
GUEST COMMENTARY

Getting back to basics


Kevin Beaver, CISSP
04.22.2004


Information security isn't what it's cracked up to be these days. Sure, there are vendors pushing faster, better, cheaper security products. And, we have fancy systems like SSL VPNs, e-mail and wireless LAN firewalls, etc. to protect our digital assets. The problem is that we can't see the forest for the trees.

We're applying so-called secure defenses around business processes that lack a stable foundation and employees that lack the most basic knowledge of security. Many organizations put safeguards in place for the sake of security without actually thinking things through. With all the money invested in the hopes of achieving some semblance of security, malware attacks are still disabling entire networks; Web sites are still getting defaced; credit card databases are still getting broken into; and wireless LANs are still being deployed without the least bit of real security in place.

It's time to get back to the basics and focus on keeping things practical. You've got to think long and hard about whether or not you'd be better off saving the time, effort and elbow grease required to implement and manage all the "necessary" security technologies and get down to what really counts. We've got to stop adding on all the knee-jerk layers of protection that do nothing more than increase our own false sense of security. Does this mean you should unplug your firewall? No. Get rid of your antivirus software? Absolutely not! Stop patching your software? Don't even think about it. Not change default settings to harden new systems from attack? You're kidding, right?



After you have all the basics down – firewalls, antivirus and patching, not to mention people and processes – you should focus on one thing more than any other. This one thing will require a decent budget and some of the most experienced people you can hire. This critical component that is so often overlooked and not taken seriously is an incident-response plan.

I'm talking about developing a plan and knowing it like the back of your hand. Your incident-response plan has got to focus on the essential areas, including what constitutes an incident, who will be on the team, how incidents will be contained and recovered from, who will be called in for formal investigation, what tools will be used and how evidence will be handled. Oh, and test it like you've never tested anything before. That's the only way you and your team will learn, be prepared and find any flaws that can cause trouble down the road.

You absolutely cannot rely solely on your security technologies – or your policies for that matter – to protect your information. When it comes to computers, the bad guys are usually at least a couple of steps ahead and seem to always be able to come up with new ways to attack systems. Thinking you can prevent every type of security breach in your organization is the same as believing that the police will always be there to protect you when harm comes your way. It's basically impossible to protect against something that has never happened before, so you've got to be prepared to respond.

You can't try to make critical decisions during and immediately after a security breach. An incident-response plan is your insurance policy and your guide. It's your only reliable solution to effective information security. I think the growing popularity of the computer forensics field is the proof in the proverbial pudding. Develop, test and maintain your incident-response plan like it's your saving grace. It will be someday.

About the author
Kevin Beaver, CISSP, is president of the Atlanta-based information security consulting firm Principle Logic, LLC. He is the author or co-author of Ethical Hacking for Dummies published by John Wiley and Sons, The Practical Guide to HIPAA Privacy and Security Compliance published by Auerbach Publications and The Definitive Guide to E-mail Management and Security published by Realtimepublishers.com. Kevin is a columnist and expert advisor for SearchSecurity.com and serves as Secretary of InfraGard Atlanta. He earned a bachelor's degree in Computer Engineering Technology from Southern Polytechnic State University and a master's degree in Management of Technology from Georgia Tech.

