The Importance Of Fundamentals

Rook Security, published in SECOPS
3 min read, Jan 8, 2015

I recently read two articles that make me wonder when, and if, organizations will ever commit to the fundamentals of information security. A CSO article was brought to my attention by fellow infosec guy and cigar aficionado, Eric Cowperthwaite, in his blog Security, Cigars & FUD. The article, “Why the Board of Directors Will Go Off On Security in 2015”, highlights the disconnect between executive management and security as well as the lack of fundamental security practices.

Boards and executives are concerned, as they should be, about their fiduciary responsibility and legal liability in the wake of last year’s payment card breach at Target, the dismissal of Target’s CEO and CIO, and the ensuing legal actions. Yet, companies continue to ignore the basics.

Eric Cole, Senior Fellow at The SANS Institute, sums up the issue very nicely. “If you take any of those big companies that have already been hit, they made these big announcements about spending several million dollars on security to fix the problem. When breaches hit them again next year, that’s going to paralyze the organization and the board of directors.” Cole goes on to say, “Most big companies / stores purchased more security products such as next-generation firewalls and state-of-the-art IPSs. My concern is that many of them don’t have the proper structure or foundation for security in place.” Rather than a quick fix with all these products, companies need to first build the proper foundation.

There are four fundamental responsibilities that companies must address:

  • Asset identification
  • Configuration management
  • Change control
  • Data discovery

Many organizations have no idea what someone has plugged into their networks. They don’t know how people have configured these assets. They don’t manage change, and they don’t know where their critical data is located. “If you fail in those four areas, you can spend $50M on security products, and it’s not going to help you because the underlying vulnerabilities that create risk are still there,” says Cole.

The second article that caught my attention is a notice from The Payers website that Charge Anywhere, a provider of electronic payment gateway solutions, announced that they have “uncovered a sophisticated attack against its network.” The notice on Charge Anywhere’s website seems innocuous enough until you read that “During the exhaustive investigation, only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified. Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009.” The attackers had access for nearly five years before they were discovered and Charge Anywhere has no idea if any payment card information was taken before August 17, 2014.

I suspect, and this is purely conjecture, that Charge Anywhere has a logging tool in place that no one looked at until this breach was brought to its attention by a third party. They then discovered that the storage capacity was only large enough to have maintained log records back to August 17. Another large investment made in tools, but not in the resources necessary to monitor the output and watch for suspicious activity.

Don’t misunderstand me; security hardware and software tools are an important part of the battle against malicious activity. But without the fundamental knowledge of your environment and an information security management program, those tools have the same effectiveness as an air traffic control radar system with no one monitoring the blips on the screen and no rules for reacting to an impending collision.

So, commit to establishing and executing on the fundamentals this year. Who knows… it may save your job and your CEO’s.
