Meet the Bloggers

Vaune Carr, Principal Consultant, BT Global Services

Rob Jamison, Manager, Network Intelligence, Managed Security Solutions Group, BT Global Services

Jill Knesek, Chief Security Officer, BT Global Services

Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

Ben Rothke, Senior Security Consultant, BT Global Services

Pete Russo, Senior Marketing Manager, BT Global Services

Bruce Schneier, Chief Security Technology Officer, BT Global Services

Ray Stanton, Global Head of BT’s Business Continuity, Security & Governance Customer Capability Unit

Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services


Posts tagged firewalls

Thursday, June 10, 2010

To Disclose or Not to Disclose: That is the question

 

After the many security incidents of recent years, customers are uncertain which companies they can trust and which they should worry about.  One way to overcome this hurdle is for a company to disclose information about its security strategy in order to instil confidence.

But the question arises: is it in a company’s best interest to reveal its security controls, or does disclosing that information make the company a target for hackers?  We asked our experts for their thoughts on this issue.

Vaune Carr, a principal consultant for BT Global Services, expressed her opinion on the topic:

When it comes to disclosing a company’s security defenses, many organizations insist on being secretive.  I happen to agree.  If a company has a need to talk about their security strategy, my suggestion is to be more controlled about any discussion of their specific computing environment as opposed to openly publicizing the information where it can possibly be used against them.  Why?

Well, it is simple, really.  An organization that reveals its specific hardware and software measures to the public, to competitors or to others runs the risk of opening itself up to attack, or makes it easier than it would have been if an attacker had to guess what was on their end.  In fact, while having a public discussion of its security posture, the company may be unintentionally drawing attention to incomplete controls, literally inviting hackers into its networks.  And for those who are confident in their controls, it seems they are basically daring a criminal to prove them wrong and hack into their systems.  Why put your organization in that position? 

Ultimately, it is not the investment in tools that makes an organization good at security.  What makes ALL the difference is how you manage, monitor and maintain these tools.  But in the end, as you decide with whom you want to discuss how good your organization is at security, just make sure to provide some pertinent metrics. 

Jim Tiller, vice president of Security Professional Services for BT Global Services, agrees:

I agree with Vaune.  And it’s worth briefly exploring the pros and cons of sharing security information.  Most enterprises will have standardized, best-practice security controls, such as firewalls, IDS/IPS, and the like – generally very predictable.  Add to this that even entry-level script kiddies can determine the type, software and version of many systems. So it can be argued that you may not be giving away information that can’t be easily discovered surreptitiously.  What we’re really talking about are the details and nuances.

Let’s ask the big question — Are there any advantages of sharing security information? Well, in some ways, yes.  A prominent security challenge is knowing what works and what doesn’t.  By sharing information with others, you can learn from one another and find a more refined and effective balance for your environment.  

Then there is the concept of information as a deterrent, which is based on the “path of least resistance” for a threat, assuming that when a potential attacker knows your network is being monitored, for example, they will move on to another, less secure target. Unfortunately, this doesn’t apply to many forms of threats – deterrence in infosec is a gamble at best.  Lastly, a consistent and popular argument is consumer impression.  An online bank that shares details on their security controls with customers may increase customer confidence and loyalty; it seemed to work for Bank of America.

What we’re really talking about is that disclosing details about your security controls publicly can play to a hacker’s desire to make an example of you. It’s like poking a dangerous animal — you’re increasing the chances of getting bitten.  You had better be sure of those controls, because they’ll be tested. In fact, I will go as far as to say it’s less about the content of the information and more about the culture of the threat. Tell a hacker you’re secure and, regardless of your security control sophistication, they are attracted to you like a shark to blood – you become something to be conquered.

Therefore, as with all things security, it’s weighing the advantages against the risk and managing information disclosure.  It is well within reason to share certain information at varying degrees of detail with different groups and in different conditions, as long as there is clarity on the value-to-risk ratio you get from doing so.  Nevertheless, being a professional paranoid… my default rule is “loose lips sink ships.”

Weigh in with your thoughts.  Do you believe an organization should share security information or keep it under wraps?

Friday, March 5, 2010

Past the Point of PCI

By: Sushila Nair, Product Manager, Managed Security Solutions Group (BT MSSG), BT Global Services, and Sanjay Mehta, Senior Vice President, Breach Security

The nirvana of a moment in time when you are completely secure, without a single vulnerability in sight, is unattainable and, even if it were possible, it would be fleeting.  Despite our fondest wishes for that moment, we accept that our networks are vulnerable and in a constant state of flux, so the vulnerabilities alter and the risks change with them.  Organizations struggle to keep developing their core business while managing their risk, and to do it all with fewer people and resources than they had last year.  The only way this is possible is to work smarter, but how does that translate into practice?

We accept that our security is flawed, so it becomes critical that we place security devices wherever we have high or unacceptable risk.  It is essential that the alerts from security products such as WAFs, firewalls and IDS/IPS, as well as host information and application logs, are centralized.  The devices we select are critical and should be chosen in line with risk.  It is worth bearing in mind that web applications are one of our largest areas of risk and were one of the key areas of focus in PCI DSS 1.2, which was based on the forensics of card breaches.

Once the devices are selected, the complexity of managing this new technology comes into play and, again, outsourcing is a serious option for companies that are constrained by head count.  The footprints of what has happened on our network are in our log files, and it is impossible to check the multitude of consoles for the vast array of products that we have, so it is critical that we centralize our log files and have the capability to correlate them and look for patterns of attack.  Unfortunately, security breaches are not limited to 9-to-5 business hours, so our security monitoring framework must be built to take this intelligence, look for patterns of attack and be manned 24×7.
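As an added illustration of the correlation step described above (example code written for this page, not from the original post or from BT's monitoring service), the following Python script parses constructed firewall, IDS and WAF log lines in three made-up formats, normalizes them to one event record, and flags any source address that trips two or more distinct device types within a ten-minute window, noting whether the activity fell outside business hours. The log formats, field names, device names and addresses are all assumptions for the example.

```python
"""Correlate alerts from several security devices once their logs are
centralized. Added example, not from the original post: the log formats,
field names, device names and sample lines are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in three made-up formats (firewall, IDS, WAF).
SAMPLE_LOGS = """\
2010-03-04T02:14:03 fw01 DROP src=203.0.113.7 dst=192.0.2.10 dport=22
2010-03-04T02:14:05 fw01 DROP src=203.0.113.7 dst=192.0.2.10 dport=3306
2010-03-04T02:15:10 ids01 ALERT sig="SQL injection attempt" src=203.0.113.7 dst=192.0.2.20
2010-03-04T02:15:12 waf01 BLOCK rule=950001 client=203.0.113.7 uri=/login.php
2010-03-04T09:30:00 fw01 DROP src=198.51.100.4 dst=192.0.2.10 dport=445
2010-03-04T14:02:44 waf01 BLOCK rule=950001 client=198.51.100.9 uri=/search.php
2010-03-05T03:40:01 ids01 ALERT sig="Directory traversal" src=198.51.100.9 dst=192.0.2.20
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<device>\S+) (?P<action>\S+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Normalize one log line into a dict: ts, device, type, src, detail.
    Returns None for lines that do not fit the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # Each product names the attacker address differently; unify it here.
    src = fields.get('src') or fields.get('client')
    if src is None:
        return None
    return {
        'ts': datetime.strptime(m.group('ts'), '%Y-%m-%dT%H:%M:%S'),
        'device': m.group('device'),
        'type': m.group('device').rstrip('0123456789'),  # fw, ids, waf
        'src': src,
        'detail': fields.get('sig') or fields.get('rule') or fields.get('dport', ''),
    }


def parse_logs(text):
    """Parse every non-empty line and return the events sorted by time."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted((e for e in events if e), key=lambda e: e['ts'])


def outside_business_hours(ts, start=9, end=17):
    """True if the event is on a weekend or outside start..end local hours."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def correlate(events, window=timedelta(minutes=10), min_devices=2):
    """Group events by source IP and report sources seen by at least
    `min_devices` distinct device types within `window` of each other."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e['src']].append(e)
    findings = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e['ts'] - first['ts'] <= window]
            kinds = {e['type'] for e in cluster}
            if len(kinds) >= min_devices:
                findings.append({
                    'src': src,
                    'devices': sorted(kinds),
                    'start': first['ts'],
                    'after_hours': outside_business_hours(first['ts']),
                    'count': len(cluster),
                })
                break  # one finding per source is enough for this example
    return findings


if __name__ == '__main__':
    for f in correlate(parse_logs(SAMPLE_LOGS)):
        print(f"{f['src']} hit {f['devices']} starting {f['start']} "
              f"({'after hours' if f['after_hours'] else 'business hours'})")
```

In practice the normalization layer is the hard part: every product names the attacker address, signature and timestamp differently, and the correlation rule is only as good as that mapping. The window, device threshold and business-hours definition are constants here and would be tuned per environment.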

This week’s RSA Conference pinpointed the problem of treating compliance as a single point in time. 

Most companies breathe a sigh of relief once PCI compliance is “achieved” via an audit or code review.  IT professionals move on to the next priority and, often, compliance “maintenance” is forgotten.  In doing so, they fail to appreciate that an audit or code review is out of date the moment it is completed: web applications continue to be developed and altered, so continued compliance cannot be ensured by the “one-time look” that an audit or code review provides.  And it would certainly be cost-prohibitive to repeat an audit or review with each application change.

Fortunately, continuous PCI compliance can be achieved using a web application security solution that provides real-time, continuous security for all protected web applications.  This is the alternative PCI DSS Requirement 6.6 itself offers: install a web application firewall in front of public-facing web applications instead of reviewing them for vulnerabilities at least annually and after every change. 

In today’s compliance landscape, it is simply not enough to know that a problem exists.  Sophisticated web application security solutions help companies mitigate problems.  Organizations need a real-time solution, not just a single look in time, to be truly secure and PCI compliant.  Bear in mind, though, that a web application firewall shields a vulnerable application from attempts to exploit it; it does not remove the defect from the code, so the finding still belongs in the development backlog.

Here is more information on how vulnerability scans and code reviews compare to web application firewalls:

Vulnerability scans and code reviews vs. web application firewalls

Scans/code reviews: Looks at one web application at a single point in time.
WAF: Provides real-time, continuous security for all protected web applications.

Scans/code reviews: Must be repeated for each application change.
WAF: Profiles each application’s acceptable behavior and automatically learns changes.

Scans/code reviews: May not cover every line of code.
WAF: Secures the entire web application.

Scans/code reviews: Can result in inconsistent findings due to vendor interpretations.
WAF: Provides factual information on vulnerabilities.

Scans/code reviews: Does not fix vulnerabilities that are found.
WAF: Serves as a “virtual patch” that protects each application’s vulnerabilities.

Scans/code reviews: Is expensive.
WAF: Offers immediate ROI.
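To make the “profiles acceptable behavior” and “virtual patch” rows concrete, here is a toy positive-security WAF in Python. It is an added example, not code from the original post or from Breach Security or any other vendor’s product. It learns, from requests observed during a learning phase, which parameters each path accepts and how loose their values may be, rejects requests that deviate once enforcement is switched on, and carries a separate virtual-patch rule for a known weakness that the learned profile alone may be too loose to stop. The paths, parameter names, value classes and sample requests are all made up for the example.

```python
"""Toy positive-security web application firewall. Added example, not from the
original post or any vendor's product: it learns each path's acceptable
parameters and value classes from observed traffic, enforces that profile,
and applies a 'virtual patch' rule for a known weakness. All paths,
parameters and requests below are constructed for illustration."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Value classes from strictest to loosest; a learned parameter keeps the
# loosest class seen during learning. Assumed classes for the example.
VALUE_CLASSES = [
    ('digits', re.compile(r'^\d{1,10}$')),
    ('word', re.compile(r'^[A-Za-z0-9_.-]{1,64}$')),
    ('text', re.compile(r'^[^<>\'";]{1,256}$')),
]
CLASS_RANK = {name: i for i, (name, _) in enumerate(VALUE_CLASSES)}


def classify(value):
    """Return the strictest class the value fits, or None if it fits none."""
    for name, rx in VALUE_CLASSES:
        if rx.match(value):
            return name
    return None


class LearningWAF:
    def __init__(self):
        self.profile = defaultdict(dict)  # path -> {param: loosest class}
        self.learning = True
        self.virtual_patches = []  # (path, param, compiled regex, reason)

    @staticmethod
    def _parse(url):
        parts = urlsplit(url)
        return parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))

    def learn(self, url):
        """Widen the profile for this path from one observed request."""
        path, params = self._parse(url)
        for name, value in params.items():
            cls = classify(value)
            if cls is None:
                continue  # never learn from values that look hostile
            cur = self.profile[path].get(name)
            if cur is None or CLASS_RANK[cls] > CLASS_RANK[cur]:
                self.profile[path][name] = cls

    def add_virtual_patch(self, path, param, pattern, reason):
        self.virtual_patches.append((path, param, re.compile(pattern), reason))

    def check(self, url):
        """Return (allowed, reason). Virtual patches apply even while learning."""
        path, params = self._parse(url)
        for p_path, p_param, rx, reason in self.virtual_patches:
            if path == p_path and p_param in params and rx.search(params[p_param]):
                return False, f'virtual patch: {reason}'
        if self.learning:
            self.learn(url)
            return True, 'learning'
        known = self.profile.get(path)
        if known is None:
            return False, 'unknown path'
        for name, value in params.items():
            if name not in known:
                return False, f'unexpected parameter {name}'
            cls = classify(value)
            if cls is None or CLASS_RANK[cls] > CLASS_RANK[known[name]]:
                return False, f'parameter {name} violates learned class {known[name]}'
        return True, 'matches profile'


# Constructed known-good requests seen during the learning phase.
LEARNING_TRAFFIC = [
    '/item.php?id=42',
    '/item.php?id=17&sort=name',
    '/search.php?q=red+shoes',
    '/download.php?file=report.pdf',
]


def build_demo_waf():
    """Build a WAF with one assumed virtual patch, trained on LEARNING_TRAFFIC."""
    waf = LearningWAF()
    waf.add_virtual_patch('/download.php', 'file', r'\.\.[/\\]',
                          'path traversal in file parameter')
    for url in LEARNING_TRAFFIC:
        waf.check(url)  # learning mode: records the profile
    return waf


if __name__ == '__main__':
    waf = build_demo_waf()
    waf.learning = False
    for url in ['/item.php?id=42', "/item.php?id=42'+OR+1=1--",
                '/item.php?id=5&debug=1', '/download.php?file=../../etc/passwd']:
        print(url, '->', waf.check(url))
```

Two points the table glosses over are visible here: the profile is only as trustworthy as the traffic it learned from (the example refuses to learn from values that fit no class, but a learning window that includes an attack would still widen the profile), and the virtual patch is a separate, hand-written rule that stays in force whatever the learned profile says, which is exactly why it has to be tracked until the code itself is fixed.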
