In our hustle and bustle business world, we're always looking for quick answers to our challenges. This is especially true in IT and even more so with information security. No matter how good we are, there's never enough time to keep up with everything in security.
There always seems to be a rogue employee trying to exploit sensitive information, a criminal hacker trying to make us look bad, or an auditor or government bureaucrat asking us to prove the security of our networks.
There is no foolproof formula for staying out of trouble. I can provide some proven, common sense methods for ensuring the important things are in check so you can prevent hacking and the next breach.
1. Learn from what's happening to others.
The best way to understand what's happening in the world of security is to read the latest versions of research reports. These can include the Verizon Data Breach Investigations Report, the Trustwave Global Security Report and the PwC Global State of Information Security Survey. The recent Mandiant APT1 report also provides fascinating insight into how state-sponsored cybercrime units work.
2. Get the right people on board.
Information security is not an IT issue -- it's a business issue that needs to be dealt with at the business level. It is essential to have a functional IT security committee made up of upper management, legal, HR and others pertinent to the cause.
3. Know what you've got.
You cannot secure what you do not acknowledge. I see so many people claim their data is secure when they've never even taken an inventory of their sensitive assets. It's those surprise "Oh yeah, I forgot about that data on those devices" moments that will get you into a real bind. You have to understand where data is at any given time.
4. Understand how everything is at risk.
It's critical to know just how your systems, devices, applications and data are currently at risk. Many people claim everything is safe and sound when it can often be demonstrated otherwise. Know where things stand.
5. Vow to fix the silly stuff.
There's no excuse to have low-hanging fruit security flaws in your environment. Weak passwords, missing patches, SQL injection and the like are simple to find and fix if you have the right people on board. When you eliminate the low-hanging fruit criminals target, you eliminate the majority of your security problems.
6. Resolve the known risks with existing controls.
Use Windows' built-in controls. They're not often used, but it's amazing what reasonable and enforced controls can do around passwords, intruder lockouts, encryption, patching and audit logging. You can also tweak your network architecture and applications to ensure basic controls have been met.
7. Realize there always have been and always will be vulnerabilities.
Despite what marketers want you to believe, security threats and vulnerabilities don't change drastically from year to year. In fact, many of the security challenges we now face date back several decades -- just check out James Martin's 1973 book, Security, Privacy, and Accuracy in Computer Systems.
8. Put ongoing security tests in the budget.
Even though vulnerabilities do not undergo drastic change all that often, new vulnerabilities are found every day. One of the biggest mistakes you can make is to assume you've done enough and not look for new areas of weaknesses on a periodic and consistent basis. The tools to do this get better, and so do the people who do the testing.
9. Use common sense.
The people who get caught up in the hype perpetuated by many of our techie peers are usually the ones with the most vulnerable environments. They major in minors and don't focus on the security that truly matters. To prevent hacking, practical, street-smart security trumps academic processes and approaches every time.
Take some time to clear your head regarding security. Step back, look at the big picture and you'll no doubt see where improvements can be made to prevent hacking. If you need to, bring in someone else who can offer a fresh perspective. Take a closer look at what you have under your control as well as what you don't have under your control. The most important thing is to just do something, and the best time to get started is today.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speakerwith Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.
This was first published in May 2013