HackDig : Dig high-quality web security articles for hackers

BrandPost: Are You Investing in the Right IT Security Technologies?

2015-05-15 00:25

IT security technologies are not a one-size-fits-all proposition. Every company has its own specific business requirements related to security, and the key word here is business. All too often, companies evaluate their security posture from the perspective of technology. They ask questions like, "Do we need ingress filtering?" and "Do we need intrusion detection?"

These may well be legitimate questions, but technology is not the right place to begin. When it comes to security, companies should first and foremost determine the business consequences of a security breach, and do so on a system-by-system basis. The successful hack of a database that contains sensitive information like credit card account numbers might cost a company millions – or even billions – of dollars. A hack into a logistics database, on the other hand, would likely have less serious consequences.

Evaluating Risk

When evaluating the security risks associated with any particular application, the informal "CIA" framework (confidentiality, integrity, availability) is very useful. It asks three questions:

  1. Confidentiality: How sensitive is the data, and what would be the consequences of a successful exploit? Obviously, some classes of data, personally identifiable information (PII) for example, require the highest level of protection. In fact, PII is almost always the subject of regulatory requirements with which companies must comply if they want to do business. Other classes of data, like intellectual property or marketing plans, may or may not merit the same high level of security.
  2. Integrity: What would be the consequences if the data were corrupted? Unreliable data in an accounting system could be a disaster. In a warehouse management system, the consequences wouldn't be good, but they would not be nearly so grave.
  3. Availability: What happens if any given system crashes? For an e-commerce company, keeping a website up and running is crucial, as every minute of downtime is a minute with no sales. In contrast, a manufacturing company's website that only exists for promotional purposes has no mission-critical significance.

There are two approaches to evaluating each of these categories: quantitative and qualitative. The quantitative approach asks how much it would cost the company if there were confidentiality, integrity or availability problems with any given system. To give a simple example, the cost of downtime (no availability) for an e-commerce website could be calculated by multiplying the average sales per minute or hour by the number of minutes or hours the site is down. For an engineering company, the cost of downtime due to corrupted data would be calculated as the number of working hours lost multiplied by the burdened hourly rate of the engineers who couldn't do their work.

Clearly, the results of these calculations will never be precise. Nonetheless, they can help companies prioritize their security risks. Also, they enable companies to make at least a rough cost/benefit analysis of the value various security measures can provide.

Qualitative decisions are obviously more subjective. For example, a web development company might make a qualitative decision that its own site needed to remain up and running 24/7 as a demonstration of reliability and quality, even though a crash would not have a measurable impact on productivity or sales.

Evaluating Technology

Once a business has prioritized its security needs, the next step in implementing appropriate security is to evaluate the technology. In general, the options are well-known, but here's a brief review that illustrates the complexity of today's security landscape.

Anti-virus and firewalls. These tools both perform ingress filtering. In simple terms, anti-virus systems do so by inspecting email attachments and web pages that have been downloaded, while firewalls detect and block unauthorized attempts to connect with the corporate network.

Intrusion detection and SIEM systems. Intrusion detection systems monitor network traffic searching for anomalies that indicate an attack is in progress. SIEM (Security Information and Event Management) systems also perform this function, but they coordinate this data with data from numerous other sources to uncover patterns typical of a malicious exploit. SIEM systems can also take action to block an attack, e.g., by interrupting network communications, disabling USB devices or killing processes.

Virtual private networks (VPNs). These private "tunnels" ensure the privacy and security of communications such as those between the mobile device of a sales rep and a corporate ordering or CRM system.

Identity and access control. According to one recent survey, roughly one in 10 exploits are inside jobs. It's important to manage who has access to what, and monitor that access so that suspicious activity can be quickly detected. Organizations also need to ensure they can shut down the network access of terminated employees very quickly.

Data loss prevention. Even the most conscientious employees can sometimes put data at risk through carelessness. Emailing sensitive information like social security numbers, bank routing information and the like is a good example. Companies need some degree of egress filtering to spot and block unintentional data loss, as well as intentional theft.

Complexity and Cost

The point here is that all these technologies may be required to establish a strong security posture. Unfortunately, they are all both complex and expensive. Their complexity stems from the fact that they must defend against a growing variety of threats that are in themselves complex, and constantly mutating into new forms. The cost includes not only licensing fees, but the time required for technicians to be trained on half a dozen systems, each with its own quirks.

One option that is becoming increasingly attractive to midsized companies is managed security. Outsourcing security not only eliminates the hassle of licensing, installing and running multiple systems; for many companies, it is also the only economically feasible way to ensure that they have the most modern, up-to-date systems guarding their data.

For more detailed information on how you can get the most out of information security technologies, please visit www.sungardas.com/solutions/consulting/information-security/Pages/information-security-strategy.aspx.

This article was originally posted on the Sungard Availability Services blog.


Source: www.cio.com/article/2922509/security/are-you-investing-in-the-right-it-security-technologies.
