Organizations have never had so many security risks in so many remote locations, says Pescatore, VP and Distinguished Analyst with Gartner, Inc. Mitigating these risks will be among the primary challenges for information security leaders in 2010. In a discussion of security trends, Pescatore offers insight on:
Pescatore has 31 years of experience in computer, network and information security. Prior to joining Gartner, he was senior consultant for Entrust Technologies and Trusted Information Systems, where he started and managed security consulting groups. His previous experience includes 11 years with GTE, as well as employment with NSA and the U.S. Secret Service.
TOM FIELD: What are the top information security issues facing businesses and government agencies as we look to 2010? Hi, I'm Tom Field, Editorial Director with Information Security Media Group. I'm talking today with John Pescatore, Vice President and distinguished analyst with Gartner Inc. John, thanks so much for joining me.
JOHN PESCATORE: Sure, good to be here.
FIELD: John, just to start out, why don't you tell us a bit about yourself and the types of issues you are most focused on these days at Gartner?
PESCATORE: Sure, well my background: I've been in security for something like 31 years now. I went to work for the National Security Agency right out of college in the late '70's. I worked for NSA and the Secret Service and then 11 years for GTE and telecom security, and a couple of years with security vendors, and then here the past 10 years with Gartner. So I have a pretty broad background in security.
At Gartner we have 25 analysts in the security practice, and many of them focused on individual specialty areas within security. I tend to work in the threat area and the areas that pull together multiple security disciplines like dealing with some of the business process changes and threat changes that break the older type systems and the older approaches to security.
FIELD: Now, John, everybody from the president on down this year is talking about cyber security. What do you see is the top information security issues that face businesses and government agencies as we head into the New Year?
PESCATORE: Well, I think there are new challenges and there are some continually old challenges. I mean, one consistent question or message we get from Chief Information Security Officers is around security metrics and trying to answer the CEO or the CIO question, "Are we safe?" You know, that is still a very hard question to answer. It's hard to express that in business terms. There have been a lot of tries just treating security like you would treat other business risks like financial risk, and that hasn't worked.
So I think one major challenge continues for CISO's is just demonstrating the value of the cyber security or information security program, but also trying to give a dashboard look at "Are we safe? Are there problems coming? Are we spending too much or too little?" Now that is a continuing problem.
However, there are two very new challenges. What we're seeing happening right now is certainly the threats have changed, but also business processes and the demands put on the IT organization and the information security organization are changing at the same time. At the same time that threats are getting more targeted, the business, even government agencies, are demanding that users be allowed to use home PC's, their own smart phones, iPhones and the like, being allowed to work from home, being allowed to use social networks, use consumer grade things like Google apps and Skype and the like.
So at the same time that the threats are getting more focused, IT is being forced to relinquish some control over the hardware and software and services that users use to get the business done and touch privacy related information and critical business processes. So dealing with those two challenges simultaneously, we're targeted deeper threats and having to give up some levels of control. That, I believe, is the major challenge facing security programs today.
FIELD: John, a few minutes ago you mentioned threats. Which threats concern you the most these days?
PESCATORE: Well, you know if you think back a few years, say into the early 2000's, every attack seemed to be taking advantage of buffer overflow vulnerabilities in software. That went on for several years, and then we got better at finding buffer overflow vulnerabilities in software before we let the software go live. Then after that, now you see command ejection or sequel injection, or cross-site scripting. So what happens is these threat delivery mechanisms usually hang around for a few years.
Right now, really the past two years, this botnet delivery cycle is what concerns me the most. It's really a major, major problem, and this is where user PC's get compromised by visiting a legitimate website that itself had been compromised and download some software on the user PC. That user PC happily goes back to work, talks out to the botnet command control center, downloads a very targeted attack. We published some case studies with some large global commercial businesses that have found on the order of three to five percent of their PC's have bad clients installed, and these are well-protected PC's. When you look at consumer PC's on the order of 30-35 percent of consumer PC's have bad clients installed. That can be used to capture passwords and look for databases and so on. So it's a very clever mechanism. It takes advantage of how hard it is to keep a website secure. How likely users are to click on a website, and if it is a trusted name let it download an active "X" control that does damage or other types of malware. That Botnet delivery mechanism is what concerns me the most. I think it will be the dominant threat delivery mechanism for the next couple of years.
FIELD: So, flipside of that John, what types of solutions give you optimism against these threats?
PESCATORE: Well, what I'm most optimistic about is something we just see the tip of today. You know, if you think back a few years when email viruses and email spam seemed out of control, today email viruses and most spam -- it's down to sort of a dull roar. I mean, email viruses have largely gotten down to a mere nuisance. Email spam depends on what you consider a nuisance, but largely they're down to a dull roar.
Well the major advance there was this idea of email security as a service, as a cloud-based service. So many, many people, the majority of the new revenue in that area comes from companies redirecting their mail messages, flows through email security filtering in the cloud, then their email comes to them. By doing it in the cloud, it wasn't just cheaper but it could take advantage of seeing everything all at once, seeing hundreds of customers' email, much quicker ability to declare something spam or recognize malware attachments in email. So that greatly helped us in the malware. Now email security has one great advantage. It could take a few minutes. Nobody knows if an email message comes in two or three minutes later, so you don't have real time issues. But we are starting to see the capacity and the algorithms and the capabilities to do things like web security filtering in the cloud and other things, site protection in the cloud, and many other security functions that way. So here is the scenario, the biggest challenge today is letting an employee either work from their home PC or even on their corporate laptop connected directly to the internet in a hotel room or on their home network, or on a coffee shop wifi hotspot and access, you know, sales force.com or other things stored out in the cloud.
How do I inject my security policy in that? They're using probably a PC I didn't supply them, they're using their own internet connection, accessing the sensitive data stored out in the cloud. By injecting security as service into that path, just like we did with email, we can actually inject security policy and do web filtering, stop bot clients from being downloaded, notice if one of our users is on a PC that is out there that is communicating back to command and control centers and the likes. So I think by adding security as a service to one of our delivery mechanisms for security, from just software to appliances to also security as a service in a mix, I think that is going to help a lot.
FIELD: We've talked about quite a bit here. We've talked about malware, we've talked about the remote work force, and we talked about social networking. When you look ahead to 2010, what do you think our greatest challenges are going to be in facing these information security threats that we've talked about?
PESCATORE: The consumerization of IT. Again, it's this demand to use these consumer grade things like the Google apps and the Skypes, and the Facebooks, and My Space, and Twitters, and all this for business. We have this whole Gen X/Gen Y thing where this 30-year-old employee who is in his most productive years as an employee grew up using social media, grew up using Skype, he grew up being the CIO of his household, and he doesn't think it's all that tough to manage IT and he's used to doing things his own way. He is used to having more control over the IT uses than typically IT is used to giving. So I think, that's a major, major change. It is sort of like the same change when the PC came about.
Now before the PC, all the apps were down in the basement ... and the user got was a dumb terminal. The PC hit, the user had a lot more control and it took us a long time to get security strategies up where we could protect the managed PC. What we are now seeing is that same wave happening, business being done on unmanaged PC's or iPhones or other Smart Phones, unmanaged social networks in the like. I think that's by far the biggest thing causing breakage to the typical information security program today and into 2010.
FIELD: Now, John, you've spent a lot of time in security, and in fact you've probably seen information security grow up. Your perspective: How do education and training have to evolve to keep pace and help us meet our needs in information security?
PESCATORE: Well, I think there are some definite things to avoid in education and training. There is too much security awareness education and training that's done as a substitute for actual security controls. You know the idea of, 'Well, we told the users not to do that, they shouldn't have done that," and posters in the lunchroom and awareness and education campaigns. If that is all they are for, they don't help us at all. However, the flip side is there have been way too many deployments of security controls without trying to educate the user. I think when we look forward, the focus has to change here on to more sort of safety campaigns versus the typical here's your responsibility type security type campaigns. You know the real issue we see today, most of the time succeed or most data disclosure incidents happen because of a mistake an employee made, not because of malicious insiders, not because of super-duper clever attackers, but really because of a mistake the user made.
They clicked on something they shouldn't have clicked on. They posted a document without realizing the excel spreadsheet; the second half down had all those credit card numbers in it. They did something that would harm them, and it is so easy at the pace of change of IT to do that. You know the example I always use: If you think of the automobile, most of the safety advances in automobiles did not come about because of government regulation.
They came about because the insurance industry started seeing how people were causing crashes by shifting the car out of park without having their foot on the brake, so we build an inner-lock in, or electrocuting themselves when they opened up the TV set to see what was wrong. We built an inner-lock in. So, I think a lot of awareness and education has to be to make people aware of the dangers of some of these things and be matched up with security controls that help stop people from making those dangerous decisions. So it is important to educate people, but we have to realize human behavior will always change much more slowly than the threats do.
FIELD: So, we have to get people to insure their home offices and PDA's.
PESCATORE: Paying the insurance isn't the key thing; the conditions the insurance company makes you meet before they'll issue insurance. You know, you want to get insurance on your house, you have to have a deadbolt lock, you have to have smoke detectors and so on, but that's how actually most safety increases some about. So the insurance is less important than meeting the conditions that would enable you get the insurance.
FIELD: John, as I sit here and look back on some of the big security stories we've seen this year ... It's been Heartland, PCI, recently the Spear Phishing Attacks in mid, small to mid size businesses sort of being fleeced, when you look ahead to 2010, what do you foresee as being some of the top information security stories we are going to paying attention to?
PESCATORE: Well, you know every year, I do sort of a State of the Threats and look back at the past year and presentations for the Gartner client so we'll certainly see more security incidents just like the Heartland's of the world in 2010. Information technology has a lot of moving parts -- human beings will always be human beings -- so there will still be those incidents. However, we have definitely seen several things. We've seen the threats coming from financially motivated attackers, cyber crime, and we've definitely seen more international corporation in what law enforcement usually does, which is go after criminals. I think in 2010 we should see more successful efforts in shutting down some of these organized crime rings that are launching many of these attacks.
I think we'll also see a couple of new forms of attacks. We've already seen the start of social networks being attacked because that is where people now trust their friend's lists and the like coming from those social networks. But things like Twitter being used as launching places for attacks, things like text messaging in general being used for more and more ways of either launching attacks or tricking people to come to compromised systems, I think we'll see growth in that area in 2010. But I think the other thing -- 2010 might be a little too early -- but as you look at a lot of the pressure for things to go green, reduce energy consumption. We see a lot of initiatives like the Smart Grid and the power Industries in the US and many other countries, and we see a lot of newer technologies like ZigBee and other forms of wireless and the like being talked about as ways to enable a lot of this green technology and Smart Grid type systems with very immature protocols, which always worries me. Similarly, when you look at virtualization, we have seen a lot of rushed data center virtualization.
We see a lot of rushed cloud computing that is essentially just virtualization a little further away than your own data center, and many of the underlying technologies used in virtualization are sort of first generation.
So I think 2010 into 2011 will be the start where we start to see vulnerabilities found in all these virtualization and Smart Grid technologies and other forms of wireless, and inevitability new technologies new vulnerabilities, and the attackers leap on those very, very quickly. So I think that is probably some of the new things we will see.
FIELD: One last question for you John. If you could boil it down, what single piece of advice would you offer to organizations that are looking to improve their information security strategies? In other words, what is most overlooked in what they are doing now?
PESCATORE: Well I always break this into two broad categories. One is looking at the security controls you've been doing for a long time and getting more efficient, reducing the cost of delivering the old stable security. You know things like anti-viral, anti-spyware, anti-firewall, these are pretty mature technologies. We should be forcing vendors to either give us the same capabilities at lower costs or incorporate protection against the new threats at the same price, so more efficient and sort of the stable parts to free up some of the security budget to go after early protection against these newer threats. The biggest mistake always being made is thinking defensive in depth means continuing to spend on everything I was spending on and asking for more money.
That doesn't work in business. That doesn't work in IT. That's not going to work in security. So focusing on, Gartner says look at platforms. On your desktop you should have an end-point protection platform, not six or seven different security agents costing you hundreds of dollars per desktop. Similarly an email, web, firewall level has platforms rather than scattered point products there. Look at a platform approach at each level, not one big box doing everything, but platforms at these logical levels. That will reduce the cost of that fee towards being able to delivery security as a service. Think about how are you going to protect mobile users, how are you going to deal with these new wave threats without having some capability like security as a service that you can inject out into the way people are doing business.
Then the final thing is, there are some good security metrics. People are always looking for a killer answers -- the one single security metric -- but there are some real good ones that you can use to demonstrate the maturity of your security program, the risk level you are currently at against the current threats in the like. Pick two or three key security metrics that both can demonstrate the value and the status of the security program, but also give you an indication of where you can change and institutionalize those. Just start reporting on a monthly, tack them to the outside of a CIO's wall just like he does for the service level of the network the availability of the storage farm or whatever. Make sure security is routinely reporting on metrics.
FIELD: John, I appreciate your time and your insight today. Thank you very much.
PESCATORE: Okay, great, good to talk to you.
FIELD: We've been talking with John Pescatore, Vice-President and distinguished analyst with Gartner Inc. For Information Security Media Group, I'm Tom Field. Thank you very much.