The dark cloud looming over the information security industry at this year's RSA Conference was unmistakable. The questions about whether information security is on the right path continue to echo loudly.
Leading up to the conference, luminary and CISO of Yahoo, Alex Stamos, published an article about how information security vendors were failing.
As Amit Yoran, CEO of RSA, kicked off his keynote speech, he quipped, "[M]y stumbling around here in the dark is a pretty good metaphor for anyone trying to protect and defend a digital infrastructure today." He proclaimed that as the world enters a new era of technical advancement, "[W]e stand in the dark ages of information security."
The concept of the defensive perimeter, which is the basis of modern security practice, is failing us. Protecting digital information extends beyond the confines of a walled garden. Yoran points out that, while most recognize this, very few are doing anything about it.
In other words, many companies still rely too heavily on technology designed to keep the attackers out. While those technologies can be effective, they're not silver bullets. Businesses still struggle with protecting digital data and securing their brands.
Evolving digital threats such as website malware, malvertising, defacement, phishing and SSL breakdowns have moved beyond areas of concern to become major sources of insecurity. According to the Verizon Breach Report, 70% of web-based attacks were not targeting the company that owned the website, but the site visitors themselves.
This is because cyber criminals are after customer information such as credit card info, login credentials, PII, PHI and bank account numbers. It's all useful and can all be monetized on the black market.
Digital channels are effective attack vectors since they can be used to target specific user populations with automated, inexpensive and highly effective exploits. Cyber criminals can easily compromise trusted, name-brand websites via third-party code hacks or malvertisements.
In terms of the future of information security, the outcome isn't certain. Many vendors still push out point solutions and compete on features rather than innovations. Businesses keep worrying about their own security and are leaving customers unprotected. In the meantime, no one seems to be getting any safer. How long will this continue, and what are the alternatives?