The threat landscape is evolving faster than ever, and organizations are working hard to close any back door that gives an attacker a way in. Even so, top-tier security hardware and software each comes with its own hardening guidelines, and at some point IT Security specialists have to step in to deploy and maintain those guidelines. That is where the exposure lies: a single error in the configuration of a network or security solution can open the window an attacker needs and turn into a nightmare of overlapping risks. Let’s take a look at some of these.
The Vulnerability Remediation
We’ve all heard recently of multiple well-known security vendors releasing patches and updates for solutions deployed worldwide because a vulnerability was discovered in them. Imagine how serious the risk is when a device intended to protect internal critical systems is itself exploited by bad actors. An email goes out to customers telling them to apply this patch or change that configuration immediately to remediate the issue – not a good look. Then the action starts: the Security Team has to alert Operations, the system has to be patched, and everyone needs to report back and verify that the vulnerability has actually been fixed. Multiple teams get involved and lose hours, days, or even weeks.
Compliance: Again and Again
Compliance requirements are being updated more and more frequently as digital transformation moves forward. New regulations such as GDPR and the FIFA Cyber Security Framework, plus amendments to existing ones, all translate into new security controls that have to be implemented. Organizations and their teams are constantly checking and re-checking these requirements, validating their security solutions’ configurations against them, and updating accordingly.
Minimum Security Baseline
When implementation of a network or security solution begins, a minimum security baseline is built – either by the vendor’s professional services or by an outsourced security consultant. The real challenge comes after implementation: once the solution is in production, how does the organization keep the configuration at that baseline as new requests arrive and changes have to be made? Bringing the vendor consultant back for every revision ends up costly in both time and money.
Human Error
We can’t ignore this underestimated part of maintaining security guidelines. Human involvement inevitably leads to errors: a troubleshooting step left in place, or a misread release note, can invite attackers in through the back door. Even when vendors publish release notes listing what changed in the software, an upgrade can alter behaviour that a critical service depends on and have a huge impact on the business. A simple example: a firewall policy restricts applications to their default ports, a major OS upgrade tightens how that restriction is enforced, and the organization runs a critical business application on a non-standard port. Applying the upgrade without checking such dependencies first can cut off that application, with direct revenue or data loss for a bank or a government entity.
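The firewall scenario above lends itself to a simple pre-upgrade check. The following Python is an added example, not code from the original article or from any vendor: it takes a constructed rule set and a sample of currently permitted flows, and flags every flow that passes through an "application-default" rule on a port outside the application’s default set, since those are the flows a stricter upgrade would break. The port mapping, the rule and flow fields, and the "application-default" keyword are all assumptions chosen for illustration; in practice you would export the policy and a traffic log from the firewall itself.

```python
"""Pre-upgrade check: find permitted traffic that an 'application-default'
port policy would block once the firewall enforces default ports strictly.

All data below is constructed for the example; the port table is a
hypothetical mapping, not any vendor's application database.
"""

from dataclasses import dataclass

# Assumed default ports per application (illustrative, not vendor data).
APP_DEFAULT_PORTS = {
    "web-browsing": {80},
    "ssl": {443},
    "ssh": {22},
    "ms-sql": {1433},
}

# Keyword assumed to mean "only the application's default ports".
APP_DEFAULT = "application-default"


@dataclass(frozen=True)
class Rule:
    name: str
    application: str
    service: str  # APP_DEFAULT or an explicit comma-separated port list


@dataclass(frozen=True)
class Flow:
    application: str
    dst_port: int
    rule: str  # name of the rule that currently permits this flow


def flows_at_risk(rules, flows):
    """Return sorted (rule, application, port) tuples for flows that an
    application-default rule currently allows on a non-default port."""
    by_name = {r.name: r for r in rules}
    findings = set()
    for f in flows:
        rule = by_name.get(f.rule)
        if rule is None or rule.service != APP_DEFAULT:
            continue  # explicit port rules are unaffected by the change
        if f.dst_port not in APP_DEFAULT_PORTS.get(f.application, set()):
            findings.add((rule.name, f.application, f.dst_port))
    return sorted(findings)


def remediation_plan(rules, flows):
    """For each affected rule, the explicit port set that preserves today's
    traffic: the application's defaults plus every observed extra port."""
    plan = {}
    for rule_name, app, port in flows_at_risk(rules, flows):
        plan.setdefault(rule_name, set(APP_DEFAULT_PORTS.get(app, set())))
        plan[rule_name].add(port)
    return plan


# Constructed sample policy and traffic.
RULES = [
    Rule("allow-core-banking", "ms-sql", APP_DEFAULT),
    Rule("allow-web", "web-browsing", APP_DEFAULT),
    Rule("allow-admin", "ssh", "2222"),  # explicit port, not affected
]
FLOWS = [
    Flow("ms-sql", 1433, "allow-core-banking"),   # on default port, fine
    Flow("ms-sql", 14330, "allow-core-banking"),  # non-standard port, breaks
    Flow("web-browsing", 8080, "allow-web"),      # non-standard port, breaks
    Flow("ssh", 2222, "allow-admin"),             # explicit rule, fine
]

if __name__ == "__main__":
    for rule_name, app, port in flows_at_risk(RULES, FLOWS):
        print(f"{rule_name}: {app} seen on {port}, not a default port")
    for rule_name, ports in remediation_plan(RULES, FLOWS).items():
        print(f"{rule_name}: replace {APP_DEFAULT} with ports {sorted(ports)}")
```

Run against the real policy export and a few days of traffic logs before the change window; any rule that shows up gets either an explicit service definition or a documented exception, and the upgrade proceeds with no surprises for the business application.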
So what is being done?
Many established organizations with Risk Management departments address these problems in several ways:
1- An internal team or Security Operations Center (SOC) monitors the operation of security solutions and provides 24/7 updates to senior security directors
2- Outsourced consultants (a popular choice) are brought in for health checks and configuration reviews – costing money and taking time to act on
3- A variety of security tools monitor configurations and check them against compliance requirements and regulations. The questions are whether these tools are vendor-agnostic, and what the workflow looks like when a violation is found
Which option is chosen differs by industry and need, and of course each has its pros and cons.