N°32  |  December   2008
Experts voice

The future of IT security
By Lionel Mourer, Director of the Security Consulting Group at Bull


Five key challenges for future security

Mobility, Cloud Computing, m-payments, social networking and virtual worlds... where will the new threats come from?

A quick tour of some issues that will become increasingly important in the future.


The threats that weigh down on information systems are constantly evolving... No-one really knows where tomorrow’s cyber-pirates will focus their attacks, but the latest studies throw light on hundreds of imminent dangers. Here is a rapid snapshot of some of them:

  • Already, virtual worlds and social networks are everywhere, and so far they have not stopped evolving... or tempting Net pirates to a greater and greater extent. Just by way of example, every day the transactions carried out on Second Life represent over a million US$! Inevitably, that is going to attract greedy people… What is more, Web 2.0 makes it much easier than before to incorporate malicious code into the pages people visit. Attacks will be increasingly carefully targeted, with the aim of stealing people’s identities and transferring financial assets from the virtual world to the real one…

  • By the end of 2008, the human race will own four billion mobile phones! The mind boggles at this figure, and inevitably it will attract some ‘crooks’. At the same time, even though attack software that results in denial of service already exists ‘in the lab’, it is less likely that it will become widespread. Today’s hackers are driven more by greed than a desire for celebrity! But banks are beginning to offer services (such as payments, transaction validation, etc.) via mobile networks – so the phone acts as the terminal, with its operating system, its applications and its own weaknesses… The market for mobile payments (or ‘m-payment’) is still in its infancy, but should promise a great future…

  • At the moment, there is no limit in sight to mobility! Portable computers are constantly taking a larger share of the market – not to mention ‘smartphones’ and other intelligent mobile devices. In fact, the mobile user is increasingly well connected, and is becoming a sought-after target. Nowadays, when you pick up a ‘mobile’ device, you have access to the whole information system, with all the attendant privileges… Usually, it is mobile users who are given the most extensive access within the enterprise. As a result, here too, all kinds of crooks and thieves (not just organized criminal gangs, but sometimes also competitors, even government agencies…) are looking for ‘openings’ to access the organization’s critical or confidential information.

  • In the wake of the distributed computing revolution, the vision of re-centralization is coming back into view, with ‘Cloud Computing’, software-as-a-service (SAAS), ‘Software+Services’… delivering computing on demand just as simply as water or electricity. This is a major step forward. Just so long as the ‘computing power plants’ of the future do not become ideal targets for hackers or terrorists... In 2008, a simple power failure cut off access to business data stored on Amazon EC2 for thousands of companies. You can just imagine the economic impact of a concerted, large-scale attack…

  • And finally, let us briefly explore more ‘exotic’ threats that might nevertheless pose real problems to organizations, even society as a whole. For example, rigging of voting machines or modification of traffic information for GPS systems… On this last point, just imagine a vehicle fleet, managed using GPS, with drivers who think they are ‘on the right route’, but who in fact have been diverted right into the path of an actual robbery... Or a hijacker sending a false GPS signal to a plane in mid-flight, to display an incorrect position and time. Which could drive two aircraft into a mid-air collision!... The techniques to do this already exist, even though they remain almost inaccessible to anyone and everyone…

There is no limit to human imagination – for better or for worse – and that includes crooks and hijackers… Which is why it has never been so vital to carry on identifying the risks, implementing an appropriate level of protection depending on the relevant business processes, and keeping watch, constantly, resolutely... keeping watch for what may be around the corner...
Bull has the solutions and expertise to help you evolve your information system and apply the best practices in order to align your IS on your business processes and improve efficiency.


The user at the heart of future security
By Emmanuel Forgues, Globull Product Manager, Bull

With the revolution in mobile working, the world is undergoing a paradigm shift: moving away from security focused on computing systems, to security focused on information. A look towards the future.

In recent years we have been witnessing a radical change in the way people communicate. New technologies are transforming the way users behave, as they find themselves in a whirlwind where their work and private lives increasingly merge. Take the example of an airline company, which asks its customers to print out their own tickets at home: an ingenious solution to the management of its records. With hundreds of millions of people now signed up for high-speed broadband Internet services, people in almost all the world’s developed economies can easily envisage tele-working. But how are users finding this transition? And how are the IT Departments in the companies they work for providing support for this new breed of workers? This could be a fantastic opportunity to rethink the whole working environment, to focus in on what is really essential: data and its environment.

Even though just a few years ago we were prepared to wait for hours or even days for a message to arrive (by fax or mail), today it has become virtually unacceptable even to wait an hour for an answer. Current technology is now sufficient for more rapid and effective decision-making. We are moving away from working methods that require close physical collaboration, towards a new order where we are exchanging data with each other using systems that move around with their users. Instead of finding themselves in just one location where they work, users now find themselves in the center of an ‘information bubble’, which moves around with them, along with all that they need to stay connected with each other. So IT Departments must now be capable of securing mobile users’ working environments, wherever they are operating.

Access to communications technologies (voice and data), and the ubiquitous use of computers in the home are pushing users sometimes to work from home, connected to the information systems of the organization they work for. IT Departments are already so heavily involved in their ways of thinking about services and security, that they are restricted when it comes to including the plethora of devices used by this new generation of workers – like smartphones, thin clients, ultra-portable computers, netbooks... – in their information system protection strategies.
In the search for mobility, users are often tempted to use various different solutions, from USB keys to netbooks. But this multiplication of data goes dangerously hand in hand with an increase in the risks involved:

  1. The physical or logical theft of sensitive data, using viruses, worms, etc
  2. Poor synchronization of data after it has been changed 
  3. Mixing up of sensitive data with personal information or other sources of confusion
  4. Data loss...

News reports clearly demonstrate that access to competitors’ know-how is a source of power, and that there are more and more different ways to get it. We can readily cite two types of methods:

  • Exploiting human or technological weaknesses
    For example, the ‘Storm’ superworm takes advantage of a disk or USB connection to propagate itself. Removing the storage medium and loading it on another computer provides an opportunity for the virus to run, and so infect a new machine. The proliferation of viruses is also a result of the proliferation of different storage media... data now wanders about so much outside the enterprise! And this information is out of control... so much so that an unscrupulous State can even catch up on delays in its technological progress using professional cyber-spies.
  • Methods that take advantage of the law
    ‘Counter terrorism’ measures put in place by the USA after 11 September 2001 authorize the transfer of personal data in the form of PNRs (Passenger Name Records) from airline companies to the American authorities, with the agreement of the European authorities also being granted on 28 May 2003. This includes the passenger’s name, how they paid for their ticket, credit card number, phone number, billing address, dietary preferences... More recently, on 29 August 2008 the Court of Appeals extended the rights of American customs officials to search items of electronic equipment (computers, portables, MP3 players, PDAs…) of people entering USA territory. Even though such devices may contain data that is important and even confidential to the traveler or the organization they work for, that data may become public as a result. So without arousing any suspicion, that data could be divulged to a third party with the aim of translating or decrypting it.

In order to foil (or at least to try to foil) such attempts to access sensitive or personal data, there exists a whole arsenal of impressive tools and services for business. It would be tedious to list them all but, to illustrate the point, here is just a snapshot of some of them:
  • Software protection
    Within and outside his or her business, the user has to protect against malicious attacks. Spyware, root-kits, storms, e-genies, scareware, ransomware, exploits... all these different kinds of malware (malicious software) exist for one reason, and one reason only: to access data and take advantage of it financially. Unfortunately, today, even the best anti-virus or firewall solutions cannot provide total, instantaneous protection. A window of opportunity (whether large or small) still exists between the point at which an attack appears and the moment when the user is protected by a software publisher’s solution. The user has to bear in mind that anti-virus software does not make his computer completely impenetrable... All the more so since these days malware is getting ever quicker at exploiting security loopholes.

In 1999, a weakness was typically exploited less than 10-15 days after it was discovered. By 2003, it had fallen to 15 minutes.

[Figure: survival time, 2003]

In 2008, we should expect it to take less than four minutes...

[Figure: survival time, 2008]

  • Protecting network connections
    In order to make the link between the workstation and the enterprise’s network access, there are various methods of authentication and authorization available: user’s secret PIN number, dongles that generate a PIN, biometrics… Because of the multitude of different levels of security that organizations want, all these methods offer different degrees of security. Using a secret PIN number is, for example, significantly more confidential than biometrics, which usually involves the user providing a fingerprint to use a particular piece of hardware.
  • Protecting data
    Software encryption: With the growing number of times that information is accessed, the need to encrypt a user’s data is of prime importance. Effective encryption is based, above all, on generating an unpredictable random number. And that is where one of the biggest challenges in IT security lies, because generating such a code is unimaginably complex for most users. Once this code has been generated, data encryption can start, often to the detriment of computer resources and, in certain instances, making its use restrictive. All software-based solutions which require the user to input their code onto a keypad or keyboard are vulnerable to keyloggers. Once the information has been captured, the PIN code is sent to be analyzed (‘broken’) by the author of the malware.
    Hardware encryption: These kinds of solutions can generate random number codes that are very hard to predict, unlike software solutions. In fact, this kind of solution is less onerous, but also provides much stronger guarantees when it comes to the safety of the encryption. In order to ensure maximum protection, the code generated must never for a moment go outside the relevant piece of hardware, which would otherwise make it vulnerable. Such a device is therefore practically inviolable, even by IT security professionals.
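The point above about encryption resting on an unpredictable random number, as an added example that is not from the article or from Bull: a Python check contrasting a key drawn from a PRNG seeded with a coarse timestamp (which an auditor can reproduce by trying every seed in a plausible time window) with a key from the operating system's cryptographic generator, the software counterpart of the hardware generator the text describes. The names `weak_key`, `strong_key`, `mac` and `seed_search` and the demo values are constructed for this illustration.

```python
import hashlib
import hmac
import random
import secrets
from typing import Optional

KEY_LEN = 16  # 128-bit key


def weak_key(seed_time: int) -> bytes:
    """Anti-pattern: key bytes from a PRNG seeded with a timestamp.
    The whole key is determined by one small, guessable number."""
    rng = random.Random(seed_time)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def strong_key() -> bytes:
    """Key bytes from the OS cryptographic generator (or a hardware RNG)."""
    return secrets.token_bytes(KEY_LEN)


def mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag; stands in for 'data protected under the key'."""
    return hmac.new(key, message, hashlib.sha256).digest()


def seed_search(tag: bytes, message: bytes, approx_time: int, window: int) -> Optional[int]:
    """Audit check: does any seed within +/- window seconds of approx_time
    reproduce the tag? Returns that seed, or None if the key is not time-derived."""
    for t in range(approx_time - window, approx_time + window + 1):
        if hmac.compare_digest(mac(weak_key(t), message), tag):
            return t
    return None


# Constructed demo values (not from the article).
SEED = 1228000000  # a Unix timestamp in December 2008
MSG = b"transfer 1000 EUR to account 42"


def demo() -> dict:
    """Run the audit against both key sources, knowing the time only to within an hour."""
    weak_tag = mac(weak_key(SEED), MSG)
    strong_tag = mac(strong_key(), MSG)
    return {
        "weak_seed_found": seed_search(weak_tag, MSG, SEED + 900, 3600),
        "strong_seed_found": seed_search(strong_tag, MSG, SEED + 900, 3600),
    }


if __name__ == "__main__":
    print(demo())  # weak key recovered as its seed; strong key: None
```

The search over a one-hour window takes a fraction of a second, which is why the article's insistence on genuinely unpredictable key material (and on keeping it inside tamper-resistant hardware) matters more than the strength of the cipher around it.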

These days, data protection solutions are very often associated with the user’s hardware, but not closely enough with his or her data. When it comes to mobile working, users are going to use hardware that is not their own. But they can ‘recreate’ their working environment using innovative new so-called ‘desktop online’ solutions: this makes it possible to work anywhere, as long as the user has access to their own data and to the Internet. But despite all this, the protection is not yet strong enough to guarantee maximum security when data is being transferred or stored.
What is needed is for the data (whether private or work-related) to be able to ‘follow’ the user, without any risk that it may be degraded or become accessible to third parties. Regardless of the hardware (smartphone, ultraPC, laptop...), globull, launched by Bull in mid-2008, lets users go wherever they want, along with all their data and their working environment, in the most secure way possible. So the host computer effectively becomes a commodity, which not only helps businesses save money when it comes to managing their IT hardware resources, but also enhances user productivity and the ability to generate profits. Today, Bull is ready to introduce the notion that the host machine will become a simple platform, through which users can connect to their own, ultra-protected environments... thus becoming ultra-mobile themselves.
