Well Do Security Later

This kind of thinking is very common during a merger or an acquisition or when the company is rushing out a new product. Since systems and networks are continuously evolving and getting more complicated, it is always difficult to retrofit security at a later date. Security should be considered from the start, not afterward.

The same is true regarding the erroneous thinking about security: It might seem more important to get a new Internet service up and running and to start building up the online buzz before all the privacy policies and protections are in place. Organizations have to comply with a mishmash of regulations to ensure user privacy, so it’s best to have all the ducks in a row before the regulators come knocking.

After practically every data breach, the organization is criticized for not encrypting the data. While it’s important to protect sensitive data, it’s important to think about the architecture and make sure the network is still secure. Insiders have to still be monitored to ensure they aren’t abusing their privileges. People expect encryption to solve all problems, forgetting that implementation flaws, such as improperly storing the keys, can render encryption moot.

Pick the security technology, and there’s someone out there convinced that it is the cure-all and the only thing needed for security utopia. It doesn’t exist. While there are excellent antivirus, intrusion prevention, network monitoring and forensics tools available, none of them can do everything. Security tools are specialized, and there is no silver bullet. Focus on layered security, not a one-size-fits-all approach.

Some executives have the attitude that if security can’t be guaranteed, then it’s not even worth talking about, putting the security professional in a position of having to downplay security risks or over-promising security. Organizations need to have metrics to measure risks and decide when it’s “good enough” and focus on other areas. Security is about balancing protection and cost.

It’s easy to look at the landscape and available technology and conclude that it can’t be that hard to take charge of security. However, it’s best to let people who have done it many times and know what they are doing take charge of security, instead of handing it over to someone who may not know how to deal with rough spots or unexpected situations. “How hard is that?” Plenty hard. Leave security to the professional.

While regular testing is necessary to look for and patch flaws, it’s not a replacement for having security by design. All penetration testing is doing is plugging holes to harden a broken product, which forces the organization to always be reactive. True security is making sure the common issues are not in the application in the first place and addressing subtle, more complex problems that are discovered down the road.

Wrong! Practically every organization, big and small, in all industries is a target. The threat actor can be the frustrated insider, disgruntled ex-employee, a person out to make a political point, a cyber-criminal looking for the fastest way to make money or corporate spy. The Sonys of the world aren’t the only ones under attack. Small credit unions and mom-and-pop operations are targeted, too.

Security by obscurity sounds good in theory. If the attacker can’t just Google the software you are running to find known vulnerabilities, then surely, it’s safe from attack. The most common attack vector is cross-site scripting and SQL injection, attacks that are easily preventable, but often overlooked by developers. If an attacker really wants to get in, they will do the research necessary.

It’s another idea that sounds good in theory, but it’s no excuse to skimp on the technology. Users need to be taught to not click on dodgy attachments, but they also shouldn’t be seeing those files in their in-box in the first place. It’s difficult for the savviest Internet user to identify some of the latest scams. While technology can be patched, the human brain can’t.