6 hard truths security pros must learn to live with

Nearly every company in the world has thousands of vulnerabilities that hackers can easily exploit. For anyone working in IT, this is not a bombshell announcement. It's business as usual.

Insufficient staffing for deployment and monitoring

Too often, companies buy a great computer security solution, then fail to deploy it appropriately, if they deploy it at all. Months are spent evaluating and arguing for a big security purchase that ends up languishing unboxed in a corner somewhere. Or some unfortunate, lone employee is told to deploy the new solution despite already being overloaded with mission-critical work that is considered their "real job."

The employee puts in a hero's effort to deploy what they can in a few days. They become a pseudo-expert on the device and the threats it's supposed to prevent. They do their best to configure it, and for the next few days or weeks they do a passable job of monitoring it.

Then their other mission-critical priorities take over. Pretty soon that cool new security tool is monitored less and less. No one has time to track down false positives, much less follow up on real alerts. Not long after, the device is kicking out alert after alert, all of which get lost in the noise of the other poorly monitored security devices. The Verizon Data Breach Investigations Report finds that 70 to 90 percent of all malicious incidents could have been prevented or found sooner if existing logs and alerts had been monitored. It's little wonder, given this prevalent, nearly inevitable cycle from deployment to disuse.

Computer security devices are never self-maintaining. They need the right teams, resources, and focus to even come close to their promise. Companies are great at buying capital assets, but they're afraid to increase operational expenses and headcounts. This means built-in failure. Don't set yourself up for it. Get a plausible staffing solution in place before you purchase any security technology.

Hackers need to find only one weakness

Suppose a company has 1,000 Web servers, and 999 of them are fully patched and perfectly configured. All a hacker has to do is fire up a vulnerability scanner and point it at the right domain name or IP address range, and it's game over. Scanning 1,000 computers takes only marginally longer than scanning one, and the scanner reports the one server that isn't patched just as readily as the 999 that are.

A typical vulnerability scan will bring back one or more vulnerabilities on every server, if not dozens of vulnerabilities. When the scan is finished, all the hacker needs to do is pick through the juicy results to decide where to exploit first.

This one-weak-link-and-you're-hosed maxim is nowhere more obvious than in malware campaigns via email. Send a malware-containing message to a large set of employees, and at least one person, no matter how smart, will open the email and blindly follow every suggested command. I've been involved in dozens of antiphishing education tests over the years, and in every case, a fairly large number -- between 25 and 50 percent -- of employees can be phished out of their credentials in the first round. While the conversion rate (as we call it) drops with each successive round of sending another test to those who have passed the prior trial, there will always be some portion of users that responds to every phishing attack.

The more complex your staffing mix becomes, the harder it is to shore up your defenses. Some of the biggest hacks in recent years have come through compromised contractors. One of the most damaging, the 2013 breach of Target retail stores, began with the network access of an HVAC contractor that the attackers had compromised.

Sometimes attackers go right after your most trusted protection. In one of the most sophisticated attacks ever, an advanced hacker group compromised the long-lauded computer security company RSA. The attack started with a spear-phishing email carrying a malicious spreadsheet file, which exploited a flaw in software the recipients' machines had not been patched against and gave the attackers their way in.

Forensics revealed that the users would have been prompted with no fewer than five messages warning that the content they were about to open could be malicious. In every warning instance, they had to choose a nondefault answer to bypass the warning, and in every case they did. Once the attackers got in, they stole the secrets behind RSA's much-trusted SecurID key fob and used what they learned to go after their ultimate targets, which included the U.S. defense contractors Northrop Grumman and Lockheed Martin. Even if you have your own security down pat, attackers will exploit your business partners and use what they find against you.

Even if you're perfect at detecting and remediating known vulnerabilities, all an attacker has to do is use vulnerability analysis tools to "fingerprint" each operating system and application you expose to the Internet, then wait until one of those vendors releases a critical patch. The patch announcement tells the attacker exactly which of your systems is about to be exploitable, and working exploit tools typically appear within hours of it. No matter how good a company is at patching, it isn't likely to patch every asset faster than the attacker can put those tools to use.
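The two situations above (one unpatched server hiding among a thousand, and an attacker who already knows every exposed product and version waiting for the next advisory) reduce to the same triage: take a fingerprint inventory of the fleet, compare each version against the first fixed version in the advisory, and list whatever is below it. The script below is an added example and is not code from the article; the scanner lines it parses and the advisory table it checks against are constructed for illustration, and the "host product/version" line format is an assumption about what a banner grab or scanner export would yield. It also shows the classic mistake in this comparison: comparing version strings lexically, which puts 1.9 after 1.24 and silently hides the weak link.

```python
"""Fleet-wide "find the one weak link" triage (added example, not from the article)."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed scanner output: one "host product/version" line per exposed
# service, standing in for a banner grab or a vulnerability-scanner export.
SCAN_RESULTS = """\
web-001 nginx/1.24.0
web-002 nginx/1.24.0
web-003 nginx/1.9.15
web-004 Apache/2.4.58
web-005 nginx/1.24.0
web-006 nginx/1.10.3
web-007 OpenSSH_9.6
"""

# Hypothetical advisories: product -> first fixed version. Anything older is
# exposed from the moment the vendor publishes the patch.
ADVISORIES: Dict[str, str] = {
    "nginx": "1.24.0",
    "Apache": "2.4.58",
}

# Assumed banner shape: "<host> <product>/<version>" or "<product>_<version>".
BANNER_RE = re.compile(r"^(\S+)\s+([A-Za-z]+)[/_](\d+(?:\.\d+)*)\s*$")


def parse_version(text: str) -> Version:
    """'1.9.15' -> (1, 9, 15): numeric tuples, so 1.9 sorts before 1.24."""
    return tuple(int(part) for part in text.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if a is strictly older than b. Short tuples are padded with
    zeros so that '1.24' and '1.24.0' compare as equal, not older."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def fingerprint(scan_text: str) -> Dict[str, Tuple[str, str]]:
    """Map host -> (product, version) from scanner lines. Lines the regex
    cannot parse are skipped rather than guessed at."""
    inventory: Dict[str, Tuple[str, str]] = {}
    for line in scan_text.splitlines():
        m = BANNER_RE.match(line)
        if m:
            host, product, version = m.groups()
            inventory[host] = (product, version)
    return inventory


def find_unpatched(scan_text: str, advisories: Dict[str, str]) -> List[str]:
    """Hosts running an advisory's product at a version below the fix.
    This is the attacker's view as much as the defender's: one hit is enough."""
    hits = []
    for host, (product, version) in fingerprint(scan_text).items():
        fixed = advisories.get(product)
        if fixed is not None and version_lt(version, fixed):
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    inventory = fingerprint(SCAN_RESULTS)
    for host in find_unpatched(SCAN_RESULTS, ADVISORIES):
        print("exposed:", host, *inventory[host])
```

Run against the constructed input, the script flags web-003 (nginx 1.9.15) and web-006 (nginx 1.10.3) and nothing else; a naive string comparison would have missed web-003, because "1.9.15" sorts after "1.24.0" character by character. In a real fleet the advisory table is the thing to automate, since the attacker is refreshing it within hours of every vendor announcement.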

Next section: Hackers can change tactics on a dime