Information Security Solutions Status and the Roadmap for Future Requirements

Information Security (InfoSec) Surveys conducted worldwide show that the number and type of InfoSec attacks is expanding daily. This is verified and validated through a survey discussed in this paper. The paper asks a number of questions concerning InfoSec issues, outlines a survey designed to answer these questions, and then discusses the results obtained within the framework of those questions. The survey concludes that, although InfoSec awareness exists, best InfoSec practices are usually not being followed. Consequently InfoSec threats are increasing enormously despite the existence of tools designed to protect against them. Of particular concern is “human factors”, since user carelessness and negligence may contribute to the issue and may grant hacker’s access to sensitive assets.


Introduction
Information systems are facing an enormous increase in information security breaches as hackers always appear to be ahead in discovering system vulnerabilities and then generate attacks that bypass defense systems, Breach Security Labs (2009), Symantec (2009), PWC (2008 and Schryen (2007) discuss the this issue in greater details. Compromised security can impact organizations of many kinds, including governments, businesses, intelligence services, infrastructure, and education so forth. It can disrupt key operations, reduce productivity and inflict significant economic losses; Anderson (2008), Denning (2009) and Clarke and Knake (2010) show that governments have enacted laws to address this type of cybercrime. And indeed why shouldn't they, Infoguard (2010) says "It can take a second to steal a national secret; and it will cost a high price. Ethical hacking brings the message home: If cybercrime is too easy, and the tools to do it are at anybody's fingertips, then it pays to give more attention to the prevention of this new, often widely underestimated form of crime". Therefore, improving information security is critical to the operations, reputation, and economic stability of all information systems users. Many published reports show that hackers are becoming more proficient, and their attacks are becoming extremely destructive, while current InfoSec protection solutions are not effective against hacker's attacks, which is the reason why these attacks are increasing as highlighted in Maynor et al (2007), Denning (2008) and Denning and Denning (2010). There must be no doubt that this challenges all organizations, since they will need to proactively combat the work of unprincipled hackers.

Journal of Information Assurance & Cybersecturity 2
Brancik(2007) mentioned that many hacker's attacks are caused by the insider which is as high as 80% compared to that from the outsider that is 20%; this is because of the contribution of human factor, where for instance, if legitimate users do not conduct systems risk and vulnerability analysis, do not use the right protective tools (and do not maintain them up-to-date), or do not use strong authentication, they may be granting attackers access to their critical assets emphasized in McNab (2004). This is verified and validated through a survey discussed in this paper. The paper asks a number of questions concerning InfoSec issues, outlines a survey designed to answer these questions, and then discusses the results obtained within the framework of those questions. This paper is arranged to first give a brief (in section 2) on the information security survey conducted with respect to the purpose of the survey, the core issues and the anticipated recommendations; then the scope is given in section 2.1, followed by section 2.2 covering the survey evaluation using both quantitative and qualitative analysis. After that, the survey results are mapped with the core issues in section 2.3 and conclude in section 3. Mohay et al (2003), Savage (2010) andOWASP (2010) show that InfoSec hacking threats are increasing, and hackers are finding new ways to bypass the wide range of conventional security tools and techniques available (Fire Walls (FW), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), encryption, Virtual Private Networks (VPN), Network Address Translation (NAT), subnetting, anti-virus (AV) and anti-spy (AS) ware). Bratus (2007) said "To learn security skills, students and developers must be able to switch from their traditional conditioning to the attacker's way of thinking".

InfoSec Survey and the Human Factor
This InfoSec survey was conducted to directly look at: The aim was also to see whether implementing InfoSec solutions based on behavioral analysis and hacker's countermeasures would give better protection against newly emerging InfoSec threats as compared with conventional tools. The survey was therefore designed to indirectly measure: 1. Whether the concept of a "total security solution" is realistic, and if a model driven InfoSec solution would prove to be more robust and more effective than conventional approaches; 2. The human factors issue, how it accounts for the success or failure of InfoSec solutions, and whether it has connections with reverse engineering hacking techniques; 3. Whether InfoSec protection solutions based on behavioral analysis and counter measures of hacker's techniques form a base line for a total InfoSec protection.

Survey Scope
The survey was conducted using a questionnaire, which comprised 15 questions. The questions covered training, risk assessments and security policy, applying this policy (if it exists), best InfoSec practices, verifying the effectiveness of current InfoSec tools, and users' future solution recommendations.
The surveyed sample comprised 100 Information Technology respondents from different organizations (government 30%, private sector 30% and military 40%); respondents came from different backgrounds, levels of education and job responsibilities. Of those surveyed, 10 were face to face interviews with senior IT/InfoSec staff, and 90 were sent by email and hard copy to other staff.

Responses
were accumulated and classified by scoring one point for each check received for each given question. Thus the maximum score possible for any one question (given one reply per question and one reply per respondent) was 100.
Statistical analysis software (SPSS) was used to analyze the data collected, see Figure 1 for summary statistical results. This showed that the majority of responses scored between 10 and 35 with a mean of 25.16, a standard deviation of 16.37, and a variance of 268.141. Table 1 (below) shows response frequencies, there being a maximum of 64 for Q14 (Yes), and a minimum of zero for Q1 and Q4 (Don't care).

Survey Evaluation
The results in Figure 1 and Table 1

Mapping Core Issues to Survey Questions
In this section, the four core issues above are mapped with the survey question results, to give the final and the most important findings of the survey.
The first issue was the status of conventional InfoSec solutions and their effectiveness. This relates to survey questions Q5 to Q7, Q10, and Q13 to Q15. From these it was concluded that conventional InfoSec solutions are not effective against hacker's attacks.
The second issue was whether the concept of a "total security solution" is realistic, and whether a model driven InfoSec solution would prove to be more robust and more effective than conventional approaches. This issue relates to the questions Q5 to Q7 and Q10 to Q14. Responses indicate that the concept of a "total security solution" is not feasible, however, a model driven InfoSec solution would prove more effective and efficient than conventional solutions.
The third issue concerns human factors, how they impact the success or failure of InfoSec solutions, and whether there is any connection with reverse engineering hacking techniques. This issue maps to all questions (Q1 to Q15). These showed that human factors have a significant impact on the success or failure of InfoSec solutions. This is because conventional solutions rely on the users' "good will", which is never Journal of Information Assurance & Cybersecturity 6 achieved fully. On the other hand, reverse engineering hacking techniques, including behavioral analysis, reduce human factors.
The final issue concerns whether Info Sec protection solutions based on behavioral analysis and counter measures of hackers techniques form a base line for a total InfoSec protection. This issue was mapped to questions Q5 to Q7 and Q10 to Q14.
Here there was a positive answer, because countermeasure hacker's techniques would analyze and determine hacking processes and behaviors, which is the core of detection and blocking of breaches. But, not fully a total InfoSec protection as the second survey question denied its existence.

Survey Summary
The survey showed that people have experienced an increase in InfoSec threats, despite the fact that they often exercise good InfoSec practices and behavior. The top most information security threat comes from hacker's attacks for whatever the reason is. This implies that there is a research need for more effective InfoSec solutions against hacker's attacks. Answers on the survey question number 14 gave a recommendation for InfoSec countermeasures solutions based on hacker's behavioral analysis; this answer got the highest score on the survey. There are studies and references that give good guidelines for anti-hacker solution with respect to the type of tools and counter hacker techniques and policies as covered in Fadia (2006), Erickson (2008) and Lockhart (2004). InfoSec awareness is a dominating part in overcoming the human factor and the insider issue as stressed by Brancik(2007); that is dealing with human error whatever the reason is, while the best practices gathers past experience from all sources and utilize it in the best possible way to countermeasure hacker's attacks, Jones and Gallo (2007) and Yuill et al (2006) give good counter hacking approaches. Counter hacker tools should be carefully identified and selected to fit for purpose such as access control, Fire Wall, Intrusion Detection Systems, Intrusion Prevention Systems, encryption (files, storage media, mails and links using SSL, SSH, IPsec, SET), Virtual Private Networks, Network Address Translation, anti-virus and anti-malware knowing that there exist security unit that combine number of security tools into one unit; these tools are detailed in Kanneganti (2008), McClure et al (2005), Shema et al (2006) and Smith and Marchesini (2008).