By Gordon Rapkin, CEO of data security specialist, Protegrity
1.If we buy the right security solutions, our data will be protected
No matter how much money you frantically throw at vendors, enterprise data will remain vulnerable until you pay equal attention to educating people and developing data-driven security processes and policies. One of the most positive things an enterprise can do from a security standpoint is to institute ongoing data defence training for employees. Then enforce policies using technologies like role-based access, automated enforcement and system auditing and ensure that there are real consequences if policies are ignored or thwarted.
2.The real threat emanates from inside/outside the organisation
Narrowing the enterprise’s focus to protect data against specific types of attacks often results in opening the doors to other types of attacks. Don’t implement a media-scare-story-driven security plan based on reacting to every overwrought report or bit of research. Constantly shifting focus to manage the threat of the moment will result in piecemeal security, focus instead on comprehensively securing data.
3.We’ve outsourced data storage/security, so we don’t need to worry anymore about securing personally identifiable information (PII).
The hard truth is that businesses cannot outsource their responsibility to protect data. If a business is required to comply with data protection standards or regulations, and its outsourcing partner fails to protect personal data, the company that owns the data will most likely be considered at fault. It will be liable for any associated costs, penalties or legal actions that might arise from its exposure. You must ensure that the company you are partnering with — offshore or domestic — takes data security seriously and fully understands the regulations that affect your business.
4.Certified applications are secure now and into the future
Certification is valid at the single point in time when the application was sanctioned. No certification comes with a “Happily Ever After” fairytale guarantee. Certified applications need to be managed in the same way as any other application, with regular reviews of vendor patches, monitoring changes in the environment and auditing usage to stay on top of the inherent risks.
5.We know our network doesn’t have vulnerabilities because we patch our applications regularly.
Patches fix only the exploits that we know about and not all flaws are public knowledge. Sometimes the bad guys find them first and they aren’t exactly eager to alert vendors to the problem. Vendors also can’t always patch holes immediately, and sometimes patches can create exciting new security holes and other problems. Patching is an important part of an enterprise security plan, but doesn’t alone equal a secure system.
6.We don’t need to worry about those far-fetched ‘Proof of Concept’ hack attacks the IT guys are always getting excited about.
Theoretical attacks shouldn’t keep you up at night, especially if they require a high skill level, physical access and a well stocked computer lab to conduct the attack successfully. That said, proof of concept attacks should be treated like a preview of an action movie that may or may not come to a cinema near you. IT should certainly be aware of the new and exciting things the security and underground communities are discussing, and should track emerging threats that seem likely to become actionable exploits. Forewarned is forearmed.
7.If a system is in compliance with industry data-protection regulations, that system is secure.
Nothing could be further from the truth. Regulations and standards tend to deal with specific and limited issues -- such as securing the systems that process payment card data -- and don’t address the network and applications holistically -- something which is essential for real security. Roll compliance into your security plan, but don’t make it the centrepiece or sum total of the enterprise’s data protection efforts.
8.The strongest possible security is essential for all business systems and every part of a system.
Defcon 1 level security is neither necessary nor desirable for all businesses, or for every aspect of a business environment. It makes far more sense from financial, usability and availability standpoints to focus the most stringent security efforts on protecting the most sensitive information. Companies should define their data security strategies based on a comprehensive risk analysis of the value of data they collect, use and manage and the enterprise’s own threat profile.
9.Open source software is inherently more secure than proprietary software, or vice versa.
Neither of these two software development methods results in 100% bulletproof applications. Comprehensive code testing, correct deployment and the right security plan are more important than whether applications were developed in open source or proprietary mode.
10.All security builds on prior investments
The success of an enterprise’s security efforts need to be regularly reviewed and measured, older goals may need to be dropped, new plans may need to be instituted, and sometimes technologies that seemed like great ideas at the time may become a gaping security hole as a result of changes in the computing environment or advances in the hacker community. An example of this is DES encryption. At one time it was considered secure until a dedicated group proved it was vulnerable to brute force attacks due to its short (56-bit) key. Security is always a moving target and we have to be willing to shift focus as conditions demand.
Protegrity USA Inc. is exhibiting at Infosecurity Europe 2009, Europe's number one dedicated Information security event. Now in its 14th year, the show continues to provide an unrivalled education programme, the most diverse range of new products & services from over 300 exhibitors and 12,000 visitors from every segment of the industry. Held on the 28th – 30th April 2009 in Earls Court, London this is a must attend event for all professionals involved in Information Security. www.infosec.co.uk
By Gordon Rapkin, CEO of data security specialist, Protegrity