March 19, 2009

Basic Measures Would Prevent Most Breaches?

We just finished our March meeting of the Northeast Ohio Information Security Forum, and one talk in particular got me thinking about basic security measures. The talk was called "The Top 10 Breaches of 2008" by Tom Eston, who is a lead security assessment professional at a Fortune 500 company. I, along with many others in the audience, was amazed at the lack of basic security measures in many of the incidents reviewed; measures that, had they been implemented, could have prevented some of those breaches.

During the talk there was a fair amount of discussion and comment from the audience. We were pretty harsh and quick to judge the security practices, or lack thereof, of the organizations that suffered the breaches. While these folks may deserve the criticism, one thing we probably didn't think hard enough about is that they are just like many of us: overworked, with too much security work that needs doing and not enough time or money to complete it.

That said, the common cause of these breaches appears to be a lack of focus on, and execution of, some basic security measures. We all need to heed the lessons from these breaches and DO THE BASICS:
  • Egress Filtering Rules. Keep that data from escaping your network.
  • Practice the "need to know" principle in access control. Why do they have access to that data when they don't need it for their job?
  • Monitoring of Access. Who's watching the logs showing when someone used their access?
  • Monitoring Outbound Activity Initiated by Servers. Why is that server FTPing out to an IP on the Internet when it normally doesn't?
  • Tighter Access Control on Servers
  • PCI Certified != You're Secure
  • Encrypt the Backup Tapes. Okay, this might be a little more than basic but c'mon - most backup software can do this.
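As an added example (not from the post or from Tom's talk), here is a small Python script that applies the "why is that server FTPing out" check from the list above to connection-log lines. It keeps a per-server baseline of approved external destinations, alerts on any server-initiated connection to an external host that is not in that baseline, and raises the severity when the destination port is a file-transfer port (FTP, SSH/SFTP, TFTP) or the transfer is large. The log format, the addresses, the server names and the baseline are all constructed for the example.

```python
"""Flag outbound connections that servers do not normally make.

Added example; not from the original post. The key=value log format, the
server baseline and the sample records are all constructed for illustration.
"""
import ipaddress
import re

# Constructed connection records, roughly what a perimeter firewall or flow
# collector might emit. The exact format is an assumption for this example.
SAMPLE_LOG = """\
2009-03-18T02:14:07 src=10.1.2.5 dst=10.1.9.20 dport=1433 proto=tcp bytes_out=8200
2009-03-18T02:14:09 src=10.1.2.5 dst=198.51.100.7 dport=443 proto=tcp bytes_out=1200
2009-03-18T02:15:31 src=10.1.2.5 dst=203.0.113.44 dport=21 proto=tcp bytes_out=4800000
2009-03-18T02:16:02 src=10.1.2.8 dst=10.1.9.20 dport=1433 proto=tcp bytes_out=300
2009-03-18T02:16:44 src=10.1.2.8 dst=192.0.2.66 dport=80 proto=tcp bytes_out=5100
2009-03-18T02:17:10 src=10.1.50.3 dst=192.0.2.99 dport=443 proto=tcp bytes_out=900
"""

# Constructed baseline: the external (dst, port) pairs each monitored server is
# known to use. Hosts absent from this dict are treated as unmonitored
# (workstations) and ignored; anything else outbound from a server is suspect.
BASELINE = {
    "10.1.2.5": {("198.51.100.7", 443)},   # hypothetical db01 -> patch mirror
    "10.1.2.8": set(),                     # hypothetical app01, no approved egress
}

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) bytes_out=(?P<bytes_out>\d+)$"
)

# Ports commonly used to move files off a host; a hit here raises the severity.
EXFIL_PORTS = {21: "ftp", 22: "ssh/sftp", 69: "tftp"}


def parse_line(line):
    """Parse one key=value record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def is_internal(ip):
    """True if the address falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_unexpected_outbound(log_text, baseline=BASELINE, large_bytes=1_000_000):
    """Return one alert dict per server-initiated connection to an external
    host that is not in the server's baseline. Internal-to-internal traffic
    and unmonitored sources are skipped."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in baseline:
            continue
        if is_internal(rec["dst"]):
            continue  # east-west traffic is out of scope for egress monitoring
        if (rec["dst"], rec["dport"]) in baseline[rec["src"]]:
            continue  # known-good destination for this server
        reasons = ["destination not in baseline"]
        severity = "medium"
        if rec["dport"] in EXFIL_PORTS:
            reasons.append(f"{EXFIL_PORTS[rec['dport']]} port {rec['dport']}")
            severity = "high"
        if rec["bytes_out"] >= large_bytes:
            reasons.append(f"{rec['bytes_out']} bytes sent")
            severity = "high"
        alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                       "dport": rec["dport"], "severity": severity,
                       "reason": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for a in detect_unexpected_outbound(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['src']} -> {a['dst']}:{a['dport']}"
              f"  {a['reason']}")
```

Run against the sample log this produces two alerts: a high-severity one for the database server pushing 4.8 MB to an Internet address over FTP, and a medium-severity one for the app server making an unexpected HTTP connection. In practice the baseline would be built from a few weeks of observed flows rather than typed in by hand, and the same per-server allow-list is exactly what the egress filtering rules from the first bullet should enforce; the monitoring catches what the filter was never configured to block.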
Tom's talk was very good and I recommend you check out the presentation (download the PDF from here) as well as his blog, http://www.spylogic.net
