The old saying “all that glitters is not gold” can have a particular resonance with us in the Information Security profession, especially at this time of the year. I say this as we are now starting to move into the heart of the information security conference season; the RSA Conference has just finished in the US, Blackhat Europe is also behind us and of course Infosecurity Europe is just around the corner.
What I've noticed from the various conferences is that vendors adopt their themes from whatever is grabbing the news headlines. As a result we are seeing a lot of talks and vendors highlighting issues relating to cyber war, big data, cloud security, cyber espionage and any security breaches currently hitting the headlines. Indeed, I have witnessed a number of vendors promote their solution as being the one that would have prevented certain security breaches even though the root cause of those breaches has not been made public by the victim organisations.
So what does this mean to the information security professional? My concern is that, being human, we will get easily distracted from the boring and mundane tasks of managing our on-going information security programmes and succumb to the marketing hype promoting the silver bullet to cure all our information security woes. Don’t get me wrong, it is important to identify and implement tools and solutions to make the job of securing our systems more effective. However, it is equally important in the current business climate to ensure we get the most bang for our buck by investing in the most appropriate solutions for our environments.
Investing in the wrong technology can cause a number of issues, ranging from the technology not solving the problem, to the cost of purchasing and implementing the technology far outweighing the benefits it brings, to having to invest in yet more technology to augment what has already been paid for. These problems not only undermine your credibility amongst the management team but may also result in jeopardising budget approval for other future solutions.
Let’s be clear, I am not saying that we should not invest in new technology. What I am advocating is that when preparing to attend a seminar or conference you go there fully informed as to the particular problems you want to solve. Once you know what your problems are, seek out the vendors at the show that are addressing those problems. In other words, go looking for solutions to problems directly impacting you and your business and do not be distracted by the new “problems” vendors are highlighting. These new problems may indeed at some stage pose a threat to your systems, but you may find you can counter many of them by ensuring the mundane and basic controls are already in place and are working correctly.
To reiterate this point I refer to one of my favourite reports of late which is the Verizon Data Breach Investigations Report. This report is the result of Verizon analysing the breaches the Verizon Investigative Response team have worked on and also the incidents submitted by various contributing organisations around the world made up of law enforcement agencies and CERTs.
A recurring theme from these reports is that many breaches were not the result of some sophisticated attack or previously unknown malware, but simply the result of basic security measures such as patching and updating systems not being done correctly. Indeed, the report for 2012 has a statistic that 95% of breaches investigated were “avoidable through simple or intermediate controls”. So if we ensure patches are applied to systems, anti-virus software is updated properly, logging is turned on and monitored, and users are trained to be aware of security risks, then we can greatly reduce the likelihood of a security breach.
While all that glitters is not gold, it may take some hard work sifting through ordinary stuff to find a few golden nuggets.
If you do happen to be at Infosec this year, do say hello or indeed pop along to the Keynote Theatre on Thursday where I am chairing the panel discussion: "From discovery to recovery: Developing a robust incident response strategy". I hope to see you there.