Which security products do enterprises expect too much from?
By David Geer CSO | Feb 11, 2016 3:45 AM PT
Enterprises rely on some security products too much while counting on others too little. One product category that companies place too much faith in is encryption, which has vulnerabilities. The OpenSSL web encryption technology's infamous Heartbleed vulnerability is one example.
Enterprises should assess their information security stance in light of the vulnerabilities that have actually given attackers a foothold and led to costly breaches, whether for their organization or for their peers. Where an off-kilter reliance on some security products is the crack in these defenses, look at a more effective combination of tools. Don't ignore tools that are effective yet limit some usability. Security products that enable a lot of usability while masking danger are among those that we do and will continue to count on too much.
Security products that dash hopes and promises
Enterprises have high hopes for security products that will let us down due to native security holes and shortcomings. A number of encryption technologies such as OpenSSL have sprouted gaping security holes, like Heartbleed, enabling attackers to leverage the vulnerability and circumvent the protection.
"That's like having a really good lock on your house and then realizing that they can just jimmy the door off of the hinges," says Walter O'Brien, cybersecurity expert, founder and CEO at Scorpion Computer Services. (Note: Walter O'Brien is the genius coder with the hacker handle Scorpion, whose firm is the basis for the CBS TV drama "</scorpion>".)
Both Dutch and Canadian law enforcement claim to have retrieved encrypted email information from special PGP/military-grade-encrypted BlackBerry devices, calling that encryption into question.
VPN encryption protects data in transit between laptops and enterprise networks. But if the laptop is already infected and controlled by an attacker, that connectivity is now a tool for that attacker for the length of the connection time, enabling him to gain control of the network machine on the other end and launch further attacks from there, according to Andrew Ginter, co-chair of the ISA SP-99 Working Group 1, revising the SP-99 report on cyber security technologies.
Smart firewalls are another tool that offers less protection than people estimate.
"People upgrade to a smart firewall and they think great, now we're completely safe. Then they find out that application security, database security, and source code security have been completely neglected," says O'Brien.
Often it's not the type of tool but the preponderance of state-of-the-art products such as for pen testing and network monitoring and anomaly reporting that lead enterprises to check the proverbial box, marking information security as 'problem solved'. "People get lulled into a false sense of security because they see that their tools run 22,000 SQL injection tests over a given period and they believe they're safe. Those tests are often just variants on tests that have been around for 10 to 20 years. They're not cutting edge methodology," says O'Brien. Dated tests won't tell you whether you're vulnerable to something that's based on altogether new code.
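The point above is that a long list of injection probes only tells you how an application reacts to the probes someone thought of years ago, while the structural fix makes the question moot. The following example is added here to illustrate that; it is not code from the article or from any of the firms it names, and the table, names and values are constructed for the demonstration. The vulnerable function splices input into the SQL text, so even an ordinary apostrophe in a legitimate name (the kind a dated probe list may never exercise) reaches the SQL parser; the parameterized function binds the input as data and behaves identically for any input.

```python
import sqlite3


def make_db():
    """Constructed in-memory table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("o'brien", "analyst")],
    )
    return conn


def role_unsafe(conn, name):
    """Vulnerable pattern: the caller's input is concatenated into the SQL
    text, so any quote character in the input is parsed as SQL syntax."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def role_safe(conn, name):
    """Hardened pattern: the input is bound as a parameter and is only ever
    treated as a value, whatever characters it contains."""
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(conn, name):
    """Run both variants on the same input and report whether the input was
    handled as data (safe) or altered the statement itself (unsafe)."""
    result = {"safe": role_safe(conn, name)}
    try:
        result["unsafe"] = role_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        # The input changed the shape of the statement: that is the defect,
        # regardless of whether any particular probe list would have found it.
        result["unsafe"] = "SQL error: " + str(exc)
    return result


if __name__ == "__main__":
    db = make_db()
    for candidate in ("alice", "o'brien"):
        print(candidate, compare(db, candidate))
```

Reviewing how every query is constructed (bound parameters everywhere, no string building) is a property you can verify once; a probe list, however long, only samples the inputs the application will actually receive.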
Enterprises shouldn't expect so little of these products and approaches
Enterprises should inventory, update, and clarify the locations, potential locations (cloud), paths (data paths, transmissions), vulnerabilities, and ingress and egress points of their most prized data. They should rally IS technologies that defend all these against potential, unacceptable losses.
Companies should consider combining AI-enabled (artificially intelligent) security products such as Scorpion Computer Services' ScenGen (other intelligent security products include examples from Lancope and AlienVault) with products that establish exhaustive baselines such as Scorpion Computer Services' Normalizer (other baseline security products include Magna from LightCyber). Adding these into the mix with other effective products, perhaps replacing similar products that don't measure up, should sharpen an organization's edge against intruders, helping it to better test for vulnerabilities and flag behavioral inconsistencies.
The best weapon against attackers is only as effective as the warrior who wields it. Even the best warrior can do nothing if his hands are tied. "Whoever is reading the alerts has to have the authority to take action immediately, to shut down a department, take away someone's permissions, or have someone arrested. If all he can do is report it at the end of the quarter, it's kind of pointless," says O'Brien.
Some protections work without additional effort from security warriors, much like a brick wall does. Organizations should consider using approaches that are natively secure due to the fundamental way that the technology works. "My favorite is unidirectional communications, using unidirectional gateways that permit information to move only in one direction," says Ginter.
Power plants on the power grid use these to protect their safety systems from external attack. IT can use unidirectional gateways to remotely monitor the network while preventing data from returning inside the perimeter. "The most sensitive of IT networks use unidirectional gateways," says Ginter.
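To make the unidirectional-gateway idea concrete, here is an added software model of the pattern Ginter describes; it is not code from the article, from Ginter, or from any gateway vendor, and the tag names and readings are constructed. The protected side replicates its readings outward through a link whose receiving end has no send method at all, so a compromised monitoring host holds nothing it could use to write back. The model also shows the design consequence practitioners run into: because no acknowledgement can travel inward, the outer replica must detect lost frames on its own, here with sequence numbers.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    seq: int      # monotonically increasing on the protected side
    tag: str      # measurement name
    value: float


class _Medium:
    """Shared one-way medium (stands in for the gateway hardware)."""
    def __init__(self):
        self.frames: List[Frame] = []


class TxEnd:
    """Transmit end, held only by the protected side: push only."""
    def __init__(self, medium: _Medium):
        self._m = medium

    def push(self, frame: Frame) -> None:
        self._m.frames.append(frame)


class RxEnd:
    """Receive end, held only by the outer side: drain only, no push."""
    def __init__(self, medium: _Medium):
        self._m = medium

    def drain(self) -> List[Frame]:
        out, self._m.frames = self._m.frames, []
        return out


def make_link() -> Tuple[TxEnd, RxEnd]:
    m = _Medium()
    return TxEnd(m), RxEnd(m)


class ProtectedSide:
    """Inner (plant) network: owns the readings and only ever transmits."""
    def __init__(self, tx: TxEnd):
        self._tx = tx
        self._seq = 0
        self.readings: Dict[str, float] = {}

    def update(self, tag: str, value: float) -> None:
        self.readings[tag] = value
        self._seq += 1
        self._tx.push(Frame(self._seq, tag, value))


class MonitoringReplica:
    """Outer (IT) network: rebuilds a copy of the readings from frames.
    With no return path there are no ACKs or retransmits, so loss is
    detected locally as a gap in the sequence numbers."""
    def __init__(self):
        self.readings: Dict[str, float] = {}
        self.last_seq = 0
        self.gaps: List[Tuple[int, int]] = []

    def ingest(self, frames: List[Frame]) -> None:
        for f in frames:
            if f.seq != self.last_seq + 1:
                self.gaps.append((self.last_seq + 1, f.seq - 1))
            self.last_seq = f.seq
            self.readings[f.tag] = f.value


def simulate(drop_seq=None) -> MonitoringReplica:
    """Replicate three constructed updates; optionally drop one frame in
    transit to show how the replica notices the loss without a back-channel."""
    tx, rx = make_link()
    plant = ProtectedSide(tx)
    monitor = MonitoringReplica()
    plant.update("turbine_rpm", 3000.0)
    plant.update("bearing_temp_c", 80.0)
    plant.update("turbine_rpm", 3100.0)
    frames = [f for f in rx.drain() if f.seq != drop_seq]  # constructed loss
    monitor.ingest(frames)
    return monitor


if __name__ == "__main__":
    m = simulate(drop_seq=2)
    print("replica:", m.readings, "gaps:", m.gaps)
```

The type split between `TxEnd` and `RxEnd` is the whole point: the outer side is never handed an object that can carry anything inward, which is the software analogue of the hardware property the article credits real unidirectional gateways with.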
This flies in the face of two-way data traffic that allows transmissions into the network from remote workers who want to do all the same things they can do at the office. We've established that VPNs and firewalls are far from foolproof. Any business that could die from even once losing control to an attacker cannot afford to hand out remote, two-way communication with sensitive, vulnerable systems.