Defending Against Attacks Requires Good Technology, But Companies Must Also Have Effective Management Systems and Best Practices in Place.
There’s an old expression that the most dangerous part of a car is “the nut holding the steering wheel.” It means that despite all the technology that goes into making cars safer, there’s still risk associated with human error by the driver. The same holds true for an enterprise network. Despite all the technology that offers data loss prevention, encryption, intrusion detection, firewalls and vulnerability scanning, network breaches still occur. That’s because the technology has to be complemented with proper employee training, rigorous adherence to best practices, internal policies and effective IT security management. An enterprise that relies solely on technology to protect its network, without effective management, is still very much at risk.
When the network of security vendor Comodo was hacked early in 2011, the investigation revealed that Comodo issued nine digital security certificates to a single Iranian IP address. It turns out they all belonged to a hacker, but there should have been some mechanism in place that would have at least aroused suspicion. That was a human error that could have been prevented by having a digital certificate management solution in place. In countless other cases, sensitive data is stored on a laptop computer that an employee loses. Or people don’t change passwords often enough, or they use a password that’s too easy to figure out.
Thwarting these and other attacks requires technologies that help protect enterprises from risk. Most importantly, it requires best practices that IT security professionals should abide by to make security effective. Accomplishing all of that requires diligent and thorough IT security management.
Security management requires internal oversight of processes and IT policies. For example, all organizations—independent of industry or size—leverage digital certificates to authenticate systems, protect information and provide access to secure files, databases and Web sites. The process involves the use of so-called private encryption keys, which act as the metaphorical keys to the kingdom. Best practices call for those keys, which are lines of code, to be a minimum of 2048 bits in length.
In addition, companies need to know where their certificates are. Most enterprises don’t have (and cannot quickly provide) an inventory of the various SSL certificates and private keys they use. Step 1 in developing a clear response plan for breaches like the one at Comodo is to do an enterprise-wide certificate inventory. This inventory will include obvious locations like Web servers outside the corporate firewall as well as the thousands and often tens of thousands of systems behind the firewall that rely on them, including application servers, routers and even endpoints.
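As an added illustration (not part of the original article), the sketch below shows what such an inventory makes possible: checking every key against the 2048-bit minimum and producing the replacement worklist for a compromised CA. The CSV columns, host names and CA names are constructed, hypothetical sample data.

```python
import csv
import io

MIN_KEY_BITS = 2048  # minimum key length the article cites as best practice

# Constructed sample inventory (hypothetical hosts, CAs and column names).
INVENTORY_CSV = """host,zone,role,issuer,key_bits
www.example.com,external,web server,Example CA 1,2048
shop.example.com,external,web server,Example CA 2,1024
app01.corp.example,internal,application server,Example CA 1,2048
rtr-edge-7.corp.example,internal,router,Example CA 1,1024
laptop-4412.corp.example,internal,endpoint,Example CA 2,
"""

def load_inventory(text):
    """Parse inventory rows; an empty key_bits becomes None (size unknown)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        bits = row["key_bits"].strip()
        row["key_bits"] = int(bits) if bits else None
        rows.append(row)
    return rows

def key_length_findings(rows, minimum=MIN_KEY_BITS):
    """Split hosts into keys below the minimum and keys of unknown size."""
    weak = [r["host"] for r in rows
            if r["key_bits"] is not None and r["key_bits"] < minimum]
    unknown = [r["host"] for r in rows if r["key_bits"] is None]
    return {"weak": weak, "unknown": unknown}

def ca_compromise_worklist(rows, issuer):
    """Hosts whose certificate must be replaced if `issuer` is compromised,
    with systems outside the firewall listed first."""
    affected = [r for r in rows if r["issuer"] == issuer]
    affected.sort(key=lambda r: (r["zone"] != "external", r["host"]))
    return [(r["host"], r["zone"], r["role"]) for r in affected]

if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    print(key_length_findings(inventory))
    for item in ca_compromise_worklist(inventory, "Example CA 1"):
        print(item)
```

Rows with no recorded key size are reported separately rather than treated as compliant, since an incomplete inventory entry is itself a finding.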
Other best practices for security management include the following:
• Perform quarterly security and compliance training
• Encrypt all data and traffic that flows into and within public and private clouds
• Use encryption throughout the organization
• Have a management process in place to ensure business continuity in the event of a CA compromise
• Ensure separation of duties for encryption key access
These best practices, unique to each organization, need to be reinforced and constantly monitored for adherence.
We all know the impact of a security failure on employees, partners and customers isn’t just a matter of their inconvenience or the potential theft of sensitive data. Security breaches exact a financial and reputational-damage cost to the company. The Ponemon Institute published a study in 2011 that put the average cost of a breach at $4 million per incident in 2010 based on a study of breaches in the U.S., Germany, France, the U.K. and Australia; this was up 18 percent from 2009. That figure includes the cost of detection and response to the breach, notifying customers, lost business and other follow-up investigation.
The United States had the highest cost per incident at $7.2 million. Lost business is the most expensive cost of a breach, according to Ponemon, because the company loses customers who no longer trust it or will no longer conduct business with it. Another intangible is the “reputation cost” of a breach to the company’s image in the market in general. This cost is incalculable and typically runs very high.
Technology alone can’t fully protect a network, any more than a collision-avoidance system or anti-lock brakes can fully protect a car and its driver. For network security, the technology has to be backed up by IT security professionals who have effective management systems and best practices in place. That way, the nut holding the steering wheel remains a crucial part of the security solution, not the incident.