Survey from EiQ Networks (sample size not as big as I would hope). Some startling statistics: just 15% of IT people think they are prepared for a security breach. Just 21% think that what they have in place can mitigate the risk. Only about 80% use a firewall (another survey put this at 87%). Only 28% are using host-based firewalls. (You have to use both, or one system being compromised suddenly becomes every system being compromised.) Only two-thirds use anti-virus. Only 60% use some type of intrusion detection, mostly just watching logs. Only 60% have even a partial process to respond to an attack, and only 30% think that process is solid.
Another survey from ISACA (a bigger survey) shows that 67% of IT professionals have heard of APTs, but half of those think they can protect against them.
And the people who think they are ready to protect their networks from an APT are relying on the things that don't work against APTs: firewalls and anti-virus. Like the keys to your house, these things only work against the regular run-of-the-mill threats and are practically useless against an APT. We still need them, but they are nowhere near enough. (They don't get it; even seasoned professionals in the cyber security industry don't seem to get it.)
Couple this with Cisco's survey: 75% of CIOs think that their security tools are effective, but less than half of them patch their systems regularly. They also don't really get it. What else are they not doing if they don't patch their systems?
There is also some noise in cyber circles about companies that think that since they were already attacked once (Sony, for instance) they won't be attacked again.
So sum that up to this: most companies are not even doing the basics right. Not patching, poor firewall use, hoping that outdated technology like anti-virus will help, but they don't even get that the threat they face has changed, and even when presented with examples they think it won't happen to them or that since they have already been attacked they are somehow immune. And they don't have a proper plan to deal with it, and I bet they also don't have a plan for how to recover from it afterward either.
So what to do?
Cyber security must do all of the motherhood stuff: firewalls (both perimeter and host), patching, anti-virus (even on Linux), etc. Segment your network so that the important stuff (point of sale, production, software development, whatever your company does) is not on your main network, and so that outside access is also on its own network (like HVAC and Pepsi machines), with access from the main network controlled if allowed at all. If the only thing required is access out, don't let access in.
And then, if your line of business is at all a target for an APT, assume you are already compromised. If you could be a target, you are a target, and if you think you can't be a target, prove it; don't just think it.
You have to teach your employees how to recognize spam and phishing emails and not to open them. If you have employees that are not learning, switch them to Linux with only user privileges. Better yet, switch as many users as you can, without affecting their job function, to Linux. It's just safer and more secure. (Based on the fact that there is so little malware for Linux and so much for Windows, and that user access rights on Linux are not administrator level, where on Windows so often they are.) Having a mixed network is more work and your IT people may complain, but if they are good they will be fine. And put more money into IT. The biggest issue with cyber security is not that people can't do it but that companies are failing to fund it properly. Use open source tools; use free Linux firewalls and security tools like IPFire. Take the money you save and hire IT people. Free tools with more people is better than paid tools (which are mostly based on the free tools and packaged to make them pretty) and not enough IT staff.
Also listen to your staff, regular and IT, when they say there is something wrong. Most security breaches are not caught by IT but by sufficiently empowered users.
You need to do intrusion detection, something like Snort, but also honeypots: fake systems that are not used for anything real on your network, but if they get activity it means someone is checking out your systems from the inside. Your systems are compromised and the attacker is looking for stuff to steal. Make them obvious and tempting and fill them with fake data. More on this another time, perhaps. For now just do the motherhood issues and get enough IT staff to do their jobs.
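To make the honeypot idea concrete, here is a small decoy listener I am adding as an example (not code from the original post, and not a real product): it binds a port nothing legitimate should ever use, shows a constructed fake FTP banner to look tempting, and treats every connection as an alert, since the only traffic a decoy ever sees is someone looking around from the inside. The bind address, banner text and the `simulate_touch` self-test client are my assumptions.

```python
import socket
import threading
from datetime import datetime, timezone

alerts = []  # in production ship these to syslog or your SIEM, not a list

def record_touch(peer, first_bytes):
    """Build the alert record for one connection to the decoy."""
    alert = {
        "time": datetime.now(timezone.utc).isoformat(),
        "source_ip": peer[0],
        "source_port": peer[1],
        "probe": first_bytes.decode("ascii", "replace"),
        "verdict": "ALERT: decoy touched, likely internal reconnaissance",
    }
    alerts.append(alert)
    return alert

def serve_once(listener):
    """Accept one connection, show a tempting fake banner, log what was sent."""
    conn, peer = listener.accept()
    with conn:
        conn.settimeout(1.0)
        data = b""
        try:
            conn.sendall(b"220 files-srv01 FTP ready\r\n")  # constructed decoy banner
            data = conn.recv(256)
        except OSError:  # connect-and-drop, timeout or reset: still a touch
            pass
    return record_touch(peer, data)

def start_honeypot(addr="127.0.0.1", port=0):
    """Bind the decoy; loop serve_once(listener) to run it. Port 0 = OS picks."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((addr, port))
    listener.listen(5)
    return listener

def simulate_touch(listener, payload=b"hello"):
    """Self-test: a client thread touches the decoy while we serve one connection."""
    def client():
        with socket.create_connection(listener.getsockname(), timeout=2) as c:
            c.sendall(payload)
            c.recv(64)  # wait for the banner so the close happens after it
    threading.Thread(target=client).start()
    return serve_once(listener)
```

On a real network you would bind a tempting port on an address inside the segment you want watched, and any alert at all is worth a human looking at it, because no legitimate job touches the decoy.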