) products than about collaborating on new approaches to address a common mortal threat.

Eventually, the IT security industry will drop its myopic refusal to consider proven hardware-based security practices from other industries, such as telecommunications and cable. When was the last time you heard about cloned cell phones or stolen cable accounts?

Despite all the bad news this year, I’m still hopeful for 2012. Here are some of my thoughts on what we can expect in the coming year:

1. We will see a cyber attack of significant scope and size on a major public utility or power grid.

2. The actual “physicality” (size, type, etc.) of the mobile device will no longer define the device’s functionality. In other words, whether you have a tablet, smartphone or laptop, the lines between device categories will blur.

3. Along the same lines, the BYOD phenomenon will continue to flourish and will put tremendous pressure on the software security model.

4. Other government agencies will follow the lead of NSA and DoD in touting and deploying hardware-based security.

5. Major technology players will jump in with Intel (DeepSafe) and Microsoft (Windows 8) in embracing embedded security solutions and best practices.

6. Apple’s IT security model will gain more recognition as a model worth emulating. Surprised? Most people are so absorbed with Apple’s aesthetics and user interfaces that they miss how Apple has created a perfect example of identity-centric security for enterprise networks. As one of the biggest suppliers of consumer IT devices, Apple wants people to access networks securely. So they allow only known users and devices, limit each user to five devices, require every device to run whitelisted applications on an approved OS, and require DRM for content. Managing one endpoint on their device-centered security model costs a tenth of what many enterprises pay for ineffective network-based security systems. I’d love to see more organizations copy that.

Anyway, let’s hope in 2012 we see large-scale implementation of lessons learned from history’s mistakes and today’s good examples. We’re at a tipping point; it’s our choice now how history will label us.

Since taking the helm as CEO in 2000, Steven Sprague has played an integral role driving the industry transition to embed stronger, hardware-based security into the PC. He holds executive responsibility for all operations within Wave. During his time as CEO he has guided Wave to a position of market leadership in enterprise management of self-encrypting hard drives and Trusted Platform Module security chips. As a popular speaker and IT security thought leader, Steven speaks at dozens of conferences and events each year—educating global audiences about the latest PC hardware security advancements and industry standards (both on behalf of Wave, and in his leadership role with the Trusted Computing Group). His expertise lies in leveraging advancements in hardware security for strong authentication, data protection, advanced password management, enterprise-wide trust management services and more. Steven earned a BS from Cornell University in 1987.