Risks beyond mobile: Crossing national boundaries or using the cloud
Dunkelberger says you should accept the fact that if you are sending data across national boundaries -- such as designing products in one country and building them in another -- governments and competitors can read the proprietary data you may be sending back and forth unless you are using point-to-point encryption. This is true for desktop and wired communication -- not just for wireless or mobile devices.
The increasingly popular cloud-computing option is also risky, Dunkelberger says. The technology is a boon to de-perimeterized executives who want to access corporate applications outside the firewall, but that means sensitive data also lives outside the firewall, beyond your control. If your company uses SaaS (software as a service) or another cloud-type offering, you should ask the service provider how it secures its applications when federated across 50 different systems, Dunkelberger advises. "Do not put [intellectual property] on a SaaS service," he warns.
Traditional Web security products and services filter URLs and can inspect downloadable objects for malicious files. However, Web sites now more often stream AJAX-based and other Web applications that launch without user interaction. Most security software checks a file only after it has been downloaded; such software does not protect against malicious code running in the cloud.
"Security professionals should look at security in the cloud and specifically Web security in the cloud, which is critical to being able to protect users on the Web when they leave the office perimeter and access the Web in hotels, airports, at home, or in the office on laptop and mobile device," says Paul Judge, CTO at Purewire, a Web SaaS company.
The more hops that data travels, the greater the risk of it being intercepted, say most security experts. And you may be surprised how many hops data travels. You can use a Unix utility called traceroute to track the route taken by packets across an IP network. In one quick test, going from one computer to CNN.com took 12 hops -- each a potential entry point for cyberthieves.
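As an added example (not from the article or its sources), the following Python script parses traceroute output, counts the hops, and flags the first hop outside RFC 1918 address space, that is, the point at which traffic leaves the network you control. The traceroute text is a constructed sample using documentation addresses, not a real capture.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# RFC 1918 address space: hops inside these ranges are still on a private network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of Linux traceroute output (not a real capture); documentation addresses only.
SAMPLE = """\
traceroute to example.com (192.0.2.44), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  1.123 ms  0.987 ms  1.001 ms
 2  10.0.0.1 (10.0.0.1)  5.432 ms  5.210 ms  5.111 ms
 3  * * *
 4  203.0.113.9 (203.0.113.9)  12.301 ms  12.104 ms  12.512 ms
 5  198.51.100.7 (198.51.100.7)  20.118 ms  * 19.804 ms
 6  example.com (192.0.2.44)  25.009 ms  24.911 ms  25.203 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # hop number, then the rest of the line
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # IPv4 addresses shown in parentheses

@dataclass
class Hop:
    number: int
    addrs: list = field(default_factory=list)

    @property
    def responded(self):
        # A hop that printed only "* * *" sent no reply at all.
        return bool(self.addrs)

    @property
    def internal(self):
        # Internal only if every address seen for this hop is RFC 1918.
        return self.responded and all(
            any(ipaddress.ip_address(a) in n for n in INTERNAL_NETS) for a in self.addrs)

def parse_traceroute(text):
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)          # the header line does not start with a number
        if m:
            hops.append(Hop(int(m.group(1)), ADDR_RE.findall(m.group(2))))
    return hops

def summarize(text):
    hops = parse_traceroute(text)
    external = [h.number for h in hops if h.responded and not h.internal]
    return {"hop_count": len(hops),
            "silent_hops": [h.number for h in hops if not h.responded],
            "first_external_hop": external[0] if external else None,
            "external_hops": external}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Every hop from the first external one onward is a router you do not operate, which is the practical argument for end-to-end encryption regardless of how short the path looks.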
According to Core Security's Kellerman, there are a huge number of hacking programs available for electronic espionage. "It is a regular arms bazaar. It's like the Dark Ages with mercenaries for hire," he says.
Both organized crime gangs and sovereign nations have made a business of stealing intellectual property, such as trade secrets, by conducting cyberespionage. Such espionage is worth hundreds of billions of dollars in business, and unsurprisingly major criminal syndicates from the Chinese Triad to the Russian mafia are heavily involved in hacking, says Kellerman. Even the Brazilian drug underworld is getting involved because, as it turns out, it is easier and safer to hack a system and sell the information than it is to grow, process, and distribute cocaine. And cyberespionage is more profitable as well.
The result, Kellerman says: "We are hemorrhaging data."
The answer -- in addition to rethinking what information you make available through unsecure devices and networks in the first place -- is to get real about which of your security systems are actually working as they should. It's not just about having a firewall or a virus scanner, he says, but vetting, assessing, assuring, and testing to demonstrate that they are functioning. "In other words, make sure that your dogs bark."