IT security still immature, says HP security exec

Enterprise IT security is still relatively immature, with many organisations failing to achieve basic security hygiene, says HP security executive

Enterprise IT security is still relatively immature, according to HP enterprise security group senior director of products and services marketing, Dan Lamorena.

“The latest HP Cyber Risk Report shows that most organisations are still not achieving basic IT security hygiene,” he told Computer Weekly.

Lamorena is in London to discuss the findings of the report at the 2015 e-Crime & Information Security Congress.

According to the report, most businesses that experienced a cyber security incident in 2014 were hit with well-known security threats and system configuration faults.

In fact, the top 10 threats in 2014 exploited known weaknesses in systems implemented years or even decades ago, and 44% of breaches were linked to vulnerabilities that were between two and four years old.

“This shows these old techniques still work, and that is because many organisations are still failing to patch systems to ensure they have the latest security updates,” said Lamorena.

“Patching is not easy, especially in decentralised networks, but organisations should be paying more attention to these basics.”

Commenting on the recent spate of compromises of point-of-sale systems at US retailers, Lamorena said many of these vulnerabilities could have been eliminated through better patching processes.

“Retailers should be re-evaluating their encryption policies and systems configurations, and improving their monitoring capabilties in the light of recent breaches,” he said.

Read more about security monitoring

However, Lamorena said HP is seeing a lot of retail organisations looking to overhaul their card payments systems and set up some form of a security operations centre.

“Even smaller organisations are realising the need for improved monitoring of operations, even if that is in the form of a managed service,” he said.

Another exacerbating factor is that instead of investing in things like basic system management technologies, companies are focusing on things like cloud computing, mobile computing and online apps.

“Many organisations also still tend to see IT security as the people who say no and they consider security as a cost or insurance that often hinders the business,” said Lamorena.

The report identified misconfigurations of web servers as the top category of vulnerabilities in 2014, providing attackers with unnecessary access to files that leave organisations vulnerable to attack.

“This includes things like cross-site scripting and SQL injection attacks, which are all enabled by configurations that give apps access to more files and folders than necessary,” said Lamorena.

By tightening configurations on web servers, he said organisations can reduce the number of avenues of attack, thereby raising the overall security posture of the organisation.

Exploitation of web server misconfigurations underlines the value of using standard builds and things like automatic provisioning to ensure everything is done in a standard way according to best practice.

“Routine penetration testing is also extremely helpful in ensuring that there are no weaknesses in web server configurations that have been overlooked,” said Lamorena.

“But all the best security technologies in the world will not help if organisations are not getting the basics right – it is still very much about aligning people, process and technology,” he said.

Organisations should not neglect users in security strategy

According to Lamorena, organisations should not neglect users in their security strategy and provide as much security training as possible to reduce user error and encourage users to report anything suspicious to IT security teams.

“Users are often the weakest link, and with all the information people are putting on social media, it is getting easier for attackers to compromise credentials to get around traditional perimeter defences," he said.

It is useful for organisations to know who is using apps and consuming data so that they can identify anomalies

Dan Lamorena, HP

Overall, HP is advocating that organisations seek to improve their security capabilities by assuming they have been breached.

“In the past, organisations have tended to over-invest in technologies to block adversaries, but now they should be investing in monitoring their IT environments,” said Lamorena.

“It is useful for organisations to know who is using apps and consuming data so that they can identify anomalies even if attackers are able to steal administrator usernames and passwords.”

Lamorena said that by assuming they will be breached, organisations are also more likely to monitor their networks and protect data more closely through using things like encryption.

“Organisations have tended to shy away from encryption in the past, but the technology has evolved to enable companies to analyse and manipulate data even though it is encrypted,” he said.

As well as a move to greater network visibility and monitoring, HP expects the IT security industry to move to greater collaboration around identifying threats and bad actors.

“We are looking at enabling the concept of crowdsourcing security intelligence through the use of open standards to make it easier to share what we are seeing with our peers,” said Lamorena.

“The security industry is still largely made up of point tools, but we expect to see greater integration and interoperability to enable more automated responses a better view of threats and bad actors.”

Read more on Hackers and cybercrime prevention