Tuesday, October 25, 2011

Updating Security Strategies

There were many talks at DerbyCon a few weeks ago on PenTesting and Social Engineering and how humans are still the best way to gain access to systems. Mobility devices are commonplace in most organizations. The Chinese have thousands of "consultants" poring over the source code for all of the Windows Operating Systems and applications looking for new vulnerabilities because Microsoft wanted into the Chinese market and caved and, well, gave it to them. To those who have not already altered your course, you are overdue to overhaul your business security strategies.

Today, IMHO, it is imperative to secure your business assets as close to the human as possible. And that starts with REAL security awareness programs, not your SOX checkbox "program". I was walking around the campus of my University alma mater this past weekend and was delighted to see and recognize posters from Lance Spitzner's Securing the Human awareness training hanging everywhere. If a private University can proactively invest in a training program to enhance the security awareness of its students, you without blinking should be doing the same for your employees who have business use case access to your intellectual property, methodologies and innovations.

The next closest area away from your employees' brains is identity systems. Systems can now go well beyond the standard authentication/authorization controls: active, real-time inventories of every device connected to your network and profiles of what those devices actually are, device-based authorization (you are allowed access to sensitive areas on your corporate laptop but not on your personal smartphone/pad, etc.), and authenticated-user policy enforcement through posture assessments and identity tagging at the IP packet layer. How sexy is that?

And finally come the host-based controls. My preference is application whitelisting, which can be a challenge depending on the sophistication of your data classification and approved applications programs (if they even exist). But assuming that people are going to click links and trust bad people, preventing malicious code from executing on your systems is a no-brainer. If you're not on the list, you can't come in.

Awareness, Identity and Whitelisting are the three most critical controls to invest your security dollars into today. Mitigate the urge to click things, understand and control what is connected to your network and who is on those devices, enforce conformity to your standards, prevent unauthorized access to sensitive data and only allow business-approved applications to run on your endpoints. Simple.

Friday, October 14, 2011

Post DerbyCon

I meant to put up a DerbyCon wrap-up but didn't get around to it until now. For an inaugural Con it was pretty impressive. I think I read there were 1,000 attendees over the three days. Great sessions. My short list includes:
  • HD Moore
  • Johnny Long (Hackers for Charity)
  • Mitnick/Kennedy
  • Nickerson
  • Joe Schorr
  • Carlos Perez
  • Boris Sverdlik (Your Perimeter Sucks)
  • Chris Roberts (terrifying)
  • Jayson Street
Adrian/Dave/Martin's training sessions were excellent. A great event that I will definitely plan on attending again.

Replacing FUD

I've been thinking about this for a bit. Vendors and InfoSec pros alike use Fear, Uncertainty and Doubt to sell their gear and services. I like Fear. It is a great motivator and, as long as you resist the temptation to panic, you (well, at least I) tend to rationalize options, engage in constructive decision-making discussions and formulate solutions that reflect both business goals and protection of assets. So I say keep the Fear! It's the Uncertainty and Doubt that we should clearly have issues with. IMHO Security Awareness should be an essential element of your enterprise security architecture. REAL awareness, again, not your SOX checkbox. With awareness comes Understanding. And the direct result of Understanding your InfoSec Fears is the Confidence to meet them head on and be able to effectively manage your business risk decisions. Sound advice, I say, and a nice little elevator pitch at that.

And you can't beat the acronym.