
Do CIOs Really Understand Defense-In-Depth?

General | 18 July 2010

The well-known practice (and art) of providing controls at multiple layers of the infrastructure is nothing new to those involved in protecting information. As a general rule in defense-in-depth, one must assume that at least one layer of the security architecture will fail. The follow-up question is: then what? How well will the systems and data be protected if we lose one layer of control? The current threat environment must also be taken into account when answering that question. Organizations carry risk because of the way they operate IT, the industry they are in, and the business model they follow; a small manufacturing firm has a different threat and risk profile than a large multinational bank. But I ask: given the advances in technology, is your CIO keeping up? Does he or she understand that security controls are layered, with some deliberate overlap, for a specific purpose? Do they understand the specific risks in their own organization and why the controls were chosen in the first place?

Take, for example, the use of antivirus (AV). Almost all organizations use AV in some way to protect their systems from the latest malware, virus, and worm threats. But new malware threats seem to be growing at an alarming rate, which can be directly attributed to the maturing cybercrime organizations run out of Russia, HK, and Eastern Europe and their ever-increasing return on investment (they seem to be run more like businesses than chop shops). Symantec alone counted a 200+% increase in newly detected malware threats from 2007 to 2008. Can your AV keep up? Or, better yet, how effective has it actually been over the last 6 months?

If you said you needed to apply an additional layer of security to protect your systems, would your CIO understand the difference between AV and policy-based controls, which rely on monitoring how system processes and applications interact with the operating system itself? If not, they will likely fall into the category of answering every question with, “but we use AV.” I’d question how many of those who answer this way understand how effective (or ineffective) their current AV is. If they don’t know the answer to that question, they will likely make the fatal mistake of relying on an outdated technology (AV) that is ineffective at stopping the new and growing malware threat, while rejecting new technology that they don’t understand.
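To make the distinction above concrete, here is an added illustration (not from the original post) that contrasts a hash-based signature check with a policy layer that judges process behaviour; the event format, the two rules, and the sample hashes are all constructed for this example, and a real product would have far richer rules.

```python
# Added illustration: signature AV vs. a policy-based layer over constructed events;
# the event format, rule set and sample hashes are all invented for this example.
import hashlib
from dataclasses import dataclass
@dataclass
class ProcEvent:
    pid: int
    image: str      # executable path of the process
    parent: str     # executable path of its parent
    sha256: str     # hash of the on-disk binary
    actions: list   # trace of (operation, target) interactions with the OS

# Layer 1: signature AV can only block binaries whose hash it has already seen.
KNOWN_BAD = {hashlib.sha256(b"constructed-old-worm").hexdigest()}
def signature_verdict(ev: ProcEvent) -> str:
    return "block" if ev.sha256 in KNOWN_BAD else "allow"

# Layer 2: a policy-based control judges how a process interacts with the OS, so a
# never-before-seen binary is caught by what it does rather than by what it is.
BROWSERS = ("iexplore.exe", "firefox.exe", "chrome.exe")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

POLICY = {
    "browser child set a Run-key autostart": lambda ev: basename(ev.parent) in BROWSERS
        and any(op == "reg_set" and tgt.startswith(RUN_KEY) for op, tgt in ev.actions),
    "non-installer wrote into System32": lambda ev: basename(ev.image) != "msiexec.exe"
        and any(op == "file_write" and tgt.lower().startswith(r"c:\windows\system32")
                for op, tgt in ev.actions),
}

def policy_verdict(ev: ProcEvent) -> list:
    """Names of every policy rule the event violates; an empty list means allow."""
    return [name for name, rule in POLICY.items() if rule(ev)]

def evaluate(events: list) -> dict:
    """Per pid, each layer's verdict, so the reader sees where the layers disagree."""
    return {ev.pid: {"signature": signature_verdict(ev), "policy": policy_verdict(ev)}
            for ev in events}

# Constructed samples: a known old worm, a novel drive-by dropper, a benign editor.
SAMPLE_EVENTS = [
    ProcEvent(101, r"C:\Users\bob\AppData\Local\Temp\svc.exe", r"C:\Windows\explorer.exe",
              hashlib.sha256(b"constructed-old-worm").hexdigest(), [("file_write", r"C:\Windows\System32\drv.sys")]),
    ProcEvent(202, r"C:\Users\bob\AppData\Local\Temp\upd.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe",
              hashlib.sha256(b"constructed-novel-dropper").hexdigest(), [("reg_set", RUN_KEY + r"\upd")]),
    ProcEvent(303, r"C:\Windows\notepad.exe", r"C:\Windows\explorer.exe",
              hashlib.sha256(b"constructed-notepad").hexdigest(), [("file_write", r"C:\Users\bob\Documents\a.txt")]),
]
```

Running `evaluate(SAMPLE_EVENTS)` shows the point of the second layer: the signature check passes the novel dropper (pid 202) because its hash is unknown, while the policy layer flags it from its behaviour alone.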

As a side note, infections today seem to come from users browsing the web. And this doesn’t have to be browsing to “suspect” or non-business sites: many mainstream web sites have been compromised over the past few years. The self-inflicted security breach is always the hardest to live with as a security professional… all the while knowing you could have done something to stop it, if only your CIO could keep up with current security threats and technology.
