RSA Conference, the world’s leading information security conferences and expositions, has unveiled expert insights into salient issues around emerging threats and security technologies.
Ahead of RSAC 2019 APJ, which begins on Tuesday, 16 July, and runs through Thursday, 18 July, at the Marina Bay Sands Convention Center in Singapore, industry experts, including speakers and the program committee of RSAC 2019 APJ weigh in on the evolving threat landscape, and uncover what is hype, what is reality and what this means for businesses and CISOs in the Asia Pacific region.
Linda Gray Martin, senior director and GM, RSA Conferences, said: “RSA Conference serves to be a platform that facilitates pertinent conversations, while informing businesses of how to make actionable decisions on all things cybersecurity. With the continuous emergence of new technologies, enterprises now find themselves having an ever-growing repository of security products that do not necessarily help in providing strategic management of cyberthreats.
“We gathered industry experts participating at RSAC 2019 APJ to share on what risks are understated or overstated, so businesses and CISOs can distinguish between hype and what should be genuine priorities.”
Based on the industry observations and interactions with partners and customers across the region, experts share their thoughts on four hotly contested statements that impact regional businesses in 2019:
* It is possible for a cybersecurity solution to be completely unhackable?
The adoption of fraud detection and prevention solutions, including multifactor authentication and biometric solutions have been on the rise in Asia. According to Grand View Research, the Asia Pacific market will witness the fastest growth rate from 2018-2025, as a result the increasing emphasis on personal data security, stringent regulatory compliances, and increased investments in connected devices and cloud technologies.
While such solutions buffer against attacks, experts caution that businesses need to do more than just ensure that technologies are in place.
“The reality is, biometrics also brings with it some caveats and new risks, including privacy concerns around how ‘Personal Identifiable Information’ is collected, shared and secured as this data can also be a target for cybercriminals. As biometric technologies depend on probabilities and confidence scores, there are also risks that the systems can be spoofed by say, a photo. Therefore, it is always best for biometrics to work in conjunction with other security measures,” explained Vicky Ray, principal researcher, Unit 42 Threat Intelligence, Asia Pacific.
An executive advisor of a Fortune 100 company and member of the RSAC Program Committee shared similar sentiments. “We have seen security “silver bullets” come and go over the years – it used to be biometrics and now, vendors are praising AI as the ultimate cyber defense weapon. Unfortunately, the one constant is that hackers will resolve to targeting the weakest link – people. While biometrics are good as another layer of security, they are but just an additional layer of security. If hackers can convince people to do something that they should not do, no technology will help,” he explains.
* When IoT devices are embedded with security vulnerabilities, it puts users at risk.
The opportunities that the IoT phenomenon has driven across businesses and industries have been almost unparalleled, as ubiquitous connected devices provide key physical data, unlocking further business insights via the cloud. Yet, they have also turned into security concerns with the emergence of distributed denial of service attacks and a rising number of Internet security breaches launched against servers.
Experts warn that this is a valid concern, and that more needs to be done in order to protect end users. Sunil Varkey, CTO and security strategist, Middle East, Africa and Eastern Europe, Symantec, said: “Even as the IoT adoption is in a rapid phase and may soon touch our everyday lives, security needs to be accounted for. Currently, it is not a major consideration in the development lifecycle. As such, most security practitioners are not yet familiar with security protocols for IoT, and that needs to change. Else, any exploit on the vulnerabilities or mis-configurations could lead to huge impact on safety.”
Srinivas Bhattiprolu, senior director-Solutions and Services, Asia Pacific-Japan, Nokia, elaborated on how threat vectors could potentially take advantage of IoT devices, explaining that lateral movements to compromise assets within the security perimeter has been on the rise.
“In order to secure an end-to-end IoT system, it is necessary to clearly understand the vulnerabilities and exploits associated with specific components as well as of the system as a whole,” he explained.
* Critical infrastructure owners should create separate networks to move essential operations off the Internet.
In recent years, governments and organisations across the APJ region have begun the introduction of separate networks, and have even cut off internet connection from employee devices in order to prevent potential leaks from e-mails and shared documents. The Singapore government’s move in May 2017 is one such example in a move to prevent attackers from tapping the internet to plant malware in work devices. As for whether this is essential, experts share differing views.
“The challenges that security professionals have been facing with legacy systems is their complexity and lack of security by design, which necessitate off-network operations. This is still a common practice as it reduces critical systems exposure, providing mitigating controls, by limiting potential cyber-attacks through segregation,” explained Magda Lilia Chelly, MD, Responsible Cyber Pte Ltd.
Varkey however pointed out the increasing challenge of this practice. “While isolation and separation of network segments were an active defense strategy when systems and information were well within defined perimeters and enterprise networks, this might not be enough to solve challenges anymore. This is because heterogeneous multi-cloud environments see users having multiple IT personas.”
“Beyond segregation, owners and operators of critical infrastructure should make sure their systems are properly secure, patched, updated and monitored. It is too easy for an individual today to go on one of several search engines and easily find misconfigured or unpatched critical systems,” continued Varkey.
* AI-powered systems are self-sustaining and secure by design.
According to market research firm, Reportlinker, the Asia Pacific region is expected to be the largest AI cybersecurity market, as a result of the high adoption of advanced technologies like IoT, big data and cloud computing. As for its ability to keep out attacks, experts warn that AI has both exacerbated advances in cybersecurity solutions and threats of cybercrime.
“We have seen recent AI deployments across cyber security solutions, where companies claim that they can detect attacks faster using the technology. Academic research proves a success rate between 85% and 99% – this all depends on the implementation, algorithms and data,” Chelly explained.
“In order for AI to be successful, it requires the appropriate data input. If the data input is manipulated, or biased, new security concerns can emerge very quickly. The data inputs, and their integrity and availability present a crucial element for the AI technology,” she continued.