The current cybersecurity landscape of guerrilla warfare
Companies are still grappling with IT security as criminals constantly find new ways of breaking in. Richard Bird, a security expert with Ping Identity, believes the landscape has changed and that our mindset toward security needs to change as well. Karen Roby spoke with Richard about some of the things company leaders need to keep in mind. The following is an edited transcript of the interview.
Richard Bird: When we think about a firewall, we know that the term firewall was a word that was invented in 20 B.C. by Emperor Augustus. It was a wall that actually protected a library in Rome to keep the enemy from burning it down. It's still the same thing that we use today, 2,000 years later, to describe how we keep people out of our companies from an enterprise security standpoint. So we always have built security based upon a defensive posture and traditional warfare. And when we think about what's happened in the last six to nine years, the landscape for the bad actors has shifted to guerrilla warfare. Get in, sneak in, don't be discovered, look like somebody else, act like somebody else, and then get things that don't belong to you and leave. And many times leave without us even knowing about it. Because the landscape changed to guerrilla warfare, it's the reason that we've seen so much success in breaches of people just taking over other people's accounts. And we've lost sight of the importance of the human being in the equation; all of our data protection laws are about protecting stuff. There is no protection law in consumer privacy protection today in the United States that says, "You need to protect your customer's identity so that way you're sure that the customer is who they say they are when they ask for the data as it belongs to them inside of your systems."
Karen Roby: Many experts believe authentication is the answer, and company leaders need to change their line of thinking when it comes to IT security.
Richard Bird: I think you're starting to see a lot of folks that are making what was probably the most important connection to make all through the process of information security, which is, what does it look like in the analog? What does it look like in the real world? I never ever in the real world have somebody show up on their first day of work and hand them a key ring with 400 keys on it, and I only know what maybe half of them actually do. And some of them really belong to somebody else, but they're taking on a new job, and I give them to you and say, "Go have fun. Find out what you have access to." We don't have anything like that within the physical realm, but we have something exactly like that in information security on a day-to-day basis when people start a new job or they transfer into a position. So we're seeing a lot of thinking from a business standpoint about, "Why don't I stop doing that?" And, "Why don't I create processes or create demands that make sure that people only have access to what they're supposed to have access to and are doing what they're supposed to be doing?" When we think about some of the technologies that are rising up in this space, they're really oriented around authentication, making sure that, again, you are who you say you are from the time that you enter your login session. So from the time that you walk in through that digital door until the time that you leave.
Where there's a big gap today is, even with things like multi-factor authentication, which many but not the vast majority of companies are adopting today, when we bring them to the equation, a lot of companies stop there because they act as if multi-factor authentication is the end of security. In truth, when we think about what's being designed and innovated right now, multi-factor authentication is the beginning of security. And we're starting to see companies that are putting a focus and attention on being able to use information and data to continuously authenticate you in session from the time you enter until the time that you leave. Not just checking once, but checking continuously to make sure that you're doing what you're supposed to be doing.