AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

How to ensure a “healthy” and secure network: Part 2

In my last post, I drew some comparisons between our personal health and our network health. I strongly believe this: if we struggle to focus on the basics necessary to keep our own bodies healthy and alive, how can we possibly muster up the desire and fortitude to ensure our networks remain secure?

In essence, it’s my theory that you cannot secure what you don’t acknowledge. In preparing for a recent information security seminar, I was going back and reviewing the common findings I’ve uncovered in my security assessments over the past year. At a high level, every finding had these three characteristics:

  1. Lack of understanding regarding what information is where and how it’s at risk
  2. Lack of tools and, therefore, visibility into what’s taking place on the network
  3. Lack of time management skills required to stay on top of everything being thrown our way

Looking at more of the specifics, I see most networks having:

  • Blank, default, or otherwise weak passwords on numerous systems such as firewalls, network switches, physical access control systems, and databases
  • Little to no patching of third-party software (e.g. Java and Adobe) and network infrastructure device firmware
  • No firewall testing (rulebase, scanning, or just general manual analysis)
  • Open network shares that provide access to sensitive information to anyone with a network login (and even to those without one, on systems with missing Windows patches that can be exploited using Metasploit and similar tools)
  • Reactive log monitoring and alerting (at best)
  • Wide open mobile devices (no encryption, no passwords, nothing)
  • Databases accessible from the Internet
  • Internal and external Web applications that have never been tested for security flaws
  • Improperly secured wireless networks

All of this and we wonder why we keep “coming down with the flu”.

I know most people are simply doing their best. As a personal trainer will tell you, take things up a notch or two where you can. Stop living in a state of reaction. Stop letting your network complexity be a crutch – or a security blanket. Get on top of things – not only your network but also the threats and vulnerabilities that keep rearing their ugly heads. I strongly believe that if you focus on these basic challenges and are able to get them under control, you can have a healthy and secure network environment.

Healthy or sick, what’s it going to be? The choice is ultimately up to you.

About the author
Kevin Beaver is an information security consultant, expert witness, writer, and professional speaker with Atlanta-based Principle Logic, LLC. With over 25 years of experience in the industry, Kevin specializes in performing independent security assessments in order to help business executives understand the information risks that actually matter. He has authored/co-authored 11 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.
