Mark Odiorne Discusses Fast Growing Threats in SC Magazine
- VTX Staff
- May 1, 2012
- 2 min read
Updated: Dec 7, 2022
Vertechs' own Mark Odiorne in the news:

It's about all an enterprise can do to "stay at least one or two steps behind" criminal attackers in the constant effort to keep their websites out of trouble (and the news), says Mark Odiorne, the CISO at Scottish RE, which provides life, annuity and financial reinsurance services to the consumer insurance industry. "We have a number of external points of presence to the internet. We've grown those over the past few years and we're constantly checking those for vulnerabilities," he confides.
Odiorne believes it's especially important to perform a thorough assessment "anytime we make a change, such as upgrade a server." He says that Scottish RE's IT personnel are constantly testing the company's "external posture, especially of the servers in our DMZ area."
The exploits used to attack web applications may sport obscure, if sinister-sounding, names; SQL injection, "remote file includes" in PHP, cross-site scripting (XSS), cross-site request forgery (CSRF) and directory traversal are the most common.
But they're still among the fastest growing threats that corporate information technology professionals must deal with, according to security experts.
The SANS Institute recently added web application vulnerabilities, in particular, those noted above, to its list of Top 20 Internet Security Attack Targets for 2006. "Most programmers never learned to program securely," explains Alan Paller, SANS director of research, "so they optimize time and don't know they're leaving holes."
Enterprises are also now finding that they must cope with "a massive growth in zero-day attacks on Windows," says Paller. "It's like nothing we've seen before, as many as three to four times more than a year ago."
It all adds up to a fundamental shift in the way enterprises must deal with so-called cyberattacks, Paller believes. "The confidence organizations once had that their [network] perimeter is stopping attacks has disappeared," he says.
"This means that you have to start treating your internet communications with more care," he says. "You have to stop trusting your computers because, more and more, they're not under the control of your users, but more and more under the control of others."
The security professionals at consultancy Ernst & Young (E&Y) concur with SANS' assessment of web apps. "From our standpoint, web-based applications have become the main attack vector against enterprises," says José Granado, a principal in E&Y's security and technology solutions practice.
This leads to what Granado calls the "perfect storm scenario" — a confluence of cybercrime, increased government regulatory demands on an enterprise's online behavior, and consumer pressure for more and enhanced online security. This amalgamation, he believes, should drive security executives to take on such challenges well before their companies' boards of directors do, because massive fallout from security breaches can dramatically impact business initiatives.
Excerpted from SC Magazine. Read the entire article here.