Which security measures are ‘known goods’ for enterprises, and which are ‘known bads’?
Recently, I was approached by a journalist who asked me that question.
Security professionals are often asked questions like this. Not everyone has the time to think through all the complexities of security provision, so from a certain standpoint, such a temptation to oversimplify is understandable. It also makes for satisfying reading.
Naturally, the right security strategy depends on the details of your brief, your budgets, the size and nature of your systems, in-house skills, the degree of risk involved, and a million other factors. What’s usually required, especially for medium to large enterprises, is a combination of approaches that can supply ‘defence in depth’.
With that caveat, I answered:
1. ‘Known bad’; Firewalls in isolation
Stopping traffic, opening and closing ports, examining data as it comes in… Firewalls are a fundamental security measure. However, using only a firewall as your principal security measure (as a surprising number of smaller companies do) is, indeed, ‘bad’. Firewalls should be employed as part of a ‘defence in depth’ approach, adding another moat to your castle.
2. ‘Known good’; whitelisting
Simple whitelisting is affordable across a range of budgets. The latest whitelisting technologies are incredibly advanced, employing AI and deep learning neural networks to analyse your ‘normal’ patterns of behaviour in order to anticipate what should and shouldn’t be let into your network.
3. ‘Known good’; Unified Threat Management
With the growing architectural complexity of today’s business systems, and the growing use of cloud infrastructure, encompassing multiple security solutions (firewalls, whitelisting, anti-malware, IPS, etc.) within a single management platform is broadly a ‘known good’, particularly for companies with larger, more complex systems.
Again, it’s about taking a multi-layered approach. However, such systems are often from a single vendor, which many businesses would see as increasing their risk. To address this, you might split the various layers of solution out, or obtain the solutions from different vendors. So, UTM isn’t a black-and-white ‘good’ or ‘bad’ solution.
4. ‘Known bad’; relying on passwords
Passwords are all too frequently hacked and published en masse on the Internet. People tend to be lazy: Mark Zuckerberg’s LinkedIn password was compromised a few months ago, and it turned out that he used the same password for his Twitter account. Broadly speaking, any alternatives to the traditional password (such as biometrics) are a good thing.
5. ‘Known good’; Two-factor authentication
Two-factor authentication is one of the best ways of securing applications, especially as everything moves into the cloud. It’s becoming increasingly important to ensure the right person is logging in to apps and services.
6. ‘Known good’; some kind of email monitoring
We use Mimecast to monitor suspicious activity on email, particularly phishing attempts, which are becoming increasingly sophisticated.
7. ‘Known bad’; relying too much on your employees
Realistically, most employees will be too busy doing their jobs to dedicate the necessary amount of headspace to security. Ensure they understand policy, but security professionals need to accept that, half the time, that advice may well be forgotten or ignored.
8. ‘Known good’; data encryption
Data encryption is definitely a ‘known good’. In fact, it should really be the default position now (opt out, rather than opt in). Any data that is in transit, especially, should be secured (via HTTPS, VPNs, SSL, etc.).
9. A potential ‘known good’; outsourcing
Today’s threat landscape is so complex that protecting a company’s infrastructure can be a full-time job. As a result, for many companies, it makes sense to outsource threat management to companies that can treat it as such, and which have the time, skills and expertise to monitor systems appropriately.