
Keep security simple

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 24 Apr 2017


Spending the entire security budget on tools doesn't work. It is also a mistake to rely fully on third parties and service providers to take care of security, or to train only those employees within IT.

So said Mustafa Al-Bassam and Sebastian Strobl from Cognosec GmbH, who will present on 'White Hat vs Black Hat' at ITWeb Security Summit 2017, to be held at Vodacom World in Midrand, from 15 to 19 May.

They added it would be a mistake to leave it up to employees to define password complexity, or to believe that a perimeter firewall, signature-based technology or single-factor authentication are sufficient to protect the business.

So what does work? "Firstly, assign responsibilities for security, and implement secure defaults, such as password complexity and system hardening. Lessen the attack surface by removing any unnecessary devices, and always apply principles of least privilege. Adopt a 'defence in depth' approach, with multiple layers of security to make it more difficult for attackers, keep security simple, and conduct awareness training."

According to them, all businesses will be attacked at some point, so it's important to think about how to prepare for it. "Conduct regular vulnerability scans and penetration tests."

They said the difference between a penetration test and real attackers is that penetration testers are authorised and have the owner's permission to attempt to gain access. "Time is also a factor; remember that attackers have weeks or months for targeted attacks."

In addition, they said testers are provided with extra information to allow for more efficient testing, and will not conclude their test until all potential security vulnerabilities are identified. "Successful compromises are generally the combination of vulnerabilities and information."

Strobl and Al-Bassam added that some businesses reason that, because they have a firewall, there is no need to spend money on testing. "Think about it: we do not need penetration testing for IT but need crash testing for cars. This makes no sense."

Strobl noted misconfiguration and security bugs often remain undetected for years, and penetration testing can identify vulnerabilities in infrastructure and applications, as well as people and processes.

"It can also ensure the right controls have been implemented and are effective, and will test applications that are often the avenues of attack."
