Tuesday, May 14, 2024

The Security Perspective - Risk Mitigation and Monitoring Tools

The Security Perspective

  1. Growing role of security
  2. Regulatory and industry compliance
  3. Zero day threats require constant vigilance
  4. Suite of monitoring systems

The ubiquitous threat and constant reporting of security breaches of every kind is finally starting to elevate security concerns within the enterprise. Companies historically were willing to pay lip service to security, but they were far less likely to commit to costly security programs or to the additional time and effort that stronger security demands. Security is complicated and time consuming. When security is added as a varnish over an existing process or product, it will be ineffective. Security must be addressed throughout the life cycle of the product and throughout the organization. Increasingly, security is being promoted within the organization, and C-level executives are being appointed to guide it horizontally across business units.


Security is about reducing risk, but risk cannot be completely eliminated. If you are going to do anything at all, there is some risk involved; if you want to eliminate risk entirely, do nothing, put yourself in the closet and close the door. It should be noted that security is a process, not a destination. You need to continually reevaluate your security posture and adapt to changes. Modern applications need to be regularly tested for emerging vulnerabilities in their own code, in included libraries, in the operating environment and in operational practices. Tactical security requires defining a perimeter, choke points and other means of limiting access to your assets. On many occasions Ops will try to define the perimeter from the inside out.


While security is a concern for any organization that wants to survive, organizations in regulated industries are required to pay particular attention to it. If your business handles credit card data or health care information, it will be subjected to all manner of scrutiny, including extensive questionnaires, audits and regulations. Organizations need to be able to demonstrate that they handle data in a secure way. They will need policies that state management's position on the rules. They will need procedures that detail how those policies are carried out. Finally, they will need to document adherence to the policies and procedures, because that documentation is the evidence an auditor will ask for.


Security has a number of dedicated tools to assist with enforcing policies and providing evidence of compliance. These tools are monitoring tools focused on specific security concerns. Perhaps the most familiar application in this category is antivirus software. A mainstay on computers today, antivirus software scans your files for the signatures of known malware: byte patterns or file hashes taken from samples that have already been analyzed. Regular signature updates are required to keep up with emerging threats, and a signature engine by definition cannot catch malware it has no signature for. Antivirus software has the unfortunate side effect of burdening systems with a disk-intensive process. Particularly on servers, a balance must be struck between how aggressively the scanner performs its work and keeping the system responsive enough to perform its real function.
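The mechanics of signature scanning, as an added example that is not from the original post and not any antivirus vendor's code. The signature names, byte strings and files are all constructed for the illustration. It shows the two common signature types (a byte pattern and a whole-file hash), the chunked read that keeps memory flat on large files, the overlap that is needed so a pattern straddling a chunk boundary is not missed, and the bandwidth throttle that is the knob for the server-load trade-off described above.

```python
"""Signature-based file scanner, streamed in chunks with an optional I/O throttle.
Added illustration; the signatures and files are constructed, not real malware."""
import hashlib
import tempfile
import time
from pathlib import Path

# Constructed signatures (hypothetical names and byte strings). A real engine ships
# millions of entries and updates them continuously; the matching logic is the same.
PATTERN_SIGNATURES = {
    "Test.Dropper.A": b"PHONE-HOME-THEN-DROP-9f3c",   # byte sequence shared by a family
}
HASH_SIGNATURES = {
    "Test.Exact.B": hashlib.sha256(b"known bad file contents").hexdigest(),  # one exact file
}
CHUNK = 64 * 1024


def scan_file(path, max_bytes_per_sec=None):
    """Return the sorted signature names that match the file at `path`.

    The file is read in CHUNK-sized pieces so memory use is flat regardless of
    file size. A tail of (longest pattern - 1) bytes from the previous chunk is
    prepended to the next one so a pattern that straddles a chunk boundary is
    still found. `max_bytes_per_sec` sleeps between reads to cap disk bandwidth,
    which is what keeps a scan from starving a server's real workload.
    """
    overlap = max(len(p) for p in PATTERN_SIGNATURES.values()) - 1
    digest = hashlib.sha256()
    hits = set()
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            digest.update(chunk)
            window = tail + chunk
            for name, pattern in PATTERN_SIGNATURES.items():
                if pattern in window:
                    hits.add(name)
            tail = window[-overlap:] if overlap else b""
            if max_bytes_per_sec:
                time.sleep(len(chunk) / max_bytes_per_sec)
    hexdigest = digest.hexdigest()
    hits.update(name for name, sig in HASH_SIGNATURES.items() if sig == hexdigest)
    return sorted(hits)


def scan_tree(root, **scan_kwargs):
    """Scan every regular file under `root`; return {path: [signature names]} for hits only."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            hits = scan_file(p, **scan_kwargs)
            if hits:
                results[str(p)] = hits
    return results


def demo():
    """Build three constructed files in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "clean.txt").write_bytes(b"nothing to see here\n" * 100)
        (root / "exact.bin").write_bytes(b"known bad file contents")
        # Pattern placed so it starts 5 bytes before the first chunk boundary.
        (root / "straddle.bin").write_bytes(
            b"A" * (CHUNK - 5) + PATTERN_SIGNATURES["Test.Dropper.A"] + b"B" * 10
        )
        return {Path(k).name: v for k, v in scan_tree(root).items()}


if __name__ == "__main__":
    print(demo())  # {'exact.bin': ['Test.Exact.B'], 'straddle.bin': ['Test.Dropper.A']}
```

Without the `tail` overlap the pattern in `straddle.bin` would be split across two reads and silently missed; a chunked scanner that forgets this has a blind spot exactly the width of its buffer.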


Monitoring Tools - DLP


Another application in this class of security monitoring software is Data Loss Prevention (DLP). DLP is used to deter and detect data "leaking" out of the production environment. DLP agents are installed on servers and on other systems, such as operators' desktops and laptops, that access sensitive data. The core of a DLP product is content inspection: outbound email, web uploads and files copied to removable media are matched against patterns for the data the organization must protect, such as payment card numbers or national identification numbers. The agents may also enforce device control, disabling USB mass storage so that sensitive data (or any data at all) cannot be copied to a thumb drive. They may also enforce screen savers and locks to keep prying eyes or sneaky hands off your computer when you are away from it.
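The content-inspection part of a DLP check, as an added example that is not from the original post and not any DLP vendor's rules. The outbound message is constructed; the card-number and SSN patterns are deliberately minimal and the function and variable names are the author's own choices. The point it shows beyond the text is why a regex alone is not enough: a 16-digit order reference matches the same pattern as a card number, and the Luhn check is what separates the two.

```python
"""Content-inspection core of a DLP check: find payment card numbers and US SSNs
in outbound text, then decide whether to allow, redact or block. Added example;
the sample message is constructed and the patterns are deliberately minimal."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in
# a longer digit run. A loose pattern; the Luhn check below removes most false hits.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Digit strings that look like card numbers AND pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list[str]:
    return SSN_RE.findall(text)


def redact(text: str) -> str:
    """Mask all but the last four digits of every Luhn-valid card; mask SSNs fully.
    Non-card digit runs (order numbers, timestamps) are left untouched."""
    def mask_card(m):
        digits = re.sub(r"\D", "", m.group())
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else m.group()
    return SSN_RE.sub("***-**-****", CARD_RE.sub(mask_card, text))


def inspect_message(text: str) -> dict:
    """Policy decision for one outbound message."""
    cards, ssns = find_cards(text), find_ssns(text)
    verdict = "block" if cards or ssns else "allow"
    return {"cards": cards, "ssns": ssns, "verdict": verdict}


# Constructed outbound message. 4111-1111-1111-1112 fails Luhn and stands in for an
# order reference; 4111 1111 1111 1111 is the well-known Visa test number.
SAMPLE = (
    "Shipping order 4111-1111-1111-1112 today, ref 8675309.\n"
    "Customer paid with 4111 1111 1111 1111; SSN on file 123-45-6789.\n"
)

if __name__ == "__main__":
    print(inspect_message(SAMPLE))
    print(redact(SAMPLE))
```

Real products add context (is the card next to an expiry date, how many distinct numbers appear in one file, which directory the file came from) to drive the false-positive rate down further; the allow/redact/block split above is the usual set of policy outcomes.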


Monitoring Tools - WAF


Twenty years ago it was not uncommon for organizations to connect to the Internet with just a router and no firewall. Firewalls are now commonplace. Increasingly, a requirement is a type of firewall called a Web Application Firewall (WAF). Traditional firewalls operate at the network and transport layers: they filter traffic by address, port and protocol, blocking unwanted connections to services that could be used as a vector for an attack. However, a typical firewall does not distinguish between legitimate web traffic and malicious requests hidden inside benign-looking HTTP on port 80 or 443. This is where a WAF comes in. A WAF understands HTTP itself: methods, headers, paths, query strings and bodies. It can discern non-conforming requests that may be trying to exploit weaknesses in the application, such as SQL injection or path traversal payloads in a parameter. A WAF can also enforce an allow list (a positive security model) of the requests and parameters the application actually accepts, rejecting anything outside it.
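Request screening in the style of a WAF, as an added example that is not from the original post and not any WAF product's rule set. The routes, parameter patterns and attack signatures are constructed for the illustration. It shows the two models the paragraph mentions side by side: a positive model (only listed routes and parameters pass, and each value must match its declared shape) applied first, and a small set of generic attack signatures applied afterwards to catch payloads that a loose parameter pattern lets through.

```python
"""Request screening in the style of a WAF: a positive model (allowed routes and
their parameters) checked first, then generic attack signatures. Added example
with constructed routes; not a production WAF and not any vendor's rule set."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl


@dataclass
class Request:
    """Minimal parsed HTTP request (constructed stand-in for a real server object)."""
    method: str
    path: str
    query: dict[str, str] = field(default_factory=dict)
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


# Positive model: (method, path pattern, {parameter: value pattern}). Every listed
# parameter is required and nothing else is accepted. Hypothetical routes.
ALLOWED_ROUTES = [
    ("GET",  re.compile(r"^/products/\d{1,9}$"), {}),
    ("GET",  re.compile(r"^/search$"), {"q": re.compile(r"^[\w \-]{1,64}$")}),
    ("POST", re.compile(r"^/cart$"), {"sku": re.compile(r"^[A-Z0-9]{4,12}$"),
                                      "qty": re.compile(r"^[1-9]\d{0,2}$")}),
]

# Negative model: a few generic signatures checked against the path and every value.
ATTACK_SIGNATURES = [
    re.compile(r"\bunion\b.*\bselect\b|'\s*or\s+\d+\s*=\s*\d+|--\s*$", re.I),  # SQL injection
    re.compile(r"\.\./|%2e%2e%2f", re.I),                                       # path traversal
    re.compile(r"<script\b|javascript:", re.I),                                # reflected XSS
]
MAX_BODY = 16 * 1024


def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Protocol conformity, then the route/parameter allow
    list, then attack signatures, so the reason names the first layer that fired."""
    if req.method not in ("GET", "POST"):
        return False, "method not allowed"
    if len(req.body) > MAX_BODY:
        return False, "body too large"
    params = dict(req.query)
    if req.method == "POST":
        if req.headers.get("Content-Type") != "application/x-www-form-urlencoded":
            return False, "unexpected content type"
        params.update(parse_qsl(req.body.decode("utf-8", "replace"), keep_blank_values=True))
    for method, path_re, schema in ALLOWED_ROUTES:
        if method == req.method and path_re.match(req.path):
            break
    else:
        return False, "no matching route"
    extra = sorted(set(params) - set(schema))
    if extra:
        return False, f"unexpected parameter {extra[0]}"
    for name, pattern in schema.items():
        if name not in params or not pattern.match(params[name]):
            return False, f"parameter {name} missing or malformed"
    for value in (req.path, *params.values()):
        for sig in ATTACK_SIGNATURES:
            if sig.search(value):
                return False, f"attack signature: {sig.pattern}"
    return True, "ok"


if __name__ == "__main__":
    for r in (Request("GET", "/products/42"),
              Request("GET", "/products/42' OR 1=1--"),
              Request("GET", "/search", {"q": "x union select"}),
              Request("GET", "/search", {"q": "shoes", "debug": "1"})):
        print(r.method, r.path, r.query, "->", evaluate(r))
```

Note the order: a strict allow list rejects most hostile input before any signature runs (`/products/42' OR 1=1--` never matches a route), but `q=x union select` satisfies the letters-and-spaces pattern and only the signature layer catches it. That is why the two models are used together; neither is sufficient alone, and a signature-only WAF is the one attackers spend their time evading.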


PCI Requirements


The PCI Data Security Standard (PCI DSS) calls for controls of this kind: anti-malware on in-scope systems and, for public-facing web applications, either a WAF or regular application vulnerability testing. Beyond blocking in real time, these tools provide historical logs that can be reviewed after a security incident for forensic analysis. Even when they are not required for a certification or a standard, they are best practices. They may not all be suitable for every environment every time, but they should all be considered, and a conscious decision should be made before forgoing a best practice.
