Content

Failing to protect systems will turn you into roadkill

The stuff they use to protect the organization is, then, at risk itself. Now, I have to ask myself, "why would an organization spend a bunch of money on, for example, an IDS, and leave the IDS itself vulnerable?" The answer, I think, is: time, money, training.

New regulatory pressures have caused some organizations to buy additional security and privacy tools. Often, these organizations have limited resources to manage information security, so the tools are installed and the hope is that by their presence alone security will improve. Often, for now, this is the case, but organizations need to protect the protection they use.

I was teaching a class recently in which I commented on the validity of intrusion detection logs as evidence, and made the point that logs needed to be protected from malicious alteration.

To one student, the idea that an IDS would be installed so that the console was on an out-of-band fiber network and the sensors stealthed to the outside was normal. Another student had never been exposed to the concept. This is the fault of the IDS developer for not providing the appropriate training on deployment. It is also the fault of the organization for not demanding that training or seeking it elsewhere.

A tick-box mentality is insufficient to protect information assets. This mentality says that as long as you can satisfy the auditors, you have taken some information security steps, no matter how trivial, you pass the audit, and passing the audit is all that matters.

If you apply that approach and you get hit, you're toast – for two reasons. Your assets are not really protected, so you will experience a loss at some level (I know of losses of nearly a billion dollars under these circumstances). Also, you and/or someone at a higher level will be seen to have breached your fiduciary duty to protect organizational assets, and the law suits will just keep on coming.

Halfway measures to protect information assets are no longer acceptable. Protect the protection, and train the people who protect the organization's assets.

Peter Stephenson is director of information assurance for CeRNS, The Center for Regional and National Security, at Eastern Michigan University

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.