written by Pierluigi Stella
So previously, in Part 1, we talked about the state of security today, and how, I feel, it is somewhat mishandled. Indeed, security is neither for the faint of heart nor for the untrained person. Can we ever hope to get ahead of the curve?
The way security should ideally be approached is by integrating it into the business processes, much as process plants integrate physical safety and security. You don't walk into a refinery and define a new business process without keeping very closely in mind that the whole plant might blow up if you aren't careful. Similarly, no one should design a business process that could jeopardize the integrity of a company's data. A security expert should attend every such planning session, so that security is built into the process rather than bolted on afterwards. We all need to accept that we're under perpetual attack, and plan accordingly.
How many companies spend even a dollar per employee to train them on security issues? To just show them how a link in an email could compromise an entire organization? To teach them not to click unless they know what they’re clicking?
This doesn't seem technical at all, and yet, in my opinion, it is the single most important area where security is lacking, second only to perimeter defense. Recently we've taken to calling this 'the human element', and our industry has finally recognized it as the most vulnerable part of any company. And please don't go looking at unskilled employees as the culprits. We're all targets, and I have personally witnessed numerous situations where a C-level executive was the one clicking on a link that clearly should not have been touched.
The difference is that when someone at the lower levels has their computer compromised, it's quite possible that not much damage will occur. When a C-level executive does the same, the risk is far higher.
One very common type of attack aims at stealing corporate bank credentials, which typically only the CEO and CFO hold. Once attackers have them, they can transfer money to their own accounts anywhere in the world, and the bank will generally not cover the loss, because the transfer was made with legitimate (albeit stolen) credentials. So, C-level people, you above all should take the security class, before anyone else in your company. Then embrace security and show all your employees that it matters: show it by example, show it by creating policies that always include security; create an environment around you that breathes security (without breathing fear).
Shall we go back to the technical aspects, since that’s what I actually do for a living?
Remember that this is 2015 and that many tools are available to protect your network. A firewall is necessary, but please do not stop there; that was enough way back in 2002. You will need IPS, AV at the gateway and web filtering, and you MUST be scanning encrypted streams. When I say scan, I mean decrypt, open, scan, re-encrypt: yes, a MitM attack of sorts. For that to work, the vendor of the inspection device must give you a CA certificate that you deploy to every endpoint's trust store; the device uses that CA to re-sign the server certificate of each outbound encrypted connection, so the traffic can be decrypted and scanned while clients still see a chain they trust. Be aware that this makes the device the only party validating the real server's certificate, and that the CA's private key is as sensitive as anything on your network: whoever holds it can impersonate any site to every endpoint you have.
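To make the mechanism concrete, the following Go program (an added example, not code from the article or from any inspection vendor) does in miniature what the gateway does: it takes the certificate of an origin server, copies its identity into a new certificate signed by an inspection CA, and then verifies that certificate the way a client would, once with the inspection CA in the trust store and once without. All certificates, keys, the host name `www.example.com` and the CA name `Corp TLS Inspection CA` are constructed in memory for the demonstration; no network traffic is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// issue gives tmpl a random serial, signs it with the parent's key and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates a self-signed CA. For the inspection appliance this is the
// certificate the vendor hands you and that every endpoint must trust.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// resignForInspection is what the gateway does per outbound TLS connection:
// copy the upstream certificate's identity (subject, SANs, validity) into a
// new certificate signed by the inspection CA, with a key the gateway holds.
func resignForInspection(upstream, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:     upstream.Subject,
		DNSNames:    upstream.DNSNames,
		NotBefore:   upstream.NotBefore,
		NotAfter:    upstream.NotAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, err := issue(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// clientVerify is the check a browser performs on the certificate it receives:
// chain to a trusted root in roots and match the host name.
func clientVerify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

type demoResult struct {
	Resigned  *x509.Certificate // what the endpoint actually receives
	WithCA    error             // verification with the inspection CA trusted
	WithoutCA error             // verification with an empty trust store
}

// interceptionDemo wires the pieces together for one host (constructed data).
func interceptionDemo(host string) (*demoResult, error) {
	publicCA, publicKey, err := newCA("Simulated Public CA") // stand-in for a real public CA
	if err != nil {
		return nil, err
	}
	originKey, err := newKey()
	if err != nil {
		return nil, err
	}
	origin, err := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, publicCA, &originKey.PublicKey, publicKey)
	if err != nil {
		return nil, err
	}
	inspCA, inspKey, err := newCA("Corp TLS Inspection CA") // assumed name
	if err != nil {
		return nil, err
	}
	resigned, _, err := resignForInspection(origin, inspCA, inspKey)
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(inspCA)
	return &demoResult{
		Resigned:  resigned,
		WithCA:    clientVerify(resigned, trusted, host),
		WithoutCA: clientVerify(resigned, x509.NewCertPool(), host),
	}, nil
}

func main() {
	res, err := interceptionDemo("www.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer seen by client:", res.Resigned.Issuer.CommonName)
	fmt.Println("inspection CA trusted:  ", res.WithCA)
	fmt.Println("inspection CA untrusted:", res.WithoutCA)
}
```

The second verification failing is exactly the error users see on an endpoint that never received the CA, so a missing or expired inspection CA shows up as a flood of certificate warnings rather than as a quiet loss of visibility. Note also that `resignForInspection` copies whatever the upstream presented without checking it: a real gateway must itself validate the origin's chain before re-signing, because after re-signing the client can no longer tell a genuine origin from a forged one.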
Never connect to your network remotely without a VPN. Never allow anyone who is not a security expert access to your firewall. The common practice of letting network people manage the firewall while security people manage the IPS is one I find indefensible: network engineers' objectives are often at odds with security; they need to get things working and are prone to taking shortcuts to get there.
A security expert understands the hidden consequences of an incorrect or 'loose' configuration, will take a few more seconds to think it through, and will provide a solution that is secure while still allowing business to continue without interruption.
Spend money where it matters, and do not underestimate the danger, because it is real and it is frightening, my friend. But take heart: it can be contained. After all, you want to be the one in the parking lot whose car has an alarm. That way, the thief moves on to the next car; that too is a viable way of doing security.