Failing to protect systems will turn you into roadkill


It must be conference season. I've never asked my colleagues on the speaking circuit if they've made this observation, but it seems I get a lot of questions that indicate that, although security folks protect their enterprises, they don't protect their security assets.

The stuff they use to protect the organization is, then, at risk itself. Now, I have to ask myself, "why would an organization spend a bunch of money on, for example, an IDS, and leave the IDS itself vulnerable?" The answer, I think, is: time, money, training.

New regulatory pressures have caused some organizations to buy additional security and privacy tools. Often, these organizations have limited resources to manage information security, so the tools are installed in the hope that their presence alone will improve security. For now, this is often the case, but organizations also need to protect the protection they use.

I was teaching a class recently in which I commented on the validity of intrusion detection logs as evidence, and made the point that logs needed to be protected from malicious alteration.

To one student, the idea that an IDS would be deployed with its console on an out-of-band fiber network and its sensors stealthed (invisible) to the outside network was normal. Another student had never been exposed to the concept. This is the fault of the IDS developer for not providing the appropriate training on deployment. It is also the fault of the organization for not demanding that training or seeking it elsewhere.

A tick-box mentality is insufficient to protect information assets. This mentality says that as long as you can satisfy the auditors by showing you have taken some information security steps, no matter how trivial, you pass the audit, and passing the audit is all that matters.

If you apply that approach and you get hit, you're toast – for two reasons. Your assets are not really protected, so you will experience a loss at some level (I know of losses of nearly a billion dollars under these circumstances). Also, you and/or someone at a higher level will be seen to have breached your fiduciary duty to protect organizational assets, and the lawsuits will just keep on coming.

Halfway measures to protect information assets are no longer acceptable. Protect the protection, and train the people who protect the organization's assets.

Peter Stephenson is director of information assurance for CeRNS, The Center for Regional and National Security, at Eastern Michigan University.

Copyright © SC Magazine, US edition