Following best practices is essential for robust network security

Many organizations fail to follow basic, straightforward best practices, Skybox’s chief executive recently told Infosecurity. And the vulnerabilities that result are among the easiest to remedy, if organizations would only apply these best practice procedures correctly and in a timely fashion, he added. What Cohen alluded to was not the purchase of an additional technology solution but rather – in many instances – simply using your currently deployed technologies in the manner in which they were intended to work.

The company Cohen helped co-found supplies what he described as proactive network security management for enterprises and government agencies. Skybox is one of the few firms that provides cyber attack simulation technology, which replicates possible attack vectors that can exploit IT infrastructure vulnerabilities.

One often mismanaged area is software vulnerabilities, which all need to be patched in a timely fashion, he implored. It can be an expensive task, said Cohen, that many organizations do not perform on a daily basis.

When patches are applied only periodically, the gap between when a vulnerability is first actively exploited and when a patch is applied can sometimes stretch to months, which is obviously detrimental to security. “This does not keep up with the speed of discovery of new vulnerabilities and ways to exploit them”, he lamented. “So many systems that are not updated correctly or in time are left completely exposed.”

Another security basic is the firewall, which Cohen called the most established security control on a network. But it’s only over the past few years, said the Skybox CEO, that organizations have started to manage their firewalls.

“Organizations sometimes have hundreds, even thousands of firewalls, with thousands of rules...it’s become a mind-boggling problem”, he observed. The result, Cohen continued, is an out-of-control situation that leaves organizations vulnerable.

He said there are multiple elements to firewall management best practices. First, many organizations fail to establish a policy on how firewalls should be configured, and in many cases where a formal policy exists, Cohen believes there is a large gap between how they are actually configured and what the policy prescribes.

Second is establishing a process to continually review configuration issues, in addition to agreeing on acceptable deviations from the configuration policy.

Finally, Cohen said organizations need to establish a firewall change review process to understand the change, analyze the change from a risk perspective, and reconcile the proposed change policy against real-world conditions.

“These elements, which are very straightforward by any IT service management discipline, are just now starting to get into security practices”, Cohen noted. “These are just best practices that are very common outside security programs and are now just starting to be adopted.”

Cohen suggested IT security managers take a step back and consider a more proactive security management approach. “It’s typically way cheaper to close the security gaps before you are hit”, he said. “The historical challenge that organizations have had is that proactive security has not made sense because it is expensive and not practical.” But this hurdle, Cohen maintained, continues to be lowered.

From a resources perspective, while it does not make sense to close every single security gap, Cohen said that if something is critical and an organization can’t afford to be hit in one particular area, then being proactive can pay off handsomely.

“It’s typically very cheap to close a vulnerability when compared with the consequences of an attack”, he concluded. “Implementing automated solutions that can help you be proactive in a cost-effective way can have a huge ROI for any organization.”
