The IT Compliance Institute claims that cybercrime has become a $105 billion business, surpassing the illegal drug trade, yet people still don’t understand what a serious threat cybercrime can be. Corporations lose more than 40 billion dollars per year to cybercrime, but as a security analyst I still feel resistance to changes in software security, IT infrastructure and other factors that could mitigate a great amount of risk in insecure systems.
I understand these companies’ concerns - they have board members and stockholders to answer to, and they have to keep profits as high as possible, so everything is about ROI. What’s the return on an investment that protects you against something that may or may not happen? ROI for security is very difficult to measure, to be sure. However, as soon as your company is crippled by the next worm, or the internal network has been targeted and breached through the latest 0-day vulnerability, the CSOs, CISOs and CTOs of today’s modern company will have no choice but to listen to the deafening sound of the next major data breach.
So what can we do?
It turns out there’s a lot we can do. Here are a handful of easy-to-implement activities that I employ and that people should really be considering. These will reduce your external attack surface and limit the damage from generic threats.
- Require the use of TLS/SSL for all e-mail – this helps ensure that e-mail credentials and contents are not sniffed from the network when an employee connects to the network from a coffee shop or airport.
- Deploy and use PGP encryption and signatures – this makes sure that the e-mails you receive are coming from who you think they are, and gives you the ability to encrypt sensitive customer information.
- Create and enforce a solid password policy – making your users choose a secure password helps mitigate the threat of hackers breaking into your system through the front door.
- Encrypt sensitive information in databases – breaches like TJX wouldn’t have been as much of an issue if proper encryption techniques had been used on stored sensitive information.
- Expire sensitive data as soon as possible – information that is kept past its useful time period is simply a liability; properly expiring your data as soon as it loses usefulness will help you sleep better at night.
- Education – the last but most important thing we can do isn’t policy at all; it’s educating our employees to see the benefit of security and empowering them to make good security decisions. Little things like not downloading or running files and programs from untrusted sources (such as the internet or e-mail) are a great place to start.
--Joe Basirico
EDIT: I posted this last Friday, but over the weekend I realized that I’m much more interested in hearing what works for you, so I’ve compiled a few questions to get some discussion going. Please respond in the comments.
- Have you found that these techniques help secure a network?
- Are there techniques that you use that I haven’t listed here?
- What works for you, and how much security does it provide versus the headache and time it took to set up?
- From an IT perspective should we always make the decision that will create the most secure system, or are there times when usability wins out?

We all need to admit that PCs **will** be compromised, one way or another. Operating systems/applications (even so-called security apps like antivirus) have been and will continue to be compromised and/or bypassed. They have vulnerabilities; they always have had bugs and always will have bugs. Not to mention the Layer 8 problem of users themselves installing malware due to social engineering.
Given that sad state of the (networked) world, a key component you should add is "Network Watch Towers". Ideally something easier to use than SIEMs and more accurate than NBADs. Monitoring the network for new application traffic, misuse of protocols, signs of data compromise, etc. These tools exist (open source and proprietary) and we've been using them successfully to prevent bots and other malware from taking hold. Yes, they sneak in, but we boot them out before they do too much damage.
Agree with the first comment (as someone from IBM said, "our strategy is to figure out how you do business with an infected computer"). "Trusted computing" is an oxymoron and will not work, simply because you need to account for a user who needs access to install apps but cannot be trusted to install applications!
The technology conforming to the TCG's ( http://www.trustedcomputinggroup.org ) specifications is available from just about all PC OEMs today - in the enterprise space, that is. The PC OEMs are not yet visionary enough to put this tech into consumer PCs, which actually borders on corporate irresponsibility. Phishing would be a thing of the past and we could finally log on using PKI-based strong authentication. Everybody!