Every company has its own unique approach to data security assurance, typically combining layered technologies and tailored policies. Joan Goodchild, the online executive editor of CSO Online, said any company with network security solutions should be frequently conducting vulnerability assessments of both physical and digital assets. However, there are often mistakes made in this process that can leave the door open to data loss, theft or other unsightly errors.
Two experts spoke to the crowd at the CSO40 Security Confab and Awards event in Atlanta, including Roger Johnston, the leader of the Vulnerability Assessment Team at Argonne National Laboratory, and Jerry Walters, director of information security with OhioHealth.
Both discussed the difficulties involved in assessments and outlined some common mistakes, including a lack of vision on the company's part, CSO said. Johnston said one big mistake is wrapping up planning and brainstorming sessions before the ideas have had a chance to breathe, noting that "the best ideas come late."
Another mistake that companies commonly make is letting compliance get in the way. Johnston said these laws often do more harm than good.
"As a security professional you have two jobs: compliance and security," said Johnston. "Sometimes they overlap. You have to do what you can to make the overlap. A compliance auditor might be suspicious. If they are, push back. On the other hand, some parts of compliance are worthwhile. Take what you can from the good parts of compliance and run with it. Go above and beyond in the parts you agree with."
Bad reporting can be a problem too: if a report focuses only on problems, the company is given no useful answers. Expanding the reporting may surface additional mistakes, but that simply helps the company fix them, CSO said. Johnston said security is everyone's job and should be treated as such, especially as line-of-business employees gain deeper access to corporate technology assets.
Test the untested
Jerry Hoff of Computerworld's Security Reality Check blog said there are also areas that companies should be testing but often simply do not. One big area is testing during development, he said, as this is the company's front line in protecting against attacks.
"By instituting secure coding guidelines, common security controls, and internal team code reviews, developers can catch as many vulnerabilities as possible before they progress," he said. "Developers should peer review 'security critical' code, such as authentication, access control, input validation, output encoding, encryption algorithms, hashing, password storage and so forth. Making use of security unit tests serves as a nice reminder for developers to properly implement these security controls, and gives developers a heads-up when something breaks."
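As an added illustration of the "security unit tests" Hoff describes (example code written for this page, not Hoff's or Computerworld's), the module below pairs a few security-critical helpers with tests that pin down the properties a reviewer would look for: password storage uses a per-user random salt and a slow KDF rather than a plain hash, verification is constant-time and rejects malformed records, username validation is an allowlist, and output encoding neutralises markup. The function names, the PBKDF2 iteration count and the username policy are assumptions chosen for the example.

```python
"""Security unit tests for a few 'security critical' helpers.

Added example, not code from the original article. The helpers
(hash_password, verify_password, validate_username, html_encode) and the
policy constants below are assumptions made for illustration.
"""
import hashlib
import hmac
import html
import os
import re
import unittest
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # assumed policy value for the example
SALT_BYTES = 16
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")   # assumed allowlist policy


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash.

    A fresh random salt is drawn per call, so two users with the same
    password never share a stored value.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False                      # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def validate_username(name: str) -> bool:
    """Allowlist validation: only the characters and length we expect."""
    return USERNAME_RE.fullmatch(name) is not None


def html_encode(value: str) -> str:
    """Output encoding for an HTML text or attribute context."""
    return html.escape(value, quote=True)


class SecurityControlTests(unittest.TestCase):
    """The tests developers keep as a reminder that the controls still hold."""

    def test_password_hash_uses_fresh_salt(self):
        # Same password twice must yield different records.
        self.assertNotEqual(hash_password("correct horse"), hash_password("correct horse"))

    def test_password_is_not_stored_plain_or_fast_hashed(self):
        stored = hash_password("hunter2")
        self.assertNotIn("hunter2", stored)
        self.assertNotEqual(stored, hashlib.sha256(b"hunter2").hexdigest())
        self.assertTrue(stored.startswith("pbkdf2_sha256$"))
        self.assertGreaterEqual(int(stored.split("$")[1]), 100_000)

    def test_verify_roundtrip_and_rejections(self):
        stored = hash_password("s3cret")
        self.assertTrue(verify_password("s3cret", stored))
        self.assertFalse(verify_password("S3cret", stored))
        self.assertFalse(verify_password("s3cret", "not-a-record"))

    def test_username_validation_is_an_allowlist(self):
        self.assertTrue(validate_username("alice_01"))
        for bad in ["ab", "alice;--", "<b>", "a" * 33, "ümlaut"]:
            self.assertFalse(validate_username(bad), bad)

    def test_output_encoding_neutralises_markup(self):
        raw = '<script>alert("x")</script>'
        out = html_encode(raw)
        self.assertNotIn("<", out)
        self.assertNotIn('"', out)
        self.assertEqual(html.unescape(out), raw)   # encoding, not data loss


if __name__ == "__main__":
    unittest.main()
```

Run it with `python -m unittest` or directly; because the checks are ordinary unit tests, they run in CI alongside the functional suite, so a later change that swaps the KDF for a fast hash, drops the salt, or weakens the username pattern fails the build rather than going unnoticed.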
Other areas that should be analyzed, according to Hoff, include:
- Static code analysis, which helps give assurance that every path has been accounted for during development
- QA testing, which helps check for missing or improperly implemented functionality
- Manual code reviews, which help find the small business-logic errors that keep recurring and can cost a lot of money over the long run
- Ongoing dynamic analysis, which matters because most organizations deploy new code on a consistent basis
Hoff said that ensuring security testing happens at each phase of development and use gives companies peace of mind that they can defend against attacks of any size.
Security News from SimplySecurity.com by Trend Micro