Tom Cross (Global) - If X-Force Ran the IT Department

The security landscape is continually evolving. Every day at IBM's nine security operations centers around the globe, billions of security events are identified and tracked for our clients. While most computer network attacks do not succeed in accessing critical information or taking down a network, hardly a day goes by when the media isn't reporting on the attacks that do succeed, in turn damaging shareholder value, public perception and trust.

For the past 15 years, the X-Force team has catalogued, analyzed and researched more than 50,000 vulnerability disclosures. As we visit clients around the world, our team is often asked what we would do if we were running the IT department. Of course, you've got to cover all the basics, but in light of some of the successful attacks of the past six months, here are ten additional areas that X-Force would devote extra attention to right now if we ran the IT department.

1. Perform regular third-party external and internal security audits
Your network is constantly changing. When new security problems are introduced, you need to find them before the bad guys do. Regular third-party security audits, coupled with continuous vulnerability assessment and scanning, are the best way to ensure that you understand the complete landscape of your network and where its weaknesses are located.

2. Control your end points
Do you know what systems you have in your network, what software is running on them, and what patch levels and configurations you have? To what depth? The closer you can get to total end point awareness and control, the more secure your infrastructure should become. Do you have a dynamic IT environment that allows you to keep up with security fixes or do you struggle to patch systems due to lack of resources, legacy code, or custom code that is incompatible with the latest technologies? Legacy systems and long patch deployment cycles can become a security liability.

3. Segment sensitive systems and information
In environments where people work with particularly sensitive information, such as classified data centers, employees are typically given separate desktop systems for web surfing and email versus doing their real work. You may not be working with classified information in your office, but it still makes sense to eliminate unnecessary interconnectivity between sensitive data and insecure networks, particularly if your organization is targeted by sophisticated attacks. Keep in mind that interconnectivity takes many forms, including removable media such as USB tokens.

4. Protect your network
You need to understand what resides in your network, and you also need to understand who has access. Breaches often happen in areas where intrusion prevention systems were not deployed or were not carefully monitored. When breaches occur, successful investigations depend upon having access to rich log information. The more you are monitoring your network and the more you know about what has occurred in the past on your network, the better prepared you are for breaches.

5. Audit your web applications
Web application vulnerabilities continue to be a common gap that is targeted by attackers of every motivation and skill level. Whether a web application was developed in-house, purchased from a software vendor, or downloaded from the Internet, if it is running on your network, you need to check it for vulnerabilities. If you don't, someone else will do it for you.

6. Train end users about phishing and spear phishing
Many sophisticated attacks involve social engineering or a spear phishing element. Attacks may target personal as well as business accounts and systems. Savvy users may suspect that something is out of the ordinary. If your organization knows that it could potentially be targeted, employees are more likely to report something suspicious rather than ignore it.

7. Search for bad passwords
Even after decades of experience, bad passwords remain a common security weakness. Security audits may make cursory attempts to find bad passwords, but constant, proactive efforts to crack weak employee passwords are much more comprehensive, particularly when coupled with effective policies and end user education.

8. Integrate security into every project plan
The security team must not operate on a footing in which it is constantly chasing down projects that have just "gone into production" and introduced massive security gaps into the network, gaps that only come to light on a vulnerability assessment report. Security must be built into new infrastructure from the beginning. Achieving this requires political finesse: the security organization should be an enabler, not a bureaucratic barrier. The security team must constantly demonstrate its value to the rest of the business at all levels.

9. Examine the policies of business partners
In this world of cloud computing and complex outsourcing relationships, many of the systems you are responsible for may be operated by other companies. Many "insider" attacks come from employees who work for business partners of the targeted firm. Has your security team audited the practices of your partners? Are their practices consistent with yours? How confident are you in their execution?

10. Have a solid incident response plan
Eventually, prevention fails. Managing sophisticated, targeted attacks is an ongoing process that involves not just being able to identify that a breach has occurred, but being able to respond and investigate, learn and adapt. If you are an important strategic target and you are not aware of any breaches, it may mean you are not looking carefully enough.

By Tom Cross, manager of Threat Intelligence and Strategy for IBM X-Force