Cloud Security Alliance (CSA)

Security Check List: An Ounce of Prevention is Better than a Pound of Cure

By Wolfgang Kandek

It is common belief that buying more robust and expensive security products will offer the best protection from computer-based attacks; that ultimately the expenditure pays off by preventing data theft. According to Gartner, more than $50 billion is spent annually on security infrastructure software, hardware and services. The analyst firm expects this number to grow and reach $86 billion by 2016.

With security investments skyrocketing, the number of successful attacks should be decreasing, but it isn't. That's the reality. There is no one thing, or even combination of things, that can guarantee you won't get hacked. However, there are some basic precautions companies can take that put up enough defenses to make it not worth a hacker's time and effort to try to break in.

The recent Verizon Business 2013 Data Breach Investigations Report revealed that 78% of initial intrusions were rated as low difficulty and likely could have been avoided if IT administrators had used some intermediate and even simple controls. Using outdated software versions, non-hardened configurations and weak passwords are just a few of the many common mistakes businesses make. These basic precautions are being overlooked, or worse, ignored.

Implement a Security Hygiene Checklist

One of the simplest and most effective ways for companies to improve their defenses is to create and closely adhere to a checklist for basic security hygiene. The Centre for the Protection of National Infrastructure in the UK and the Center for Strategic & International Studies (CSIS) in the US released a list of the top 20 critical security controls for defending against the most common types of attacks. Topping the list are creating an inventory of authorized and unauthorized devices and software, securing configurations for hardware and software, and continuous vulnerability assessment and remediation.

Many organizations are already using this checklist and seeing results, including the US Department of State, NASA, Goldman Sachs and OfficeMax. The State Department followed the guidelines for 40,000 computers in 280 sites around the world and within the first nine months it reduced its risk by 90%. In Australia, the defense agency's Department of Industry, Innovation, Science, Research and Tertiary Education reported that it had eliminated 85% of all incidents and blocked malware it would otherwise have missed, without purchasing additional software or increasing end-user restrictions.

My own security precaution checklist includes:

  • Promptly apply security patches for applications and operating systems to keep all software up to date
  • Harden software configurations
  • Curtail admin privileges for users
  • Use 2-factor authentication for remote access services
  • Change default admin passwords
  • Prohibit web surfing with admin accounts

Making it Happen

The hardest part of changing security policies is getting IT administrators on board to drive these initiatives. Because they are already managing heavy workloads, it is important to present the efforts as ways of strengthening existing security measures rather than adding responsibilities. Incentivizing implementation is another effective strategy. Or, you can always remind them that cleaning up after an attack is harder than preventing one, but in case you need more ammunition for motivating IT:

  • Friendly competition: One engineer at NASA boosted participation by awarding badges, points and other merits as if it were a game, giving employees incentive to compete for the highest score.
  • Company-wide report card: The Department of State assigns letter grades based on threat risk for each location, including various aspects of security and compliance. For instance, a lower grade would be given for software that is missing critical patches and infrequent vulnerability scanning. The report cards are published internally for all locations to see and again boost participation by competition and cooperation.
  • Show them the money: The biggest incentive of all would be offering bonuses or time off for quantifiable improvements in security and reduced risk.
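The checklist above and the Department of State's report-card idea fit together naturally: the same control list that tells an administrator what to fix on one host can be scored across a whole inventory and turned into a per-site grade. The following script is an added example and not code from the article or from Qualys; it scores a constructed host inventory against the six checklist items (patches current, hardened configuration, no standing admin rights, 2-factor authentication on remote access, default admin password changed, no web browsing as admin) and grades each site. The control weights, the 30-day patch threshold and the grade cut-offs are assumptions chosen for illustration, not figures from the article.

```python
"""Score a host inventory against a security-hygiene checklist and grade each site.

Constructed example: host records, control weights and grade cut-offs are
illustrative assumptions, not data from the article.
"""
from collections import defaultdict
from datetime import date

# Assumed threshold for "promptly apply security patches".
MAX_PATCH_AGE_DAYS = 30


def _patched_recently(host, today):
    """True when the host's last patch date is within MAX_PATCH_AGE_DAYS of today."""
    return (today - date.fromisoformat(host["last_patch"])).days <= MAX_PATCH_AGE_DAYS


# Checklist controls: (name, weight, predicate that returns True when the host PASSES).
# Weights are assumptions; heavier weights go to gaps that are cheapest to exploit.
CONTROLS = [
    ("patches_current", 3, _patched_recently),
    ("hardened_config", 2, lambda h, t: h["hardened"]),
    ("no_standing_admin", 2, lambda h, t: not h["user_is_admin"]),
    # 2-factor is only required where remote access is actually enabled.
    ("mfa_on_remote_access", 3, lambda h, t: not h["remote_access"] or h["mfa"]),
    ("default_admin_password_changed", 3, lambda h, t: not h["default_admin_password"]),
    ("no_browsing_as_admin", 1, lambda h, t: not h["admin_web_browsing"]),
]
MAX_SCORE = sum(weight for _, weight, _ in CONTROLS)  # 14 with the weights above


def failed_controls(host, today):
    """Return the names of the checklist controls this host does not satisfy."""
    return [name for name, _, passes in CONTROLS if not passes(host, today)]


def risk_score(host, today):
    """Weighted sum of the host's failed controls; 0 means every control passes."""
    failed = set(failed_controls(host, today))
    return sum(weight for name, weight, _ in CONTROLS if name in failed)


def letter_grade(share_passed):
    """Map the share of weighted controls passed (0.0 to 1.0) to a report-card grade."""
    for cutoff, grade in ((0.9, "A"), (0.8, "B"), (0.7, "C"), (0.6, "D")):
        if share_passed >= cutoff:
            return grade
    return "F"


def site_report_card(inventory, today):
    """Grade every site by the weighted share of controls its hosts pass."""
    totals = defaultdict(lambda: [0, 0])  # site -> [risk points, maximum points]
    for host in inventory:
        entry = totals[host["site"]]
        entry[0] += risk_score(host, today)
        entry[1] += MAX_SCORE
    return {site: letter_grade(1 - risk / maximum) for site, (risk, maximum) in totals.items()}


# Constructed inventory: two sites, four hosts, in the state a vulnerability scan might report.
INVENTORY = [
    {"hostname": "hq-ws-01", "site": "HQ", "last_patch": "2013-04-20", "hardened": True,
     "user_is_admin": False, "remote_access": True, "mfa": True,
     "default_admin_password": False, "admin_web_browsing": False},
    {"hostname": "hq-srv-02", "site": "HQ", "last_patch": "2013-03-01", "hardened": True,
     "user_is_admin": False, "remote_access": True, "mfa": True,
     "default_admin_password": False, "admin_web_browsing": False},
    {"hostname": "br-ws-07", "site": "Branch", "last_patch": "2012-11-15", "hardened": False,
     "user_is_admin": True, "remote_access": True, "mfa": False,
     "default_admin_password": True, "admin_web_browsing": True},
    {"hostname": "br-ws-08", "site": "Branch", "last_patch": "2013-04-25", "hardened": True,
     "user_is_admin": True, "remote_access": False, "mfa": False,
     "default_admin_password": False, "admin_web_browsing": False},
]
TODAY = date(2013, 4, 30)  # fixed reference date so the scoring is reproducible


if __name__ == "__main__":
    for host in INVENTORY:
        gaps = failed_controls(host, TODAY) or ["none"]
        print(f"{host['hostname']:<10} risk={risk_score(host, TODAY):>2}  gaps: {', '.join(gaps)}")
    for site, grade in site_report_card(INVENTORY, TODAY).items():
        print(f"site {site}: grade {grade}")
```

Running it lists each host's gaps (hq-srv-02 is only missing patches, br-ws-07 fails every control) and grades HQ a B and Branch an F. Publishing that table internally is the mechanism the State Department example relies on: the grade moves only when the underlying controls are actually fixed, and a site's standing is visible to every other site.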

While spending money on the latest security product to build bigger and stronger walls may impress the board of directors, it won’t necessarily deter attacks. Ultimately, the goal is to implement fairly basic but often forgotten measures to eliminate opportunistic attacks and discourage hackers who don’t want to waste the time and energy trying to get in. Some renewed attention to the basics can mean the difference between suffering from an attack and repelling one.

As the CTO for Qualys, Wolfgang Kandek is responsible for product direction and all operational aspects of the QualysGuard platform and its infrastructure. Kandek has over 20 years of experience in developing and managing information systems. His focus has been on Unix-based server architectures and application delivery through the internet. Prior to joining Qualys, Kandek was Director of Network Operations at the online music streaming company and at iSyndicate, an internet media syndication company. Earlier in his career, Kandek held a variety of technical positions at EDS, MCI and IBM. Kandek earned both master’s and bachelor’s degrees in computer science from the Technical University of Darmstadt, Germany.


Posted 30/04/2013 by Cloud Security Alliance (CSA)

Tagged under: patch management , security education , security controls
