BreachExchange mailing list archives

Back to Basics...


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 15 May 2014 18:05:17 -0600

http://continuitycentral.com/feature1180.html

Security breaches are on the rise. Indeed, Experian's 2014 Data Breach
Industry Forecast predicts that new security threats and transparency
regulations will make 2014 a ‘critical year’ for data breaches and warns
that organizations need to be better prepared. So what’s going wrong?

IT security is certainly a tough job. From the relentless introduction of
new threats, to the escalating impact of any breach in a 24x7, joined-up
economy, those tasked with protecting business-critical data have the
challenge of juggling routine, day-to-day protection requirements with the
need to prevent ever more innovative hacking attempts.

Sadly, however, recent high-profile breaches would suggest that the
routine, tried, trusted and proven security activity is being overlooked.

Why are so many security experts spending more time, money and effort
attempting to prevent esoteric potential threats by, for example, tracking
subtle network activity changes or signs of unexpected increases in data
storage, than checking that the AV patches have been applied? Or actively
seeking out innovative anti-phishing appliances, while failing to comply
with proven data security standards?

Given the experiences of the recent months, second guessing the latest and
most fashionable security issue is not proving a successful anti-breach
strategy!

Falling standards

It may seem important to keep up to date with the latest threats but, take
a step back: is it really sensible to be checking for new footprints in the
garden that may, just may, suggest a risk of attack, when the front door is
wide open, the windows unlocked and the attack Rottweiler has been replaced
by a Cockerpoo designer dog?

Clearly not. Yet in the world of technology in general, and IT security in
particular, the lure of the new is compelling. So how can the industry
address this rising tide of security breaches? The answer may not appeal,
but companies have got to go back to basics and create a steady, known and
secure environment.

The concept is simple: if an organization cannot clearly understand what
comprises a good, secure environment, it is impossible to ever identify
something bad. And that is the heart of the problem facing too many
organizations today: without a good, secure and optimised environment it is
impossible to spot the changes that would indicate some form of security
attack is underway.

Proven strategy

Following the guidance of trusted standards – most notably the Payment Card
Industry Data Security Standard (PCI DSS) – organizations can quickly
evolve from today’s anarchic approach to creating a far more secure
environment.

Step one: deploy a firewall and make sure it is working correctly.

Step two: harden the infrastructure to significantly reduce the threat
surface.

Step three: ensure that the tools are in place to check any changes in the
scope systems, from servers and network devices to databases, and respond
to these changes immediately.
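Step three in practice is a "known state" check: fingerprint the in-scope configuration once it is approved, then compare every later observation against that baseline and treat any drift as something to respond to. The following is an added illustration, not code from the article or from any product it mentions; the file names and contents are constructed samples, and a real deployment would read the artefacts from the servers, network devices and databases in scope.

```python
import hashlib
from typing import Dict, Iterable

# Constructed sample: the approved ("known good") configuration of one
# in-scope server, keyed by artefact path. Contents are made up here.
KNOWN_GOOD: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/iptables/rules.v4": b"-P INPUT DROP\n-A INPUT -p tcp --dport 443 -j ACCEPT\n",
    "/var/lib/pgsql/pg_hba.conf": b"hostssl all all 10.0.0.0/8 scram-sha-256\n",
}

# Constructed "observed" state of the same server: one hardening setting
# has been weakened, the firewall rules file is gone, and an unapproved
# cron job has appeared. Each of these is drift from the known state.
OBSERVED: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/var/lib/pgsql/pg_hba.conf": b"hostssl all all 10.0.0.0/8 scram-sha-256\n",
    "/etc/cron.d/unapproved-job": b"* * * * * root /usr/local/bin/sync.sh\n",
}


def fingerprint(state: Dict[str, bytes]) -> Dict[str, str]:
    """Map each artefact to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in state.items()}


def snapshot_files(paths: Iterable[str]) -> Dict[str, bytes]:
    """Read real artefacts from disk so the same check runs on a live host.
    A path that cannot be read is recorded as missing (omitted) rather than
    silently treated as unchanged."""
    state: Dict[str, bytes] = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                state[path] = fh.read()
        except OSError:
            pass
    return state


def detect_changes(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Compare two fingerprints and report everything that drifted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def in_known_state(report: Dict[str, list]) -> bool:
    """True only when nothing was added, removed or modified."""
    return not any(report.values())
```

The report is the alarm the article asks for: an empty report means the environment still matches its baseline, and any non-empty category is a change that needs to be explained or reverted before it becomes the route for a breach.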

Hardening the infrastructure demands a good vulnerability assessment;
evaluating the organization’s unique attack surface and taking the right
steps to close off any problems, including well known attack modes of
operation. It does not, however, despite recent trends in the industry,
mean simply flagging the top five vulnerabilities in a surface threat
analysis. This attitude is disingenuous: it still leaves other threats at
large and, to be frank, patching five out of six holes in a boat may just
give enough time to abandon ship, but that ship is still going to sink.

Some vulnerabilities are obviously more acute than others – but that does
not mean ignoring low priority vulnerabilities or opting to leave known
weaknesses in place for a few more weeks or months.

Of course, even applying PCI DSS measures correctly is no guarantee the
company will be immune to attack. But, critically, it does mean the
business will be well armed with tools that can prevent the breach and
raise the alarm at any attempt. If followed to the letter – with both
technology and culture – it should be impossible to fall prey to a
Target-style breach that led to malware being undetected for weeks while
credit card details were siphoned off.

Conclusion

There is no simple approach to IT security and there is no single product
that can guarantee corporate data is kept safe. IT security is constantly
evolving and no one appliance, box or software product is going to deliver
the silver bullet – however good the marketing hype. Yes there are great
new products being developed to deal with specific new threats, such as
anti-phishing or anti-malware appliances. But using these in isolation is
not going to safeguard any IT infrastructure because there is always more
than one security threat to address; a multi-faceted, joined-up approach is
essential.

With no ‘IT security on a plate’ option, organizations require skills,
expertise and, critically, rigour. It is only by following proven security
standards such as PCI DSS, hardening the IT infrastructure and continually
checking to ensure the servers, network devices and database systems are in
a known state that an organization can minimise the risk of breaches and,
critically, ensure problems are immediately addressed and resolved.

Sounds dull? Maybe. But how much fun is a major breach that results in the
theft of thousands of customers’ credit card details or critical corporate
IP? For those that have experienced a security breach, the pleasure of
playing with a new, shiny security toy rather than employing best practice
was never worth the risk. So before heading out to look for those
footprints in the garden, check the front door is shut and the windows are
locked!
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/