What CXOs Fail to Grasp about Enterprise Security

Tuesday, August 10, 2010

Richard Stiennon


IT security is often a nagging thorn in the side of enterprises and those that lead them.  It is viewed as a technical issue that should just be fixed. 

In this week’s lecture track on security that I delivered for Internet Evolution’s 60 Days of Executive Education I started off with three things that CXOs consistently fail to grasp about enterprise security.

Good security operations are not the same as good security.

Every organization that uses computers has to deal with the mundane daily tasks of identifying and blocking malware, keeping and reviewing logs, generating reports, and demonstrating compliance.  Many organizations that I talk with are great at the operational tasks.

They have deployed technology that helps them patch and manage end points, generate reports, and keep the audit teams happy.  But, there is a lot more to being secure than doing these tasks well.  Let me start with defining good security. From my Focus Note on the subject:

1. A secure network assumes the host is hostile

It has been years since a firewall that enforces policy based only on source, destination and service has been sufficient. Trusted endpoints harbor malware, are controlled by attackers, and are used as launching points for further attacks. Network security solutions must sit in-line and inspect all of the traffic that passes through them.

They must look for viruses, worms, exploit traffic, and even unusual behavior. IDC dubs these solutions "complete content inspection" firewalls; many vendors refer to them as UTM, Unified Threat Management.

One aspect of a secure network that is often overlooked is that the computers on the inside of the network are often the danger.  It could be an infected computer brought in by an employee or contractor; it could be a poorly patched server that has been compromised by an outside attacker. 

Even the smallest organizations have to invest in network security solutions that block attacks from devices on the inside of the network. This is accomplished through network segmentation and by deploying content inspection capabilities internally, between the segments, not only at the Internet edge.

As threats multiply, watch for solutions that either sit on top of the access switch or build inspection into the switch itself, since that is the closest point of enforcement to the inside hosts.
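The segmentation point above is easy to state and hard to keep honest, because the policy that matters is the one actually enforced between inside hosts. The following is an added example, not code from the original post, that evaluates east-west flow records against a zone-to-zone policy and also flags the cleartext protocols (telnet, ftp) that the post calls out later. The segment names, subnets, allowed-flow matrix and flow-log lines are all constructed for illustration.

```python
"""Added example (not from the original post): check internal flow records
against a segmentation policy, treating every inside host as untrusted.

Segments, subnets, the allowed-flow matrix and the sample log lines below are
constructed for illustration; substitute your own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zones: which internal subnets belong to which segment.
SEGMENTS = {
    "workstations": ip_network("10.10.0.0/16"),
    "servers":      ip_network("10.20.0.0/16"),
    "database":     ip_network("10.30.0.0/16"),
    "management":   ip_network("10.99.0.0/24"),
}

# Allowed (src_zone, dst_zone) -> permitted TCP destination ports.
# Any zone pair or port not listed here is a violation (default deny).
ALLOWED = {
    ("workstations", "servers"):  {443},
    ("servers", "database"):      {5432},
    ("management", "servers"):    {22},
    ("management", "database"):   {22},
}

# Protocols that carry credentials in the clear; flagged even when the
# zone pair is otherwise permitted.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its segment, or 'unknown' if it is in none of them."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> list[str]:
    """Return the findings for one flow; an empty list means compliant."""
    findings = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if flow.dport in CLEARTEXT_PORTS:
        findings.append(
            f"cleartext {CLEARTEXT_PORTS[flow.dport]} from {flow.src} to {flow.dst}")
    if src_zone == dst_zone:
        return findings  # intra-zone traffic is outside this policy's scope
    if flow.dport not in ALLOWED.get((src_zone, dst_zone), set()):
        findings.append(
            f"{src_zone}->{dst_zone} tcp/{flow.dport} not permitted "
            f"({flow.src} -> {flow.dst})")
    return findings


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow-log line of the form 'src dst dport'."""
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))


def audit(lines: list[str]) -> dict[str, list[str]]:
    """Map each non-compliant log line to its list of findings."""
    report = {}
    for line in lines:
        findings = evaluate(parse_flow(line))
        if findings:
            report[line] = findings
    return report


# Constructed sample flows (not captured traffic).
SAMPLE_LOG = [
    "10.10.4.17 10.20.1.5 443",    # workstation -> web server: allowed
    "10.10.4.17 10.30.2.9 5432",   # workstation -> database: violation
    "10.20.1.5 10.30.2.9 5432",    # app server -> database: allowed
    "10.10.8.3 10.20.1.5 23",      # telnet from a workstation: two findings
    "10.99.0.10 10.30.2.9 22",     # management -> database over ssh: allowed
    "10.10.4.17 10.10.4.18 445",   # intra-zone SMB: out of scope here
]

if __name__ == "__main__":
    for line, findings in audit(SAMPLE_LOG).items():
        for finding in findings:
            print(f"{line}: {finding}")
```

Run against real flow records (NetFlow, firewall or switch logs), the same check turns "we have segmentation" into a measurable statement: every east-west flow either matches a written rule or shows up as a finding.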

2. A secure host assumes the network is hostile

This is another way of stating the requirement for a layered defense model. A laptop, desktop, or server cannot rely on the network to keep it safe. AV, host firewalls, and anti-spyware solutions have to be installed and kept up to date.

Patches for the OS and critical applications have to be installed as quickly as possible. Browser protections such as browsing shields should be turned on, and Microsoft IE should not be used if at all possible.

3. Secure applications assume the user is hostile

This is where authentication and authorization come into play. One of the best deterrents to malicious behavior is the end user's awareness that their actions are tied to them (strong authentication) and recorded (behavior monitoring).

Many online services have failed to protect themselves from their own customers. This applies to internal file sharing and community services as well.
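The two mechanisms named above, tying each action to an authenticated identity and recording it, are what make an application safe from its own users. The following is an added example, not code from the original post, of a minimal internal file-sharing service built that way: the principal comes from the authentication layer rather than from the request, every action is authorized against it, and every attempt is written to an append-only audit trail whether it succeeds or not. The users, document names and request sequence are constructed for illustration.

```python
"""Added example, not from the original post: a minimal internal file-sharing
service in which every action is authorized against the authenticated
principal and recorded, allowed or denied, in an append-only audit trail.

Users, documents and the request sequence are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Principal:
    """Identity established by the authentication layer, never taken from
    request parameters, so every audit record names a verified user."""
    user_id: str
    roles: frozenset = frozenset()


@dataclass
class Document:
    owner: str
    content: str
    readers: set = field(default_factory=set)


class AccessDenied(Exception):
    """Same error for 'no such document' and 'not permitted', so a hostile
    user cannot probe for document names; the audit log keeps the distinction."""


class FileShare:
    def __init__(self):
        self._docs: dict[str, Document] = {}
        self.audit_log: list[dict] = []   # stand-in for a write-once log sink

    def _record(self, who: Principal, action: str, doc_id: str, outcome: str) -> None:
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": who.user_id, "action": action, "doc": doc_id, "outcome": outcome,
        })

    def denied_attempts(self, user_id: str) -> int:
        """Behavior-monitoring hook: how often has this user been refused?"""
        return sum(1 for e in self.audit_log
                   if e["user"] == user_id and e["outcome"].startswith("denied"))

    def _permitted(self, who: Principal, action: str, doc: Document) -> bool:
        if "admin" in who.roles:
            return True
        if action == "read":
            return who.user_id == doc.owner or who.user_id in doc.readers
        if action in ("share", "delete"):
            return who.user_id == doc.owner
        return False                    # unknown actions are denied by default

    def _check(self, who: Principal, action: str, doc_id: str) -> Document:
        """Authorize one action and record the outcome before acting."""
        doc = self._docs.get(doc_id)
        if doc is None:
            self._record(who, action, doc_id, "denied:no-such-document")
            raise AccessDenied(doc_id)
        if not self._permitted(who, action, doc):
            self._record(who, action, doc_id, "denied:not-permitted")
            raise AccessDenied(doc_id)
        self._record(who, action, doc_id, "allowed")
        return doc

    def upload(self, who: Principal, doc_id: str, content: str) -> None:
        if doc_id in self._docs:
            self._record(who, "upload", doc_id, "denied:exists")
            raise AccessDenied(doc_id)
        self._docs[doc_id] = Document(owner=who.user_id, content=content)
        self._record(who, "upload", doc_id, "allowed")

    def read(self, who: Principal, doc_id: str) -> str:
        return self._check(who, "read", doc_id).content

    def share(self, who: Principal, doc_id: str, target_user: str) -> None:
        self._check(who, "share", doc_id).readers.add(target_user)


def demo() -> FileShare:
    """Constructed sequence: a legitimate owner and a curious colleague."""
    fs = FileShare()
    alice, bob = Principal("alice"), Principal("bob")
    fs.upload(alice, "q3-forecast", "revenue: confidential")
    for attempt in (lambda: fs.read(bob, "q3-forecast"),          # not shared yet
                    lambda: fs.read(bob, "board-minutes"),        # does not exist
                    lambda: fs.share(bob, "q3-forecast", "eve")): # bob is not owner
        try:
            attempt()
        except AccessDenied:
            pass
    fs.share(alice, "q3-forecast", "bob")
    fs.read(bob, "q3-forecast")                                   # now allowed
    return fs


if __name__ == "__main__":
    fs = demo()
    for e in fs.audit_log:
        print(f'{e["user"]:6} {e["action"]:7} {e["doc"]:13} {e["outcome"]}')
    print("bob was denied", fs.denied_attempts("bob"), "times")
```

Two design choices carry the weight here: the user identity is a property of the authenticated session, so a request cannot claim to be someone else, and the denied attempts are logged with their reason even though the caller sees one uniform error. That is what lets a reviewer later ask "who kept probing for documents they were not given?", which is the deterrent the text describes.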

Why security investments never end

Extract from my ZDNet post on the topic:

I engaged a visitor to the booth I was manning at the Gartner ITExpo in conversation about network security and he lashed out with “you security vendors are always trying to sell us a new box, you are a money hole we keep spending on but we still get hacked”. This is one of my hot buttons. Pinning the blame on the security industry for all the different solutions that do not inter-operate is a favorite game played by industry pundits and CIOs.

As I was digging my heels in and getting my hackles up I finally read this guy’s name badge. He was CIO of a major branch of the US military. Well, here is my answer to him, thought up way too late to confront him face to face.

No sir, you have not spent enough on security. Look to your own operations. Have you enforced segmentation of your network? Have you put firewalls between you and the other agencies? Do you still allow telnet and ftp in unauthenticated clear text? Have you deployed user provisioning? What does your patch management look like? Do you have effective anti-spyware? Do you do security assessments of your entire network on a continuous basis? I know the answers to these questions as well as you do. Look to your latest computer security scores from FISMA. An F. You see that? An F!

Before you point fingers at a security industry that is constantly evaluating the threats and creating countermeasures, look to your own actions, or lack thereof. You sir have failed in your duty to protect the assets of the US Military. You have allowed foreign entities to overrun your networks. On your watch our digital homeland has been invaded.

Strong words perhaps but I cannot emphasize strongly enough the need for continuous investment in security.

Audit and compliance get in the way of good security

Please do not confuse compliance with security. There are indeed many standardized ways to accomplish good security operations and produce audit reports. But many times the resources needed to evaluate and counter new threats are completely absorbed by the compliance effort.

Government regulations and outside auditors have a tremendously distracting effect on IT security people. They got into security because they like the day-to-day battle with the bad guys: the technical challenge of securing networks and applications. They did not sign up for endless meetings and paperwork.

So be vigilant and monitor your compliance efforts to ensure that they do not get in the way of your security.

Cross-posted from ThreatChaos

Dj Spydr: Although I agree with your article, I disagree with your approach/response. Having worked with the DoD on Infosec, many of the claims are actually in place from site to site; as a whole they get an F for FISMA because most sites don't meet DoD 8500 standards/controls consistently. A better approach is that somebody is always wanting your data and never stops finding ways to get it. Another key part to security is also process, and he might be spending his money unwisely instead of layering.

Cyber Defense Weekly: Good points Dj. Thanks!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.