Back to basics…
Security breaches are on the rise. Yet as security experts face ever more complex and challenging threats, is there a risk some of the basic components of IT security are being overlooked?
By Mark Kedgley.
Security breaches are on the rise. Indeed, Experian's 2014 Data Breach Industry Forecast (1) predicts that new security threats and transparency regulations will make 2014 a ‘critical year’ for data breaches and warns that organizations need to be better prepared. So what’s going wrong?
Sadly, however, recent high profile breaches would suggest that the routine, tried, trusted and proven security activity is being overlooked.
Why are so many security experts spending more time, money and effort attempting to prevent esoteric potential threats by, for example, tracking subtle network activity changes or signs of unexpected increases in data storage, than checking that the AV patches have been applied? Or actively seeking out innovative anti-phishing appliances, while failing to comply with proven data security standards?
Given the experiences of the recent months, second guessing the latest and most fashionable security issue is not proving a successful anti-breach strategy!
It may seem important to keep up to date with the latest threats but, take a step back: is it really sensible to be checking for new footprints in the garden that may, just may, suggest a risk of attack, when the front door is wide open, the windows unlocked and the attack Rottweiler has been replaced by a Cockerpoo designer dog?
Clearly not. Yet in the world of technology in general, and IT security in particular, the lure of the new is compelling. So how can the industry address this rising tide of security breaches? The answer may not appeal, but companies have got to go back to basics and create a steady, known and secure environment.
The concept is simple: if an organization cannot clearly understand what comprises a good, secure environment, it is impossible to ever identify something bad. And that is the heart of the problem facing too many organizations today: without a good, secure and optimised environment it is impossible to spot the changes that would indicate some form of security attack is underway.
Following the guidance of trusted standards – most notably the Payment Card Industry Data Security Standard (PCI DSS) - organizations can quickly evolve from today’s anarchic approach to creating a far more secure environment.
Step one: deploy a firewall and make sure it is working correctly.
Step two: harden the infrastructure to significantly reduce the threat surface.
Step three: ensure that the tools are in place to check any changes in the scope systems, from servers and network devices to databases, and respond to these changes immediately.
Hardening the infrastructure demands a good vulnerability assessment; evaluating the organization’s unique attack surface and taking the right steps to close off any problems, including well known attack modes of operation. It does not, however, despite recent trends in the industry, mean simply flagging the top five vulnerabilities in a surface threat analysis. This attitude is disingenuous: it still leaves other threats at large and, to be frank, patching five out of six holes in a boat may just give enough time to abandon ship, but that ship is still going to sink.
Some vulnerabilities are obviously more acute than others – but that does not mean ignoring low priority vulnerabilities or opting to leave known weaknesses in place for a few more weeks or months.
Of course, even applying PCI DSS measures correctly is no guarantee the company will be immune to attack. But, critically, it does mean the business will be well armed with tools that can prevent the breach and raise the alarm at any attempt. If followed to the letter – with both technology and culture – it should be impossible to fall prey to a Target-style breach that led to malware being undetected for weeks while credit card details were siphoned off.
There is no simple approach to IT security and there is no single product that can guarantee corporate data is kept safe. IT security is constantly evolving and no one appliance, box or software product is going to deliver the silver bullet – however good the marketing hype. Yes there are great new products being developed to deal with specific new threats, such as anti-phishing or anti-malware appliances. But using these in isolation is not going to safeguard any IT infrastructure because there is always more than one security threat to address; a multi-faceted, joined up approach is essential.
With no ‘IT security on a plate’ option, organizations require skills, expertise and, critically, rigour. It is only by following proven security standards such as PCI DSS, hardening the IT infrastructure and continually checking to ensure the severs, network devices and database systems are in a known state that an organization can minimise the risk of breaches and, critically, ensure problems are immediately addressed and resolved.
Sounds dull? Maybe. But how much fun is a major breach that results in the theft of thousands of customers’ credit card details or critical corporate IP? For those that have experienced a security breach, the pleasure of playing with a new, shiny security toy rather than employing best practice was never worth with risk. So before heading out to look for those footprints in the garden, check the front door is shut and the windows are locked!
Mark Kedgley is CTO of NNT.
•Date: 15th May 2014 • World •Type: Article • Topic: ISM