For those ControlTrends Community members who read Lynxspring’s Marc Petock’s article on IT security and the pitfalls of “Security Through Obscurity,” here is more insight from Kaseya and Enterprise Management Associates.
Security is full of assumptions. Organizations think they’re covered, that their networks are safe, systems are updated and that their critical data is protected. In actuality, assumptions are dangerous, taking administrators off their guard while making users complacent. You could even say that assumptions are sinful, causing actions and reactions that put organizations, data and users at risk. We asked Scott Crawford, managing research director for analyst firm Enterprise Management Associates (EMA), to identify the Seven Deadly Sins of IT security and how organizations can avoid these pitfalls.
Deadly Sin #1: Ignorance
“Prevention is more important than detection.”
Crawford says that there is no greater sin than believing you can prevent every threat from getting into your IT environment. Organizations should assume they have already been penetrated, and that malicious code is sitting on a server, someone’s laptop or a mobile device waiting to steal information or wreak havoc. Detecting these threats is just as important as preventing them, and a successful security strategy has to embrace both. Situational awareness is key.
Organizations need to know their current security posture: where the defenses lie, where the vulnerabilities are, and whether endpoints are patched and current on maintenance. A security strategy that pairs prevention with detection will help you limit the damage a threat can do.
Deadly Sin #2: Unpreparedness
“We have anti-virus so we’re covered.”
Most security strategies are built around specific threats or controls, whether that is antivirus, network security or anti-phishing, but today’s attackers are sophisticated enough to evade conventional defenses. Organizations need to understand where their last line of defense actually stands and develop a comprehensive, holistic security strategy that breaks down the silos between those defenses and creates awareness across them. Data flows freely throughout the IT environment, from endpoints to the network to the data center, and information needs to be protected at every level and stage.
According to Crawford, this is where IT systems management (ITSM) solutions come in. They have the framework in place to follow data throughout the environment and the ability to embrace a holistic approach. ITSM solutions already have processes in place to remediate issues in addition to providing defense and awareness.
Deadly Sin #3: Neglectfulness
“We scan regularly for vulnerabilities.”
While scanning is a critical part of vulnerability management, it only covers the assessment and not the remediation aspect of preventing attacks. Organizations also need an action plan to combat threats and bring systems and the network back to normalcy. Crawford suggests the PDCA plan of action, which stands for Plan, Do, Check and Act.
Scanning covers the Plan and Do steps, but organizations also need the Check step, monitoring systems for deviations from the expected state, and the Act step, a documented plan administrators can follow to remediate what the check turns up. According to a study conducted by EMA, organizations that define, follow and enforce policies report half as many incidents requiring remediation as organizations that lack enforcement mechanisms.
Deadly Sin #4: Short-Sightedness
“Our defenses are up-to-date.”
Organizations shouldn’t plan just to win the day; they need a forward-looking strategy that prepares them for threats that have not appeared yet. The nature of attacks changes constantly, essentially mirroring changes in technology. Consider that viruses used to spread on 5¼-inch floppies. Then they spread through the internet and email. Now the battleground is on social media and mobile devices.
Crawford says that organizations need flexibility in three areas: action, insight and integration. By that he means having a framework in place that lets you respond to new issues through configuration changes, recoveries and restores; ITSM solutions that give you visibility into your IT environment and into individual systems; and new strategies, policies and tools that can interoperate with your existing environment.
Deadly Sin #5: Pride
“Security can’t be measured and managed like other aspects of the business.”
Crawford says that this is simply not true. Organizations can measure security in any number of metrics, including the percentage of systems covered and uncovered, the percentage of successful security updates versus failed updates and the rate of patch latency. It’s not easy to collect this information, but that’s where automation comes in.
In addition to enabling this automation, ITSM solutions can audit the network to identify known assets and their security status, ensuring security policies are being met fully across the entire organization while uncovering previously unknown exposures. Trends can be analyzed to demonstrate progress and determine need. Crawford suggests visiting benchmarks.cisecurity.org for more information about what security metrics are important.
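The metrics Crawford names (systems covered versus uncovered, successful versus failed updates, patch latency) and the monitoring for deviations from policy called for under Deadly Sin #3 can all be computed from the same management-agent inventory. The following is an added example, not code from the article or from Kaseya: the inventory records, field names, the 14-day remediation window and the report date are constructed for illustration, and a real deployment would read the same fields from its agent or CMDB instead.

```python
"""Patch-compliance metrics and policy-deviation check over an asset inventory.

Added example (not from the article or Kaseya). The data, field names,
14-day policy window and report date below are constructed assumptions.
"""
from datetime import date
from statistics import median

# --- Constructed sample data -------------------------------------------
AS_OF = date(2013, 6, 1)      # the day the report is run
POLICY_DAYS = 14              # assumed policy: install within 14 days of release

# Every asset the organization believes it owns ...
ASSETS = ["web-01", "web-02", "db-01", "laptop-07", "laptop-12"]
# ... and the subset a management agent is actually reporting from.
REPORTING = {"web-01", "web-02", "db-01", "laptop-07"}   # laptop-12 is dark

# One record per (asset, patch). result is "success", "failed", or None if
# the update was never attempted; installed stays None until the patch lands.
PATCH_EVENTS = [
    {"asset": "web-01",    "patch": "P-001", "released": date(2013, 5, 1),  "installed": date(2013, 5, 4),  "result": "success"},
    {"asset": "web-02",    "patch": "P-001", "released": date(2013, 5, 1),  "installed": date(2013, 5, 20), "result": "success"},
    {"asset": "db-01",     "patch": "P-001", "released": date(2013, 5, 1),  "installed": None,              "result": "failed"},
    {"asset": "laptop-07", "patch": "P-001", "released": date(2013, 5, 1),  "installed": date(2013, 5, 2),  "result": "success"},
    {"asset": "web-01",    "patch": "P-002", "released": date(2013, 5, 25), "installed": None,              "result": None},
    {"asset": "db-01",     "patch": "P-002", "released": date(2013, 5, 25), "installed": date(2013, 5, 26), "result": "success"},
]


def coverage(assets, reporting):
    """Fraction of known assets a management agent is reporting on.
    An asset that is not reporting is 'uncovered': it cannot be measured."""
    return len([a for a in assets if a in reporting]) / len(assets)


def update_success_rate(events):
    """Successful installs over attempted installs. Returns None when nothing
    was attempted, so a silent fleet never reads as 100% compliant."""
    attempted = [e for e in events if e["result"] is not None]
    if not attempted:
        return None
    return sum(e["result"] == "success" for e in attempted) / len(attempted)


def install_latencies(events):
    """Days from patch release to successful install, one value per install."""
    return [(e["installed"] - e["released"]).days
            for e in events if e["result"] == "success"]


def policy_deviations(events, as_of, policy_days):
    """The PDCA 'Check' step: find items that breach the remediation window.
    overdue = not yet installed and older than the window (open exposure)
    late    = installed, but outside the window (a past violation to trend)"""
    overdue, late = [], []
    for e in events:
        if e["result"] == "success":
            if (e["installed"] - e["released"]).days > policy_days:
                late.append((e["asset"], e["patch"]))
        else:
            age = (as_of - e["released"]).days
            if age > policy_days:
                overdue.append((e["asset"], e["patch"], age))
    return {"overdue": overdue, "late": late}


def report(events=PATCH_EVENTS, assets=ASSETS, reporting=REPORTING,
           as_of=AS_OF, policy_days=POLICY_DAYS):
    """Roll the metrics into one dict a dashboard or trend store can ingest."""
    lat = install_latencies(events)
    return {
        "coverage": coverage(assets, reporting),
        "success_rate": update_success_rate(events),
        "median_latency_days": median(lat) if lat else None,
        "max_latency_days": max(lat) if lat else None,
        **policy_deviations(events, as_of, policy_days),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Two design points matter here. Coverage is computed against the asset list the organization believes it owns, not against the agents that happen to report, so a machine nobody is watching drags the number down instead of disappearing from it. And a failed or never-attempted install is counted as open exposure that ages every day, which is what turns a static scan result into the deviation monitoring the PDCA Check step requires.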
Deadly Sin #6: Arrogance
“Our people can cover what our technologies can’t.”
It’s dangerous for organizations to rely too heavily on human intellectual capital for their security needs. People move on, and their knowledge leaves with them and is not easily replaced. A combination of technology that automates the mundane, repetitive parts of IT security management and technicians who plan, assess and remediate is a far more consistent and safer strategy.
Deadly Sin #7: Avoidance
“Taking a more serious approach to our security will overwhelm our resources.”
Building a robust and reliable information security apparatus is not a simple undertaking, especially in large enterprise environments, but it is not a herculean feat either. Yes, it will require people and money to purchase, set up and maintain the necessary infrastructure. However, there are options suited to just about any size of IT staff and budget. According to Crawford, organizations should weigh all of their options carefully, including properly vetting solutions and partners and considering both hosted and Software as a Service (SaaS) models.
What should you do now?
Organizations should focus on building security strategies that are comprehensive, forward-looking and flexible. Kaseya can give organizations the automation framework they need to implement a holistic strategy that runs through the service desk where administrators have a single console in which to prevent, monitor, detect and respond to security threats in an efficient manner.
Visit www.kaseya.com/features.aspx to learn how Kaseya can help you avoid these seven deadly sins and get a better handle on IT security management.