Security pros forgetting the basics, complains expert

All IT security conferences have one thing in common: Speakers have dozens of ghastly, yet funny, stories of blunders.

Kellman Meghu, Check Point Software’s Toronto-based head of security engineering, recounted a couple during his keynote at the annual SecTor conference in the city on Wednesday.

Kellman Meghu: “It’s almost embarrassing.” ITWC staff photo

Like the vendor who installed a cash dispensing machine in an undisclosed mall with its IP address clearly visible on a label on the front of the device. Nearby were two Ethernet ports. A colleague of Meghu’s was able to connect to the machine at night and download a list of the credit card numbers used that day; in fact, he could command the device’s printer to print them out.

Then there are the researchers at the University of Michigan who in August revealed they could break into the unencrypted wireless network controlling nearly 100 networked traffic lights in a municipality and change the lights’ timing.

“I thought we solved this problem,” Meghu complained. “I thought we knew the basics. And this is what concerns me. How many times have you seen (IT) security failures — we’ve seen tons at this conference — that really came back to stuff we already know and we should have taken care of? It’s almost embarrassing.”

With the Internet of Things, soon everything will connect to the Internet, he said. “And what really frightens me is we’re going to repeat all the mistakes we made in the 80s and 90s again” of connecting devices to the network and then worrying about security, “except now we’re going to do it with the critical devices connected to very important things.”

“The way this is going in the next couple of years, very critical systems like heating, dams and the like are going to be connected, they’re going to make some bad mistakes we probably shouldn’t, and someone’s going to die. Potentially a lot of people will die, and this will cease to be funny.”

He blames vendors in part, but also IT departments that talk grandly about security strategy yet end up asking the “stupidest” questions about device performance in requests for proposals and proofs of concept, such as “how fast can you forward a packet” and “describe your power system.”

That’s because a lot of organizations think all security appliances are the same, and that policy controls alone will make a system tight.

Instead, he said, IT security should start at the business logic layer: find out what the organization needs (what data needs to be protected, who needs access to it, and which devices may be used to reach it) and work from there. Threat-protection products for pre- and post-intrusion get wrapped around that. The last thing that should be discussed is performance.

“We need to migrate to a concept of understanding people and devices and applications and data,” he said in an interview. “That must be what your (security) policy is about. These devices are fully capable of understanding that concept and protecting on it. I just don’t think as an industry we’re using it enough.… If you don’t have a policy like this you’re not going to be able to secure your environment because it’s going to be wide open” to attackers.
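To make that contrast concrete, here is a small added illustration (not Check Point’s or Meghu’s code; the roles, device states, data labels and sample requests are constructed for the example) of the same access attempts judged first by a port-only rule of the kind a performance-first RFP buys, and then by a policy written in terms of people, devices, applications and data:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access attempt, described in the terms the policy cares about.
    Constructed for this example; the field names are not from any product."""
    user: str             # who is asking
    role: str             # e.g. "finance", "support", "contractor"
    device_managed: bool  # is the endpoint enrolled and compliant?
    application: str      # e.g. "payments-portal"
    data_label: str       # sensitivity of what is being reached
    dst_port: int         # all a network-only rule gets to see


def port_rule_allows(req: Request) -> bool:
    """The rule a 'how fast can you forward a packet' RFP buys: permit
    HTTP/HTTPS to the server and ask nothing about who, on what device,
    for which data."""
    return req.dst_port in (80, 443)


# Policy in terms of people, devices, applications and data. Each entry is
# (roles permitted, managed device required, application, data labels allowed).
# Anything not matched by an entry is denied.
POLICY = [
    ({"finance"},                          True,  "payments-portal", {"cardholder", "internal", "public"}),
    ({"finance", "support"},               True,  "ticketing",       {"internal", "public"}),
    ({"finance", "support", "contractor"}, False, "intranet",        {"public"}),
]


def policy_allows(req: Request) -> bool:
    for roles, needs_managed, app, labels in POLICY:
        if req.role not in roles or req.application != app:
            continue
        if needs_managed and not req.device_managed:
            continue
        if req.data_label in labels:
            return True
    return False  # default deny


def wide_open(requests):
    """Requests the port rule lets through that the business policy denies:
    the gap the article describes as 'wide open'."""
    return [r for r in requests if port_rule_allows(r) and not policy_allows(r)]


# Constructed sample traffic; every request goes to TCP/443 on the same server,
# so the port rule cannot tell them apart.
SAMPLE = [
    Request("alice", "finance",    True,  "payments-portal", "cardholder", 443),
    Request("bob",   "contractor", False, "payments-portal", "cardholder", 443),
    Request("carol", "finance",    False, "payments-portal", "cardholder", 443),
    Request("dave",  "support",    True,  "payments-portal", "internal",   443),
    Request("erin",  "contractor", False, "intranet",        "public",     443),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.user:6} port-rule={port_rule_allows(r)!s:5} policy={policy_allows(r)}")
    print("allowed by port rule but denied by policy:",
          [r.user for r in wide_open(SAMPLE)])
```

The port rule passes all five requests; the policy passes only the finance user on a managed device reaching cardholder data through the payments application, and the contractor reaching public intranet content. The three requests in between (an unmanaged contractor device, an unmanaged finance device, and a support role that has no business in the payments application) are exactly the cases a policy that stops at ports and throughput never sees.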

Despite the continuing stories of data breaches and blunders, “I’d like to think there’s a positive way ahead,” he said. “I’m already seeing a shift in the industry where security companies are less inclined to compete against each other and starting to work together… Attackers have advantages over us because they work together to make their malware better. But we don’t work together to make our security products work better.”

On the other hand, Check Point hasn’t joined the fledgling Cyber Security Consortium or the Cyber Defense Consortium. Asked why, he replied that those groups are sharing similar malware feeds, not threat intelligence.

As for the readiness of Canadian enterprises to face cyber threats, he said “there’s a lot of really good security people in these companies, but they’re not empowered to do what they need to do. They may not have the visibility at the higher level they should. They’re doing the best they can with what they have, but at a business level it’s still a bit of a challenge to get (executive) mind share to say ‘This is important to your business’ because we’re still a cost centre to them. Nobody wants to talk about that, they want to talk about how to make more money. We’re the depressing side that costs them money.”

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com