Few would argue that the major themes at the recently wrapped RSA Conference 2012 in San Francisco were cloud, mobile and Big Data.
This should come as no surprise as they are currently the hottest areas of technology. Sure, the ongoing scare of undetectable and unavoidable slow, targeted attacks on organizations’ systems, known as advanced persistent threats (APTs), still had a presence at the conference. However, there was very little mention of them on the show floor.
Even so, the current vendor messaging begs the question: Are we missing the mark on security basics by focusing so much on emerging technologies?
This isn’t to say that emerging markets and new technologies aren’t important. It simply raises concern about what takes priority when organizations determine how and where to invest their time, manpower and budgets. Are we so excited about the new stuff out there that we’ve lost our IT security common sense? Is it that the vendors are speaking to the largest and most forward-thinking of organizations that have had the opportunity to deploy multiple layers of defense and master their overall IT security programs, leaving the rest of the smaller, less-funded organizations in the dust? Time will tell.
Bringing things back to reality for the masses, as has been stated many times over by security analysts and vendors alike, organizations should expect their systems and their data to be compromised at one point or another. Therefore, the goal is really to lower the risk of damage in the event of an attack, not so much to block every possible threat in an attempt to altogether prevent a successful attack with 100 percent success.
This means organizations should employ improved tactics for handling and safeguarding their data by using some of the same tools they already have to better manage accounts, passwords, vulnerabilities, and patches, for example.
During this year’s RSA show, I was able to speak with a number of individuals regarding this view. While a variety of topics surfaced that were geared toward helping organizations make good decisions based on common sense, one theme consistently emerged above the rest: passwords, identities, and privileges.
And there is nothing futuristic about that.
Just as organizations should be prepared for the seemingly inevitable reality that their systems and data will be compromised, they should also consider the likelihood that their employees’ email accounts have already been compromised, probably the easiest source of entry into an organization’s business systems. The fact that many users reemploy passwords creates tremendous risk for consumers and enterprises alike.
Of course, email and password compromises don’t always take place en masse. They also can happen on an individual basis, one by one. In these cases, it is often due to one or more of a few exposures:
- Weak or infrequently changed passwords
- Identical passwords being used across a variety of systems and applications
- Company-provisioned emails used to register for personal systems and non-corporate services
- User passwords shared among corporate and personal systems and services
Organizations should be investing in areas that result in immediate benefit, especially those that have yet to conquer the defense-in-depth model. With a bit of understanding and prioritization, organizations can lead themselves to mobile and the cloud with a solid security strategy, not one built on pomp and circumstance.
First, the challenges must be uncovered, the solutions identified, and the benefits clear.
I spoke to Phil Lieberman, president of Lieberman Software, who told me that every company his firm has engaged with has well-known accounts and passwords — such as “guest” and “root” — and these accounts and passwords are generally used each and every day without question.
In addition to the passwords that need to be better managed and supplemented with two-factor authentication, account privilege is another area that should be proactively managed and controlled.
Most organizations take steps to remove admin-level access and elevated privileges from standard user accounts. But admin privileges often get granted to additional users over time as a way to allow them to install printer drivers, launch system-level applications, and perform other business-enabling actions on their own without IT help desk involvement.
Viewfinity CEO Leonid Shtilman told me that most organizations are victims of “privilege creep” – a situation where privileges are locked down initially and are increased over time. Businesses should follow the basics of managing account privileges on a granular level, controlling access based on need, time, application, location and more.
I hope that IT security admins, analysts, and engineers running the day-to-day security gauntlet still have their common sense and haven’t let go of their best practices and tools. So one has to wonder, on whose ears does all the new messaging land?
Sean Martin is a CISSP and the founder of Imsmartin Consulting. Write him at email@example.com.