As the incidence and impact of cybercrime and cyber-warfare on business continues to escalate, one fact is beyond dispute: enterprises are losing. Enterprises are losing revenue, customer data, goodwill and intellectual capital. This might come as a surprise to some people, considering that businesses are spending increasing portions of their IT budgets specifically on security on ever more sophisticated solutions.
So how can they possibly be losing the war when they’re spending more than ever on IT security? There are undoubtedly many reasons for this, but the root cause typically lies within the very DNA of an organization. Here are some indicators that your enterprise is overly vulnerable – and some steps you can take to rectify that.
- Lack of executive and board support. Commitment from the top is the single most important factor in determining vulnerability. I strongly believe that the CIA triad – confidentiality, integrity and availability – in CISSP parlance applies to not only technology components but to people as well. Particularly the integrity component as applied to executive leadership. If executives are willing to sacrifice security for convenience, this tone will trickle down through the organization, making it virtually impossible to implement comprehensive and effective security policies.
- Security strategy is applied from the outside-in instead of from the inside-out. Organizations commonly invest outsized portions of their IT security budgets at the perimeter, yet most of their critical resources are deep within the network. Security controls should evolve outward starting from the application to the point of access.
The belief that “defense-in-depth” equals “layered security.” Defense-in-depth is the result of layered security and not the opposite. For example, chaining firewalls, intrusion protection systems and application delivery controllers (ADCs) in front of an application will likely lead to decreased security because each platform is operating in a silo. Without the benefit of sharing context in real-time with each other, devices in the service chain don’t have a complete picture of the communication. In addition, organizational focus and expertise is divided among the tiered platforms, leading to a situation where the sum is less than the parts.
Consider a vertically layered security model by consolidating security functions in fewer platforms. Invest in platforms that have the ability to inspect and understand the entire context and flow of a transaction from the network to the application. This approach provides a path to a better security posture since it allows you to channel resources and expertise into delivering the security function instead of managing platforms with improved operational efficiency.
Poor operational practices and processes. Great IT security starts with excellent operations – practices such as change policy, aggressive patch management, standards compliance and baselining. Operations are key because they allow an organization to establish normalcy.
Establish a common-sense change policy that balances business with operational availability concerns. If a change policy is overly restrictive, administrators will neglect patching systems against known vulnerabilities, which can lead to unnecessary risks for the enterprise.
No centralized and pervasive monitoring infrastructure. The NSA should have nothing on your enterprise monitoring capabilities. Every platform on the network should have a monitoring strategy to detect changes – and changes should be measurable against a baseline. For example, when an administrative group is changed, an alert should be issued.
Consider investing in log consolidation and trending solutions even before SIEM solutions. Most organizations focus on event correlation before they have even established a pervasive monitoring infrastructure. Once that infrastructure is established, SIEM can be used to align the data log data with normal activity and detect anomalies.
Principle of least privilege is not rigorously applied to platform, application and data access. For attackers, accounts with elevated or administrative privileges are an ideal target. If an attacker compromises a host without having elevated privileges, they must take the additional and potentially more difficult step of elevating their level of privileges in order to gain an effective foothold on the compromised system. Organizations, however, often make obtaining administrative level privileges a trivial task; users and administrators often both operate with elevated and/or administrative privileges. This is roughly equivalent to locking the door to your home but leaving the key in the lock.
Consider vaulting sensitive administrative credentials and rotate them like encryption keys after a set number of credential uses, per the risk profile of the system or application. In addition, users and administrators alike should not operate with administrative privileges unless absolutely necessary at a particular point and time.
The enterprise network is flat. Internal network zoning and security boundaries are critical to help reduce the scope of a potential compromise. In networks without zones, a single compromised host can communicate freely throughout the entire network, making it extremely difficult to determine the scope and impact of a compromise.
Consider applying segmentation policies at the ADC. This is a logical place to apply access policies and monitor application traffic since most enterprise applications typically reside behind an ADC. Only allow users limited access to services (for example, DNS), and only allow network-based access to presentation tiers of applications.
Users have broad access to the Internet. Users with broad or unlimited Internet access typically represent the largest threat vector for an enterprise. Whether it be phishing, drive-by downloads, or email-based malware; infiltration, command and control, and exfiltration of data will usually require some form of Internet connectivity. Limiting Internet access for users will radically improve the security posture of an organization.
Implement stringent Internet access policies to restrict employees’ access to work-related sites only, such as for B2B transactions. With the prevalence and pervasiveness of personal smart devices, users can still work productively and stay connected without placing the organization at undue risk.