Essentials First: Looking for a Target

The IPv4 Internet has roughly four billion possible public addresses, so how hard can it be to find a suitable target (also referred to as a mark or subject)? This is the first aspect of security on which people concentrate. Certainly your network’s presence on the Internet is one way for hackers to find you; as a result, you should consider both the security of your network against attackers and the value of anonymity. You might have purchased the best security technology to protect your PC, and you constantly ensure that it is up to date with the latest security patches. This includes your firewall, Internet router, VPNs, antivirus software, proxy server, biometrics, and all the best security technologies that money can buy. You have done this, right? Of course not, because these things are a pain to do and you believe that you have nothing anyone would want. We shall see.

It is natural to think that security technology can protect you from the malicious threats of hacker exploits. In this case, however, you might have been yearning for a sense of security but forgotten about the weakest security link: the human factor, which is whatever sits between the keyboard and the chair. It is this factor that thieves of any type count on; perhaps it’s leaving your door unlocked, not patching your computer or keeping your antivirus/malware protection current, or believing you’re safe behind your router or cable modem.

Consider for a moment whether your employees are trained in information and physical security. Would they know what to do if someone tried to fool them into giving away potentially sensitive information? How many sets of keys to the building exist? What are the cleaning people doing when you are not there? Are they disposing of your trash properly, or are they bagging and dropping it into the dumpster? Could an intruder break a window or pick a lock to enter your building undetected, or my favorite, how long have you had the same alarm PIN?

You might think that you have a great IT staff or even a team dedicated to network security, which is a good thing. Security professionals are expected to have a high level of technical competence and, for the most part, this is true. But does that awesome firewall completely protect you? What threats does the corporation face from the inside, behind those firewall controls, and what countermeasures do you have in place today to protect your corporate assets?

However, these same professionals often do not expect the same to be true of the attackers and intruders from whom they defend their sites. Many do not take heed of the axiom that “There’s always someone out there smarter, more knowledgeable, or better-equipped than you.” Having engineers who think that they are the smartest people in the company is a recipe for disaster. Trust me, arrogance or a know-it-all attitude is a sure invitation to disaster and a magnet to those with something to prove. Separation of duties is an important concept that ensures no single employee holds the complete keys to your kingdom.

Security is often simply an illusion, facilitated and made more believable by the ignorance or naiveté of everyone in an organization. Do not place all your trust in security products; if you do, you settle for the illusion of security. Any security process must be implemented as both technology and rules, and all people in an organization must hold to those stated rules. In addition, you must perform random and repeated audits to determine whether certain people in the company, such as a CEO who does not heed all the rules, bypass any rules or controls. The CEO and other senior executives usually have access to secrets and are the first targets for a hacker. Letting the CEO bypass security policies, standards, and guidelines is a sure way to weaken a security policy.

In summary, true security is more than a product; it is a series of processes that encompass products and personnel across an organization: an end-to-end solution set that includes processes and controls under strong policy governance. The following section covers the importance of having company personnel be aware of the security process.
