By SecureWorld News Team
Fri | Feb 19, 2016 | 7:00 AM PST

By Kris Tanaka
SecureWorld Media

"Once upon a time we were able to simply block stuff coming into our organizations - in essence isolating our networks," said Bill Gardner. "And life was good."

But of course, then we had to start letting everything in.

Gardner, VP of product management at Spikes Security, is referring to web browsers - one of the biggest challenges for security professionals. According to the Ponemon Institute, 80 percent of security professionals said web-borne malware attacks were what kept them up at night.

During "Architecting the Holy Grail of Network Security," SecureWorld's Feb. 16 web conference, Gardner, along with Michael Roling, CISO of the State of Missouri, Brian O'Hara, VISO of Do It Best Corp. and Marc Crudgington, CISO and VP of Information Security at Woodforest National Bank, discussed how you can protect your company against today's top attack vector - currently one of the easiest access points for cybercriminals.

"The bad guys are really good at picking the low hanging fruit," Gardner said.

How can you mitigate browser attacks? Roling said that, in theory, good cyber hygiene, which includes patch management, plugin management and access management, should go a long way. In addition, he said awareness training, in order to educate end users about possible threats, should be an important component of any security plan.

However, Roling said the reality that security professionals face is that it is difficult to manage off-network or mobile devices, as well as users' dependencies on legacy browsers and plugins. "Hardening" end users against web-based threats is also challenging, he said.

Gardner added that one of the core problems with browser attacks is that web browsers provide a very large attack surface.

"There are many hundreds of thousands, if not millions, of lines of code in modern browsers and supporting systems," he said. "And of course it takes only one mistake in any of those lines of code to open up the possibility for a hacker to turn that code to his advantage."

O'Hara agreed that coding is an area that needs more attention.

"There's been a huge lack of secure coding training in our computer science programs all over the country," he said. "We still don't know how to write secure coding."

To help narrow the gap, O'Hara recommended that security professionals work more closely with development teams, encouraging them to think about security throughout the development process and to follow security best practices.

Crudgington added that organizations also need to implement what he calls "Defense In-Depth 2.0," which focuses on bringing in security practices and information from a macro perspective, not just a local viewpoint.

Although web-browser security challenges may seem to be overwhelming at the moment, Gardner said he feels that we are going to see a new era of security in the next three to five years, where we will get ahead of the bad guys and make some real progress.

"This is not a one-sided battle," he said. "Hackers are smart, they're well-funded, they're focused, but so are we."

--------------------------------------------------------------------

Did you miss the live broadcast? You can still view the program at your convenience on-demand and earn CPE credits. Do you have questions for the panel? Please feel free to use the comment area below.
