When wireless networks first emerged, wardrivers proved that many companies had failed to secure them. Is it just plain ignorance, or pure complacency?
It's a little bit of both. From the ignorance point of view, one of the things we see a lot is most wireless product vendors configure them by default to be easily able to connect to. From the security point of view, that's exactly opposite of what you want.
So when you buy any of the common wireless products and plug them in, you can connect to them right away, which is very convenient but totally insecure. That's where ignorance comes into play — when people plug them in and assume it's going to be okay.
The other part is that we see a lot of rogue networks where people plug in a wireless access point at their desk and they can wander around with their laptops. They do that, not knowing the company's security policy. Finding and getting rid of the rogue networks is something the administrators have to do.
Hacking attempts are now closely aligned with the geopolitical issues of the day, like the recent attacks against Japanese Web sites by Chinese hackers. Any thoughts?
The interesting thing is that this is a peculiarly Asian thing. We don't see politically motivated hacking happening as much in Europe and America as it is in Asia.
In the rest of the world, the motivation tends to be more financial. A lot of attacks that we see in Europe and America are mafia-style attacks, with a lot of Russian mafias involved. It is very much organised crime and about generating profits.
In Asia, hacking tends to be more politically motivated, because we see different forms of government compared to Europe and America.
Why should companies buy into managed security services which is effectively giving outsiders the keys to their IT assets?
The reason that companies would do that — basically outsourcing their security — is that the rate of change of new attacks and threats is so high that they are not able to keep up with the changes and still maintain the basic functionality of their IT infrastructure.
So what they are looking for is a company that has the capability to specialise in security and keep up with what's going on and protect them. But at the same time, they have to find someone they can trust.
Over the last four to five years, attempts to start managed security businesses in Asia, Europe and the US have not been successful. The key issue boils down to trust — the companies that are most successful in managed security are those that are trusted by their customers, not whether they have the technology or not.
