Get all your IT security questions answered by James Randell in a comprehensive interview.
I have implemented firewalls and anti-virus, are these the main security tools I need?
Certainly firewall and anti virus tools are very important for business organisations, but we need to be clear about what they really do. Firewalls are primarily a network access control technology. This is an important function in today's networks, its particularly important that you should set restrictions on who should access your network but its just as important that you look at the content of the 'envelope'.
Antivirus tools are also very important for organisations, they assist them in defending there servers and desktops against attack by malicious software like viruses, Trojans and worms, etc. As long as you're clear about what the tools do, they are important, but not every organisations security challenges are going to be solved by managing network access control and defending against malicious software, so an organisation really needs to take a risk based approach at looking at what security tools they need.
What exactly is security anyway?
This is actually quite straightforward but still it confuses a lot of people. Security is about managing risk to your business. Risk might affect your ongoing profitability, your revenues or it might effect your organizational climate. The idea is to manage, control and assess those risks.
What are some of the main security issues faced by companies today?
This can vary quite a bit depending on the organisation and what kind of online presence they maintain, but some of the main issues are things like remote network base attacks. There are also legal compliance issues - complying with industry specific regulatory frameworks are also a concern for organisations. The miss appropriation of confidential data or propriety information such as trade secrets and designs are also a major consideration for organisations.
It is very difficult to get straight answers about exactly what I need to do to comply with an industry-specific regulation?
Part of the problem here is that compliance framework and compliance requirements can often be given scary names. The thing to remember about these, is that when you look at all the different regulatory and compliance frameworks, most of them share so much common ground. Providing you are approaching your security policies and processes and tool deployments from a best practice and common sense point of view, you're actually likely to be complying with the greater part of nearly all compliance frame works. There are some specific industry variations though which you do need to be aware of, but they are mostly all about best practice and nothing to be too scared of.
Why do vendors keep trying to scare me into buying security products?
Its good that the tools are working and that nothing bad has happened but it is still very important to keep security tools up to date. Attackers are continually researching new methods and new ways to attack and compromise systems. However, you should never buy or invest in security products because of, or through vendor's attempts to scare you into buying them.
How do I decide what tools I need to implement, when they seem very similar?
This can be a particular problem for buyers of security - the tools all sound roughly the same, having very similar claims, very similarly worded and they all sound like they do the same thing. Yet they can cost completely different amounts. The real thing driving that is the amount of security research that the vendors are investing in their product development, this is one of the key differentiators in the security industry. The vendors who are investing very heavily in original propriety systems and security search work are able to keep their products that much better positioned to protect customers systems and infrastructures against the kind of attack they're going to see tomorrow and provide that kind of protection today. This is one of the main factors in the costs.
Where do most of the threats to an organisation really come from, outside hackers or malicious insiders?
We see the headlines being made in the media focusing on hacking attacks from external sources, breaking into systems, stealing confidential data, defacing systems and therefore affecting brand equity etc. however the majority of the money is being lost is through internal attacks, for example where an employee maybe has legitimate access to a database at a high level but then becomes disgruntled they may misuse that privilege or be tricked into misusing that privilege in order to access a huge amount of data which they may then sell on which is why it's the internal malicious insiders that cause the most amount of damage.
How do you train and retain skilled security experts and is this expensive?
This can be a real problem for organisations, when you invest in security tools such as firewalls and anti virus systems, you will have access to copious amounts of alert data from them. The challenge is then getting actionable security intelligence out of these tools, this can be outsourced to help you analyze the data and decide if you really are under attack. There are specialist organisations who would own that problem for you, they can hover up all your alert data analyze and process it all and then they can call you if there's something your should be worried about. This is a very easy way to deal with this problem.
How do you understand all the various elements involved with IT security?
If you're looking from the ground up, the security industry can seem very complicated. There are firewalls and remote access systems and virtual private networks systems and cryptography tools etc. The answer to this is to look at it from the top down, you need to approach this from the point of view of managing the risk to your business. If you understand what risks your organisation is actually susceptible to and what the consequences are then you can find relatively readily what tools you're going to need.
What is a "security policy" and what do I need one for?
A security policy is a frame work and a set of rules and guidelines for an organisation which help it meet any objectives. If you don't know where you're going, how are you going to get there? Is particularly applicable here. This is why a security policy is very important because it helps you understand where you're trying to get to by establishing, what your security objectives are for your organisation.
Why do security technologies seem to focus on "cleanup" when surely "prevention" is better?
Prevention is always going to be better than cure. Clean up is very inconvenient, if you just think about your own desktop or laptop, if it gets infected with a virus, it has to be sent back to the IT department and you'll have to do without it all day whilst everything is reinstalled and even then all your data might still be lost. Due to the fact that attackers and attack trends are evolving all the time, its essential that security tools vendors and security development vendors are investing heavily in original security research so that they can ensure that their products are protecting against the kind of threats that organisations will be exposed to tomorrow and prevent the bad things from happening today.
How do I stop security just "getting in the way" of my day-to-day operations?
Security tools and processes can seem like they are getting in the way of day-to-day operations. This can be particularly frustrating, maybe those tools have not been properly deployed or wisely chosen or well configured. As long as we are still approaching this from a well grounded risk based point of view for our business then its relatively easy to select proper tools and understand how to deploy them.
I hear a lot about risk assessment being key to budgeting for security spending. How do I even begin to quantify risk?
As a society we can be quite bad at assessing risk, sometimes we'll fret about highly improbable risks and then ignore the obvious. For any given risk there are several things you can do, firstly you can mitigate the risk, so you can try to defend against it or control it. You could choose to transfer the risk and pass it to someone else like insurance for example. Or you could chose acceptance, you accept the risk is so unlikely or the cost of the devastation would be too insurmountable and disproportionate to mitigating against it in the first place. These are all perfectly acceptable attitudes towards managing and identifying a risk. In a risk assessment, once you have identified the risks to your business, you can calculate something called an annual loss risk acceptancy which is basically you putting a value on what the impact to your business would be if that risk were to happen, you then make an estimate of how many times of year that's likely to happen. Once you've multiplied these two things together you can work out how much you're likely to loose should this happen as a result of that risk from this you can then work out how much would be practical on dealing with that risk.
As a small to medium business, what are three simple things I could do to quickly improve my security posture?
The first really simple thing you could do, would be patching, it is essential to keep your systems up to data with the latest software patches released by the vendors, this is often ignored because it requires down times to apply the patches but it's too dangerous to ignore.The second thing you could do, would be to get really good user control over the accounts and logins and the user passwords systems, make sure no one is using really obvious passwords like name or registration plate. It also very important to remove accounts which are no longer needed, if someone leaves, or changes departments. You also need to set proper access levels, it's a lot easier to just give everyone administration access but its not safe because you're giving them access to far more stuff than they actually need. The third thing you can do may be a little harder; you need to understand whether the alerts you're getting from your tools are valid. This can be outsourced so you don't have to work your way through lots of data. Then the outsourced company would alert you if there were something you need to be aware of.
What is the importance of patching?
The issue here is about the skill that the attackers can apply to finding weaknesses in systems and using those in a remote and silent way to get control of your systems. Very skilled attackers can make use of these defects in really devastating ways, they can get control of your systems remotely and access and steal data, they could put some malware on your system which would bring the system down and in the worst cases they could take over administrative control of the system completely which can be devastating, this is why its really very important to use patches and keep systems up to date.
How can I be sure that security vendors are keeping a step ahead of the bad guys?
It is here that we can see research work done between the security vendors and technology developers and looking at what tomorrow's attacks are likely to be like and attackers who are constantly advancing the state of their art. For the time being it doesn't look like that race will be over.
Every new technology I implement seems to introduce new security weaknesses, how can I resolve this?
It would be a shame for technology deployment and progress to stagnate in the face or fears over security, the answer is to be approaching new technology development from a risk management perspective so a thorough analyses of the kind of risks you may be exposed to as a result of deploying a new technology is absolutely necessary before you embark on the deployment and as long as you do that you can embark on new technologies quite safely and select the necessary security stools processes staff training and other things to help you manage the deployment to make sure it doesn't affect your organisations overall technology stance.
What is "penetration testing" or "ethical hacking" and how can it help me?
Penetration testing is really about you understanding what your systems look like from the point of view of an external highly skilled attacker who's trying to break into your systems, there are people who do this as a profession who can assess your systems by using the same techniques a skilled attacker would use, they might try to attack your systems over the network or the might try to trick your people into revealing passwords etc by phoning them and pretending to be from the helpdesk. Penetration testing and ethical hacking is the name used for this and its letting you see how your systems would cope if they were to come under attack.
|
