More from the Converge information security conference in Detroit, this time recapping Enterprise Security Back to Basics presented by Joel Cardella, the director of information security, IT security, governance, risk and compliance at Holcim US.
(Also see a recap of Thursday’s The Challenge of Natural Security Systems.)
Why this back to basics talk? Cardella feels we’re being beguiled by all these large breaches that push people to a solution they aren’t yet ready to receive. He holds that the importance of this talk is getting organizations mature enough to be ready to buy what vendors are selling. It’s about asking if your company is sure you need what is being offered.
The goal is for security to become proactive rather than remain in the reactive posture typical of InfoSec. Each single record lost in a data breach is worth $145. That’s up 15% this year from last year. When breaches affect thousands, or even millions, of records, the cost is incredible.
Cardella defines risk as:
Threats x Vulnerabilities x Time = Risk
Threats are not something we can control. Vulnerabilities are things we can control and influence, both directly and indirectly. Time is also within our control: taking care of something quickly helps drive the risk down. The point: do what you can to secure your company as quickly as possible to immediately lower risk within your organization.
- Security requires resources; you must invest in order to get a return.
- Act/think like an adversary.
- Find and understand what’s happening in your network. Find your baselines.
- Document everything. Especially if you deal with audits, you want to have everything written down.
- Make a plan. Write that plan down. Even if it’s simple, write it down, and then flesh it out over time.
- Keep your scope small.
- Go back and do it all again. Verify, and find the things you missed.
Cardella says that in IT, it’s important to understand your business, and how the IT infrastructure supports that business. Knowing how your business uses the infrastructure means you can create and change it to be more effective and secure in the future.
Another really important basic is network segmentation. Not allowing systems to talk to each other across the network means that an attacker who has access to one section cannot use it to break into a different section. He admits that this takes a lot of time, and it’s important to seek out an expert who can help with firewall implementation. You also need to test to confirm that your network is actually segmented, not just that it should be.
Managing the accounts that are on your systems is incredibly important, and goes back to understanding how your company works and who needs what access. Restrict employee and vendor access to a need-to-know basis. Set up a classification scheme to determine the sensitivity of data, and thus what access is necessary for particular users to get to the information they need.
At the end of the day, Cardella explains that there is no magic bullet. InfoSec is multi-layered and multi-disciplinary. It costs time, money and resources. Focus on the implementation, not just the technology – that’s where much of the problem is.
Humans are the weakest link, so you can’t take for granted that a great technology is implemented correctly. Always ask “Are you sure?”, and prove that you’re secure through trials, testing, changing and repeating.