Hacker Halted 2014: The Fog of War can Cloud both Physical and Digital Battlefields


At the Hacker Halted conference in Atlanta, Carl W. Herberger, vice president of security at Radware, discussed Thursday the importance of cutting through that fog as organizations try to defend their environments. In part, he said, that involves not taking a narrow view of attacker motives or methods. Security pros should avoid focusing on one or two motivations of attackers and using that to define their organization's risk profile, he said during his presentation.

Failing to account for attackers' different motivations can hurt security, and so can focusing on a single method of attack. When attacks come flying, they are increasingly coming from more than one direction; in other words, he explained, attackers are using multiple vectors.

In the face of this reality, realistic tests of an organization's ability to handle multi-vector attacks are paramount, he explained after his talk. Most companies, however, are not doing that, he said.

"They are doing one test," he said. "Let me do a SQL injection and see how I do it. Let me see if I can handle maybe a DoS [denial-of-service] attack. Let me see if I can handle an intrusion event. Let me see if I can handle a scan. Why don't you do them all at the same time and see if you can handle them. That's a different notion."

"Yet that's the way the world is right now," he added.

Another aspect of security that sometimes is overlooked has to do with issues of performance.

"It's not normal security understanding. Normally security, we scan for vulnerabilities and we know patches and we know misconfigurations - hardening procedures. We don't go and ask normal questions like hey, 'what's the max load on this application from connections per second'." - Carl W. Herberger, Vice President of Security at Radware

"You have to have devices that basically protect those assumptions," he said. "That's the difference between really an availability technology and a security technology. Availability technology will say, let's suppose what we're trying to say is that our environment is designed for a million connections per second. There needs to be something that protects that assumption that's upfront, otherwise what will happen is the device that has that limitation will fail."

Linked to this issue is the ever-growing Internet of Things. According to Gartner, the Internet of Things will consist of 26 billion devices by 2020. This new reality will create higher levels of complexity as organizations try to evaluate their operating environment as more and more devices connect, said Herberger.

As these devices connect to networks and to each other, the opportunity for man-in-the-middle attacks and for attackers to try to leverage these devices will rise, he said.

"These devices are not very strong with either security or with auditing. So if I can get the entire thermostat infrastructure to attack somebody, why would I not do that? It's hard to audit them. They don't have auditing capabilities. They don't have security capabilities. If it's grandma's house, grandma doesn't care as long as the thermostat's working, right. So I think it's a huge issue."

Moreover, much of the machine-to-machine communication is not going to happen over HTTP, he added.

"Much of our inspection for security is on the HTTP layer - it's not on these other layers," he said. "So of course it's a backdoor - it's great backdoor [into a user's environment]."
