Today we want to talk about information security, specifically about perimeter protection in a changing business environment. Given the growing popularity of clouds and data lakes, management wants to do everything possible to protect the perimeter. Meanwhile, IT professionals have to formulate a rationale for launching information security projects and convince the business that security needs to be monitored all the time.

“Protect our data!” is something IT staff often hear from the leadership of modern companies. Yet companies do not always understand that security is not a product but a process, and an integrated one. Constantly evolving Internet threats can create various problems for businesses, but the degree and relevance of protection are individual for each business and may change over time.
Security systems evolve in step with IT threats. Protecting everything “at the highest level” often requires spending a lot of money and involving a lot of people. Yet you can choose the appropriate level of protection for each asset only if you know the real value of the business. Attackers can pursue different goals: taking down a site on a competitor's order, stealing information, making services unavailable, withdrawing money from accounts, or blocking the company's work and extorting a ransom. It is up to the company's leadership to decide which events are truly dangerous and warrant real protection.
For example, a business worth 100,000 rubles can generally get by with only free or open-source protection systems. A multi-billion dollar business, by contrast, will not begrudge a couple of million for the firewall alone, because a network penetration can cost much more. The same reasoning decides whether a company needs, for example, intrusion prevention (IPS) functionality: if implementing it costs more than the damage an intruder would cause in the network, such a system is completely useless.
Whether you need DDoS protection depends on what role the site plays in the company's work. The level of protection against distributed attacks in turn depends on how much money the site brings in: leading portals and online stores can pay tens of thousands for DDoS protection, while a $100 solution will be enough for a small site that helps take orders.
Moreover, each attack has its own specific goal, so when building a defense it is important to understand whose realm of interest our business falls into. Only by answering the questions of whom we are defending against and what effort we are ready to make can we outline the range of actions that need to be taken.
Not a product - a process
But even if the company clearly understands how and from whom its data must be protected, we must not forget that information security has long ceased to be a product. In the past it was thought that installing an antivirus on computers was enough and everything would be fine. Over time a firewall was added to it, allowing you to close unneeded ports. Since then, many have become accustomed to thinking of security as a set of solutions. But today that is no longer the case.
With each system that is added, upgraded, or even simply updated, a quantum leap in the level of security occurs. For example, application control systems start to be installed on the gateways, or traffic between servers starts to be encrypted. That is, companies build up protection as they face new threats. This process has certain triggers that prompt further moves:
1) New legislative requirements. First of all, everyone is afraid of fines and regulatory sanctions, so business responds very actively to legislative initiatives. For example, the law “On Personal Data” forced the majority of organizations operating in the market to introduce new security systems. Industry standards, such as PCI DSS in the banking sector, also constantly require information protection systems and communication channels to be brought into compliance.
2) Infrastructure change. It is good when, after a change in infrastructure, the IT service or a dedicated IS service re-evaluates risks to find out how protecting the new infrastructure differs from protecting the old one. For example, when introducing cloud technologies or installing servers at a new site, the data transmission channel must also be protected.
3) New services. New services, especially public ones accessible to everyone, are subject to new attacks. When bringing mobile applications, self-service portals and other business-friendly things to market, it is necessary to analyze the possible dangers. At the same time, introducing additional protection systems usually increases the security of the entire virtual environment.
4) New vulnerabilities. A reason perhaps not as large-scale as the emergence of new services, but one that still contributes to the security system, is installing protection against vulnerabilities across the whole range of software used by your employees. If during operation it turns out that some piece of software can let “intruders” into the network, the security service has to at least create new rules, that is, adapt the protection tools in use to the new working conditions.
5) Marketing. Another very popular engine of progress in information security is marketing. Take the same firewall, which evolved into UTM and later into NGFW (Next Generation Firewall). New slogans and technologies often arouse interest among decision makers, and upgrading the firewall to an NGFW or introducing a new IDS becomes a tribute to fashion, although it does raise the level of perimeter security overall.
6) The roasted rooster. Alas, the most common reason for strengthening perimeter protection is the peck of the proverbial roasted rooster, that is, an incident that has already happened. When the site has already been hacked and the database has already been stolen, attempts are made to defend against further attacks of a similar nature. The downside is that the company constantly remains at least one step behind the attackers. After all, having introduced the necessary equipment or software, and perhaps subscribed to some IS service, company representatives forget that they need to keep taking care of the security of their networks. Yes, if you got DDoS protection after the site had been unavailable for a week, the next DDoS is unlikely to pose the same danger to you. But other new attacks are likely to catch you off guard again.
Process approach
It is possible to move from the “roasted rooster” to more civilized methods of building a protection system if you choose a process approach to security. That is, you need to constantly monitor how the threat landscape and risk profile for your business change. Every innovation, whether it is an added server rack, a newly launched mobile application or increased activity by competitors, should lead the information security service to reassess the situation and, possibly, to introduce new layers of protection, or perhaps simply to change device profiles, which can save the company considerable funds.

Some hand all this mess over to an external contractor (which is why analysts have recently been predicting growth in the ISaaS (Information Security as a Service) market). Others, who do not want to wait for the next failure, start planning and organizing information security processes on their own. To do this, it is necessary to evaluate the possible risks and learn how to manage them. However, this is a topic for a separate article, and we will return to it in the near future.