Feeds

Process, not just product, will save your IT department

RTFM is not enough

  • alert
  • submit to reddit

Protecting against web application threats using SSL

So, you’ve bought your firewall. You’ve spent thousands on an intrusion prevention system, and you’ve got expensive data leak prevention software. Are you dead sure that your sensitive customer data hasn’t been leaked?

In IT security, capital expenditure on products can help to protect your systems, but it isn’t enough. Thinking about security when designing and executing your everyday IT processes is a key part of guarding your infrastructure. Moreover, it might help to reduce your overall security expenditure.

“CISOs spend a lot of money on firewalls and anti-virus,” says Jeremiah Grossman, chief technology officer at at WhiteHat Security, which carries out penetration testing services on client systems.

Grossman argues that large companies typically invest lots of money on developing software, and desktop and server infrastructure, with less spent on network infrastructure. Conversely, he argues that the CISO targets security dollars on network infrastructure first, investing in expensive firewalls, with less spent on desktop security infrastructures, and even less on things like secure development lifecycle in software. “So he’s out of phase with the business,” Grossman concludes.

This doesn’t mean that you shouldn’t buy a firewall, of course. Nevertheless, focusing purely on throwing tools at the problem rather than thinking more generally about security processes risks making security more reactive, and piecemeal. What does a properly orchestrated set of processes look like?

There are a variety of operational maturity models to choose from, each with their own strengths and weaknesses. ISO 27001 covers enterprise security in the broad sense, and ITIL includes useful points on security within a services framework. These can be effectively integrated with other models to create an operational maturity model for security. For example, it is possible to map ISO 27K and ITIL against the Capability Maturity Model Integration (CMMI), which provides the framework for assessing operational maturity. Using this mapping, you can frame your security processes according to five levels of capability. The Control Objectives for Information Related Technology (COBIT) also provides a framework of governance and control that encompasses security practice.

Systems integration consultancy CIBER uses a seven-layer model as the basis for its operational security maturity programme. It starts with a programme layer that covers funding, strategic planning, and cross-functional oversight. The management layer covers asset risk management, security skills, roles and responsibilities, while the next layer, documentation, involves asset classification, procedures, and policies. Atop these layers sit the others: education, protection, detection, and response.

Documentation is an important part of implementing standard security models across the enterprise, according to CIBER, which talks about an umbrella security framework that allows for traceability for security regulations and external requirements. Documenting your assets is important if you are to fold them into processes that help to protect your corporate infrastructure.

CIBER advises companies to create a roadmap for use as part of its ‘protection’ layer, which will link the technologies that you invest in to your long-term security goals.

What processes should you focus on when defining these long-term security goals? Much will depend on your company’s unique business requirements, but broadly speaking, we can identify some common critical areas. Vulnerability management and intrusion protection are important, as is identity and access management. Here are some key things to keep in mind when designing security processes that will guide your roadmap:

Know your infrastructure A sound asset inventory and configuration management database is a critical piece of the puzzle. Without this, you won’t know what you have, which makes it impossible to manage it properly. This becomes a serious problem if, for example, someone plugs an unauthorised access point into the network,or downloads un-verified applications,or hooks up a USB hard drive for instance . Is it yours, or is it theirs? How would you know, if you did a wireless networking audit?

Automate its management Ensure that critical processes such as patch management are as automated as possible across servers and PCs, operating systems and applications beyond just Microsoft (third party applications are the greatest sources of risk), so that procedures necessary to bolster corporate security happen quickly. Automating other processes such as the scanning of new devices connected to the network will help to ensure that rogue devices don’t pollute your environment. This is one area where process and product intersect, but it is also an area where security budgets can be wisely applied.

Use systems management tools as your eyes and ears Effective governance includes discovery of devices on the network, so that they you can first of all figure out if they’re yours or not. Make sure that your management tools watch your network and systems for you, alerting you to problems that could indicate a security issue. Why, for example, is that newly-attached PC suddenly blasting out traffic to every PC in the local subnet on an unusual port?

Check your logs Mine your logs for useful information, possibly using log analysis software. Drawing intelligence from your logs can help you to identify attempted attacks (and perhaps successful ones).

Positive Feedback Loops It may seem obvious, but above all do remember to learn from your experiences. If you encounter an incident make sure that the relevant holes are plugged, that configurations are tweaked and users educated. You might be able to buy software that will do most things for you, but process – of which positive feedback loops are one – are the things that really keep you secure.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.