Everywhere we turn, we are inundated with security threats. From home to office, we encounter risks to our data. While we all agree there is a need for plenty of security, the simple questions of where and how can garner as many answers as there are product vendors.
Usually, a data center starts by establishing security policies and procedures and then looks for products to fit that paradigm. Security auditors normally get involved only after implementation, to determine whether the effort was effective and whether the result meets the acceptance criteria of the target standards.
Perhaps we should get the auditors involved earlier in the cycle, while the overall plans are still being developed, so they can bring a more strategic focus to the architecture design and possibly save some budget dollars.
Auditors commonly are engaged annually to evaluate risk and validate the security controls against a set of industry standards and guidelines. Their analysis will generate a list of findings (hopefully, short), representing any divergence from standard. All the analysis will be distilled down to the final report containing a professional opinion of the security implementation effectiveness.
Most auditors are reviled and feared, since it is their job to uncover mistakes and point them out in excruciating detail. However, their job is integral to the success of any security implementation. An independent analysis of the security should be welcomed and encouraged (yes, I'm serious), since it is only through this exercise that our hard work can be validated and any residual risks discovered and corrected. The goals of the Chief Information Security Officer and the IT auditor are really the same; consequently, they must work together and maybe sing a little "Kumbaya."
Every organization can benefit from a security audit. Taking a proactive approach to IT audits can reap huge rewards long-term by identifying problems before exploitation occurs. If you’re just starting to develop a security plan, or starting over, then consider engaging an auditor during the initial planning process to provide some guidance to a holistic approach to effective security.
We need to become more proactive about computer security, and there is no better way to start than by first addressing the protections that are simplest to implement. Auditors keep finding the same patterns of security lapses within data centers, lapses that should not happen. Sadly, these seemingly easy-to-fix problems recur with such frequency that serious questions are raised about staff training and management oversight. Here is a sample of 10 issues:
- Poor password management; passwords easily guessed or left at the vendor default; no passwords configured for network devices; or passwords shared by staff
- Use of unencrypted or unauthenticated network protocols; clear-text logins, including those used to remotely manage network devices
- Unnecessary services active or services poorly configured
- VPN clients inadequately configured and controlled
- Inadequate application security testing, particularly for homegrown, Web-based applications
- Email systems inadequately configured and controlled; sender spoofing allowed; attachments filtered by blacklist rather than by whitelist; self-rendering previews allowed; email ignored as a potential attack vector
- Lack of control over telework devices such as personal computers, cell phones, PDAs, USB storage devices, and Bluetooth devices
- Failure to adequately restrict Internet connectivity in sensitive areas
- Users allowed to run as “administrator” on local workstations
- Insecure browser settings; personal firewalls not used or ineffectively implemented; failure to deploy and manage certificates.
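Several items on that list (default, empty or shared passwords; clear-text management protocols; unnecessary listening services; users running as local administrator) can be checked mechanically before the auditor ever arrives. The script below is an added example, not code from the original article: it runs those checks over a small, constructed host inventory (the hostnames, accounts and the vendor-default list are all assumptions made up for the example) and reports each divergence as a finding.

```python
"""Added example: scripted checks for recurring audit findings, run over a
constructed host inventory. Nothing here describes a real network."""
import hashlib
from collections import defaultdict


def pw_hash(password: str) -> str:
    # The constructed inventory stores an unsalted SHA-256 so the example runs
    # offline. Real password stores are salted; check those with the system's
    # own verifier (crypt, bcrypt, ...) rather than a plain digest comparison.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed inventory: what each host listens on, and who can log in.
LISTENERS = [
    {"host": "core-sw1", "role": "network",     "port": 22,   "service": "ssh"},
    {"host": "core-sw1", "role": "network",     "port": 23,   "service": "telnet"},
    {"host": "core-sw1", "role": "network",     "port": 80,   "service": "http"},
    {"host": "web01",    "role": "webserver",   "port": 443,  "service": "https"},
    {"host": "web01",    "role": "webserver",   "port": 21,   "service": "ftp"},
    {"host": "web01",    "role": "webserver",   "port": 5900, "service": "vnc"},
    {"host": "pc-0042",  "role": "workstation", "port": 445,  "service": "smb"},
]
ACCOUNTS = [
    {"host": "core-sw1", "role": "network",     "user": "admin",  "hash": pw_hash("admin"),         "groups": []},
    {"host": "core-sw1", "role": "network",     "user": "ops",    "hash": pw_hash("Spring2024!"),   "groups": []},
    {"host": "web01",    "role": "webserver",   "user": "deploy", "hash": pw_hash("Spring2024!"),   "groups": []},
    {"host": "web01",    "role": "webserver",   "user": "backup", "hash": pw_hash(""),              "groups": []},
    {"host": "pc-0042",  "role": "workstation", "user": "jsmith", "hash": pw_hash("c0rrect-h0rse"), "groups": ["Users", "Administrators"]},
]

# Hypothetical vendor-default credentials; a real audit loads the vendors' own lists.
VENDOR_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("cisco", "cisco"), ("root", "toor")}
# Clear-text protocols that must not be used for remote management.
CLEARTEXT_MGMT = {23: "telnet", 21: "ftp", 80: "http", 5900: "vnc"}
# Approved listening ports per role; anything else counts as an unnecessary service.
BASELINE = {"network": {22}, "webserver": {22, 443}, "workstation": set()}


def check_cleartext_management(listeners):
    """Finding: clear-text login protocol exposed on a managed host."""
    return [f"{l['host']}: clear-text {CLEARTEXT_MGMT[l['port']]} on tcp/{l['port']}"
            for l in listeners if l["port"] in CLEARTEXT_MGMT]


def check_unnecessary_services(listeners, baseline=BASELINE):
    """Finding: listener not in the approved baseline for the host's role."""
    return [f"{l['host']}: {l['service']} on tcp/{l['port']} not in {l['role']} baseline"
            for l in listeners if l["port"] not in baseline.get(l["role"], set())]


def check_passwords(accounts, defaults=VENDOR_DEFAULTS):
    """Findings: empty password, vendor default, or one password shared by several accounts."""
    findings = []
    default_hashes = {(user, pw_hash(pw)) for user, pw in defaults}
    empty = pw_hash("")
    for a in accounts:
        if a["hash"] == empty:
            findings.append(f"{a['host']}: {a['user']} has no password")
        elif (a["user"], a["hash"]) in default_hashes:
            findings.append(f"{a['host']}: {a['user']} uses a vendor default password")
    # The same hash behind different users or hosts means the password is shared.
    by_hash = defaultdict(list)
    for a in accounts:
        by_hash[a["hash"]].append(f"{a['user']}@{a['host']}")
    for h, who in by_hash.items():
        if len(who) > 1 and h != empty:
            findings.append("shared password between " + ", ".join(who))
    return findings


def check_local_admins(accounts):
    """Finding: ordinary user runs as a member of Administrators on a workstation."""
    return [f"{a['host']}: {a['user']} is in Administrators on a workstation"
            for a in accounts if a["role"] == "workstation" and "Administrators" in a["groups"]]


def run_audit(listeners=LISTENERS, accounts=ACCOUNTS):
    """Collect every finding from all checks, in the order an auditor would list them."""
    return (check_cleartext_management(listeners)
            + check_unnecessary_services(listeners)
            + check_passwords(accounts)
            + check_local_admins(accounts))


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

On the constructed inventory this reports telnet and http on the switch, ftp and vnc on the web server, the default `admin`/`admin` and the empty `backup` password, the password shared between `ops` and `deploy`, and the workstation user in Administrators. Feeding it real data means exporting listener and account inventories from the hosts themselves (`ss -ltn`, the device's running config, the local group membership) rather than hand-writing the lists as done here.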
Believe me when I say this list could go on and on. The amazing aspect of all this is that many of these issues are easily rectified, yet they keep cropping up over and over, even within the same organization. This is only the tip of the proverbial iceberg; many more problems of equal severity and importance could be listed. When these problems persist, it is obvious we are not taking a holistic perspective on our network security architecture.
There is a serious disconnect in the design and management of end-to-end controls within many organizations. We all need to get to the point where we treat hosts, network and user connectivity as one integrated design that adequately covers both the technical and the organizational controls. Many technical infrastructures are no longer properly matched to the mission they support. All too often we rely on operational or administrative functions to do the security work, but that work never gets the proper priority until a problem occurs. Auditors find these problems all too often, when it is already too late. We need to change our mindset about security implementation and start looking at things from an auditor's perspective to improve our success rate.