How does IT Security rank with respect to other company risks?
There are always risks in life for individuals, and so there are risks for companies as well.
In IT, risk revolves around data protection (including Denial of Service as well as network or equipment failures), continuity of service, preventing IT security breaches, PC life cycle management, training users, and preventing misuse of equipment by employees.
The Kaspersky 2014 IT survey gave protection of highly sensitive data the highest marks for risk level (in their words: “Top concerns of the IT function”).
The response to the survey:
1. Protecting highly sensitive data 34%
2. Preventing IT security breaches 29%
3. Data Protection 28%
4. Continuity of services (Denial of Service, i.e. DOS, prevention) 23%
5. PC life cycle management 16%
6. Training users 14%
7. Preventing misuse of equipment by employees 12%
I left out some of the more nebulous items to do with improving the IT department and managing IT infrastructure. One could argue that life cycle management, training users, and misuse of equipment could be removed as well.
So the key items are sensitive data protection, data protection (backups, etc.), and security breaches (especially if we add DOS).
Data protection is not just backups; it is protecting the data from the hackers of the Internet, which includes malware and viruses. Most viruses come in through email; they may not be successful, but email is still the main entry point. Internet users should be trained on how to use email safely to reduce this high-level threat.
Internet users also need to be made aware of the tricky methods used by hacked websites.
Tabnabbing is one method that preys on user naivete. The watering hole attack is a form of attack where the hacker infects a website that your targets visit.
I.e. if your target is a telecom company, it might be easier to compromise a website that the telecom industry reads than the telecom company's own website.
The watering hole attack is difficult to prevent, as now we must block it at the lower network levels, such as the firewall ingress points. One could also prevent it at the Web proxy level, which reduces the Web risks.
Having a very good firewall/IPS system, which these days is called an NGFW or next-generation firewall, would reduce risk levels.
Risk level is always reduced in step with the level of understanding in the IT department. If the IT department has a very good understanding of IT security, running various tests continually, testing for DOS, and hacking the site with multiple tools is also a must. The problem for an IT department is the effectiveness of their simulated attacks. One has to be capable of attacking your network in an independent manner; even for PCI compliance reasons one must have an independent party doing the pentesting.
The PCI standards say the following in their pentesting guidance, PCI standards v1.13:
“Who performs penetration testing?
The PCI DSS does not require that a QSA or ASV perform the penetration test—it may be performed by either a qualified internal resource or a qualified third party. If internal resources are being used to perform penetration tests, those resources must be experienced penetration testers. The individuals performing penetration testing should be organizationally separate from the management of the environment being tested. For example, the firewall administrator should not perform the firewall-penetration testing.”
The PCI security standards created this requirement to reduce risks; to truly reduce your risk level, one must have an external, independent third party perform the pentest. It is good to get a second opinion when it comes to security on your network. Besides, sometimes the most dangerous attacks come from within, and most of the time not for malicious reasons but from negligence or incorrect usage.
It is very difficult for your IT people to be at the same security skill level as a person who breathes, thinks and does security every day, and every hour.
Contact us to perform a Pentest of your network.