Securing a network becomes more challenging when the enemies are deceptive, clever, and savvy snakes, but recognizing the gaps in their security strategies before the criminals do can help organizations minimize detection and response times.
I'm reminded of Macbeth whose valor in war against Norway was rewarded with the title of Thane of Cawdor. In gratitude, Lady Macbeth encourages her husband to kill the king. She advises him, "Your face, my thane, is as a book where men/May read strange matters. To beguile the time/Look like the time. Bear welcome in your eye/Your hand, your tongue. Look like th' innocent flower/But be the serpent under 't." (Shakespeare, I.v.53-57)
The problem with a lot of breaches, especially those that are the result of social engineering, is that many of the attackers are just like Lady Macbeth. They know how to beguile the time. They phish like the innocent flower, but they are serpents indeed.
How, then, do organizations avoid the fate of King Duncan, especially when the extended network provides more opportunities for invasion?
Lysa Myers, security researcher at ESET referenced the Target example, where hackers were able to break into the sales network through an HVAC company.
"HVAC should not give access all the way to the point of sale machine," she said. Segmenting the network can prevent those types of breaches, as can encryption and risk assessment.
"It's complicated protecting the network because it opens holes, so organizations need to develop a principle of least privilege. Access only what they need. The idea is to make it so that if criminals get in with one piece, they can't access the whole puzzle," Myers explained.
If they accept that there is a risk of being breached, companies can stop criminals who gain access into their network by zoning off access through segmentation. There is no one single means of protection, though.
Organizations need to be deploying a balanced and holistic security approach with the right technologies and the right solutions in place before, during, and after an attack in order to safeguard their vital information.
"More businesses need to be aware of risk assessment. Without understanding what they are protecting against, they can't build the best protection. Don't go purchasing programs or creating policies without first understanding their risks," Myers said.
Encrypting everything is another critical step toward creating stronger security. "Encrypt as much as you can, in storage and in transit," Myers added.
Myers also pointed out that there are other pieces to the puzzle, including two-step authentication and user education, or awareness programs.
In reference to awareness programs, Zully Ramzan, chief technology officer at RSA said, "Organizations should conduct exercises to see if the education is working. Look at initiatives and make them more targeted. Identify the employees with a higher propensity for compromises so that you can assess the risks, but I don't think companies should over-invest in awareness programs."
Sign up for Computerworld eNewsletters.