Sunday, October 24, 2021

Defending IT in an Evolving Battlefield

The battle for control over corporate networks is raging. And as IT professionals and hackers both pick up more weapons and take on new partners, the fight is only increasing in intensity… as it increases in importance.

Scott Laliberte, a co-author of the new book Defend IT: Security by Example, gives readers war stories from the digital battlefield. The director of Protiviti, Inc., a global risk consultancy, Laliberte says IT professionals need to suit up because the fight over the safety — and control — of the corporate network is just heating up.

In a one-on-one interview with eSecurityPlanet, the author talks about what is holding IT back in this ongoing fight, how the environment that needs protecting is constantly shifting, and what new battles are looming ahead.

Q: In your book, you talk about the battle between IT and malicious Internet users. How much is this battle growing in size and scale?

I’d say the battle is definitely increasing. If you look at statistics, like the FBI and CSI survey, and the CERT stats, the number of attacks continues to grow. But we’re starting to see more headway made in the battle against the attacks. There’s more awareness. And security spending is starting to rise. With the regulatory issues emerging… companies and boards of directors are being forced to look at security in a much more serious light and they are putting more resources into it. That’s helping us gain some ground in the battle.

Q: How is the battlefield evolving?

It’s always evolving. As security professionals make advances in one area, the attackers respond by developing smarter attacks. As the perimeter started to be brought under control and people started to block up ports, hackers developed more sophisticated Web attacks over HTTP and email. There’s starting to be more worms and viruses out there. And the window between the find of a vulnerability and the time it took someone to exploit it used to be weeks. Now, it’s days. So today, IT has to patch every few hours instead of every few days. The battle is speeding up.

Q: Is one side winning at this point?

That’s tough to say. I wouldn’t say one group is ahead of the other. As an IT professional, you try forecasting ahead. You need to be forecasting two to three moves ahead if you’re going to win the battle.

Q: So when you forecast two to three moves ahead, what do you see?

I see companies putting together more formal structures and basically having to have good frameworks. People are starting to put in better frameworks and in-depth defense, some tighter controls — like tokens and digital certificates. We’ll have to come around to those to get good security. Passwords are just not good security. People understand that but it’s too expensive to go to another solution.

Q: What is holding IT back? What is keeping them from doing better in this war on hackers?

It’s budgets and management-level commitment. As most people in this profession know, security is looked at as a cost center. It’s like buying insurance. You don’t see ROI until an incident happens. And hopefully incidents don’t happen, so they don’t see the problems that you’re preventing. Showing that ROI and showing the return on investment and getting the support necessary is a huge hurdle that security professionals have to overcome right now… And they have to keep up with the technologies and the attacks. It’s constantly changing. The new technology you’re putting in place today is not going to be as practical or work as well a year down the road. You can’t look at it as a process that has a start and a finish. You have to look at it as a life cycle model.

Q: What are IT’s strengths today?

I think there’s a lot more awareness of security issues and there’s a lot more training out there. There’s a lot more resources out there, like SANS and the trade publications and numerous books. And they’re starting to get more recognition and support from management, but that still has a ways to go.

Q: What are the biggest security concerns that are plaguing IT?

Regulatory concerns — making sure they’re not violating any laws. Availability concerns — making sure there’s not going to be an incident bringing the company down for any amount of time. In today’s world, being down an hour could cost a million dollars, along with the loss of reputation and customer good will. Another big headache they have is educating users. You can put the greatest technical controls in place, but if you have users who will give their passwords to anybody who calls them on the phone, you’re still defeated.

Q: What kind of an effect are mobile workers and wireless devices having on security efforts?

The tech environment is changing. It used to be that you had a very well-defined perimeter. You had a firewall and a building where somebody had to bypass a guard. Now you have wireless network and numerous Web applications. You have people who work from home via a VPN. You have partners connected to you online. You can’t just rely on perimeter controls anymore. Your whole idea of perimeter control has changed. Now you have all these entities that may easily bypass perimeter controls. This is forcing us to change the way we think about security and enforce new controls.

Q: What new problems do you see coming down the road?

The challenge I see coming down the road is managing all the controls you have in place with limited resources. Monitoring is a major control and you need to have a place for it in the organization. It’s one of the most poorly managed controls out there. They try to monitor too much. They need to figure out what are the highest risk areas they need to guard, and then they need to design manageable solutions to do that. You can’t protect everything at the same level. You have to make some hard decisions about what you’re going to protect and how you’re going to do it.
