RSA: 10 lessons learned about security
By Asavin Wattanajantra
Attacks via social networks at the end of 2007 numbered just above 10,000. At the end of 2008 this had risen to 100,000 and will likely increase further still by the end of this year. Attacks such as Koobface also ran riot during 2009.
6 - Britain needs data breach notification laws
Thales said that businesses would more readily put in place data safeguards like encryption if there was the threat of a public data breach notification, which is used in countries such as Germany.
So far in the UK, the main drivers for companies to make sure that they have the right security safeguards in place focus on payment card compliance in the case of the financial sector, as well as EU data protection laws.
However, it was argued that businesses that hadn’t put in the right protection would be much quicker to do so if they knew that they could be publicly humiliated if they hadn’t made enough of an effort.
7 - Microsoft and Google are never going to agree on anything
Google was conspicuous by its absence at RSA, leaving Internet Explorer general manager Amy Barzdukas to get in a punch over the lack of privacy in the Chrome browser.
But it wasn’t just Google that she was warning about. She said that all browser vendors need to think about privacy and warned website developers that anything they created needed to work with browsers without creating a security risk.
She said: “As we continue to work and move beyond environments where all browsers want to be better on supporting standards, we need to make sure that we are in fact supporting and working as the standards are meant to work.”
8 - We need education about security, not fear
It was only recently that Symantec described the profits that could be made by cyber criminals from fake antivirus as being as high as £850,000 a year, and IE's Barzdukas said that the fear spread by high-profile internet incidents could actually be making things worse.
She said: “These kinds of attacks are successful because we haven’t struck the right balance in how we inform consumers without also terrifying them.”
9 - You can’t buy the Sinowal trojan, but you can get Zeus for $1,000
Sinowal is more than a trojan - it is actually a syndicated criminal group that had made huge profits in different countries. Over 300,000 machines in three years have been infected just by this single threat.
The reason? The security of the internet had changed with the rise of drive-by downloads, which had made Sinowal as well as other trojans spread rapidly. This new technique has also made the rate of infection 10 times higher.
A fraudster outside the organisation wouldn’t be able to buy it, but would look at the Zeus trojan instead, which you could purchase for $1,000.
10 - Criminals have a pile of corporate data already, but are working out what to do with it
Criminals have been attacking corporate networks for years, meaning that there are thousands of infected employee computers, according to RSA’s Rivner.
If a criminal has a trojan on an employee’s computer, that criminal can see exactly what is going on - and it could spread to an entire network if it is connected in the office.
“Already the fraudster has access to a huge amount of corporate data and government data on their trojan motherships,” said Rivner.
“But today, they don’t care about that – they care more about the financial aspects for online and banking fraud... But they are starting to realise they are sitting on a pot of gold because there are other people who are interested in these types of things.”