By Mark Shaw
I used to work with an ex-military IT guy who would look at new PCs, still in the box, and say, “Wow, what a security threat.” I would laugh and ask him what would make them the most safe. He replied, “Never turn them on.” We would both laugh and I would then state, “OK, so we have the worst and best cases for security; now we have to find a middle ground and make it usable for the end user.”
When it comes to security, isn’t that really the point? If you focus too little or too much on security, you lose sight of what the computer and network are there for. The entire point of a computer system, its software and a network is to provide productivity for the user and efficiencies for the company. When we drift from this, we lose sight of what we in IT have been working towards in the first place: technology for the masses.
Security has become such a buzzword that anyone and everyone has advice on the topic, and everyone wants to be an expert.
There are companies offering White Hat Hacker certifications (White Hat is the industry term for a “good” hacker who helps people, as opposed to a Black Hat) that take only five days to earn, after which you are apparently an expert. When I see these people practicing, I can’t help but feel like I have a brand-new doctor and I am their very first patient.
While any certification is a good start, a security auditor needs more than a certificate to be effective. There should be a proven track record, both for the organization and for the staff who will actually do the work; ideally a minimum of 10-15 years of core competency in the security field.
It is also best if the company or auditor focuses solely on security and nothing else. If the same company that handles the audit also sells the tools for remediating any issues it finds, isn’t that a conflict of interest?
How unbiased will anyone be if they happen to have the “perfect” solution to the problems they found? The best audits have the security company do the audit, and a trusted IT resource, internal or external, review the findings and then make the remediations that make sense.
Over the last few months more and more security-focused sales pitches have been aimed at the small and medium business market, while we all watch the large enterprises make headlines, time and time again, for leaking credit card numbers, social security numbers, e-mail addresses, phone numbers or worse.
This is a real issue and there is no chance it will go away. The goal of any small business is to remain secure while still being able to work. Turning off the power on your technology is never going to be the answer.
When I worked in a large multinational I used to find myself surrounded by Ph.D.s in the research and development lab all the time. There were people who would moonlight working with NASA on ways to better calculate distances to other stars by using the earth-to-moon distance as a base demonstrator. Many times I hardly understood what they were saying technically, but I understood the concepts. I would sit with some of the best and brightest of this team at lunch and we would talk about how they would have a hard time with common-sense items.
That is how the term “tree people” was created. What are tree people, you might ask? Great question: they are the people who are so smart that they can look at any tree and tell you its genus, phylum and species, and then walk right into it. The roaring laughter from all sides of the table that day was one of the highlights of my career there. It was the day when people from the Ph.D. side realized that there are so many cases where all the education, certifications, degrees and other academic achievements lose out to common sense.
The story is fitting because time and again the biggest security breaches I have seen have come from the certified professionals. People with the best intentions can often create the biggest disasters.
Here is some common-sense advice for any business that is approached about a security audit:
1: Do not allow anyone to run any application or tool on your network.
2: Do not share any administrator or network passwords.
3: Do not allow anyone physical access to any of your network devices.
4: Do not allow people to take photos of your hardware, serial numbers or any network devices.
Any legitimate network security audit is done from the viewpoint of an attacker on the outside of the network. Under no circumstances should you hand someone your passwords and give them physical access to the network just because they asked; if you do, you have compromised your network on the spot.
Now one or more third parties hold your public Internet addresses and the passwords needed to get behind your present security.
This is not how a security assessment or penetration test should begin. It should be done from outside the network, with no internal or confidential information shared. A firm with real background in this area will try to breach the network by the same means an attacker would, and will not require any details or physical access to the machines to do so. If a later, agreed engagement with a vetted firm does call for inside access, it is granted under a written scope with dedicated temporary accounts that are removed when the test ends, never by sharing your existing administrator passwords.
Just the other day one of our clients stated that their large firm calls it an “audition” to work with their company: if you can get in from the outside, you can present your findings and we may then do business with you.
Every day small and medium-sized businesses are approached about security. Using a common-sense approach and vetting the vendor as you would any other will go a long way toward ensuring your continued security.
Mark Shaw is president, Stored Technology Solutions (StoredTech).