ICT security will never be perfect


There is no silver bullet to perfect cybersecurity and a determined attacker will always find a way into an IT system.

This is according to Window Snyder, CEO and founder of In Every Hand, speaking at the ITWeb Security Summit, in Midrand, this week.

She noted that a company will only become aware of a problem when it’s too late.
“We want security to be perfect, but it will never be, even if we do everything that best practices tell us to and even if we’ve done all the security research and developed a security life cycle over all the processes. A determined attacker will find an opportunity, exploit a vulnerability and there’s very little we can do about that.”

How much security is too much? Snyder, formerly chief of security at Mozilla and senior security strategist at Microsoft, said organisations need to evaluate the real value derived from security, versus the cost and user frustration in deploying the security systems.

The security industry has become better at developing anti-virus software; however, Snyder pointed out that malware and viruses are evolving so rapidly that security software only protects against older threats at the baseline.

Snyder said many companies go overboard in securing their systems and infrastructure, but even tough security mechanisms can be easily defeated.
“The security industry needs to be more methodical. In the past, we had a much more intuitive approach to detecting vulnerabilities. Through threat modelling, we can identify ways of procedurally defining where the areas of highest risk are.”

Snyder is co-author of Threat Modeling, a manual for security architecture analysis in software applications.

SA security skills fall short

Meanwhile, Yvette du Toit, manager of risk advice for Ernst & Young, in her presentation to the ITWeb Security Summit averred that there is a huge security skills shortage in SA and the security testing industry is largely unregulated.

“The business environment is continuously changing and so is cyber crime,” said Du Toit, who sits on the board of the Council of Registered Ethical Security Testers (Crest). The non-profit organisation, based in the UK, aims to maintain a high quality in the provision of commercial security penetration testing services.

“The aim of Crest is to represent the information security testing industry and offer a provable level of assurance as to the competency of organisations and individuals within those organisations.”

Du Toit noted that Crest intends to act as the voice for the security testing industry, to address the issues around an organisation’s security. She hopes to start an arm of Crest in SA.

According to Du Toit, the number of threats is increasing because of the exponential growth of data residing on the Internet. “Software is more complex and hacking tools are far more sophisticated. Businesses are looking at securing data rather than focusing as much as they did on infrastructure.”

Security is far more pervasive and increasingly being seen as an enabler to do business on a much wider level. However, Du Toit pointed out that the biggest shift a business can make in security is around building awareness.

Security, as well as governance, risk and compliance, has changed from being viewed from a single point to a multi-dimensional risk management approach. Chief technology officers are becoming more hands-on in defining the security strategy, she added.

“Security is not just an IT function. Security needs to be a business enabler to do things better and run smoother. This allows for a fuller understanding of what the business needs are, as well as its risks.”