Welcome to the 29th edition of the JW Secure Informer, our bi-monthly newsletter. This is an opportunity to share what’s on our radar, specifically with respect to enterprise network security, but also regarding IT and business more generally.
The Informer is intended to be useful content and good for a quick read. So if it’s just clutter in your inbox, we’ve failed, and I hope you’ll let us know.
Protect Your Business by Building a Security A-Team
To quote George R. R. Martin, “Winter is coming.” Here in the Pacific Northwest, that means skiing, flu season, and a freeze on enterprise IT configuration changes until the New Year. Like the flu virus, malicious computer software (malware) is always looking for ways to infect your enterprise IT. There’s a reason that malware programs are called viruses — both are adaptable, opportunistic attackers looking for new opportunities to get past the defenses of the target, whether it is carbon- or silicon-based.
What you don’t know will hurt you.
The role of virus defenders, whether they’re experts in IT security or in public health threats, is to look at every mode of ingress and ensure that it’s protected against attack, as well as to inspect every node — computers on the network or people in a city — and ensure that each has the latest defenses against infection. Just as important, virus defenders are constantly working to improve the speed and accuracy of diagnosis, in case those defenses are penetrated.
Current events highlight the vital importance of diagnosis and experience. The recent Ebola outbreak spread so quickly partly because of an initial misdiagnosis as cholera in West Africa. In an IT environment, the digital footprints leading up to a major attack, including the presence of targeted malware, are frequently obvious in hindsight. But it’s only after an infection, attack, or even theft has occurred that anybody bothers to check for and accurately classify vulnerabilities and threats. The Home Depot and Target hacks are both unfortunate examples of this pattern.
Fresh eyes for fresh threats.
Computer security is such a fast-moving field that it’s important to know when to call in external help (just like a fast-moving, dangerous contagion requires the attention of the CDC) and what to expect from those experts. Professionals who do security assessments for a living bring with them a proven methodology that has worked in many environments. Much of the guidance may seem obvious, but it is often the obvious that has been overlooked. (Surely someone has already done background checks on all the folks with key codes to the server room, right?) Outside experts not only bring their experience and expertise, but also fresh eyes that can see what’s been in front of your team so long that you no longer even notice it.
Because attackers are always looking for new channels and vulnerabilities, IT experts must remain highly current, informed, and vigilant — something that is difficult for internal teams to do with all their other responsibilities.
A good offense is always the best defense. It takes both your internal team and external experts to make the most effective team with the experience to see new threats. When you bring in external security experts, they contribute broad expertise and depth in relevant technologies and compliance areas. When they’re paired with your team – the people who know your IT operations and assets inside and out (including where the bodies are buried) – you get the strongest foundation for tight security.
The key is trust: you must trust your operations people to be candid about risks and concerns, and you must hire security people that you can trust to act on that information responsibly.
What to expect from an IT security assessment.
Seasoned external security experts will help you employ a process that covers the following bases:
- Asset inventory: what is the known list of computers, users, and groups, who maintains it, and how?
- Data flows: what data is going from A to B and how is it protected?
- Personnel policies: what are the procedures for onboarding, off-boarding, authentication, and auditing?
- Strongholds (also known as trusted enclaves): what are the high-value assets, and how is defense in depth being used to protect them?
- Review: once threats have been enumerated, bring together internal and external experts to evaluate, prioritize, and implement mitigations.
- Repeat: refresh the assessment and review the plan at predetermined intervals to maintain security.
Prevention beats cures.
Just as vaccines are more desirable than illness and treatment, so is proactive security preferable to incident response. The time, effort, and budget required to avert attacks are less costly than what’s required to mop up the mess. When a company is hacked and ends up in the news, the damage to its reputation and competitive advantage can be permanent.
Teaming up for security success.
IT personnel are the most important asset for protecting the business against security threats. Empower your IT team to deploy defense-in-depth security measures, based on a combination of new technologies and well-established best practices, and to engage with external experts in order to complement their skills. Winter is coming. Now is the time to prepare.
For more information about conducting a security assessment and protecting your business-critical assets, please contact us at firstname.lastname@example.org.