
6 hard truths security pros must learn to live with

Roger A. Grimes | April 29, 2015
Caveat emptor: Security solutions will always fall short in addressing the fundamental flaws of securing IT systems.

As a result, IT security must live with the hard truth that some percentage of devices will never get the security software installed. At a bare minimum, it's important that any security solution be able to tell you which devices have successfully installed the software and which are having problems. Then you can look for commonalities and try to get the software installed on as many devices as possible.
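As an added example (not code from the article or any product it discusses), the reconciliation step described above can be automated: join the asset inventory against the agent's check-in data, split devices into covered, stale and missing, and tally what the problem devices have in common. The inventory, check-in records, attribute names and the seven-day staleness threshold are all constructed sample data and assumptions for illustration.

```python
"""Reconcile an asset inventory against security-agent check-ins, then
surface what the uncovered devices have in common.

Added example, not from the article. INVENTORY and CHECKINS are constructed
sample data; the attribute names and STALE_AFTER threshold are assumptions."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed inventory: hostname -> attributes a deployment team would
# pivot on when hunting for a pattern among the stragglers.
INVENTORY = {
    "web-01":  {"os": "Windows Server 2012", "site": "HQ",   "owner": "web"},
    "web-02":  {"os": "Windows Server 2012", "site": "HQ",   "owner": "web"},
    "web-03":  {"os": "Windows Server 2012", "site": "DR",   "owner": "web"},
    "db-01":   {"os": "RHEL 6",              "site": "HQ",   "owner": "dba"},
    "db-02":   {"os": "RHEL 6",              "site": "DR",   "owner": "dba"},
    "kiosk-1": {"os": "Windows XP",          "site": "Shop", "owner": "retail"},
    "kiosk-2": {"os": "Windows XP",          "site": "Shop", "owner": "retail"},
    "lab-01":  {"os": "Ubuntu 14.04",        "site": "HQ",   "owner": "r&d"},
}

# Constructed agent check-ins: hostname -> (agent version, last check-in time).
NOW = datetime(2015, 4, 29, 12, 0, 0)
CHECKINS = {
    "web-01":  ("4.2.1", NOW - timedelta(hours=1)),
    "web-02":  ("4.2.1", NOW - timedelta(hours=2)),
    "web-03":  ("4.1.0", NOW - timedelta(days=9)),     # installed, then went silent
    "db-01":   ("4.2.1", NOW - timedelta(minutes=30)),
    "lab-01":  ("4.2.1", NOW - timedelta(hours=5)),
    "ghost-7": ("4.2.1", NOW - timedelta(hours=1)),    # reports in, but nobody inventoried it
}

STALE_AFTER = timedelta(days=7)  # assumption: a week without check-in means "not really covered"


def reconcile(inventory, checkins, now=NOW, stale_after=STALE_AFTER):
    """Split the inventory into covered / stale / missing, and list agents nobody inventoried."""
    covered, stale, missing = [], [], []
    for host in sorted(inventory):
        if host not in checkins:
            missing.append(host)
        elif now - checkins[host][1] > stale_after:
            stale.append(host)
        else:
            covered.append(host)
    unknown = sorted(set(checkins) - set(inventory))
    return {"covered": covered, "stale": stale, "missing": missing, "unknown": unknown}


def commonalities(hosts, inventory, attrs=("os", "site", "owner")):
    """Count attribute values across the problem hosts so the shared cause stands out."""
    return {attr: Counter(inventory[h][attr] for h in hosts) for attr in attrs}


def coverage_ratio(result):
    """Fraction of inventoried devices with a live agent."""
    total = len(result["covered"]) + len(result["stale"]) + len(result["missing"])
    return len(result["covered"]) / total if total else 0.0


if __name__ == "__main__":
    r = reconcile(INVENTORY, CHECKINS)
    print(f"coverage {coverage_ratio(r):.0%}  stale={r['stale']}  "
          f"missing={r['missing']}  unknown={r['unknown']}")
    for attr, counts in commonalities(r["stale"] + r["missing"], INVENTORY).items():
        print(f"{attr:6}: {counts.most_common(3)}")
```

Run against the sample data, the report shows 50 percent coverage and immediately points at two clusters: the Windows XP kiosks at the shop site (the agent probably does not support that OS) and the DR site (two of the three problem servers live there, so a firewall or distribution-point issue is a better first guess than eight unrelated failures). The unknown host is the other half of the check: an agent reporting from a device the inventory has never heard of is its own finding.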

But installing the software is only the first challenge.

Insufficient staffing for deployment and monitoring
Too often, companies buy a great computer security solution, then fail to deploy it appropriately, if they deploy it at all. Months are spent evaluating and arguing for a big security purchase that ends up languishing unboxed in a corner somewhere. Or some unfortunate, lone employee is told to deploy the new solution despite already being overloaded with mission-critical work that is considered their "real job."

The employee puts in a hero's effort to deploy what they can in a few days. They become a pseudo-expert on the device and the threats it is supposed to prevent, configure it as best they can, and for the next few days or weeks do a passable job of monitoring it.

Then their other mission-critical priorities take over. Pretty soon that cool new security tool is monitored less and less. No one has time to track down false positives, much less follow up on alerts. Not long after, the device is kicking out alert after alert, all of which get lost in the noise of other poorly monitored security devices. The Verizon Data Breach Investigations Report finds that 70 to 90 percent of all malicious incidents could have been prevented or found sooner if existing logs and alerts had been monitored. It's little wonder given this prevalent, nearly inevitable cycle from deployment to disuse.
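The slide from deployment to disuse is measurable, and measuring it is the cheapest early warning a security team can buy. As an added example (not from the article), the script below reads a constructed alert log, compares how many of each device's alerts were closed in its first 30 days against the most recent 30 days, and flags devices that are still generating alerts nobody handles. The log format, device names, thresholds and the "neglected" rule are all assumptions made for illustration.

```python
"""Detect security devices whose alerts have stopped being handled.

Added example, not from the article. ALERT_LOG is constructed sample data in
an assumed key=value format; the window sizes and the 'neglected' rule are
illustrative thresholds, not a standard."""
import re
from datetime import datetime, timedelta

# Constructed alert records: one alert per line. 'closed' is present only
# when an analyst actually worked the alert.
ALERT_LOG = """\
ts=2015-03-02T08:10:00 device=ips-1 sev=high status=closed closed=2015-03-02T09:00:00
ts=2015-03-03T11:05:00 device=ips-1 sev=medium status=closed closed=2015-03-04T10:00:00
ts=2015-03-10T14:00:00 device=ips-1 sev=high status=closed closed=2015-03-12T16:00:00
ts=2015-04-12T02:30:00 device=ips-1 sev=high status=open
ts=2015-04-14T03:00:00 device=ips-1 sev=high status=open
ts=2015-04-20T09:45:00 device=ips-1 sev=medium status=open
ts=2015-04-21T22:10:00 device=ips-1 sev=high status=open
ts=2015-04-22T07:00:00 device=fw-1 sev=low status=closed closed=2015-04-22T07:20:00
ts=2015-04-23T13:00:00 device=fw-1 sev=high status=closed closed=2015-04-23T15:10:00
ts=2015-04-27T10:00:00 device=fw-1 sev=medium status=open
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
NOW = datetime(2015, 4, 29, 12, 0, 0)


def parse_alerts(text):
    """Parse key=value alert lines into dicts with datetime fields."""
    alerts = []
    for line in text.splitlines():
        f = dict(FIELD_RE.findall(line))
        if "ts" not in f:
            continue  # blank or malformed line
        alerts.append({
            "ts": datetime.fromisoformat(f["ts"]),
            "device": f["device"],
            "sev": f.get("sev", "unknown"),
            "closed": datetime.fromisoformat(f["closed"]) if "closed" in f else None,
        })
    return alerts


def handled_ratio(alerts, device, start, end):
    """Fraction of the device's alerts raised in [start, end) that were closed; None if no alerts."""
    items = [a for a in alerts if a["device"] == device and start <= a["ts"] < end]
    if not items:
        return None
    return sum(a["closed"] is not None for a in items) / len(items)


def device_health(alerts, now=NOW, window=timedelta(days=30), max_open_high=timedelta(days=3)):
    """Per device: handled ratio in its first window vs. the latest window, plus oldest open high alert."""
    report = {}
    for dev in sorted({a["device"] for a in alerts}):
        first = min(a["ts"] for a in alerts if a["device"] == dev)
        early = handled_ratio(alerts, dev, first, first + window)
        recent = handled_ratio(alerts, dev, now - window, now)
        open_high_ages = [now - a["ts"] for a in alerts
                          if a["device"] == dev and a["closed"] is None and a["sev"] == "high"]
        oldest = max(open_high_ages, default=timedelta(0))
        # Assumed rule: fewer than half of recent alerts handled, or a high alert
        # left open longer than max_open_high, means the device is being ignored.
        neglected = (recent is not None and recent < 0.5) or oldest > max_open_high
        report[dev] = {"early_handled": early, "recent_handled": recent,
                       "oldest_open_high_days": oldest.days, "neglected": neglected}
    return report


if __name__ == "__main__":
    for dev, h in device_health(parse_alerts(ALERT_LOG)).items():
        print(dev, h)
```

On the sample data, ips-1 shows the cycle the text describes: every alert in its first month was closed, none in the last month were, and a high-severity alert has sat open for 17 days. The newer fw-1 still looks healthy. Running this weekly against the real ticket or SIEM data, and paging a manager rather than the overloaded analyst when a device flips to neglected, turns "we bought it and nobody watches it" into a fact someone has to answer for.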

Computer security devices are never self-maintaining. They need the right teams, resources, and focus to even come close to their promise. Companies are great at buying capital assets, but they're afraid to increase operational expenses and headcounts. This means built-in failure. Don't set yourself up for it. Get a plausible staffing solution in place before you purchase any security technology.

Hackers need to find only one weakness
Suppose a company has 1,000 Web servers, and 999 of them are fully patched and perfectly configured. The thousandth is the only one that matters. All a hacker has to do is fire up a vulnerability scanner and point it at the right domain name or IP address range, and the odd one out turns up on its own -- game over. Scanning 1,000 computers takes only marginally longer than scanning one.

In practice, the 999 perfect servers are a fantasy. A typical vulnerability scan brings back one or more findings on nearly every server, often dozens. When the scan is finished, all the hacker needs to do is pick through the juicy results to decide where to exploit first; the defender, meanwhile, has to fix every one of them.
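The "pick through the results" step is mechanical, which is exactly why the asymmetry is so bad for defenders. As an added example (not the article's code or any scanner's), the script below parses a scan in nmap's XML output format and ranks hosts by exposed attack surface; it is the same triage an attacker and a defender both run, just toward different ends. The XML is a constructed sample (the format is nmap's, the hosts are not real), and the weak-service list and version floors are illustrative assumptions, not a vulnerability database.

```python
"""Rank scanned hosts by exposed attack surface from nmap XML output.

Added example, not from the article. SAMPLE_NMAP_XML is constructed sample
data in nmap's -oX format; WEAK_SERVICES and VERSION_FLOORS are illustrative
assumptions standing in for a real vulnerability feed."""
import re
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.0/29" start="1430265600">
<host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
<hostnames><hostname name="web-01" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.8.0"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
<hostnames><hostname name="web-02" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="ProFTPD" version="1.3.3"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.15"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.1.73"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.3" addrtype="ipv4"/>
<hostnames><hostname name="web-03" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="6.6.1p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.12"/></port>
<port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
</ports></host>
</nmaprun>
"""

# Assumptions for illustration: services that should never face a scanner,
# and the oldest product version we are willing to accept.
WEAK_SERVICES = {"ftp", "telnet", "mysql", "ms-sql-s", "microsoft-ds", "rpcbind"}
VERSION_FLOORS = {"Apache httpd": (2, 4, 0), "OpenSSH": (6, 0), "nginx": (1, 6, 0)}


def version_tuple(version):
    """'6.6.1p1' -> (6, 6, 1, 1); compares numerically instead of as a string."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_nmap(xml_text):
    """Return one record per host with its open ports and fingerprinted services."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        addr = h.find("address").get("addr")
        hn = h.find("hostnames/hostname")
        rec = {"ip": addr, "host": hn.get("name") if hn is not None else addr, "ports": []}
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue  # closed/filtered ports are not attack surface
            svc = p.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            rec["ports"].append({"port": int(p.get("portid")), "service": get("name"),
                                 "product": get("product"), "version": get("version")})
        hosts.append(rec)
    return hosts


def score_host(rec):
    """Crude exposure score: +1 per open port, +3 per weak service, +2 per out-of-date product."""
    score, findings = 0, []
    for p in rec["ports"]:
        score += 1
        if p["service"] in WEAK_SERVICES:
            score += 3
            findings.append(f"{p['port']}/{p['service']} exposed")
        floor = VERSION_FLOORS.get(p["product"])
        if floor and p["version"] and version_tuple(p["version"]) < floor:
            score += 2
            findings.append(f"{p['product']} {p['version']} below floor")
    return score, findings


def rank_targets(xml_text):
    """Hosts sorted worst-first: the attacker's to-do list and the defender's patch order."""
    ranked = []
    for rec in parse_nmap(xml_text):
        score, findings = score_host(rec)
        ranked.append({"host": rec["host"], "ip": rec["ip"], "score": score, "findings": findings})
    return sorted(ranked, key=lambda r: (-r["score"], r["host"]))


if __name__ == "__main__":
    for r in rank_targets(SAMPLE_NMAP_XML):
        print(f"{r['score']:3} {r['host']:8} {r['ip']:12} {r['findings']}")
```

Three hosts in, the answer is already unambiguous: web-02 with exposed FTP and MySQL and an old Apache build goes to the top, and web-01 with a single current service goes to the bottom. With a thousand hosts the list is longer and the scan takes a few more minutes, but the attacker still only reads the top of it. The same ranking, fed by the organization's own scanner, is the defender's patch order, with the difference that the defender cannot stop at the top.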
