IT security breach pitfalls named

Facebook, the iPhone and operating systems were all named and shamed as the weak links in the IT security chain by a group of security experts.

But end users were let off the hook by the CEO of a security company who said immature security tech is a bigger danger than human error.

Speaking at the Gartner IT Security Summit 2007, Joanna Rutkowska, CEO and founder of security company Invisible Things Lab, said: "The common belief is that once the users are educated [about the hazards of leaving their personal details online] then no other [security] problems will occur but this is not the case."

Rutkowska added: "Today's prevention technology does not always work even if the user is not stupid... We have an endless arms race as the hackers get better and better."

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below, emailing us at editorial@silicon.com or signing the 10 Downing Street e-petition.

Cyber crime is becoming an increasingly professional business with malware kits sold on the internet and cyber criminals becoming more organised, according to a recent report.

According to Rutkowska, the answer is in building detection and protection software into commercial operating systems to find stealth malware, which is prone to escaping detection. But she said it could be 50 years before commercial operating systems have source code that is 100 per cent safe.

She said: "Detection is still very immature [but] we need a systematic way for checking system compromises. We need to change the operating systems [and] we need the very close help from the operating system vendors to improve detection code."

And it's not only the operating systems that need to be buffed up to beat the hackers.

Also speaking at the summit, John Pescatore, VP and distinguished analyst at Gartner, said consumer applications devices - such as Facebook and the iPhone - will "sneak into" the business world, even though many companies' first reaction will be to ban these sites and devices. Because they can't be managed centrally, the security issues cannot be ignored and must be dealt with now, he said.

Pescatore added: "We knew as soon as we saw the iPhone that [company] managers would want one and read [corporate] emails on this device."

With data breaches hitting the headlines more regularly, Bob Gleichauf, VP and CTO for the Cisco Security Technology Group, also speaking at the Gartner event said security threats are moving to the application area and data loss is now the "number one topic" for security groups.

Gleichauf added peer-to-peer networks are also being used to find corporate data and companies must "build for the fact that our networks are all open networks".