A newly released survey of around 100 IT resellers, conducted by UBM for Safenet, a data protection vendor, found the industry understandably spooked by the events of 2012 and looking for more sophisticated authentication procedures for 2012.
"The State of Authentication" (which can be downloaded here) paints a grim picture of anxiety levels among clients of the vendors surveyed. It's hardly surprising that over 50 percent are more concerned about breaches than they were a year ago. As discussed before in this space, some enterprises are being repeatedly hit by precisely targeted persistent threats. High profile targets, according to some analysts, can be divided into those who know they've been hit, and those yet to find out.
Inappropriate data access (presumably incorporating advanced persistent threats) leads the field of problems reported by clients. Other major headaches include phishing, malicious code attacks, and -- at a less sophisticated level -- plain, old-fashioned device loss. Again, more than half the resellers' customers reported each of these problems.
More positively, clients (over 70 percent) seem keen to get to grips with new authentication solutions. They are interested in doing more than just making passwords longer and hoping for the best. Nevertheless, there seems to be confusion about just what type of procedure might constitute an improvement.
According to the resellers, their markets are fairly evenly divided in their interest in software authentication, secure browser solutions, and certificate-based authentication, with knowledge-based and biometric solutions lagging somewhat behind.
What we're witnessing, of course, is a lack of leadership from the security community, which is deeply and sincerely concerned by the current vulnerability of cyberspace, but hesitant to place all its chips on another solution -- like antivirus shields or SSL certificates -- which may prove porous.
For all the market's interest in software authentication, that seems to remain a challenge as much as a solution. We've recently witnessed a systemic failure of the third party certificates that are intended to authenticate online identities. Secure browsers essentially sandbox any processes that start to run, protecting the rest of the system.
This can be done by running a virtual secure browser within Windows, or by leveraging a browser that uses an entirely different operating system: If you're not even using Windows, the theory goes, the bad guys will pass you by, looking for lower-hanging fruit. The problem is that the more enterprise adopts secure browsers, the more incentive there will be to develop methods for hacking them.
The best advice for both vendors and clients seems to be the adoption of layered security systems with as many elements as possible. This won't mean impregnable systems; it will mean systems that are too secure to be worth breaching, given all the unprotected systems out there.
Unfortunately, the customers of vendors interviewed in this survey place extremely high importance on factors like ease of deployment and management, low cost, user friendliness, and interoperability with existing systems. All of these concerns seem to suggest that security should be kept as dumbed down as possible.
the fact that they are asking the very people who know the least about, and have the most to loose, on the subject of cyber-security tells me that the polsters know nothing on this subject either. Of course people want it to be easy. But easy is synonomous with vulnerable. The 10 immutable laws of computer security says "computer security, by it's very nature is inconvenient". We have seen what convenience has brought. It's time for a little inconvenient security measures to be put in place...
The problem is that Internet security isn't the same as physical security. When someone does a break-and-enter, the results are pretty obvious. Cybercrooks might not even do immediate damage, instead just using the machine as a zombie. This it the big security challenge because the impacts are much less obvious despite being more dangerous.
I have a feeling that if an individuals accounts are hacked into and noticed, they will certainly care much more about the passwords that they use from then on. Most individuals don't have allot to loose, or at least they don't think that they do. Once something happens, from then on people will take steps to make sure it does not happen again.
I remember a time when it was normal for people to not lock there homes or vehicles where I grew up. One year a couple things were stolen from some homes. From then on everyone locked there doors and took precautions to prevent theft.
I understand the security community's issues, there's so many threats out there from so many different directions that it makes recommendations difficult.
Still, there's good reason why the market wants its security dumbed down, and it's not because users are stupid. It's simple human nature -- it's difficult to get people to adopt inconvenient security practices when they never see a direct benefit. I can't tell if my longer password is thwarting hackers, or if my following procedure protected the company from 23 different attacks. All I know is that if I'm careful, I'm less likely to be a victim. When it comes to users who are less educated about security, all they know is that instead of doing something simple before getting work done, they have to do something that's requires a little more effort -- which would be an issue except they frequently have to apply that little extra effort, which over time seems like a whole lot more effort.
I think perhaps part of the solution would be applying some gamification techniques. What if the security system could estimate how many attacks I'm stopping by using proper security techniques? That extra bit of feedback makes that extra bit of effort have a little bit of meaning. "I see, every character I add to my password increases its security by X, and stops Y more attacks". Or, "The suspected phishing email I forwarded to our security people was confirmed, and I stopped 254 potential breaches".
Granted, it's not going to turn security time into fun time, and not everyone's going to care... but at least it brings a little more meaning to all the procedures.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
When David E. Sanger of The New York Times broke the news that the United States was responsible for the Stuxnet malware exploit against Iran's nuclear program, Senator John McCain accused the administration of deliberately leaking the story to enhance President Obama's national security record.
The Gamma Group's business of supplying surveillance technology exclusively for use by government agencies may be legitimate. But not when it poses as the popular, free, open-source web browser Firefox.
Yesterday's hack of the official Associated Press Twitter feed demonstrated the enormous risk attached to the platform's lazy, single factor approach to security.
Cybercriminals don't hesitate when they see an opportunity to spread malware. Not even when it means exploiting as horrific an event as the Boston Marathon bombing.
With the advent of low-cost Web cameras and broadband network connections, home security systems have become a hot business. In addition to traditional security suppliers, like ADT, the market is attracting telcos, cable companies, and energy providers, thereby creating an area of increasing competition.
The FBI recently issued a warning to smartphone users, highlighting two mobile malware applications: Loozfan, which steals personal information, and FinFisher, which is spyware that takes over a smartphone's functions.
Mozilla's Firefox OS could be a major advance in building smartphones and tablets with a more cloud-friendly and open interface, but there are still questions of performance and security that will have to be managed.
Watching TV is not healthy for you, according to conventional wisdom. Well, that may soon change. Comcast and United Healthcare are now delivering diabetes prevention videos on-demand to high-risk patients. The partnership illustrates how healthcare may be delivered in the future.
Self-driving cars are being tested in Nevada, but can this technology work optimally without Internet integration, and can we offer integration without improving security considerably? In fact, all M2M is a potential risk until security is tightened.
The Murdoch/News International scandal has all the elements of the digital age, from phone-hacking through embarrassing emails to agile digital reporting.
The Internet has changed the way that companies market products. Now "Likes" and thumbs up carry a lot of weight. So perhaps it's not surprising that a black market technique has emerged whereby some Websites offer to boost ratings in exchange for cash.
Malware designed to infect Google Android smartphones has increased dramatically, and now the government is stepping in. The National Security Agency has developed SE Android, a system that tries to close up its security holes.
New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
The automotive website uses propensity modeling to target ads and customer registration forms, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
Subsidized handsets, rather than locked handsets, should be the focus of regulators. We're not getting good deals, not fostering innovation, and weakening our power as buyers.
Expert Integrated Systems: Changing the Experience & Economics of IT In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator. READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE! REGISTER HERE
Wanted! Site Moderators Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?
To save this item to your list of favorite Internet Evolution content so you can find it later in your Profile page, click the "Save It" button next to the item.
Email This
