Get in Shape

Get in Shape

Seven essentials for enterprise security success

In a year in which some of the biggest names in both physical and logical security have been named and shamed for security lapses and subsequent breaches, reality is bearing down hard on the IT executive. New threats and risks seem to have bombarded enterprise networks at an unrelenting pace. If your organization is one of the many without a comprehensive, multifaceted security program, now is the time to take your head out of the sand. Antivirus programs and firewalls alone no longer cut it. Hackers and malicious insiders long ago figured out that these elementary safeguards are about as effective as a suit of armor made of tissue paper.

Convincing Unbelievers

Unfortunately, it can be difficult to convince the organizations most vulnerable to cybercrime that they even have a problem. The most oblivious among them have no idea that they may already be in the clutches of a hacker because they don’t have the tools or processes in place to properly investigate the anomalies in system and network behavior that raise red flags.

While there certainly are many moving parts in any comprehensive IT security program, everything ultimately boils down to visibility and control. Organizations need to see who or what is accessing their data and be able to limit access based on each user’s role within the IT ecosystem. IT staff need to keep tabs on system configurations and patch levels to limit inappropriate access and service disruptions. And organizations need to be able to look into system logs to spot anomalies and stop attacks before a great deal of damage is done.

Every enterprise is different, and the severity of risk always depends on individual circumstances. But in my more than 30 years of experience as a security professional, I believe a solid enterprise security framework incorporates the following seven fundamentals.

Endpoint Management

As the consumerization of IT continues to push a wide diversity of devices onto many enterprise networks, security professionals now face greater difficulties protecting their networks from the risks that each new gadget can impose. It is time to stop ignoring these issues and start analyzing how much of a threat these different classes of devices pose to your network. It is time to create and then enforce policies that effectively balance user productivity and risk. More importantly, regardless of whether devices are owned by your business or by your end users, they should meet a minimum standard of secure configuration before they connect to your network. This means patch levels must be up to date, unique passwords set for every application and function on those machines, and anti-malware installed.

The devil is in the details, but the overall goal is to ensure that, if hackers do compromise a machine, it is configured in such a way that it cannot become a launch pad for attacks deep into your network. This also means making sure there are no common privileged credentials in embedded applications waiting to be exploited. For example, if a backup task image is installed on every network device that has a common privileged identity attached to it and a hacker compromises that device and finds that password, the hacker has a meal ticket into future network exploits. Be careful of that.

Shared Passwords

Shared administrative passwords are a dirty little secret in the IT community. Many IT administrators avoid creating unique IDs for the privileged users who control the systems and applications on their networks—and fail to change the account passwords frequently—because the work is tedious and takes time away from higher-visibility tasks. However, shared logins can make it impossible to determine a chain of custody on highly privileged accounts, and thus they create an attractive target for hackers sniffing around the network for vulnerabilities. Similarly, it should be a top priority to secure application accounts that use default or common passwords. These accounts are ripe for misuse should a malicious insider or an outside attacker gain access to one of these passwords, since they’ll be accessing data that likely includes sensitive information about your customers and employees.

Log Management and SIEM

Speaking of log management, are logging capabilities turned on for all the different devices on your network? Many times I see organizations falter in this critical regard. In doing so, they fail to gain valuable insight into user and system behavior. Even when logging is enabled, many organizations lack the tools and practices to turn the deluge of data into actionable information. Log management and security information and event management (SIEM) solutions are an essential part of an effective IT security program. These tools are the first line of defense to help IT departments flag nefarious behavior, stop it in its tracks and eventually determine who is responsible. But these technologies can take a great deal of skill and expertise to operate properly. So each organization needs to invest not only in the tools but also in the training to use them. What’s more, you’ll need to make the supporting investments to ensure that the data is useable. If you spend a lot of money on an SIEM solution but then there is no effective identity management system in place supplying the data about who is responsible for security events, it makes that log data a lot less valuable to the organization.

Account Management

When an employee leaves your company or loses a device, do you know which credentials may have been compromised in the process? Without some way to keep track of all of these accounts it’s almost certain that they’ll be misused. Far too many enterprises are cavalier about the process of provisioning and deprovisioning accounts. Even if an organization manages to eradicate shared passwords, if they fail to shut down accounts once they’ve expired, bad things happen. For example, serious risks could arise from a disgruntled former employee who is still able to access the accounting system because no one bothered to shut down his account once he left the company. Or consider the possibility of a current employee who uses a former coworker’s credentials to steal data undetected because the ex-employee’s account stays active. Or if a device with stored passwords is lost and nothing is reset, an outside attacker will gladly take advantage of that opening.

Controlling Access to Data

Even with sound account and password management practices in place, malicious insiders or hackers who gain control of an account with access to too much data can still do a lot of damage. Organizations need to think carefully about how much data individual users can access through their accounts. Ideally, enterprises should implement role-based access so that users touch only the data necessary to get their jobs done.

And even when that practice is in place, it is probably a good idea to limit the volume of accessible data to prevent large scale exfiltration of information through e-mail, USB or screen-scrape dumps. An employee may need to view dozens of customer records each day, but does he really need access to, say, hundreds or thousands? It is of the utmost importance to implement data loss prevention (DLP) controls to help determine how much data should be accessed in any timeframe, thereby helping prevent someone from sending large amounts of sensitive information out the door.

Data Visibility Outside The Corporate Walls

If you are using DLP but then turn around and willingly ship a datacenter full of sensitive information to an outsourced or cloud provider, you’ve just wasted your money. The money you’ll save in the cloud will be squandered once that external infrastructure is breached and you have no way of investigating what went wrong—because most cloud service providers have no concept of DLP and other critical controls.

Enterprises really need to think critically about what they’re getting into when they send information outside the corporate walls. If a data store is too valuable to lose, then it probably isn’t a good idea to let an outside organization with unproven or perhaps nonexistent security controls take command of that information.

Centralization Could Kill You

For the last ten years, companies have been de-siloing applications and data storage, putting everything into giant databases so that anyone can get any information they might need. It’s mighty handy for the IT department and corporate users, but it also creates a huge target of opportunity for data thieves.

The fundamental danger really comes down to a simple rule: If your sensitive business data is in one place, you’re in big trouble if someone breaks into that system.

No need to stop de-siloing applications and streamlining operations. The more centralized your information, the more critical it is to implement solid database security and access management practices. IT executives need to start asking themselves what can be accessed from where, and how much of that access can be limited. Which IP addresses are allowed? What time of day is access permitted? How are users or devices authenticated? Is multifactor authentication needed to add another layer of security? All of these considerations become more important as your data becomes more consolidated.

The more organizations start to focus on these seven essential factors, the greater their chances of avoiding costly security breaches or at least limiting the potential damage when incidents do occur. These fundamentals are all about bringing greater visibility and control to the IT infrastructure. Fail to take control and it becomes not a question of if your organization will be breached, but when.

This article originally appeared in the October 2011 issue of Security Today.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • XS4 Original+

    XS4 Original+

    The SALTO XS4 Original+ design is based on the same proven housing and mechanical mechanisms of the XS4 Original. The XS4 Original+, however, is embedded with SALTO’s BLUEnet real-time functionality and SVN-Flex capability that enables SALTO stand-alone smart XS4 Original+ locks to update user credentials directly at the door. Compatible with the array of SALTO platform solutions including SALTO Space data-on-card, SALTO KS Keys as a Service cloud-based access solution, and SALTO’s JustIn Mobile technology for digital keys. The XS4 Original+ also includes RFID Mifare DESFire, Bluetooth LE and NFC technology functionality. 3

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3