
Infrastructure monitoring: it's all or nothing

By Hedley Hurwitz, MD of Magix Security.


Johannesburg, 06 Dec 2012

Businesses that fail to monitor their ICT infrastructure as part of a risk assessment on a regular basis are likely to find their systems compromised, and sensitive customer data stolen, along with financial information such as bank details. Sadly, despite many public losses of information and money, the majority of businesses fail to effectively secure their infrastructure.

"The problem isn't negligence, but the fact that infrastructure protection solutions have always been silo-based, catering for specific areas of the infrastructure, such as file servers only," says Hedley Hurwitz, MD of Magix Security. "The result is that companies have a clear view of 75% of their infrastructure risks, but about 25% of the risks are unknown, and this is where breaches can occur."

Soon after new vulnerabilities are discovered and reported by security researchers or vendors, attackers engineer exploit code and then launch that code against targets of interest. Any significant delay in finding or fixing software with dangerous vulnerabilities provides ample opportunity for persistent attackers to break through, gaining control over vulnerable machines and getting access to the sensitive data they contain.

Organisations that do not scan for vulnerabilities regularly and address discovered flaws proactively face a significant likelihood of having their computer systems compromised.

"The best way to ensure your infrastructure is secure is not to go for the big spend, but to take advantage of available risk management standards and tools to determine your own security posture," adds Hurwitz. "The SANS standards, for example, available at www.sans.org, offer free advice and pointers on what risks to look out for.

"A risk assessment is an inexpensive process that takes a few days. The result is a comprehensive overview of your entire infrastructure's security posture, giving the business a clear risk mitigation path to follow."

Hurwitz suggests four basic areas of risk to focus on as a start:

1. Hardware. Understand what hardware is authorised to be on the network and what its security posture is. This includes mobile devices such as laptops and employees' own smartphones.

2. Software. Understand what software is installed, if it is licensed and whether it is all patched correctly. Unpatched software is an easy way in for attackers.

3. Constant vigilance. New vulnerabilities are always being discovered in every type of software and many hardware devices, from operating systems to business applications and even Internet browsers. Ensure your company remains informed and installs updates as soon as they are released.

4. Standards. Become familiar with the SANS standards and possibly join one of the SANS chapters in South Africa. They have done the hard work and companies can benefit from their expertise.

Hurwitz says risk assessments are not one-off exercises, but must be conducted regularly. Moreover, companies can't conduct risk assessments in a limited capacity, but must ensure they cover all their bases, because one small vulnerability can be all a determined attacker needs.


Magix Security

Magix Security is an enterprise risk management company that specialises in identifying and eliminating risks and threats that emanate within organisations. The company provides technology-assisted information security, IT risk management, and IT compliance services and solutions to a wide array of businesses and organisations across South Africa. Its technology-based solutions help detect and prevent the abuse of data, and misuse of applications, IT assets and authority. In doing so, Magix Security helps its clients to eliminate the "insider threat" where the bulk of transgressions are known to occur and originate. It also helps clients manage their compliance and governance, eliminate fraud, information leakage, acts of sabotage, collusion and bandwidth abuse.

Magix Security is a privately owned South African company with offices in Johannesburg and Cape Town. Further information can be found at http://www.magix.co.za.
