Thursday 7 July 2011

Information Security: Why we Fail

The very first word seems to be our downfall: Information. If we don't have all of it, we have already failed. So suppose you are in a sizable organisation, and suppose that this organisation has grown inorganically over the years. You have a problem, and that problem is that there is no single authoritative source of information about your environment.

Now, as a Security Engineer or Penetration Tester, how can you protect that environment from compromise? The answer: you can't. At least not until you rectify this problem first. The simple fact that is often overlooked is this: it takes only one machine being compromised for the situation to spin out of control. If your knowledge of your environment is incomplete and there are systems your security team is not covering because they don't know they exist, you have failed. It is a matter of when, not if, you suffer a serious breach. You can secure all of those other hosts on the perimeter, and it will amount to nothing. The host with SQL injection (SQLi) in that subnet you never knew about will let the attackers in. Then they are on a trusted machine somewhere in your environment, and their possible avenues of attack are countless. Higher-ups within the organisation will demand answers: "Why didn't we catch this problem before? Why are we paying you people?"

So here's the point of my rant: if you are an organisation attempting a major Information Security initiative, make sure you equip your security people with the Information they need. If it isn't available, then you need to apply the brakes and fix that problem before anything else.

  1. Identify all of the systems in your environment and where they are. Chances are you're going to find systems that should have been decommissioned years ago. There is an instant monetary saving for you when you shut them off, as well as a positive step for Security.
  2. Document all of these systems: what they are, who owns them, etc. Keep this documentation up to date going forward.
  3. Identify the roles and responsibilities of those systems, and segregate portions of your network appropriately. Implement proper access controls between these segregated environments. If you worry about PCI compliance, this is a MUST.
  4. Now set your Security people to work. Deploy Vulnerability Scanning solutions, arrange Penetration Test Engagements, implement an SDLC, etc.

If you try to skip the first three steps, you will fail. I guarantee it.
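To make steps 1 to 3 concrete, here is an added example (not code from the original post) that reconciles a documented inventory against the hosts actually observed on the network, flagging exactly the gaps the post warns about: hosts nobody documented, hosts sitting in a subnet outside every declared zone, stale entries that are decommissioning candidates, and systems with no owner. All inventory records, observed addresses and zone prefixes are constructed sample data.

```python
# Added example: reconcile a documented asset inventory with observed hosts.
# All records below are constructed sample data, not from any real environment.
from dataclasses import dataclass
import ipaddress

# Constructed inventory: what step 2 of the post should produce.
DOCUMENTED = [
    {"ip": "10.1.1.10", "name": "web01", "owner": "app-team", "zone": "dmz"},
    {"ip": "10.1.1.11", "name": "web02", "owner": "app-team", "zone": "dmz"},
    {"ip": "10.2.5.20", "name": "db01", "owner": "dba", "zone": "internal"},
    {"ip": "10.9.0.5", "name": "legacy-erp", "owner": "", "zone": "internal"},
]
# Constructed discovery output (e.g. DHCP leases, ARP tables, a ping sweep).
OBSERVED = ["10.1.1.10", "10.1.1.11", "10.2.5.20", "10.3.7.44", "10.3.7.45"]
# Network zones the security team believes it is covering (step 3).
ZONES = {"dmz": "10.1.1.0/24", "internal": "10.2.0.0/16"}

@dataclass
class Report:
    unknown: list      # on the network but undocumented: nobody is securing it
    uncovered: list    # unknown and outside every declared zone: the subnet nobody knew about
    stale: list        # documented but not seen: decommission candidates
    no_owner: list     # documented but nobody is accountable for it
    out_of_zone: list  # recorded zone does not contain the address

def reconcile(documented, observed, zones):
    by_ip = {d["ip"]: d for d in documented}
    seen = set(observed)
    nets = {z: ipaddress.ip_network(c) for z, c in zones.items()}
    srt = lambda ips: sorted(ips, key=ipaddress.ip_address)  # numeric, not lexical, order

    def in_zone(ip, zone):
        return zone in nets and ipaddress.ip_address(ip) in nets[zone]

    unknown = [ip for ip in seen if ip not in by_ip]
    return Report(
        unknown=srt(unknown),
        uncovered=srt(ip for ip in unknown if not any(in_zone(ip, z) for z in nets)),
        stale=srt(ip for ip in by_ip if ip not in seen),
        no_owner=srt(ip for ip, d in by_ip.items() if not d["owner"]),
        out_of_zone=srt(ip for ip, d in by_ip.items() if not in_zone(ip, d["zone"])),
    )

if __name__ == "__main__":
    for finding, ips in vars(reconcile(DOCUMENTED, OBSERVED, ZONES)).items():
        print(f"{finding:12s} {ips}")
```

Run against real data by feeding the discovery export into OBSERVED and the CMDB export into DOCUMENTED; every non-empty list is a ticket for someone, and the inventory is only trustworthy once all five come back empty.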
