Watch who you deal with
Whilst visiting and exhibiting at Infosec Europe I found hundreds of "mushroom" security companies. These are companies that I find to ride the security band wagon whilst the going is good. Some of these companies are well staffed with good technical people and have great direction. Some of the companies are not and just collect consultancy currency because they are in the right place at the right time. The consensus in the security industry amongst those in the know is that eventually the cream security companies will consolidate into the antivirus vendor type companies and that portion of the security market will become a commodity.
This is the cycle that the security market will undertake and the reason for me mentioning this is because you need to be aware of such things when selecting a security vendor to partner with. Be wary of security companies that have little or no background in the industry. This makes it a lot harder for the mushrooms but in a competitive market there is no room for problematic organisations.
By virtue security companies are meant to be helping organisations become compliant... sometimes they are the ones breaking the rules. Who guards the guards? Walking around at Infosec I asked the vendors what disk encryption product they were using (reason is this is my current focus). I was amazed to find that even the vendors selling encryption were not encrypting their mobile devices. This was also true for some of the PCI consultants and QSV scanning companies. What is going on? Are the preachers guilty of not following their own advice?
I found that many public sector organisations were after encrypted USB devices. This seemed to be a consistent theme at Infosec Europe this year. With the multitude of vendors offering so many solutions I am sure the market is fractured and confused. Expect the Encrypted USB market to become consolidated and commoditised just like antivirus.
The ISO 27000 series
We have all heard about ISO 17799 and ISO 27001 and the series of documents in the 27000 range that follow; these are the basis of least requirement for doing business, in fact not something to work towards. However, very few western organisations have implemented or even looked at these standards. In Japan over 2000 companies have been certified meaning they Japan dwarfs any country by at least 300% more compliance than the UK and the US put together.
The managed service
Whilst reading about the pros and cons of security managed services, I found that many organisations resisted the option as they felt that their environment would be less secure if they outsourced something like encryption. In actual fact, a well run managed service would free up staff, lessen the support load overhead on the staff, and increase the organisation's security - whilst achieving compliance right away. In some instances the improvements are a lot greater and add more value than the organisation managing the niche security product themselves. Central management becomes key in such circumstances and you will find that the managed service is a lot more advanced than just buying the product out right from a vendor.
So do all these compliance things help?
The answer is, if properly implemented yes. But good people are hard to find. My view is that out of every 10 security consultants at least half are new to the industry, less than 5 years; the remainder are specialised leaving two that have a broad enough experience to be able to cover the whole spectrum. This means that a team is needed to make you compliant, or a seasoned individual. This is why compliance in some form or other is helping. There are quite a few security companies that begrudge PCI DSS and standards like it, but I feel that the standard is helping as there was nothing before it that helped organisations focus in a prerequisite way.
Most of what is covered in the standard is common sense, however when common sense escapes us it is important to have some sort of framework to work towards. For this reason it is important to use a global standard like ISO 27001.
Where do we start?
There are many ways to start, but the best way to write down a set of requirements and then work towards that. Document where you want to go and monitor the changes as you progress, this will not only depict your maturity as an IT professional but can also be used as a way to measure your team's performance. There are many tools that are free that you can use to become more secure. Nothing can replace a seasoned professional, but applications do make it easier.
Reduce the number of doors
When planning a vault, you will see in the blueprint that there is only one entry point. The rest of the room is isolated and well protected with thick alloy metal to make it harder for intruders to break in. The single entry point makes it easier and cheaper to guard from unauthorised entry. The reinforced alloy walls are deterrents and we all know that what man can make, man can break.
When working with one of the leading encryption companies I asked the head programmer a question: why can a user not use multiple tokens when authenticating. The programmer said two words that explained the concept "less doors". Lowering the attack surface area is most certainly the best approach.
What are the analysts saying?
On the whole, technical controls covering encryption, application hardening, email filtering, scanning and monitoring are still in their infancy and have not yet peaked in the hype cycle. This means that many organisations are still working towards developing and implementing such solutions and the majority still do not have these technologies on their radar. It is estimated that less than 1% of organisations encrypt their mobile data. This is not only a scary statistic but I am sure you would agree that you would not like to use a provider that is not keeping your personal information safe.
Technologies like device control seem to have made it onto the priority list, but what are companies doing about paper documents and camera phones? There is a lot more to security than just software and hardware control and management. Education forms part of the protection strategy.
Educate your people
Education is key - spend less time installing technical controls and more time educating people, you will find that not only will your people start to change their behaviour but they will also start to become interested in what you do making your task a lot easier. If you have buy in from the board, suddenly budget and culture change is less of a challenge. Awareness can go a long way. Try it, you may find it saves your organisation from the next attack.
Keep doing the old things, they still work
Windows updates, application updates, pattern file updates and keeping the environment current helps when it comes to security. All though this is well known, organisations still fail in this area. Basic steps that implement technical controls like encryption, two factor authentications need to be looked at. I find that organisations are failing on the basic tasks, not to mention the advanced technologies that require significant security related skills.
No matter how much we read or discuss security what gets done in your environment is what counts. This article is only of use to you if you are able to digest the contents and apply the areas of relevance to your organisation. I hope this information has been of use to you.