Wednesday, February 4, 2009

But we're in a recession?!?!?!?

WPA has been cracked. Twitter and other "web 2.0" technologies have been hacked. Payment processor Heartland Payment Systems was recently compromised. Regulatory compliance requirements continue to increase while the range and scope of threats continue to grow. What's the matter? Don't the bad guys know we are in a recession and my budget for security has been cut?

The fact is that during times of economic trouble security requirements don't decrease, they increase. Organizations may scale back hardware upgrades or the implementation of a new cool technology, but they simply cannot choose to ignore security. A compromise in a strong economy is bad. A compromise in a weak economy, where profits are lower and competition is greater, could make the difference between a business that succeeds and one that fails. So what can organizations do to maintain security and regulatory compliance while at the same time reducing costs?

Recent industry activity has shown that organizations are doing a few things to meet these seemingly conflicting requirements. Many organizations are looking at automation and outsourcing. These approaches allow organizations to do more with less. "Security as a service" can allow an organization to take advantage of high levels of expertise without the high employee overhead. Replacing highly manual and labor-intensive processes with technology can reduce those costs further. Managed security services look set to play a big role in the coming year.

Many organizations are looking to blend physical and logical security. Technologies such as smart cards and proximity cards can provide "single sign-on" to the building, the data center, the network and applications, eliminating the need to manage and maintain multiple solutions.

Larger organizations are also looking to centralize a sometimes distributed security infrastructure. Moving security technologies into a central data center can reduce administrative costs significantly.

So what can be done?

First, organizations need to understand where their security strengths and weaknesses are. They need not only to understand their risk of compromise but also to identify areas where consolidation, centralization, automation and outsourcing would result in better security at a lower cost. If organizations have already addressed their security concerns, they should focus on testing their solutions to validate effectiveness.

One final thought. In a troubled economy it is important that organizations assess the financial stability of their security technology vendors. The failure of a security company could result in organizations relying on unsupported technologies. This would be a problem if we are talking about a firewall. It would be a disaster if we are talking about technologies, like anti-virus and intrusion detection, that require constant updates from the vendor. While technology replacement may not be high on the list of priorities for many organizations, replacing security technology from troubled vendors may be a requirement.

First Posting - Quick Overview

Welcome to the NWN Security blog site. I hope to use this site and its related Twitter account to distribute updates about NWN's Security Testing, Assessment and Response practice. Rather than talking about what this blog will contain, I'll just start and hope you get the idea.

As many of you know, NWN has created a new practice that focuses exclusively on security testing, security assessments, regulatory compliance, incident response and computer forensics - thus "Security Testing, Assessment and Response" or STAR. For those of you not familiar with what we do, I'll give you an overview.

"Security Testing" focuses mainly on reviewing security from an attacker's perspective. This includes things like vulnerability scanning, war dialing, war driving, social engineering, physical security and full penetration testing. Basically, we try to break into customer networks to test their security.

"Security Assessment" operates from a more trusted perspective. We work with our customers, reviewing the configuration of systems and devices, their network architecture, Active Directory, security technology, security policies and security operations to determine overall security effectiveness. Assessments can also take the form of formal audits where NWN collects evidence of proper security and provides our customers with PASS/FAIL grades.

"Incident Response" involves identifying and confirming the attack or compromise, containing the problem, cleaning up the mess and, finally, restoring normal business operations. It can include formal computer forensics investigations, with or without the involvement of law enforcement.

Any and all of these services can be directly related to regulatory compliance (e.g., PCI, SOX, GLBA, HIPAA, 21 CFR Part 11), or they can be based on industry standards such as the ISO 27000 series.

Well, that's about all for now. Check back periodically for more updates. I hope to get to this on at least a weekly basis. If you have any questions, concerns, comments or need anything from me, don't hesitate to reach out.

Thanks,

Kevin