Security - where do the risks really lie?
Jinfo Blog

29th February 2012

By Tim Buckley Owen

Abstract

Many of us fail to change our passwords regularly and even use the same one across many sites thereby potentially compromising security. IBM is looking to offer a solution, but this may solve only half the problem.

Item

Weary resignation may well be the reaction to a new survey suggesting that only about a quarter of us change our passwords regularly and over half almost never do. But as IBM announces a new product to help organisations protect themselves from security threats, other evidence suggests that we need to take a much more nuanced view of the problem.

The password survey comes courtesy of Moscow-based computer forensic specialist ElcomSoft. It also finds that over half of respondents would never bother to change the password automatically allocated to them.

Like so many such offerings, it’s self-serving; naturally the company has a solution, in the form of its Proactive Password Auditor tool. And the Register newsletter issues a similar warning in a report covering both ElcomSoft and another survey, from American cloud security firm Ping Identity.

According to the Register, Ping’s survey shows that, in their efforts to remember maybe four to eight passwords, over half of people will write them down, and will regularly use the same one across multiple sites. As the Register points out, Ping markets its own solution too, so has a vested interest in talking up the problem – but, it adds, “this doesn’t mean it’s wrong though”.

So, with practices such as these potentially exposing organisations to ever greater risk of data breaches, is it time to revisit the defences at our command? If so, enter IBM, with new capabilities for its QRadar security intelligence platform.

IBM’s aim is to offer organisations a single platform that will combine deep analytics with real-time data feeds to help them proactively protect themselves from sophisticated and complex security threats. The issue for big corporations, though, is where those threats really lie.

Take something like a denial of service attack. As an article by Thomas Rid and Peter McBurney of King’s College, London, in the Royal United Services Institute Journal argues, such attacks are easy to mount and may cause a bank, for example, a great deal of embarrassment allied to the risk of espionage.

But, they add, they’re also relatively easy to defend against, and unlikely to do any serious damage to systems. To be really effective, cyber weapons need to be highly specific to selected targets, making the game probably not worth the candle.

In any case, there may be easier weapons. The Economist reports that a Wall Street programmer, imprisoned for taking proprietary trading code from his old employer Goldman Sachs for use by his new one, has now been judged to have committed no crime – because the trading system was not licensed or offered for sale.

Why go to the trouble of mounting a cyber attack when the lawyers will help you take corporate secrets anyway?
