Security Think Tank: As cyber pros, we need to articulate our needs better

We are coming to the end of the year, Black Friday has been and gone and the shops are full of Christmas offers. And the scammers, of course, are having a field day sending emails offering enticing deals, often with pictures of the items on offer and links to online shops.

Many of those emails will carry malicious content or the links will connect to websites delivering a malicious payload. Of course, we’re not talking just about the home here, but your company’s offices as well. How many of your staff are now quietly surfing the internet or looking at their private email? In doing so, they are potentially exposing the company network to malicious software.

“Aha,” you say, “but our company has a Wi-Fi network specifically for private and visitor use.” So how do you know that there is no private use of the corporate network, or that the Wi-Fi has been configured securely? If there was a compromised device on that Wi-Fi, how good are your defences?

It is likely that the Wi-Fi in question connects through to your company firewall to access the internet and may even be carried over a VLAN within the company network to the firewall. So are all devices supporting VLANs up to date with the latest software and security patches, have their configurations been checked, and are they fit for purpose? The firewall itself is not a “fit and forget” device – it needs regular maintenance as well.

Have we, the security industry, or you, the security professional, learnt any lessons this year? Were last year’s lessons learnt and corrected, or were most just put on the side because they were too difficult or too expensive to implement. Or perhaps they were even dismissed out of hand without doing a thorough risk assessment or any risk assessment at all? Is the group responsible for maintaining IT security appropriately trained and funded?

Security incidents, data breaches and the like have continued apace during the year and there have been some quite spectacular data breaches. All of this highlights the fact that the security defences within many companies’ infrastructures are really not quite up to snuff, although it is widely agreed that you can never, ever create something that is completely and utterly secure, but you can do quite a lot to stop vulnerabilities being exploited.

Even if you believe all devices are up to date and configured correctly and appropriately, you still need to factor in the human element – the insider. Think the disgruntled employee, the “plant”, the contractor, the visitor and the visiting maintenance person, the cleaner, and just straightforward human error. 

If you’ll allow me to hop onto my soapbox for a moment, you need to get the basics right, and not getting the basics right is one of the main lessons that needs to be learnt. An organisation cannot get this right unless the IT team and those responsible for IT security are appropriately skilled and adequately resourced.

The basics cover a number of areas, including, but not exclusively, software (supported and patched versions), infrastructure device and application configuration (fit-for-purpose, up-to-date firmware), procedures (up to date, easily found and followed). Infrastructure health checking (internal and external vulnerability testing, configuration audit, operational audit) and general staff security awareness efforts.   

One of the key basics, and a lesson that is often not fully understood, is in the use of the access authentication and authorisation (AAA) system and its available controls. Question: is your AAA system used to ensure that all user accesses are based on a need-to-know, least-privilege and time-of-day set of principles? Most staff don’t need to access company IT systems outside of normal working hours, do not need access to all company files, and certainly do not need write access to every file they need to use. 

To summarise, although some lessons have been learnt by some companies over the year, I am certain that not all lessons have been learnt by all companies. In my humble opinion, one of the biggest lessons (and it’s not a technology one) is the continued failure by the IT and IT security people to articulate in a business-understandable way to those who hold the purse strings, the need for adequate funding and resources. Today more than ever, a failure in a company’s IT system could be fatal to the future of the company.