The recent Black Hat security conference highlighted several important security issues, according to a recent InformationWeek article. The article offers several IT security lessons for organizations:
1. Understand what you're protecting
"The conventional IT security concepts of 'behind the firewall' and 'securing the perimeter' are outdated in a world of mobile devices and social networks," the article stated. "CIOs must take a hard look at what information they must make widely available versus the information they must restrict."
Businesses should use more than one approach to security to protect their data, especially when it comes to data that needs to be widely available to employees. Once these security measures are in place, regular testing is necessary to identify potential vulnerabilities and make sure the systems protect the way they should.
2. Read the fine print on cloud contracts
Another point the article made is the liability of cloud service providers compared to the business. Organizations that use cloud hosting, for example, should make sure they understand what the provider is liable for in the event of a software or storage glitch.
Security is another element to ensure from the cloud provider. Organizations should investigate the security services offered by the vendor, such as regular vulnerability scans, protection against distributed denial of service (DDoS) attacks and managed firewalls.
A recent Computing article highlighted the importance of protecting against DDoS attacks. Although DDoS attacks are typically used to slow down websites or cause outages, they can also serve as a distraction for attackers and lead to other threats, such as data breaches.
"It appears that the main purpose of the attacker was to distract the team investigating the data theft as well as overwhelm the systems the investigators may use to collect and analyze the evidence of the attack," Gartner analyst Anton Chuvakin told Computing regarding one such incident. "Specifically, the attacker might have needed a certain window to make use of the stolen data, and only needed to delay the investigation by that time."
Many organizations are not effectively guarding against data loss, according to Computing: 79 percent of data breach victims are not pre-targeted, but simply have an exploitable weakness. Eighty-five percent of breaches took weeks or months to discover, and were discovered by third-party organizations rather than the victim.
