Connie Barrera, Director of Information Assurance & CISO, Jackson Health System
From the start, cybersecurity seemed like something new. It makes for great evening news headlines, and all the coined terms surrounding ‘cyber’ are often cool and clever. While there are clearly new attack vectors to any emerging breed of technologies and networks, one fundamental reality is inescapable. Security begins with a sound and robust network architecture where it is integrated from the ground up. Whether you are new to your organization or a seasoned veteran, the following questions are relevant to everyone:
- What is security all about?
- What are we trying to protect?
On the most basic level, security is all about mitigating risk. Certainly in IT, we will never have zero risk, but the closer we are, the better. Ironically, what’s most important is often a moving target and poorly understood by most in any organization, but at the end of the day, it’s about protecting the data.
Do you know where your critical data is? Are you confident your data is not at risk from either insider threats or external hackers? What is the source of all the complexity?
While virtualization has allowed for amazing agility and countless benefits for every IT organization, at the same time it has generated a level of complexity and disconnect that remains unaddressed by most. Think about this: if an organization fails to apply sound policies and procedures to a traditional infrastructure, we all understand the problems: weak security configurations, problems with patching, operating system and application vulnerabilities, etc. In a virtual environment, where you are able to spin up hundreds of machines in minutes, these problems are multiplied exponentially and ultimately become out of control.
How do we get a handle on these basic yet serious issues? We must get back to basics and put the right pieces in place.
Perform a Yearly Security Assessment
Having an outside provider test your environment for vulnerabilities and sound practices, at least on a yearly basis, is critical to ensuring the security program is on track and operating effectively. Leveraging an outside provider not only ensures independence of the findings but also provides a fresh perspective on how effective the security program really is. Many avoid this type of engagement, fearing the results it may produce. Instead, everyone from senior leadership down through the ranks should embrace this as a tool for continuous improvement. No environment is perfect; vulnerabilities will always exist, but the focus for every organization should be to uncover these issues, no matter how, before a malicious outsider does.
Develop a Risk Register
Does your organization have a risk register at the organizational level, integrating IT and IT Security? If not, it will be extremely difficult to effectively identify, mitigate and transfer risk without this vital information. When a risk register at the organizational level cannot be developed, for whatever reason, the IT division must work to create it by infusing as much business intelligence and relevant information as possible.
Assess Your Network Architecture
Cyber defense begins with a solid network architecture. Every organization should not only have network engineers who understand how the network design is laid out, but, most importantly, who have developed supporting documentation that is consistent and complete. This documentation should be revisited at least on a yearly basis or whenever changes occur. It’s far too common for an organization to rely on one individual who has all the information ‘in their head.’ This is a recipe for disaster. For every existing environment and/or solution that comes online, it’s important to revisit the network design and analyze any opportunities for improvement, vulnerabilities that result, or changes that are needed.
Internal Scanning
While having hard-core penetration testers throughout every organization is highly unlikely, monthly vulnerability scanning of assets by the average technical resource is extremely viable. Procuring and using a scanning solution is a fairly simple matter but will yield amazing benefit by ensuring you thoroughly understand current risks and are able to remediate them quickly. A great use case for scanning is virtual templates. By scanning the templates before putting them into production, teams will be able to remediate issues and thus eliminate the proliferation of the same vulnerabilities each time a new virtual machine is brought online. It’s also key that every new environment is scanned before being put into production.
The two biggest issues seen when scanning are related to web servers and patching. When it comes to web servers, it’s imperative that organizations consult the Open Web Application Security Project (OWASP) Top 10 vulnerabilities. SSL-related vulnerabilities are also all too common for all businesses, enterprises, and providers. Invariably, scanning provider sites yields alarming results rooted in lapses of fundamental security practice.
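One way to turn the "scan the template before it goes to production" advice into a repeatable gate is a small promotion check that reads the scanner's findings and holds back any template carrying unresolved web-application, SSL/TLS or patching issues. The script below is an added example, not code from the original post or from any scanning product; the findings, the template names and the flat list-of-dicts report format are all constructed and assumed, so it runs offline and would need a thin adapter for a real scanner's export.

```python
"""
Promotion gate for virtual machine templates, driven by vulnerability scan output.

Added example (not from the original post). The scan results below are constructed,
and the field names (id, category, severity, title) are an assumed flat format,
not any particular scanner's export.
"""
from collections import Counter

# Severity ordering used to compare findings against the policy threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scan results for two templates; these are illustrative findings only.
SCAN_RESULTS = {
    "web-template-v3": [
        {"id": "F-001", "category": "web",   "severity": "high",
         "title": "User input reflected without output encoding (OWASP Top 10 class)"},
        {"id": "F-002", "category": "tls",   "severity": "medium",
         "title": "TLS 1.0 enabled on HTTPS listener"},
        {"id": "F-003", "category": "patch", "severity": "critical",
         "title": "Operating system missing security updates"},
        {"id": "F-004", "category": "info",  "severity": "info",
         "title": "Server banner discloses product version"},
    ],
    "app-template-v7": [
        {"id": "F-010", "category": "patch", "severity": "low",
         "title": "Optional package update available"},
        {"id": "F-011", "category": "info",  "severity": "info",
         "title": "ICMP timestamp response enabled"},
    ],
}

# Policy: any finding at or above this severity blocks, and web-app and SSL/TLS
# findings block at any severity above informational, mirroring the two
# problem areas the post singles out.
DEFAULT_POLICY = {
    "block_at_or_above": "high",
    "block_categories": {"web", "tls"},
}


def evaluate_template(findings, policy=DEFAULT_POLICY):
    """Return a verdict dict: promote (bool), blocking finding ids, per-category counts."""
    threshold = SEVERITY_RANK[policy["block_at_or_above"]]
    blocking = []
    for finding in findings:
        rank = SEVERITY_RANK.get(finding["severity"].lower(), 0)
        category_blocks = finding["category"] in policy["block_categories"] and rank > 0
        if rank >= threshold or category_blocks:
            blocking.append(finding["id"])
    by_category = dict(Counter(f["category"] for f in findings))
    return {"promote": not blocking, "blocking": blocking, "by_category": by_category}


def gate_all(scan_results, policy=DEFAULT_POLICY):
    """Evaluate every template in a scan run; templates with blocking findings are held."""
    return {name: evaluate_template(findings, policy)
            for name, findings in scan_results.items()}


if __name__ == "__main__":
    for name, verdict in gate_all(SCAN_RESULTS).items():
        state = "PROMOTE" if verdict["promote"] else "HOLD"
        print(f"{name}: {state} blocking={verdict['blocking']} "
              f"categories={verdict['by_category']}")
```

Because the same template is cloned many times, a single blocked finding here prevents the same issue from being stamped onto every VM built from it; the per-category counts give the team a quick view of whether the backlog is mostly web, TLS or patching work.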
Training IT
Do we give enough attention to training folks within IT? One of the biggest gaps I find is the perception that folks who work in IT are skilled to deal with every technology and solution. While many amazing IT professionals will do whatever it takes to learn and perform without formal training, for the business, this is like playing Russian roulette. The business should not leave competence to chance. I’ll never forget the time I asked a virtual machine admin a question about the hypervisor and the response was, “We don’t have one of those, we’re running VMWare.” The point here is not about discrediting the individual, but instead understanding how a resource could be put in a role where they don’t understand the basics of the technology they are supporting. Let’s think about this: how many server guys are really great network guys inherently? Not very many that I’ve seen. Yet, the moment we ask a server admin to manage a VM, we’re also giving him/her a network hat. Let’s position our resources for success. Surely, organizations can’t send every single person to training, but we need to do a better job in this area.
[In upcoming posts, I will address a number of topics relating to cybersecurity, including vulnerability management in the age of cyber-everything, selling security to IT, building a culture of security consciousness, and embracing innovation without compromising security. To view previous blogs, click here.]