A major part of Check Point’s ‘3D Security’ strategy is a focus on people. In a nutshell, all the security software in the world won’t protect customers if their employees aren’t sufficiently educated in basic practices like keeping their passwords secure.
Check Point’s security evangelist, Tomer Teller, told delegates how hackers, appreciating this fact, have in the last few years started using social engineering to access the computers of low-level employees and thus bypass business security software.
Hacking isn’t all about snazzy computer skills any more, Teller says. Understanding the structure of a business is as simple as finding employees’ names, phone numbers and email addresses from discarded, unshredded documents, then researching social media sites to see who communicates with whom.
You also don’t have to break into a network to find out what systems a company uses – just check the experience recommendations in their job ads, or even wander into the lobby, distract the receptionist and take a sneaky peek at his or her display.
How to take over a nuclear plant
Indeed, Teller says one of the most potentially catastrophic hacks of the last year, the Stuxnet attack on the Bushehr nuclear facility in Iran, was most likely set in motion through simple social engineering.
The virus would have been transferable via USB, Teller says, and although the hackers may have paid an employee to introduce it to the facility’s system, it would have been far cheaper and probably just as effective to simply throw a bunch of devices over the fence and count on people plugging them into computers nearby to identify their owners.
Thoughts from the CEO
On the second day of the conference, we were lucky enough to attend a lunch with Check Point founder, chairman and cheif executive, Gil Shwed.
Shwed started the company in 1993, developing one of the first examples of firewall technology soon afterwards. Now, the company boasts a full set of security products, known as ‘blades’, and is, Shwed says, the largest pure security company in the world.
Although plenty of discussion at the conference centred on online security’s sudden media prevalence thanks to groups like Anonymous and LulzSec and sites like Wikileaks, Shwed says Check Point’s plans are as steady as ever.
"We’ve never felt the need to use scare tactics,” Shwed says. "People in IT already knew about the risks. Just because it is in the public eye does not mean they are more likely to come to us.”
Looking to the future
Of course, there was plenty of opportunity to look at initiatives Check Point will be implementing in the next few months.
The most significant area of development is certainly the mobile space, with more and more companies wanting to secure their employees’ mobile devices, such as tablets and smartphones.
Check Point is introducing tools such as two-tier authentication, whereby when employees attempt to login they are sent a text message with a code they must input before they are granted access; user-device pairing, which prevents users from logging in on other employees’ devices; and remote wiping, for removing data when devices are lost or stolen.
Check Point is also working on a new document security tool, cloud security, and a new operating system, known as Gaia.