<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:thr="http://purl.org/syndication/thread/1.0">
  <link rel="alternate" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php" />
  <link rel="self" type="application/atom+xml" href="http://www.readwriteweb.com/atom.xml" />
  <id>tag:,2010:/1/tag:www.readwriteweb.com,2009://1.17246-</id>
  <updated>2010-03-01T16:45:21Z</updated>
  <title>Comments for Think Tank Study Shows Top Web Trends Are Security Risks</title>
  
  <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.23-en</generator>
  <entry>
    <id>tag:www.readwriteweb.com,2009://1.17246</id>
    <link rel="alternate" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.readwriteweb.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=1/entry_id=17246" title="Think Tank Study Shows Top Web Trends Are Security Risks" />
    <published>2009-11-26T05:00:16Z</published>
    <updated>2009-11-26T05:01:26Z</updated>
    <title>Think Tank Study Shows Top Web Trends Are Security Risks</title>
    <summary>Mobile technology, virtualization, the social web, cloud computing - a think tank study has all our good friends on a hit list. The study, which shows primary security and privacy concerns of U.S. government IT leaders, is making the rounds among military and government bloggers. Policy makers are being told that the applications we know...</summary>
    <author>
      <name>Jolie O&apos;Dell</name>
      
    </author>
    
    <category term="NYT" />
    
    <category term="News" />
    
    <content type="html" xml:lang="en" xml:base="http://www.readwriteweb.com/">
      <![CDATA[<p><img src="http://www.readwriteweb.com/inforsec-web20.jpg">Mobile technology, virtualization, the social web, cloud computing - a think tank <a href="http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/CA%20Security%20Mega%20Trends%20White%20Paper%20FINAL%202%20(2).pdf">study</a> has all our good friends on a hit list.</p>

<p>The study, which shows primary security and privacy concerns of U.S. government IT leaders, is making the rounds among military and government bloggers. Policy makers are being told that the applications we know and love are dangerous and pose gaping security loopholes for cyberterrorism. Is this a Big Brother overprotective meltdown? Or are our advances really causing greater risks for all users?</p>]]>
      <![CDATA[<p>The infosec-focused Ponemon Institute polled 217 senior-level IT executives located in various federal organizations. They called out these as the top 5 trends in Internet technologies that - at least from their POVs - put businesses, governments, and users at risk:</p>

<ol>
	<li><strong>79%</strong> Unstructured data</li>
	<li><strong>71%</strong> Cyber terrorism</li>
	<li><strong>63%</strong> Mobility</li>
	<li><strong>52%</strong> Web 2.0</li>
	<li><strong>44%</strong> Virtualization</li>
</ol>

<p><img src="http://www.readwriteweb.com/infosec1.jpg"></p>

<p><img src="http://www.readwriteweb.com/infosec2.jpg"></p>

<p>Some of these trends are quite longstanding; however, they still cause a great deal of concern among our friends in infosec. Data breach (40%), cyber crime (40%), cloud computing (39%), outsourcing (34%) and open source applications (18%) also top the study's list of security vulnerabilities as seen through the eyes of government IT pros.</p>

<p>However, Vivek Kundra, a 2.0 champion and federal CIO, said in a recent <a href="http://www.govinfosecurity.com/articles.php?art_id=1783">post</a>, "Our policies lag behind new trends, causing unnecessary restrictions on the use of new technology...</p>

<p>"This technology supports every mission our government performs - from defending our borders to protecting the environment. IT is essential for the government to do its work, and it is essential that we have access to the latest and most innovative technologies."</p>

<p>It's sad and frightening to see mobile tech, social networks, and cloud computing called out alongside cyber crime and cyberterrorism as perceived threats to data security. But how much validity do U.S. leaders' fears carry?</p>

<p>The Ponemon Institute reports, "IT operations and IT security professionals identified cloud computing, outsourcing of sensitive information to third parties, external threat of organized cyber criminal syndicates, cyber terrorism, and a mobile workforce... We believe the findings from this study provide government organizations with guidance on which threats are more critical than others to address."</p>

<p>What do you think about the assessment of these high-profile and popular trends being identified as threats by IT execs in government? Is this a case of out-of-touch government bigwigs cracking down on the social web when black hat hackers are truly to blame? Or are so-called social media experts remiss in their duties to ensure that any products they roll out are secure enough for across-the-board use?</p>

<p>Or is it a little bit of both?</p>

<p>Most importantly, how do we solve the problem of ensuring that government and corporate sensitive information remains secure while users get to enjoy the benefits of Internet-based applications?</p>

<p>We welcome your comments below.</p>]]>
    </content>
  </entry>

  <entry>
    <id>tag:www.readwriteweb.com,2009://1.17246-comment:170757</id>
    <thr:in-reply-to ref="tag:www.readwriteweb.com,2009://1.17246" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php"/>
    <link rel="alternate" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php#c170757" />
    <title>Comment from Joel on 2009-11-26</title>
    <author>
        <name>Joel</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>Many security issues with the wifi connection.</p>]]>
    </content>
    <published>2009-11-26T09:20:06Z</published>
  </entry>

  <entry>
    <id>tag:www.readwriteweb.com,2009://1.17246-comment:170760</id>
    <thr:in-reply-to ref="tag:www.readwriteweb.com,2009://1.17246" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php"/>
    <link rel="alternate" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php#c170760" />
    <title>Comment from Virtualisation Hub on 2009-11-26</title>
    <author>
        <name>Virtualisation Hub</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>Have a look at the Virtualisation Hub, there's some great articles about security issues in here <a href="http://www.itproportal.com/ibm/" rel="nofollow">http://www.itproportal.com/ibm/</a> </p>]]>
    </content>
    <published>2009-11-26T09:51:54Z</published>
  </entry>

  <entry>
    <id>tag:www.readwriteweb.com,2009://1.17246-comment:170767</id>
    <thr:in-reply-to ref="tag:www.readwriteweb.com,2009://1.17246" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php"/>
    <link rel="alternate" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php#c170767" />
    <title>Comment from KevinChong on 2009-11-26</title>
    <author>
        <name>KevinChong</name>
        <uri>http://beesz.com</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://beesz.com">
        <![CDATA[<p>Security and antivirus are important to the internet now.</p>]]>
    </content>
    <published>2009-11-26T10:57:23Z</published>
  </entry>

  <entry>
    <id>tag:www.readwriteweb.com,2009://1.17246-comment:170773</id>
    <thr:in-reply-to ref="tag:www.readwriteweb.com,2009://1.17246" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php"/>
    <link rel="alternate" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php#c170773" />
    <title>Comment from anshutandon on 2009-11-26</title>
    <author>
        <name>anshutandon</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>bunkum</p>]]>
    </content>
    <published>2009-11-26T12:37:49Z</published>
  </entry>

  <entry>
    <id>tag:www.readwriteweb.com,2009://1.17246-comment:170778</id>
    <thr:in-reply-to ref="tag:www.readwriteweb.com,2009://1.17246" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php"/>
    <link rel="alternate" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php#c170778" />
    <title>Comment from Anthony on 2009-11-26</title>
    <author>
        <name>Anthony</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>The earth is round, the sun rises in the east, ice is cold.....</p>

<p>Nice pic of the drill instructor from one of my favourite movies of all time Full Metal Jacket.</p>]]>
    </content>
    <published>2009-11-26T13:29:59Z</published>
  </entry>

  <entry>
    <id>tag:www.readwriteweb.com,2009://1.17246-comment:170799</id>
    <thr:in-reply-to ref="tag:www.readwriteweb.com,2009://1.17246" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php"/>
    <link rel="alternate" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php#c170799" />
    <title>Comment from Charles on 2009-11-26</title>
    <author>
        <name>Charles</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>Black Hats and White Hats will continue to be at each other's throats. That's no reason to limit what we as developers and users can do with the technology that we possess.</p>]]>
    </content>
    <published>2009-11-26T16:56:45Z</published>
  </entry>

  <entry>
    <id>tag:www.readwriteweb.com,2009://1.17246-comment:170935</id>
    <thr:in-reply-to ref="tag:www.readwriteweb.com,2009://1.17246" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php"/>
    <link rel="alternate" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php#c170935" />
    <title>Comment from The Sentinal on 2009-11-26</title>
    <author>
        <name>The Sentinal</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>There is no such thing as safe Web data ... If your data is connected to the outside world then eventually someone will hack it ... a key is a key and they can all be copied one way or another ... Even the security agencies have clusters of computers whose task is to crack encryption ... so if you can't trust the supposed good guys then who can you trust?</p>]]>
    </content>
    <published>2009-11-27T05:54:09Z</published>
  </entry>

  <entry>
    <id>tag:www.readwriteweb.com,2009://1.17246-comment:171000</id>
    <thr:in-reply-to ref="tag:www.readwriteweb.com,2009://1.17246" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php"/>
    <link rel="alternate" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php#c171000" />
    <title>Comment from Anon on 2009-11-27</title>
    <author>
        <name>Anon</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>From this article:</p>

<p>"The Ponemon Institute reports, 'IT operations and IT security professionals identified cloud computing, outsourcing of sensitive information to third parties, external threat of organized cyber criminal syndicates, cyber terrorism, and a mobile workforce... '" ... "Is this a case of out-of-touch government bigwigs cracking down on the social web when black hat hackers are truly to blame?"</p>

<p>What do social media have to do with cloud computing and outsourcing of sensitive information? Nothing at all.</p>

<p>Cloud computing (which is one specific form of outsourcing of information) is a security risk for individuals as much as for the government and businesses. When your data leaves your control, you have no idea who's looking at it or what they are doing with it, and no way of knowing how secure or at risk it really is. Of course that's a top security risk. And, no, the government, companies and individuals ought not be exposing themselves to that risk.</p>

<p>As far as social media go, though, the government should also not be involved with these in any significant way. It is not the business of the government to stamp particular social media outlets with their stamp of approval, nor should they allow these outlets to filter or color official government information or interactions with government. The government should communicate directly with the people via official government sites and not through third-party intermediaries.</p>]]>
    </content>
    <published>2009-11-27T15:26:32Z</published>
  </entry>

  <entry>
    <id>tag:www.readwriteweb.com,2009://1.17246-comment:171013</id>
    <thr:in-reply-to ref="tag:www.readwriteweb.com,2009://1.17246" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php"/>
    <link rel="alternate" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php#c171013" />
    <title>Comment from Alexander on 2009-11-27</title>
    <author>
        <name>Alexander</name>
        <uri>http://itknowledgeexchange.techtarget.com/it-compliance/study-links-outsourcing-mobile-workforce-and-cyberterrorism-threats/</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://itknowledgeexchange.techtarget.com/it-compliance/study-links-outsourcing-mobile-workforce-and-cyberterrorism-threats/">
        <![CDATA[<p>The Ponemon study in question reflected the perceptions of security risks of the government IT executives surveyed, not research that demonstrated where cybersecurity has proven weak, Jolie. </p>

<p>I wrote about this earlier this month, when the study was released, and interviewed CA's Dave Hansen about the findings:<br />
<a href="http://itknowledgeexchange.techtarget.com/it-compliance/study-links-outsourcing-mobile-workforce-and-cyberterrorism-threats/" rel="nofollow">http://itknowledgeexchange.techtarget.com/it-compliance/study-links-outsourcing-mobile-workforce-and-cyberterrorism-threats/</a></p>

<p>It might be worth mentioning to your readers, in that vein, that his employer, CA Inc. sponsored the research.</p>

<p>Why is any of that sad or frightening, Jolie? Whose "POVs" don't support the contention that Web application security isn't particularly good right now, and that the use of it by agencies exposed them to greater risk?</p>

<p>The OWASP conference I attended in DC recently showed again and again how vulnerable social networks and mobile applications are to hacking and social engineering. </p>

<p>It would be, perhaps, more frightening if the risks of outsourcing, an increasingly mobile workforce and cyberterrorism <i>weren't</i> perceived as growing threats by government IT execs. Most government data breaches have come from lost laptops, USB drives loaded with malware or network penetration. Bad code in the supply chain or reliance on third-party vendors for security aren't minor concerns.</p>

<p>Anonymous, above, makes a strong point regarding the use of third-party intermediaries or cloud computing, in terms of the greater risk surface that it exposes for agencies. Where he/she misses the study's point is in the perceived risk of unstructured data, as cited in the study. </p>

<p>That's a direct outgrowth of enterprise social computing systems, which have been increasingly used in government, or in external social networks. In either case, the concern is that classified, proprietary or otherwise sensitive data will leak. </p>

<p>I'm not sure how "we solve the problem," other than making sure that sensitive information isn't entered into insecure systems, that laptops are encrypted and that Web application developers build security into their software at the outset, so that governments, nonprofits and private citizens alike can trust them enough to rely upon them in emergencies. </p>

<p>I don't think that the "social media experts" are at fault here - that description usually doesn't include a thorough grounding in infosec. The federal CIO council recently released a document governing the secure use of social media in government that addresses many of those issues.</p>

<p>On the other fronts, maybe it's time to stop loving the trends and making friends with the apps? They're all just tools. If we're lucky, people will use them to effect good in society. Sometimes, bad actors will put them to malicious use. </p>

<p>Regardless of whether we're in 2.0 or some other iteration of a tech epoch, my bet is that that will remain true.</p>]]>
    </content>
    <published>2009-11-27T19:47:42Z</published>
  </entry>

  <entry>
    <id>tag:www.readwriteweb.com,2009://1.17246-comment:172291</id>
    <thr:in-reply-to ref="tag:www.readwriteweb.com,2009://1.17246" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php"/>
    <link rel="alternate" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php#c172291" />
    <title>Comment from lordmorgul on 2009-12-03</title>
    <author>
        <name>lordmorgul</name>
        <uri></uri>
    </author>
    <content type="html" xml:lang="en" xml:base="">
        <![CDATA[<p>It is pretty clear that some of the respondents to this poll did not understand the questions which they are answering...</p>

<p>Are we to understand that these supposed IT leaders (one would think/hope technically savvy people) believe 'web2.0' (a collection of technologies that change presentation of data) are a higher security risk than data breaches (active efforts from crackers)?  I think they must think web2.0 means something it does not.</p>]]>
    </content>
    <published>2009-12-03T20:53:26Z</published>
  </entry>

  <entry>
    <id>tag:www.readwriteweb.com,2009://1.17246-comment:173023</id>
    <thr:in-reply-to ref="tag:www.readwriteweb.com,2009://1.17246" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php"/>
    <link rel="alternate" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php#c173023" />
    <title>Comment from JasonM80 on 2009-12-06</title>
    <author>
        <name>JasonM80</name>
        <uri>http://www.m80im.com</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://www.m80im.com">
        <![CDATA[<p>As Alexander points out, this study "... reflected the perceptions of security risks of the government IT executives surveyed, not research that demonstrated where cybersecurity has proven weak..."</p>

<p>lordmorgul continues "It is pretty clear that some of the respondents to this poll did not understand the questions which they are answering..."</p>

<p>There are a lot of misconceptions around some of the newer technologies in this survey, such as Web 2.0 and Cloud Computing. While they certainly can be the source of security threats (as much as simply connecting a computer to a network), it is very much up to the implementation and usage. If poor coding practices or faulty procedures are followed, these, like almost anything else, can be huge security holes. However, with the right precautions in place, they don't have to be. (Data encryption and data access at a granular level, for instance, are among the precautions that can significantly improve data security.)</p>

<p><br />
(I am contracted by M80, working with Microsoft to promote Windows Azure)</p>]]>
    </content>
    <published>2009-12-07T00:09:29Z</published>
  </entry>

  <entry>
    <id>tag:www.readwriteweb.com,2009://1.17246-comment:180425</id>
    <thr:in-reply-to ref="tag:www.readwriteweb.com,2009://1.17246" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php"/>
    <link rel="alternate" type="text/html" href="http://www.readwriteweb.com/archives/top_web_trends_security_risks.php#c180425" />
    <title>Comment from Security Software on 2010-01-14</title>
    <author>
        <name>Security Software</name>
        <uri>http://www.sophos.com</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://www.sophos.com">
        <![CDATA[<p>It seems natural that the greater the trend the greater the security risk will be. These hackers are not dumb people. They are authoring their code to take advantage not only of long thriving techs like AV (fake AV) and email, but for newer tech like Social Media apps and the cloud. This will never end as long as hackers are at least moderately aware of the state of things.</p>]]>
    </content>
    <published>2010-01-14T14:07:18Z</published>
  </entry>

</feed>