By Tonny Mwendwa
It is on a lazy afternoon and a financial institution's firewall has just been breached, leading to a monetary loss through 'cyberspace'. On the other end of the city, an insurance firm has lost a material amount of money through fraud perpetuated by identity theft.
These scenarios are replicated in almost every facet of business in which processes have been highly automated with information security not keeping pace with the evolving nature of applications.
The expectation that private information will remain secure is challenged by the popularity of social networks, which encourage the interactive sharing of information by users.
According to the Sophos Threat Report of 2011, social networking spam and malware attacks are on the rise. Imagine the potential danger of a robber being able to gather sensitive personal information about a cash supervisor in a bank from a social network site, leaving the supervisor and the bank potentially vulnerable to an attack through it’s employee. Information security needs to become a core competency for any organisation. Organisations need to dispel the notion that information security is now less important owing to improvement in attitudes towards security and security design.
Sensitive information
One of the emerging IT trends is social networking. While organisations may prudently opt to take the path of not getting socially connected, chances are high that a bulk of their employees will be ‘socially networked’.
The major problem with social media is people’s willingness to share information about themselves on the Internet, which provides a convenient method for attackers to identify specific groups and individuals that work for the organisation that they intend to attack.
An attacker might easily infiltrate a social network to obtain technical details or befriend individuals to discover sensitive information that might result in further access into the target network or organisation.
There is a growing misconception that firewalls will provide all the necessary border security needed. However, the application landscape has changed dramatically, creating the challenge of application classification.
The problem is not the growing diversity of applications, but the inability to strictly and consistently classify the firewalls as good or bad. Although a few are clearly low risk and often reward, others are clearly high risk. Most, however, lie somewhere in between.
Moreover, which end of the spectrum these applications fall on can vary from scenario to scenario, even user to user or session to session.
Although firewalls are deployed in-line at critical network junctions, most are far-sighted. They can see the general shape of things, but not the finer details of what is actually happening. They rely on a convention rather than requirement.
Network traffic
For example, a given port corresponds to a given service (e.g., TCP port 80 corresponds to HTTP). As such, they are also incapable of distinguishing between different applications that use the same service.
In addition, most firewalls simply lack the visibility and intelligence to discern: which network traffic corresponds to applications that serve a legitimate business purpose but are being used for unsanctioned activities; and which network traffic, even though it corresponds to legitimate business activities, should be blocked because it includes malware or other types of threats.
Computing power
Recent hardware advances have resulted in processing power increasing while the cost of getting this power within the business information technology infrastructure has considerably come down.
While raw processing power has gone down to the user devices, information technology infrastructures have become more vulnerable to various attacks such as brute-force attacks.
This provides an example of the accessibility of raw computing power to the average person. It is therefore paramount that organisations maintain pace with such developments, as cryptographic solutions that may be secure today but so in the near future.
While this article does not even begin to scratch the surface in line with the current information security challenges now and in the future, we must remind ourselves of the principle that IT security is a process and not a solution, and that improved security merely raises the bar in terms of the skill levels required to identify and exploit vulnerabilities.
—Mwendwa is a Consultant, Technology Advisory Services Department, Deloitte Kenya.
The views expressed in this article are the author’s and not necessarily those of Deloitte Kenya.
The Standard Group Plc is a multi-media organization with investments in media
platforms spanning newspaper print operations, television, radio broadcasting,
digital and online services. The Standard Group is recognized as a leading
multi-media house in Kenya with a key influence in matters of national and
international interest.
NCPB sets in motion plans to compensate farmers for fake fertiliser
Governors reject revenue Bill, demand Sh439.5 billion allocation
Firm linked to fake fertiliser calls for arrest of Linturi, NCPB boss 
KPLC to pay Sh500 million for Nakumatt fire tragedy
Scented success: Passion for cologne birthed my venture 
Lenders raise interest on loans despite CBK holding key rate
Huge volumes of unsold tea at Mombasa auction raises red flag
Kebs now shifts focus to MSMEs to reverse 'State victim fear' tag
CBK's fresh bid to raise core capital puts small lenders, investors on edge
After avocado, KRA now trains its guns on sugarcane farmers
Pioneer women CEOs leading the way in Kenya's banking sector
Hike in EPRA levy denies motorists a bigger drop in pump prices
join