Richard Stiennon, IT-Harvest
IT security is often a nagging thorn in the side of enterprises and those that lead them. It is viewed as a technical issue that should just be fixed.
In this week’s lecture track on security that I delivered for Internet Evolution’s 60 Days of Executive Education, I started off with three things that CXOs consistently fail to grasp about enterprise security.
Good security operations are not the same as good security.
Every organization that uses computers has to deal with the mundane daily tasks of identifying and blocking malware, keeping and reviewing logs, generating reports, and demonstrating compliance. Many organizations that I talk with are great at the operational tasks.
They have deployed technology that helps them patch and manage end points, generate reports, and keep the audit teams happy. But there is a lot more to being secure than doing these tasks well. Let me start with defining good security. From my Focus Note on the subject:
1. A secure network assumes the host is hostile.
It has been years since a firewall that enforces policies based only on source-destination-service has been sufficient. Trusted end points harbor malware, are controlled by attackers, and are launching points for attacks. Network security solutions must be in-line and inspect all the traffic that passes through them. They must look for viruses, worms, exploit traffic, and even unusual behavior. IDC dubs these solutions “complete content inspection” firewalls. Many vendors refer to them as UTM, Unified Threat Management.
One aspect of a secure network that is often overlooked is that the computers on the inside of the network are often the danger. It could be an infected computer brought in by an employee or contractor; it could be a poorly patched server that has been compromised by an outside attacker. Even the smallest organizations have to invest in network security solutions to block attacks from devices on the inside of the network. This is accomplished through network segmentation and deploying content inspection capabilities internally.
As threats multiply, watch for solutions that either sit on top of the access switch or incorporate the switch in their configuration.
2. A secure host assumes the network is hostile.
This is another way of stating the requirement for a layered defense model. A laptop, desktop or server cannot rely on the network to keep it safe. AV, firewalls and anti-spyware solutions have to be installed and up-to-date. Patches for critical applications and OS have to be installed as quickly as possible. Browsing shields should be turned on and Microsoft IE should not be used if at all possible.
3. Secure applications assume the user is hostile.
This is where authentication and authorization come into play. One of the best deterrents of malicious behavior is the end user's awareness that their actions are associated with them (strong authentication) and logged (behavior monitoring). Many online services have failed to protect themselves from their customers. This applies to internal file sharing and community services as well.
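As an added illustration of the third principle (example code written for this page, not from the article or IT-Harvest), a small Python service in which every action is tied to an authenticated user, checked against a deny-by-default policy, and written to an audit log whether it is allowed or refused. The user store, passwords, roles and policy are constructed sample data.

```python
"""Added example: an application that assumes the user is hostile.
Every action is attributed to an authenticated principal, authorised
against a deny-by-default policy, and audit-logged, allowed or not."""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional


def _hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user store: salted password hash plus a role per user.
USERS = {
    "alice": {"salt": "s1", "pw": _hash("s1", "correct horse"), "role": "editor"},
    "bob":   {"salt": "s2", "pw": _hash("s2", "hunter2"),       "role": "viewer"},
}
# Deny-by-default policy: any (role, action) pair not listed here is refused.
POLICY = {"viewer": {"read"}, "editor": {"read", "write"}}

AUDIT_LOG = []  # in a real deployment this is an append-only, tamper-evident store


def _audit(user: str, action: str, resource: str, outcome: str) -> None:
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                      "action": action, "resource": resource, "outcome": outcome})


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the verified username, or None. Failed logins are logged too."""
    rec = USERS.get(username)
    # Constant-time comparison so a wrong guess leaks no timing information.
    if rec and hmac.compare_digest(rec["pw"], _hash(rec["salt"], password)):
        _audit(username, "login", "-", "success")
        return username
    _audit(username, "login", "-", "failure")
    return None


def perform(user: Optional[str], action: str, resource: str) -> bool:
    """Authorise an action on behalf of a user; record the attempt either way."""
    if user is None:  # unauthenticated: never act, but still leave a trace
        _audit("<anonymous>", action, resource, "denied")
        return False
    allowed = action in POLICY.get(USERS[user]["role"], set())
    _audit(user, action, resource, "allowed" if allowed else "denied")
    return allowed
```

Denied and anonymous attempts are recorded alongside successful ones, because the deterrent the article describes only works when the log is complete.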
Why security investments never end.
Extract from my ZDNet post on the topic:
I engaged a visitor to a booth I was manning at the Gartner ITExpo in conversation about network security and he lashed out with “you security vendors are always trying to sell us a new box, you are a money hole we keep spending on but we still get hacked.” This is one of my hot buttons. Pinning the blame on the security industry for all the different solutions that do not interoperate is a favorite game played by industry pundits and CIOs.
As I was digging my heels in and getting my hackles up I finally read this guy’s name badge. He was CIO of a major branch of the U.S. military. Well, here is my answer to him, thought up way too late to confront him face to face.
No sir, you have not spent enough on security. Look to your own operations. Have you enforced segmentation of your network? Have you put firewalls between you and the other agencies? Do you still allow telnet and ftp in unauthenticated clear text? Have you deployed user provisioning? What does your patch management look like? Do you have effective anti-spyware? Do you do security assessments of your entire network on a continuous basis? I know the answers to these questions as well as you do. Look to your latest computer security scores from FISMA. An F. You see that? An F!
Before you point fingers at a security industry that is constantly evaluating the threats and creating countermeasures, look to your own actions, or lack thereof. You sir, have failed in your duty to protect the assets of the U.S. military. You have allowed foreign entities to overrun your networks. On your watch our digital homeland has been invaded.
Strong words perhaps, but I cannot emphasize strongly enough the need for continuous investment in security.
Audit and compliance get in the way of good security.
Please do not confuse compliance with security. There are indeed many standardized ways to accomplish good security operations and audit reports. But many times the resources needed to evaluate and counter new threats are completely absorbed in the compliance effort.
Government regulations and outside auditors have tremendously distracting effects on IT security people. They got into security because they like the day-to-day battle with bad guys -- the technical challenge of securing networks and applications. They did not sign up for endless meetings and paperwork.
So be vigilant and monitor your compliance efforts to ensure that they do not get in the way of your security.
This article was published by Infosec Island.
Richard Stiennon is chief research analyst and founder of IT-Harvest, an independent analyst firm that researches IT security vendors.