I have had the opportunity over the past couple of months to perform security assessments for a bunch of different organizations including hospitals, universities, manufacturing companies and real estate companies. While the results of these assessments are as unique as the companies for which they were performed, I have noticed some common trends. I thought it would be interesting to try to condense them down into a "top 10" list.
1. Ignoring web application security
2. Poor patch management (especially internal systems and workstations)
3. Lack of a risk basis for security decisions (or making decisions based on fear, uncertainty and doubt)
4. Relying solely on the perimeter for protection
5. Ignoring the operational aspects of security (e.g. IDS tuning, maintenance, incident response, etc.)
6. Poor password management (Is 8 characters with an upper, lower, numeric and special char. changed every 90 days really strong?)
7. Ignoring detection - focusing solely on attempts at protection
8. Failing to account for users (who will always find a way to break security)
9. Failing to implement a DMZ, allowing external access directly to the internal network
10. Focusing exclusively on completing regulatory "checkboxes" - compliance does not equal security
As you read this list, ask yourself, is this you? Have you adequately tested the security of your web applications? Have you conducted a web application penetration test that is complete and comprehensive? If not, how do you know your web applications are secure?
What about patch management? Cross-site scripting, email-based links and malicious JavaScript make your end users direct targets. If an end user workstation gets compromised, the attacker can continue their attacks from within your network perimeter. What will they be able to do? Are you expecting your firewall and other perimeter devices to provide protection in this scenario? Is your network resistant to attack from within? Have you implemented proper network segmentation and strong access controls between internal segments?
If an attacker were to get in, are you ready? Do you have sufficient detective capabilities to identify the attack in its early stages or will you wait until a partner, customer or other third party notifies you of the breach? If you notice the attack, do you have a formal, approved incident response plan in place? What are your incident response goals? Do you want to conduct a forensics investigation or simply get the system back up and running? What about notifying law enforcement?
What about regulatory compliance and risk? Does your security plan focus exclusively on meeting regulatory compliance requirements, or are you making security decisions based on assessed risk? One way will cost a lot and achieve little with respect to actual risk reduction. The other reduces costs, achieves compliance in the face of a dynamic regulatory landscape and reduces business risk to an acceptable level. Which are you doing?
I have put together a podcast that covers each of the items on this top 10 list, so if you are interested, give it a listen. If you want to discuss this in more detail, please reach out to me. Also, don't forget to follow me on Twitter - http://www.twitter.com/nwnsecurity - and on Facebook (kevinfiscus).
Take care!
Kevin