With corporate hacking scandals and some of the first confirmed instances of cyberwarfare making headlines in recent times, network security managers can be forgiven for temporarily shifting their focus to combat these potentially serious threats. However, these risks must be put in perspective. While external attacks seem to be more prevalent than ever before, there is a far greater chance that an organization's own employees will be the root cause of a disaster. Whether through technical errors, inconsistent policies or insider breaches, a company can quickly become its own worst enemy. With that in mind, security teams may be wise to restrict the attention being paid to amorphous outside threats and take a closer look at what's going on inside castle walls.
Built to last
A house is only as strong as the foundation it is built upon, and the same principles apply when designing and managing the corporate network. Aging or incomplete IT architecture has been the Achilles heel of more than a few companies, and frustrated security teams are often forced to respond after the fact with built-on rather than built-in solutions. This creates complex and disparate layouts that only make integration and administration more difficult. Consequently, IT teams are generally reluctant to make drastic or frequent adjustments to their architecture. And considering the prevalence of vulnerabilities found in many security configurations, companies could be leaving the gates wide open.
"Typically, administrators configure hundreds and sometimes thousands of machines the same way, meaning a virus that infects one could affect any computer on the same network," explained one Wake Forest University researcher currently working on an algorithm for continuously evolving network defenses.
The dangers of configuration errors were recently on display in an incident involving the breach of hundreds of thousands of citizen records guarded by the Utah Department of Health. Computer forensics analysts later determined that the weakness originally exploited was a flawed configuration in the authentication protocol that allowed hackers to circumvent security systems. As a result, an estimated 280,000 Social Security numbers were exposed in addition to names, birth dates and addresses of many more.
While these basic elements are still tripping up network managers, the quest for next-generation firewall systems capable of thwarting exotic attacks may be introducing new vulnerabilities. According to AlgoSec's State of Network Security 2012 report, 76 percent of IT professionals who have deployed these tools suggest that the size and complexity of their newfound management burdens are creating, on average, an additional hour of work each day. As a result, they are being distracted from other routine responsibilities.
For example, 30 percent of respondents to the AlgoSec survey indicated that manual processes have become their biggest challenge as a result of the time squeeze. Additionally, more than half of IT professionals have seen a network outage as a result of an out-of-process change.
You can't catch what you can't see
Although some of the end results could be considered discouraging, there is room for optimism in the AlgoSec survey, as the majority of network managers correctly identified the path to improving security.
"While industry focus naturally gravitates toward the latest buzzwords, such as 'advanced persistent threats,' we were pleasantly surprised to find that practitioners primarily voiced concerns with how to better manage security," AlgoSec vice president Nimmy Reichenberg explained.
The most commonly cited vulnerability was poor visibility. Without comprehensive monitoring capabilities, respondents understood that insider threats and misconfigurations wreak havoc for extended periods of time before being discovered – if they ever are. But just because a company knows what is good for it doesn't mean that administrators have a definitive answer on how to acquire it.
Perhaps the clearest case of how a lack of visibility is compromising data security plans is through the advent of enterprise mobility. As business managers feel compelled to welcome personal smartphones and tablets into the workplace to increase productivity, IT teams are having to play catch-up.
According to independent analysis from the SANS Institute, just 9 percent of organizations feel "fully aware" of the devices accessing corporate resources. That leaves nine in 10 companies essentially guessing at where data packets are traveling and who is accessing the network at any given time. This new development brings IT administrators back to square one with regard to access control and identity authentication.
"More than 60 percent of organizations today allow staff to bring their own devices," SANS senior training instructor Kevin Johnson explained. "With this type of permissiveness, policies and controls are even more important to help secure our environments."
Policy before practice
In the world of IT, what can go wrong often will go wrong. Planning for the worst is not pessimistic, it's diligent. But while companies are well aware of the role that contingency planning plays in data backup and recovery, too few are applying those principles to the in-house policies provided to employees. Without any policy at all, security teams are flying blind and hoping for the best. But overly restrictive or inconsistent standards could have similar effects by confusing or antagonizing workers. Faced with this paradox, a number of companies have failed to take decisive action.
According to Computerworld, weak base-level password policies have been the root cause of recent disasters involving everything from utility providers and financial service firms to healthcare providers and small town merchants. Not only have IT teams come up short when designing airtight authentication systems, they have also failed to educate the end user on best practices. When a pet's name is the first line of defense against an HR database, something is amiss.
As noted by the SANS Institute study, well-designed and consistently enforced policy will only grow in importance in the coming years as consumerized IT changes workplace dynamics. With a company's entire corporate ecosystem now available across potentially thousands of mobile touchscreens, security teams need to set clear expectations of what risks employees will face and how they must be navigated.
After all, if a company can't keep its own house in order, the actions of rogue hackers on distant shores are of little consequence.
Security News from SimplySecurity.com by Trend Micro