Better Security Requires New Thinking
March 10, 2017
Distributed Denial of Service (DDoS) attacks have proliferated in recent years. For better or worse, they showed us how dependent we are on IT and e-services.
Not to mention how Mr. Snowden and WikiLeaks opened a few eyes. Then there are the stories we hear almost daily about Anonymous, botnet takedowns and data breaches. And have I forgotten state-sponsored attacks?
Taking security for granted is no longer an option.
The main question we should ask ourselves as CIOs, IT managers or CISOs is this: why has all the investment we made over the last decade failed so miserably to protect us from such attacks? What happened to the promises we heard from security vendors that their solution was the panacea for our security problems, that we could sleep peacefully at night knowing we were protected?
Before we start blaming our firewalls, IPS or antivirus, let's take a step back, take a deep breath and look at what has changed over the last few years. What has changed in IT in the first place? Have we noticed that more colleagues are using their smartphones at work to access enterprise IT?
If we just look around, are we allowing employees to use cloud-based storage services so they can continue working on projects from home or even coffee shops? Are they bypassing our IT infrastructure? Are we creating a different IT within? A Shadow IT, if you will.
New developments in ICT such as smartphones, tablets and other mobile devices, virtualization and cloud services have driven what we call IT consumerization: new technologies start with the consumer and then, whether we like it or not, become part of our enterprise IT.
Also, with our increasing reliance on e-services, the whole world was suddenly at risk when Heartbleed made the news. A single missing bounds check in OpenSSL (CVE-2014-0160) let anyone read chunks of a server's memory, private keys included, and it made us think again about software security and about our trust in both open source and commercial software.
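To make that software-security point concrete, here is an added example, written for this edit and not code from the original post or from OpenSSL: a simplified heartbeat-record parser that shows the bug class behind Heartbleed and the one-line check that fixes it. The record layout (1-byte type, 2-byte big-endian payload length, payload, padding) follows the TLS heartbeat extension, but the `heartbeat_reply` function, its `check_bounds` switch and the sample buffer with its embedded "secret" are constructed for illustration.

```c
/* Added example (not from the original post, not OpenSSL's code): a
 * Heartbleed-class over-read. The peer declares a payload length; the
 * vulnerable parser copies that many bytes without checking that they
 * actually arrived, so whatever lies after the record in memory is echoed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HEARTBEAT_REQUEST  1
#define HEARTBEAT_RESPONSE 2
#define PADDING            16   /* minimum padding required by the spec */

/* Builds a heartbeat response for the record in rec[0..rec_len).
 * check_bounds=0 reproduces the vulnerable behaviour, 1 the fixed one.
 * Returns bytes written to out, or -1 if the record is rejected. */
long heartbeat_reply(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap, int check_bounds)
{
    if (rec_len < 3) return -1;
    uint8_t  type        = rec[0];
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (type != HEARTBEAT_REQUEST) return -1;

    /* The fix for CVE-2014-0160 amounts to this check: the declared payload
     * plus padding must fit inside the bytes that were actually received. */
    if (check_bounds && (size_t)1 + 2 + payload_len + PADDING > rec_len)
        return -1;

    size_t need = 3 + payload_len + PADDING;
    if (need > out_cap) return -1;

    out[0] = HEARTBEAT_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Without the check above this copies payload_len bytes starting at the
     * payload, reading far past the end of the short record. */
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, PADDING);
    return (long)need;
}

/* Constructed sample data standing in for other process memory that
 * happened to sit next to the heartbeat record on the heap. */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";

/* Sends a record that claims a 64-byte payload but carries one byte,
 * then reports 1 if the response contains SECRET, 0 otherwise. The record
 * and the secret share one array so the over-read stays inside it. */
int heartbleed_leaks(int check_bounds)
{
    uint8_t mem[128];
    memset(mem, 0, sizeof mem);
    mem[0] = HEARTBEAT_REQUEST;
    mem[1] = 0; mem[2] = 64;            /* declared payload length: 64 */
    mem[3] = 'A';                       /* actual payload: 1 byte      */
    size_t rec_len = 3 + 1 + PADDING;   /* what really arrived: 20 bytes */
    memcpy(mem + rec_len, SECRET, sizeof SECRET);

    uint8_t out[256];
    long n = heartbeat_reply(mem, rec_len, out, sizeof out, check_bounds);
    if (n < 0) return 0;                /* rejected, nothing echoed */
    for (size_t i = 0; i + sizeof(SECRET) - 1 <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, sizeof(SECRET) - 1) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("unchecked parser leaks the secret: %d\n", heartbleed_leaks(0));
    printf("checked parser leaks the secret:   %d\n", heartbleed_leaks(1));
    return 0;
}
```

The unchecked variant answers the 20-byte request with 83 bytes, 64 of which were never sent and one of which runs straight through the "private key"; the checked variant refuses the record outright. Note that the length field is attacker-controlled input, and the lesson generalizes well beyond TLS: any length or offset read from the wire must be validated against the bytes actually in hand before it is used to index memory.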
To be clear, most of the investment in information security went into technology acquisition and, to a lesser extent, into narrowly scoped risk assessments and ad hoc penetration tests.
Technology (vendor products) is only one pillar of security; the others are people and processes. Even within technology, the physical box is just one part. Configuring the right policy on that box and operating it properly (updating, patching, monitoring and so on) is a major part of maintaining security.
Both of those initiatives (technology and assessment) address only the first two functions of a cyber security framework such as the NIST Cybersecurity Framework: Identify and Protect. The functions that follow, Detect, Respond and Recover, are equally important and have been badly neglected.
To achieve better security we need to shift our focus to those later functions.