Answering Enterprise Security Questions

I was asked to answer some specific questions for a reporter from Processor Magazine. They usually take bits and pieces of what I send, combine them with input from others in the industry, and write their articles from that. So I thought I would list the questions here along with my full answers.

What does it take to keep the enterprise secure?

A lot more than people think. The idea that a firewall and anti-virus software are enough can only be described as reckless these days. Even intrusion detection and prevention systems can be easily bypassed by cyber criminals. Every organization is different, and therefore there isn't one answer that will keep all enterprises secure; but in general a layered security approach that includes information security defenses at the edge, in the core of the network, and on the endpoints is what is needed. More important than the technologies or solutions employed is the way in which the enterprise gets the most out of those solutions. Centralized reporting and administration are key. Central repositories for compliance documents and audit documentation are critical. Policies, procedures, and controls are paramount. The best thing an enterprise can do is work with a security expert who has its best interests in mind and can help it design and roll out a comprehensive security program that fits its requirements and budget.

Why should some applications (or classes of apps) NOT be used in the enterprise?

The term "applications" is so broad that it is tough to answer this. In general, there are lots of applications that shouldn't be used in an enterprise, or that should be closely managed and monitored if they are used. Some for productivity reasons, others for security reasons. In my mind, what is more important than broadly banning applications (although there are times you should do that) is ensuring that systems only have the applications they need to perform their various functions.

Any application can have vulnerabilities that can be exploited. Look at Adobe Acrobat, for example. It is on more systems than any other application on the planet and has one of the highest rates of known, critical vulnerabilities. I don't know of many enterprises that are going to ban Adobe Acrobat. So the more important thing is a process whereby you can patch the systems and keep them up to date to reduce the chance of compromise.

If you are referring to "applications" in the context of security solutions, then I would answer differently. Simply stated, every organization is unique, and information security must be implemented and somewhat customized for that particular organization to offer real value. Again, if we are talking about security applications, one that I feel is really necessary these days but is often not known or used is Host Based Intrusion Detection & Prevention (HIPS). This is software that goes right on the endpoints you want to protect. It does a great job of securing individual assets you want to protect at a higher level, such as mission critical systems, customer databases, Active Directory services, or Internet accessible devices like an email server or web server. Web content filtering is another one that is absolutely necessary to help keep malware out of your organization. From a security standpoint, there are so many solutions that an enterprise really needs to work with an expert to see what it needs.

Why isn't it the best idea to give end-users administrator rights?

There are two big reasons for this: 1) the user may install software that could compromise the system and subsequently the entire network; 2) hackers who compromise the system may use these rights for other nefarious purposes.

How is mobility affecting the typical company's security planning?

USB thumb drives, smart phones, iPods/iPhones, and other devices are causing major problems for enterprises. Malicious insiders can use these devices to steal massive amounts of information and walk out with it on their keychain or in their pocket. Careless and untrained insiders often spread malware, viruses, Trojans, worms, and other things that can compromise or destroy systems and data. Mobile users such as telecommuters and travelers often have laptops stolen which have sensitive data on them. 45 of the 50 states have data breach disclosure laws that require an enterprise to publicly announce these incidents, which can have a huge impact on revenue, customer retention, and stock prices, not to mention the fees and class action lawsuits that usually follow.

Is there such a thing as too much or too little security?

Of course there is such a thing as too little security. I also believe that there can be too much security. If you have so many security solutions and so much technology that you aren't able to keep up with the 24/7 management and monitoring, you aren't getting what you need out of those solutions. You are wasting money. In the hands of properly qualified information security experts, it would be better. But there are so many solutions that people have deployed and they simply aren't getting much value from them. Maybe they were at one time, but people keep adding solution after solution and technology after technology rather than doing a risk and gap analysis, finding out what they really need, and then simply using those things. They will find they spend less in the end and get much better risk mitigation.

Perimeter E-Security provides security services for the financial industry. Read other blog entries by CTO Kevin Prince at perimeterusa.com/blog.