BreachExchange mailing list archives

Why Effective Computer Security Means Covering All Your Bases


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 16 Jan 2015 13:31:15 -0700

http://www.eweek.com/security/effective-computer-security-means-covering-all-your-bases.html

How safe is your company from malware attacks and security breaches? As the
technology and methods behind cyber-attacks are constantly evolving, it's
virtually impossible for any company to accurately say it's completely
safe, but there are steps you can take to minimize threats.

Ganesh Krishnan, who runs security at the popular job site and social
network LinkedIn, shared some of the lessons he's learned over a 20-year
career in security, including stints at Intel and Yahoo. His "tech talk"
was part of a meet-up here this week at online payments firm WePay.

The first point he emphasized is that security teams are by definition
outnumbered. "There are a lot more hackers than security people. Security
has to be everyone's responsibility," he said.

This maxim extends to both technical and non-technical employees, as both
are needed to help defend against a growing range of threats, including
so-called phishing attacks. Phishers use social engineering, email and
social media to gain access to corporate networks. For example, a phisher
might contact a relatively low-level employee under a false pretense (e.g.,
pretending to be an authorized outside contractor), talk that employee into
handing over a password and use it to get into the network.

In another example, the massive security breach at Target in 2013 was
traced back to an HVAC service provider whose credentials were stolen,
allowing the attackers to compromise the retail giant's network.

"Even [the accounts of] salespeople and non-engineers can be compromised.
It's not hypothetical, it's happened," said Krishnan.

Although there have been many high-profile breaches, Krishnan says a lot
has changed for the better. For example, it used to be considered a no-no
to let someone outside your company test your software for security
weaknesses. "Not anymore. Companies are rewarding the people who find
vulnerabilities if it's done ethically and with responsible disclosure," he
said.

But there still needs to be a shift in the mindset of many developers when
it comes to software. "Most engineers want to get the software finished and
get the features done," Krishnan said, "but when you write code, think
about how someone could abuse it."

Because that mindset hasn't been in place, Krishnan says security issues
are so pervasive that "if you think you haven't been hacked yet, you just
don't know it."

If that sounds dire, Krishnan doesn't apologize for raising alarm bells.
What minimizes threats, he says, is a comprehensive strategy that covers
not only prevention but also the systems and processes to detect and
respond to breaches once they happen.

His key tips include logging everything and retaining that data for at
least a year. This includes firewall, virtual private network (VPN), access
and antivirus logs.

"When there's an issue, having logs will prove to be extremely useful
because you can see why you were hacked and take administrative action if
necessary," he said.
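The value of retained logs is easiest to see on a concrete incident. The
script below is an added example, not code from the article, from Krishnan's
talk or from LinkedIn: it parses a handful of constructed VPN and file-server
log lines (the key=value format, host names, account names and IP addresses
are all assumptions made up for the illustration), flags two patterns an
investigator would look for in those logs (one account authenticating from
two different source addresses within a short window, and a success preceded
by a run of failures), merges everything for a given account into a single
timeline, and then checks whether that timeline would still be available
under a given retention period.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs); a simple "key=value" syslog-like
# format is assumed for both the VPN concentrator and the file server.
VPN_LOG = """\
2015-01-12T08:02:11Z vpn1 auth: user=jsmith src=203.0.113.5 result=success
2015-01-12T08:40:53Z vpn1 auth: user=jsmith src=198.51.100.77 result=success
2015-01-12T08:41:10Z vpn1 auth: user=mlee src=203.0.113.9 result=failure
2015-01-12T08:41:15Z vpn1 auth: user=mlee src=203.0.113.9 result=failure
2015-01-12T08:41:22Z vpn1 auth: user=mlee src=203.0.113.9 result=success
"""
ACCESS_LOG = """\
2015-01-12T08:44:02Z fileserver access: user=jsmith path=/finance/payroll.xlsx action=read
2015-01-12T08:45:30Z fileserver access: user=jsmith path=/hr/employees.csv action=read
2015-01-12T09:10:00Z fileserver access: user=mlee path=/eng/README action=read
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\w+): (?P<rest>.*)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(text):
    """Parse the constructed format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["rest"].split())
        fields.update(ts=datetime.strptime(m["ts"], TS_FMT),
                      host=m["host"], kind=m["kind"])
        events.append(fields)
    return events


def multi_source_logins(events, window_minutes):
    """Users with successful logins from two different source IPs within the window.
    Returns {user: (first_src, second_src)} for the first such pair seen."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "auth" and e.get("result") == "success":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logins):
            for later in logins[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # logins are sorted, so nothing later can be in the window
                if later["src"] != first["src"] and user not in flagged:
                    flagged[user] = (first["src"], later["src"])
    return flagged


def failures_before_success(events, threshold):
    """Users whose successful login was preceded by at least `threshold` consecutive
    failures from the same source address (the shape of a password-guessing run)."""
    streak = defaultdict(int)
    flagged = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "auth":
            continue
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            streak[key] += 1
        else:
            if streak[key] >= threshold:
                flagged[e["user"]] = streak[key]
            streak[key] = 0
    return flagged


def timeline(user, *logs):
    """Merge every retained event for `user` from all log sources into one ordered list."""
    merged = [e for log in logs for e in log if e.get("user") == user]
    return sorted(merged, key=lambda e: e["ts"])


def reconstructible(tl, now_iso, retention_days):
    """True only if every event in the timeline still lies inside the retention window,
    i.e. the incident can be reconstructed from what the log store still holds."""
    cutoff = datetime.strptime(now_iso, TS_FMT) - timedelta(days=retention_days)
    return bool(tl) and all(e["ts"] >= cutoff for e in tl)


if __name__ == "__main__":
    vpn, access = parse(VPN_LOG), parse(ACCESS_LOG)
    print("multi-source logins:", multi_source_logins(vpn, 60))
    print("failures before success:", failures_before_success(vpn, 2))
    for e in timeline("jsmith", vpn, access):
        print(e["ts"].strftime(TS_FMT), e["host"], e["kind"], e.get("src") or e.get("path"))
    for days in (365, 90):
        print(f"reconstructible with {days}-day retention:",
              reconstructible(timeline("jsmith", vpn, access), "2015-06-01T00:00:00Z", days))
```

Run stand-alone, the script flags jsmith (two source addresses 38 minutes apart, followed by reads of payroll and HR files) and mlee (two failures then a success from one address), and shows that an investigation started on 1 June can still replay the January events under a one-year retention policy but not under a 90-day one. The detectors are deliberately simple; the point is that none of them can run at all once the underlying logs have aged out.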

How to Prevent Phishing

On the issue of phishing, Krishnan notes it can happen to anyone, but
employee training can head off the threat. Rather than simply explain the
danger of phishing to employees, he recommends "live training" to sensitize
them.

"You'll be surprised how many employees will give up their credentials" in
a pseudo-phishing attack used for training. "And it's not just a password
that's compromised," he said. "It's an attack on the network to plant
malware once they can get someone to a bad site or install something."

Krishnan says the training has proved very useful. "Someone hears person X
fell for it, and they don't want to get caught themselves," he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
