by Rodney Gedda

Days of individual security over, says IIA chief

Mar 29, 2011

People relying solely on patching and upgrades are leading themselves into a false sense of security, and individual protection is no longer sufficient in the age of multi-vector attacks, according to the president of the Internet Industry Association of Australia.

Most people rely on operating system and software updates – including security patches – to gain a perception of security, but with increasing sophistication of cyber attacks this single-minded approach is no longer sufficient, according to IIA chief executive Peter Coroneos.

“What is a concern is the capacity of individual users to manage their own security and that time has passed,” Coroneos said.

“Patching and updating software is still necessary but it is not enough.”

Coroneos said vendors need to intervene at the network level and provide security tools at multiple levels to help secure people from the multiple levels of threats that are emerging.

The rise of cloud computing is also adding another dimension to the security problem.

“If you look back 15 years ago we were talking about thin clients and now we are seeing an increase in migrations to the Cloud,” he said.

“However, there are issues with the Cloud, including data protection and security.”

“It reminds me of a Monty Python skit where a building is being held up by trust. It’s only standing up because people are believing it will stand up and Cloud computing is clearly within that frame.”

According to Coroneos, people need to ask whether Cloud applications are secure and private, and one problem is that few client products are applicable in Cloud environments.

“As an industry we need to ensure Cloud services are safe and trustworthy because if it isn’t we are in trouble as a society, not just the IT industry.”

The AIIA has its own iCode initiative for securing online access via ISPs.

“If you turn the clock back 15 years ago ISPs were relying on a tool provided by the ACMA to notify people of an insecure PC,” Coroneos said.

“We codified that and now 90 per cent of local ISPs are participating without any legislation, which is a unique thing around Internet governance. The ISPs see it as a win-win.”

He said it is not in the vendors’ interest to see infected users and good security also lowers the cost of support.

iCode was launched in June and went live on December 1 last year.

“Since then we have had enquiries from government and organisations worldwide,” Coroneos said, adding most zombie botnets are not originating in Australia.

TrustDefender co-founder and CEO, Ted Egan, said end-point security and authentication are not enough today as there are more threats emerging around the type of session being initiated by a client.

“We can reach out to a device with an unknown security health,” Egan said.

“One credit union customer has been running end-point security for three years and has already experienced authentication token security.”

TrustDefender conducts its research and development in Sydney, Australia. Although the company has yet to get any of the “big four” banks as customers, Egan said it has secured contracts with large financial institutions in Europe.

The AIIA’s Coroneos said consumers need to increasingly adopt a multi-layered approach to security and can’t rely on a single vendor.

“For example, a man-in-the-middle attack can result in a user not knowing if a trojan has used existing authentication to transfer funds from an account,” he said.

Coroneos said that as criminals find it more difficult to target tier-1 financial institutions, they will look to smaller, tier-2 companies.
