Anitian Enterprise Security
888.ANITIAN
info@anitian.com

Article

No More Secrets

By Andrew Plato, CISSP, CISM, QSA
President / Principal Consultant
and Edward Martin III
Anitian Enterprise Security

There are certain people from whom you must never keep secrets.

Your doctor and your lawyer are prime examples of people who should not be kept in the dark. The reason is simple – doctors and lawyers can only help you if they know the full story. Trust is an essential part of the relationship. Information security is largely the same. Whoever is responsible for assessing, testing and correcting security issues in your environment does the best work when they know the full picture. Like your doctor or your lawyer, anything withheld or kept secret may come back to haunt you later.

One of the more common myths in information security is the notion that everything must be kept secret. The conventional wisdom among some IT people is that a security assessment should be done “in the dark,” sometimes referred to as “black box” testing. The idea is that this is what an anonymous attacker would face, and so the security analyst should face the same. While this technique has a place in security testing, it is only one piece of the big picture. (Besides, many attacks are inside jobs, where the attacker already has intimate knowledge of the environment.)

A good security assessment should be a collaborative, productive process. It is designed to improve your infrastructure and practices. Being open, transparent and honest with your security auditors is the only way to facilitate open, honest and practical advice.

Likewise, your auditors should work to demonstrate their ability to be trusted with a fair and balanced approach to security. Analysts who rely on fear and scare tactics to motivate you into action are amateurs at best. A good security consultant avoids resorting to fear as a sales or assessment tactic.

The reason for openness is ultimately a matter of risk. An attacker is not going to limit themselves to high-value targets. Attackers (be they human or automated) seek the weakest point in any system. Typically, this is a human factor or a system that is configured incorrectly. If your security analyst does not know about a system, or if security scans are blocked by overt controls, then there is no way to accurately assess the risk those systems present to the organization as a whole.

For example, that server squirreled away in the corner of the data center -- part of some old, failed initiative -- may seem unimportant. Common sense suggests that it is disposable and does not warrant attention, but its default passwords and unpatched services present a perfect beachhead for an attack. If this server is excluded from the security assessment, the analyst cannot provide guidance on the risks it presents.

An analyst’s most effective tool is information, and when information is withheld, the analyst cannot do the job right.

You must trust your security vendor. And if you cannot, then you need a new vendor. Work only with independent, certified experts for security assessments. Not only are such experts specifically trained in security practices, but they understand the landscape of IT security, not merely IT operations. The company that installed your phones or VMware servers might be a great company with many skilled engineers, but it is probably not the best candidate for an honest evaluation of your security. Moreover, when it comes to delicate matters of compliance, specifically PCI compliance, there are many details and complexities in the standards that non-certified analysts simply will not know.

So, when talking with your doctor or lawyer, be as transparent as possible, and your health or legal matters will benefit. Likewise, when engaging a security analyst for a penetration test, security assessment or compliance audit, be open, and look for vendors who can provide the trust and expertise you need.

For more information, please call 888.ANITIAN, or email Anitian Enterprise Security.