Network security - Don't double-lock the front door, but leave the windows wide open!
David Groves highlights a few typical network security mishaps and how to avoid them.
Written by David Groves - 01 September 2014
From a vendor’s perspective, security products are great. Unlike most technology products, which are there to do something, security products are there to prevent something. This means that you only notice a problem when they fail to do so.
So the natural sales pitch for any security vendor is to emphasise their expertise and to talk up the potential impact and/or likelihood of a security breach.
The problem is that it’s very hard to tell the difference between a real security expert and someone who has learned the right words.
What the slick salesperson won’t tell you is that security is about people, policies and systems – in that order. If the people don’t adhere to the policy, or if the policy isn’t any good, no amount of systems are going to save you.
Simply put - amateurs hack systems, professionals hack people!
For example, one customer I visited couldn’t give me a guest Wi-Fi access code to run a demonstration, so he suggested I plug my laptop directly into the network cable in their meeting room instead. That’s a policy failure – they’ve correctly identified that wireless access to their corporate network shouldn’t be allowed (although guest Wi-Fi is increasingly a given), but left the back door swinging in the wind!
Another organisation I know failed to disable the accounts of employees when they left. The result was that some of their competitors seemed to mystically know exactly what figures they’d submitted in tenders and were able to beat them consistently on price. That one was a people failure – the policy existed, it just wasn’t being followed effectively.
This is by no means an isolated incident either: a recent survey revealed that in the US, 89% of people who had recently left an employer retained access to sensitive systems, and that 49% had actually logged in after they were no longer working there.
Azzurri has a wealth of experience in securing communication systems – networks, phone systems, and mobile devices. It’s very rare (I can’t recall a single instance during my time here) that a breach occurs once we’ve deployed a system to guard an area. But that’s not simply because of the system that was deployed.
It’s because of the planning that went into selecting and deploying the right system, making sure that the policies were defined and that the people knew what they were.
So my advice is, before you pick up the phone to a security vendor, make sure you know what you want to guard against, what you want to protect and what your policy should be.
Blog post by David Groves, Product Management Director at Azzurri. - 01 September 2014