Although the focus of security efforts is often on companies, security professionals should remember that consumers are also affected, said Sarath Geethakumar, a security researcher and senior director of information security for VISA.
“If you would ask me the top security threat, it would be about my family being able to go shopping and buy bread,” he said. “We’re talking about IoT, we’re talking about mobile, but nobody’s asking what’s happening when you’re buying gas or your wife is out using your credit card.”
Geethakumar, co-author of “Hacking Exposed Mobile” and a self-described mobile security enthusiast and “developer by passion,” said “the risk of the unknown is something we can’t quantify.”
Geethakumar said it’s essential for companies to define strategy and governance, establish security standards and guidelines, benchmark security capabilities, and create a risk-based security assessment. Maintaining a security architecture and frameworks, along with secure development standards, is also important, he said.
Companies should build security into every aspect of their systems, and basic hygiene is essential. “You have to set the standard that you’re going to meet and follow these guidelines. We should be able to benchmark security processes. We need to establish security processes. We need to have secure software,” Geethakumar said.
Geethakumar agreed with Cigital CTO Gary McGraw that you can’t walk in and tell developers that “their code is crap.” Rather, he said, “You need to build security champions within the organization.”
Recent security breaches have struck large enterprises, retailers, manufacturers, and others, including Target, Neiman Marcus, Home Depot, PF Chang, Community Health Systems, and JP Morgan Chase. The causes range from problems with third-party software providers and web application vulnerabilities to missing patches, phishing, and targeted attacks.
Geethakumar said the same vectors are being used again and again: malware, phishing, and drive-by downloads. In their wake, the exploits reveal weak security architecture, weak secure software development practices, a lack of vulnerability management, and nonexistent security monitoring.
In that environment, there’s no such thing as “absolute security.” Tellingly, said Geethakumar, most organizations affected by breaches were compliant with regulatory requirements. “It’s inevitable that there’s going to be one person in your organization to get into your organization,” he said.