'Tis The Season For Security Resolutions, Not Predictions.
At SecurityWeek, we believe it is more important for IT security teams to focus on resolutions rather than vendor predictions that are typically self-serving. While keeping an eye on the ever-changing threat landscape is important, as we suggested in our 2013 security resolutions feature, organizations worried about what might happen should instead focus on what they can do to improve their security posture.
Keeping to tradition, SecurityWeek invited security experts to weigh in on New Year's resolutions for improving information security and how organizations can better develop new habits in 2014.
Resolutions ranged from improving network monitoring, data center security, and understanding cloud services, to mobile security and user awareness. The common theme running through them all was the fact that organizations had to focus on the basics again, to tackle the nuts-and-bolts of security.
Back to Basics
The primary step towards keeping the enterprise "healthy" year-round is to get back to the basics, such as properly managing vulnerabilities and regularly patching systems, said Marc Maiffret, CTO of BeyondTrust. Unlike a weight-loss plan or a promise to exercise more regularly, adopting security fundamentals pays off almost immediately, he said.
Resolutions to do better don't mean squat if the organization doesn't know what is at stake, said Isabelle Dumont, director of product marketing for industry/vertical initiatives at Palo Alto Networks. Organizations need to know exactly what their vulnerabilities are and what they stand to lose in the event of a cyberattack.
"From healthcare and education to energy, oil and gas and transportation, companies in every vertical need to do a better job evaluating the costs and risks related to cybersecurity threats," Dumont said.
Take Control of the Network
"Go back to the basics. Integrate your data. Automate as much as possible," suggests Brandon Hoffman, senior director of global business development and security engineering at RedSeal Networks. Organizations first have to understand the security posture of the network infrastructure itself, and then figure out how the information being collected can be used across multiple security systems.
For most organizations, the network infrastructure is complex, as it has morphed to support new requirements over the years. The network had "numerous architects, builders, maintenance people, and janitors all adding sections, changing walls, and fixing holes (or adding them) over the years," Hoffman said.
Administrators have to unravel the tangled mess that is their network and make sense of what they have and what is happening. "Trying to secure the network infrastructure without understanding it is like trying to secure a building without knowing where all the doors are," Hoffman warned.
The next step is to integrate security platforms so that data can be shared across them. One example is correlating vulnerability scan data with network infrastructure analysis: the scanner says which systems have vulnerabilities, the network model says which of those systems an attacker can actually reach, and the combination shows where the vulnerabilities that matter exist.
Hoffman also emphasized the importance of automating certain security tasks to reduce human error and improve efficiency. Network infrastructure security management software automates the calculation of attack vectors and correlates systems data such as vulnerability data and security information and event management system logs, but the task is "enormous," Hoffman said.
"Network infrastructure is the key, start there," said Hoffman.
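As an added illustration of the correlation Hoffman describes (example code written for this page, not RedSeal's or any product's logic), the following Python models a firewall policy as zone-to-network rules, takes constructed scanner findings, and computes which findings an attacker starting on the Internet can reach, either directly or by chaining remote-code-execution findings to hop from zone to zone. The zones, addresses, rules, host names and finding IDs are all constructed for the example.

```python
"""Correlate vulnerability-scan findings with firewall reachability.

Added example for this page, not a product's code. Everything below
(zones, addresses, rules, findings) is constructed for illustration.
"""
from collections import deque
import ipaddress

# Constructed firewall policy: (src_zone, dst_cidr, proto, port).
# port None means any port. Anything not listed is denied.
FIREWALL_RULES = [
    ("internet", "203.0.113.0/24", "tcp", 443),   # public web tier
    ("internet", "203.0.113.0/24", "tcp", 22),    # forgotten admin rule
    ("dmz",      "10.0.1.0/24",    "tcp", 1433),  # web tier -> database
    ("internal", "10.0.0.0/8",     "tcp", None),  # flat internal network
]

# Constructed inventory: host -> (ip, zone the host sits in)
HOSTS = {
    "web1": ("203.0.113.10", "dmz"),
    "web2": ("203.0.113.11", "dmz"),
    "db1":  ("10.0.1.20",    "internal"),
    "hr1":  ("10.0.2.5",     "internal"),
}

# Constructed scanner output. 'rce' marks findings whose exploitation gives
# the attacker a foothold on the host (and so in the host's zone).
FINDINGS = [
    {"id": "F-001", "host": "web1", "proto": "tcp", "port": 443,  "severity": 6.5, "rce": False},
    {"id": "F-002", "host": "web2", "proto": "tcp", "port": 22,   "severity": 9.8, "rce": True},
    {"id": "F-003", "host": "db1",  "proto": "tcp", "port": 1433, "severity": 9.1, "rce": True},
    {"id": "F-004", "host": "hr1",  "proto": "tcp", "port": 445,  "severity": 9.8, "rce": True},
]


def allowed(src_zone, dst_ip, proto, port, rules=FIREWALL_RULES):
    """True if some rule lets src_zone reach dst_ip on proto/port (default deny)."""
    ip = ipaddress.ip_address(dst_ip)
    for r_zone, r_cidr, r_proto, r_port in rules:
        if r_zone != src_zone or r_proto != proto:
            continue
        if ip not in ipaddress.ip_network(r_cidr):
            continue
        if r_port is None or r_port == port:
            return True
    return False


def reachable_findings(start_zone, rules=FIREWALL_RULES):
    """Map finding id -> shortest attack path from start_zone.

    A path lists the starting zone and the findings exploited in order.
    Breadth-first search over zones: a finding is reachable when the policy
    lets the attacker's current zone reach its host:port; exploiting an RCE
    finding moves the attacker into that host's zone, and the search continues.
    """
    paths = {}
    visited = {start_zone}
    queue = deque([(start_zone, [start_zone])])
    while queue:
        zone, path = queue.popleft()
        for f in FINDINGS:
            if f["id"] in paths:
                continue
            ip, host_zone = HOSTS[f["host"]]
            if not allowed(zone, ip, f["proto"], f["port"], rules):
                continue
            paths[f["id"]] = path + [f["id"]]
            if f["rce"] and host_zone not in visited:
                visited.add(host_zone)
                queue.append((host_zone, paths[f["id"]]))
    return paths


def prioritize(start_zone="internet", rules=FIREWALL_RULES):
    """Remediation order: reachable findings first (fewest hops), then by severity.

    A critical finding nobody can reach ranks below a medium one on an
    Internet-facing service, which is the point of correlating the two data sets.
    """
    paths = reachable_findings(start_zone, rules)

    def key(f):
        hops = len(paths[f["id"]]) - 1 if f["id"] in paths else float("inf")
        return (hops, -f["severity"])

    return [f["id"] for f in sorted(FINDINGS, key=key)]


if __name__ == "__main__":
    paths = reachable_findings("internet")
    for fid in prioritize():
        route = " -> ".join(paths[fid]) if fid in paths else "not reachable from internet"
        print(f"{fid}: {route}")
    # Re-run without the forgotten SSH rule to see what fixing it buys.
    fixed = [r for r in FIREWALL_RULES if r != ("internet", "203.0.113.0/24", "tcp", 22)]
    print("after removing the SSH rule:", sorted(reachable_findings("internet", fixed)))
```

In the constructed data the highest-severity finding, on the HR host, is only reachable through the forgotten SSH rule and two intermediate exploits; removing that one rule takes three of the four findings off the Internet-reachable list, which is the kind of result neither the scanner nor the firewall configuration shows on its own. Real tools do the same over routing tables, NAT and thousands of rules, which is why Hoffman calls the task enormous.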
Don't Neglect the Data Center
The data center should be part of the overall network infrastructure assessment. In recent years, organizations have largely focused on the top layers of the IT stack, such as application software, operating systems, storage, and networking devices, said Bob Butler, CSO of data center company IO. Assessing data center infrastructure security with penetration tests and vulnerability assessments is part of going back to the basics, because defenders then know what is vulnerable and how severe the risk is.
Many organizations will find their "traditional raised-floor data centers are filled with aging infrastructure of varying design that does not lend itself easily to protection," Butler said, noting that attackers can penetrate these aging systems relatively easily. A software-defined data center strategy focuses on standardizing hardware and using software-based intelligent controls to improve visibility into the network, Butler said.
Focus on Mobile
According to a recent survey of security professionals, 75% of respondents identified mobile devices such as smart phones as "the greatest risk of potential IT security risk within the IT environment."
Thanks to the proliferation of mobile devices, it's no longer sufficient to focus just on the network, or on the computers and servers. If your organization hasn't addressed mobile devices yet, this is the year to tackle the question head-on. Whether the organization controls which mobile devices employees can use or allows BYOD, it needs a strategy. Most security professionals recognize that mobile devices pose the biggest risks to the organization, but this awareness has to translate into actual policies. "Are you hiding your head in the sand when it comes to mobile security?" said Dumont.
The organization has to recognize that crimeware and fraud targeting mobile devices are just as risky to its networks and data as traditional attacks. Attackers can use cellular networks to reach command-and-control infrastructure, bypassing many of the organization's network-based defenses, Dumont said, and APTs targeting mobile platforms will take advantage of GPS location data to pinpoint individual targets.
"Get your mobile security strategy in place," Dumont advised.
Control Employee Access
Administrators need to exert greater control over remote access tools such as Remote Desktop, SSH, and TeamViewer, said Dumont. The applications are powerful and essential for a variety of business operations, but they are also abused regularly by attackers. "In 2014, resolve to make certain these tools are secure," Dumont said.
"View employees as threats and monitor them as such," says Carmine Clementelli, iNetSec product manager at Fujitsu Computer Products of America. Organizations have been so focused on external threats that they have neglected to secure their networks and data from internal abuse. The threat may come from bring-your-own-device, because IT has no control over or visibility into employee activity, or from an employee who decides to break the rules. Either way, organizations have to create policies and monitor employees before a costly data breach occurs.
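An added example, not from the article or from either vendor, of turning Dumont's advice on remote access tools and Clementelli's advice on monitoring into something concrete: a small Python detector that reads constructed firewall connection logs and flags SSH, RDP and TeamViewer sessions that do not come from an assumed set of jump hosts or help-desk subnet. The log format, the addresses, the jump-host and help-desk policy, and the sample lines are all assumptions made for the example.

```python
"""Flag SSH, RDP and TeamViewer sessions that break an assumed access policy.

Added example for this page, not a vendor's detection logic. The log format,
addresses and policy below are constructed for illustration.
"""
import ipaddress
import re

# Default listening ports of the tools named in the text. TeamViewer falls
# back to 443 and 80 when 5938 is blocked, so port matching alone will miss
# some sessions; that is a known gap of this detector, not a feature.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5938: "TeamViewer"}

# Assumed policy: SSH/RDP only from the jump hosts, TeamViewer only from the
# help-desk subnet, and no SSH/RDP at all from outside our address space.
JUMP_HOSTS = {"10.0.9.10", "10.0.9.11"}
HELPDESK_NET = ipaddress.ip_network("10.0.50.0/24")
OUR_NETS = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("203.0.113.0/24")]

# Constructed key=value firewall log lines (only the fields used here).
SAMPLE_LOG = """\
2014-01-06T08:01:12Z fw1 action=allow proto=tcp src=10.0.9.10 dst=10.0.1.20 dport=22
2014-01-06T08:03:40Z fw1 action=allow proto=tcp src=10.0.2.5 dst=10.0.1.20 dport=3389
2014-01-06T08:05:02Z fw1 action=allow proto=tcp src=198.51.100.7 dst=203.0.113.11 dport=22
2014-01-06T08:07:19Z fw1 action=allow proto=tcp src=10.0.50.23 dst=192.0.2.44 dport=5938
2014-01-06T08:09:55Z fw1 action=allow proto=tcp src=10.0.2.5 dst=192.0.2.44 dport=5938
2014-01-06T08:11:30Z fw1 action=allow proto=tcp src=10.0.2.5 dst=10.0.1.30 dport=443
this line is garbage and must not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_ours(ip):
    """True if the address lies in one of the organization's own networks."""
    return any(ipaddress.ip_address(ip) in net for net in OUR_NETS)


def check(rec):
    """Return a reason string if the record violates policy, else None."""
    tool = REMOTE_ACCESS_PORTS.get(rec["dport"])
    if tool is None or rec["action"] != "allow":
        return None
    if tool in ("SSH", "RDP"):
        if not is_ours(rec["src"]):
            return f"{tool} allowed inbound from outside address space"
        if rec["src"] not in JUMP_HOSTS:
            return f"{tool} from non-jump host"
    elif tool == "TeamViewer":
        if ipaddress.ip_address(rec["src"]) not in HELPDESK_NET:
            return "TeamViewer from outside the help-desk subnet"
    return None


def detect(log_text):
    """Run check() over every parseable line; return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = check(rec)
        if reason:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                           "tool": REMOTE_ACCESS_PORTS[rec["dport"]], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} {a['src']} -> {a['dst']} {a['tool']}: {a['reason']}")
```

The sample produces three alerts: an RDP session to the database host from a workstation rather than a jump host, SSH allowed in from the Internet to a DMZ address, and TeamViewer from a host outside the help-desk subnet. The policy is deliberately simple; in practice the jump-host list comes from inventory, and the TeamViewer rule needs either a proxy log or TLS inspection to catch the fallback to 443.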
Understanding the Cloud
Cloud providers need to "reinforce the idea that security is a shared responsibility," and customers need to understand that outsourcing certain activities to the cloud does not relieve them of their security obligations, said Adrienne Hall, general manager of the Trustworthy Computing group at Microsoft. Cloud providers are quick to tout the security benefits of the cloud, such as not having to worry about security updates, but neglect to mention that organizations still need to do their part, such as securing the endpoint and making sure employees are using strong passwords.
Along with a discussion about responsibilities, cloud providers and organizations need to talk about their expectations, Hall said. Cloud providers need to understand what compliance requirements the business has to follow, and organizations have to understand what security features the service plan offers, and how much these additional features would cost.
None of these conversations can happen if everyone slings around acronyms instead of specifying exactly what they are saying. Instead of getting caught up in the differences between Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), focus on what the cloud service provides the customer. For this New Year's resolution, resolve to "avoid acronym soup when discussing cloud services," and just talk about what the service provides and how it drives business value, Hall said. This will make cloud computing "less theoretical and more real," she said.
There is no magic pill in security, and organizations need to be diligent about staying on top of these tasks. Maiffret suggests a yearlong plan with monthly checkpoints "that force you to reflect more frequently and honestly" about what is actually being done.
"Changing your habits is never an easy thing but just imagine—had you stuck to your goals a year ago where you would be now," Maiffret said.
Related Reading: Strategic Thinking - IT Planning and Risk in 2014
Related Reading: A Cyber Security New Year's Resolution: Simplify Security
Related Reading: Planning for Network Security in 2014
Related Reading: What Would Nostradamus Have Said About Cyber Security in 2014?