
Dangerous Security Mistakes That Can Take Your Company Down
1:13 PM EST Wed. Oct. 10, 2007
Developing, implementing, and maintaining an IT security strategy is a task so rife with stress and second guessing that it could probably give Rip Van Winkle insomnia. CRN recently asked several IT security experts for their take on some of the most common errors in judgment companies make when it comes to securing their networks.
Their responses suggest that while many companies devote massive amounts of financial and human resources to the task of ensuring that a company's network is secure, there are systemic security oversights that frequently slip under the radar, putting companies at risk and creating a false sense of security.
John Stewart, chief security officer, Cisco Systems
Traditionally, those chartered with securing an enterprise have tended to look to technology first -- and, at times, exclusively -- to protect their information assets. But there is no "silver bullet" that can make an enterprise secure. Security professionals may want to simply write a check or apply more technology with the hopes that it will make the problem go away.
That simply doesn't work. Technology does not equal security. You can't resolve all security issues by strictly applying more technology to the problem. Security is a process, not a product. It's a culture, not a service. Only through consistently evaluating the risks of every interaction with applications and data can sustainable security be achieved.
The hard work begins by recognizing the business systems that are most critical to your operations. Then incrementally securing each exposure. Over time your assets become more and more secure. It is neither easy, nor quick, but it's important and it must be done. You have no more valuable assets than your customer data and your intellectual property, so protect them wisely.
Ryan Hamlin, general manager, Access and Security Division, Server and Tools Business at Microsoft
Many companies mistakenly provide what they believe is "good enough" security, such as running antivirus only on the desktop or appliance, or relying on only a single technology at every scanning point in their network. Or they take a "react and patch" approach to security, just addressing problems as they come up with point solutions and fixes. The problem with both of these approaches is that they can expose vulnerabilities, lead to a single point of failure and overtax IT budgets and staff.
The best defense is a strong offense. Companies need to develop a comprehensive, layered defense strategy that identifies the people, processes and technologies required to create and maintain a solid security architecture for their business. This includes deploying security solutions at multiple levels in their infrastructure (for example, across client, server and network edge), utilizing different, complementary technologies that can be intelligently and efficiently managed as one, and having a strong and tested response process in the event the unexpected happens.
Samir Kapuria, a distinguished principal for Symantec Global Security Consulting, part of Symantec Global Services
Outsourcing various tasks and functions has become common practice in today's business world and allows organizations to drive core areas related to their business. But companies all too often fail to realize how third-party relationships may impact their overall risk posture, jeopardize their compliance, or threaten their business. As the client, companies cannot assume that potential vendors and partners implement similar security measures or that their internal security posture standards automatically fall into the scope of any partner relationship.
Companies need to ensure that partners can meet a desired risk posture. Before and after formally entering into a new relationship, companies should prioritize security during the negotiation period and outline specific risk and security measures in legal contracts to ensure that partners can meet a desired risk posture. If left unaddressed, the client may be seriously exposed in the event that a third-party partner or provider experiences some type of security threat, compliance breach, etc.
Marc Maiffret, CTO of eEye Digital Security of Aliso Viejo, Calif.
One of the biggest mistakes companies are making is not patching third-party, non-Microsoft software. Most patching tools and third-party products are inappropriately applying patches, and the result is that hackers are finding and exploiting these flaws.
Beyond antivirus, companies are not investing nearly enough in security on the desktop/endpoint side. Most of today's attacks are against client application vulnerabilities, but businesses still live in the old world of simply having antivirus on the desktop as the only solution. Standalone antivirus is dead. Attackers know this, but most businesses do not.
David Vergara, director of product marketing for data security, Check Point Software Technologies
Most companies spend the bulk of their IT budgets on network security and completely lose sight of the need to focus resources on data security. In fact, a recent Datagate Study showed, on average, that IT managers polled used only 0.5% of their entire budget on data security. This is amazing in light of the fact that the majority of data loss incidents are the result of lost or stolen devices.
Another risk that companies often take is deploying unproven solutions, which cause considerable damage to their reputation. All companies are cost conscious, but budgets can be blown completely if unproven or incomplete products are deployed and don't deliver in terms of the level of security, total cost of ownership, speed/scale of deployment, and platform coverage.
Joe Levy, CTO at SonicWall
It's tempting to surrender to the frustration of the perceived ineffectiveness of security training. Don't give up! Commit yourself to remain the tireless herald of best practices; every individual who adopts even a single good behavior or habit helps the fight, and can spread the knowledge.
It's also easy to forget the basics with all the new technologies available today. Even if your network employs UTM, NAC, DLP, or next-generation firewalls, never underestimate the effectiveness of simple egress controls. For example, if there are hosts on your network sending SMB/CIFS/RPC/NetBIOS traffic to the Internet, or if there are nodes other than your sanctioned mail-servers sending SMTP traffic, that's usually a good indication of infection.
Log it, block it, and investigate it. Stop the spread!
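The egress check Levy describes, written out as an added example (not code from the article or from SonicWall): it scans firewall or flow records for internal hosts sending SMB/CIFS/RPC/NetBIOS traffic to the Internet and for SMTP leaving from any host other than the sanctioned mail servers. The record format, the RFC 1918 internal ranges, the port-to-protocol table, the sample records and the sanctioned-server address are all assumptions constructed for the demo.

```python
"""Egress-control check over constructed flow records (added example)."""
import ipaddress
from collections import defaultdict

# Address space considered "inside" the perimeter (assumption: RFC 1918 only).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports whose only legitimate use is inside the perimeter (assumption).
WINDOWS_ONLY_PORTS = {135: "RPC", 137: "NetBIOS-NS", 138: "NetBIOS-DGM",
                      139: "NetBIOS-SSN", 445: "SMB/CIFS"}
SMTP_PORT = 25

# Hosts allowed to speak SMTP outbound (constructed for the example).
SANCTIONED_MAIL_SERVERS = {"10.0.0.25"}

# Constructed flow records: "timestamp src dst proto dport action"
SAMPLE_FLOWS = """\
2007-10-10T13:01:02 10.0.5.17 203.0.113.9 tcp 445 allow
2007-10-10T13:01:03 10.0.5.17 203.0.113.9 tcp 139 allow
2007-10-10T13:01:05 10.0.0.25 198.51.100.4 tcp 25 allow
2007-10-10T13:01:07 10.0.5.42 198.51.100.77 tcp 25 allow
2007-10-10T13:01:09 10.0.5.42 198.51.100.78 tcp 25 allow
2007-10-10T13:01:11 10.0.5.17 10.0.0.3 tcp 445 allow
2007-10-10T13:01:12 10.0.7.8 203.0.113.50 tcp 443 allow
"""


def parse_flow(line):
    """Split one whitespace-separated record into typed fields."""
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto,
            "dport": int(dport), "action": action}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETWORKS)


def find_egress_anomalies(text):
    """Return (src, dst, dport, reason) for each suspicious internal->Internet flow."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        # Only internal -> Internet flows matter for an egress control.
        if not (is_internal(f["src"]) and not is_internal(f["dst"])):
            continue
        src, dst, port = str(f["src"]), str(f["dst"]), f["dport"]
        if port in WINDOWS_ONLY_PORTS:
            findings.append((src, dst, port, f"{WINDOWS_ONLY_PORTS[port]} to Internet"))
        elif port == SMTP_PORT and src not in SANCTIONED_MAIL_SERVERS:
            findings.append((src, dst, port, "SMTP from non-mail host"))
    return findings


def hosts_to_investigate(findings):
    """Group findings by source host: this is the list to block and investigate."""
    by_host = defaultdict(set)
    for src, _dst, _port, reason in findings:
        by_host[src].add(reason)
    return dict(by_host)


if __name__ == "__main__":
    for host, reasons in hosts_to_investigate(find_egress_anomalies(SAMPLE_FLOWS)).items():
        print(host, sorted(reasons))
```

In the sample, 10.0.5.17 is flagged for SMB and NetBIOS sessions to a public address while its identical traffic to 10.0.0.3 is ignored, and 10.0.5.42 is flagged for direct-to-MX SMTP while the sanctioned relay 10.0.0.25 is not; those two hosts are the ones to block and pull for investigation.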
Mitchell Ashley, CTO at StillSecure
Who's watching the watchers? Do you adequately protect root, require use of SU (the substitute user command), and audit all user actions on servers, network, and security devices? Today's smartest employee could be tomorrow's worst nightmare.
We are rapidly reaching a point where a security breach or data loss will result in the firing of both management and staff. Isn't it worth putting your job on the line to get your company to take security seriously? Worst case -- it's better to be fired now than later because of an incident.
Businesses are not coffee shops. Is it really worth the risk to allow end users to use P2P, download music and files, install software apps, play games or surf non-business sites? A balance is necessary but you don't want to be at the top of the teeter-totter when the other end goes empty.
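Ashley's "who's watching the watchers" question, turned into a concrete audit as an added example (not code from the article or from StillSecure): it reads an authentication log and reports direct root logins over SSH, successful su-to-root sessions with the originating user, and accounts that repeatedly fail su to root, and it checks an sshd_config excerpt for PermitRootLogin. The log lines, the su message formats matched by the regular expressions, the sshd_config excerpt and the failure threshold are assumptions constructed for the demo.

```python
"""Privileged-access audit over constructed auth log lines (added example)."""
import re
from collections import Counter

# Constructed syslog-style authentication records.
SAMPLE_AUTH_LOG = """\
Oct 10 13:02:01 srv1 sshd[2201]: Accepted password for root from 10.0.5.42 port 51022 ssh2
Oct 10 13:02:30 srv1 sshd[2230]: Accepted publickey for alice from 10.0.5.17 port 51030 ssh2
Oct 10 13:02:45 srv1 su: (to root) alice on pts/1
Oct 10 13:03:10 srv1 sshd[2260]: Accepted publickey for bob from 10.0.5.18 port 51040 ssh2
Oct 10 13:03:20 srv1 su: FAILED SU (to root) bob on pts/2
Oct 10 13:03:25 srv1 su: FAILED SU (to root) bob on pts/2
Oct 10 13:03:30 srv1 su: FAILED SU (to root) bob on pts/2
"""

# Constructed sshd_config excerpt with the weak setting.
SAMPLE_SSHD_CONFIG = """\
# constructed excerpt
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Message formats are assumptions modelled on common OpenSSH / shadow su output.
SSH_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
SU_OK = re.compile(r"su: \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)")
SU_FAIL = re.compile(r"su: FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)")


def audit_privileged_access(text, fail_threshold=3):
    """Summarise who reached root, how, and who keeps trying and failing."""
    report = {"direct_root_logins": [], "su_to_root": [], "repeated_su_failures": {}}
    failures = Counter()
    for line in text.splitlines():
        m = SSH_ACCEPT.search(line)
        if m:
            # A direct root login leaves no record of which person used the account.
            if m["user"] == "root":
                report["direct_root_logins"].append((m["src"], m["method"]))
            continue
        m = SU_OK.search(line)
        if m and m["target"] == "root":
            report["su_to_root"].append((m["user"], m["tty"]))  # attributable escalation
            continue
        m = SU_FAIL.search(line)
        if m and m["target"] == "root":
            failures[m["user"]] += 1
    report["repeated_su_failures"] = {u: n for u, n in failures.items() if n >= fail_threshold}
    return report


def sshd_config_issues(text):
    """Flag the setting that lets root bypass the su audit trail entirely."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()
    issues = []
    if settings.get("permitrootlogin") == "yes":
        issues.append("PermitRootLogin yes: root can log in directly; require a named account plus su")
    return issues


if __name__ == "__main__":
    print(audit_privileged_access(SAMPLE_AUTH_LOG))
    print(sshd_config_issues(SAMPLE_SSHD_CONFIG))
```

The report separates the attributable path (alice logged in as herself and then became root, so the su record names a person) from the unattributable one (a password login straight to root from 10.0.5.42, which the sshd_config check shows is permitted); bob's three failed su attempts cross the threshold and appear as a separate item to follow up.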
Paul Moriarty, director of Internet Content Security at Trend Micro
You listen to the salesman who tells you how wonderful the security product is. You buy it and your team gets it installed into your company's network. More pressing matters command attention and the product sits, running but forgotten. Is it getting updated? Does it need to be reviewed and adjusted periodically? Has it failed in some quiet way without warning you?
Like any other system or application, security products typically need some care and feeding. Ignore this and it will be you who will be taking care of hackers feeding on your corporate data.
Jan Hichert, CEO and co-founder of Astaro
Many companies don't change the default policy of a security appliance once it's installed, and they also leave default passwords unchanged. A security appliance can pose a security risk when not properly configured.
We also see a lot of companies that use email security appliances mistakenly setting them as open relays. This opens the door for spammers to relay millions of messages through their unit, which not only spams people, but has the adverse side effect of getting them on real-time blackhole lists (RBLs). So even after they fix the problem, they have to approach each RBL separately and go through their removal process, which can be very time consuming.
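To make the open-relay mistake Hichert describes concrete, here is an added example (not code from the article, from Astaro, or from any MTA) that models the relay decision an SMTP server makes per recipient, in the style of Postfix's permit_mynetworks / permit_sasl_authenticated / reject_unauth_destination chain, and evaluates the same four client sessions against a trusted-network list that is wide open and against a corrected one. The local domain, the network lists and the sessions are constructed assumptions; the decision function is a model of the policy, not the server's own code.

```python
"""Open relay versus corrected relay policy (added example)."""
import ipaddress

# Domains this MTA accepts mail for (constructed).
LOCAL_DOMAINS = {"example.com"}

# The misconfiguration: treating every address on the Internet as "inside".
MYNETWORKS_OPEN = ["0.0.0.0/0"]
# The corrected list: loopback plus the site's own address space (constructed).
MYNETWORKS_FIXED = ["127.0.0.0/8", "10.0.0.0/8"]


def relay_decision(client_ip, authenticated, rcpt, mynetworks, local_domains=LOCAL_DOMAINS):
    """Return (accepted, rule) for one RCPT TO, evaluating rules in order."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    # Rule 1: trusted networks may relay anywhere (permit_mynetworks).
    if any(ip in ipaddress.ip_network(n) for n in mynetworks):
        return (True, "permit_mynetworks")
    # Rule 2: authenticated users may relay anywhere (permit_sasl_authenticated).
    if authenticated:
        return (True, "permit_sasl_authenticated")
    # Rule 3: anyone may deliver to domains we are responsible for.
    if domain in local_domains:
        return (True, "local destination")
    # Otherwise refuse to relay (reject_unauth_destination).
    return (False, "554 5.7.1 Relay access denied")


# Constructed sessions: (client ip, SASL-authenticated, recipient).
SAMPLE_SESSIONS = [
    ("203.0.113.9", False, "victim@other.example"),   # outside host relaying outbound
    ("203.0.113.9", False, "alice@example.com"),      # inbound mail to us: must be accepted
    ("10.0.5.17", False, "friend@other.example"),     # internal host sending out
    ("198.51.100.4", True, "friend@other.example"),   # roaming user who authenticated
]


def evaluate(mynetworks):
    """Accept/reject outcome for each sample session under the given trusted list."""
    return [relay_decision(ip, auth, rcpt, mynetworks)[0] for ip, auth, rcpt in SAMPLE_SESSIONS]


def is_open_relay(mynetworks):
    """Open-relay test: an unauthenticated outside client with a foreign recipient gets through."""
    return relay_decision("203.0.113.9", False, "victim@other.example", mynetworks)[0]


if __name__ == "__main__":
    for label, nets in (("open", MYNETWORKS_OPEN), ("fixed", MYNETWORKS_FIXED)):
        print(label, evaluate(nets), "open relay:", is_open_relay(nets))
```

Under the open list every session is accepted, including the outside host with a foreign recipient, which is exactly the traffic spammers use and the behaviour RBL operators test for. Under the corrected list only that first session is refused: inbound mail for the local domain, internal hosts and authenticated roaming users all still work, which is the point of checking the policy against legitimate cases as well as the abusive one before deploying it.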