The Gear Myth

Technology alone will not make us secure from identity theft or corporate security breaches, so deploying more of it often gives little more than a false sense of security. No one disputes that there is a tremendous amount of advanced security technology available, both emerging and established. We argue that this technology will not necessarily be effective in mitigating risk, not because of technological flaws but because of a lack of operational discipline. In other words, the problem is not the technology but the way it is deployed.

Here are some examples.

1 Firewalls
More than half of the firewalls we review are deployed with flawed configurations. While many of these flaws are not critical vulnerabilities in themselves, it is remarkable how often this critical first line (and sometimes only line) of defense is not configured correctly.

Example: One of our clients had us test the firewall that controls their access to a vendor, a big national bank service provider. The vendor managed the firewall, but our client was concerned about the configuration because the vendor had hundreds of clients, and if our client had too much network access, then perhaps so did everybody else. The result was that the bank service provider's firewall did nothing. That's right, nothing. While the bank service provider only needed to allow its customers access to a few applications, it allowed access to hundreds (yes, hundreds!) of applications. Further, when confronted with this, the bank service provider claimed that it was not a security risk because they had a network security team, ran periodic scans (which generated hundreds of pages of vulnerabilities) and... had a firewall in place.

2 Intrusion Detection/Prevention Systems (IDS/IPS)
An IDS/IPS is a system that monitors network traffic for potentially malicious activity. For example, if it detects a port scan it might send an email to a system administrator (intrusion detection system), or it could reconfigure the firewall on the fly to block access to the network from the offending IP address (intrusion prevention system). These systems are often implemented as an add-on to a firewall, which makes sense: there is typically a firewall sitting between the internal corporate network and the Internet, and it is in a position to see malicious traffic such as hackers attempting to access the internal network. While this is an intuitive place to put an IDS/IPS, most companies have areas of higher risk where they do not place their IDS/IPS sensors: data breaches from the inside (i.e. malicious or unintentional employee compromises) or from partner network connections (such as a credit card processor) or other business partners. In our experience, most of the IDS/IPS systems deployed are either not configured effectively or do not monitor the highest-risk area of the network.

Example: A company with about 100 locations nationwide had an IDS that generated millions (yes, I said millions) of daily alerts because the vendor that installed it did not take the time to fine-tune the configuration and tailor the sensitivity level effectively. Result: the network administrator simply ignored the alerts; hundreds of thousands of dollars were wasted; executives were left with a false sense of security.

3 Demilitarized Zones (DMZ)
A DMZ is just a name for a part of your corporate network that is partitioned off from the rest of the internal network, just as a submarine has watertight doors so that if one compartment floods it won't bring down the whole vessel. DMZs can be used to host exposed applications such as email or web servers. The logic is that since those servers must accept network connections directly from the Internet, they might get hacked, and if they do, you surely don't want the rest of the network and all of its data to be at risk. However, this primary purpose of a DMZ is not achieved most of the time, because the network components used to create a DMZ, such as a firewall, switch or VLAN, are configured incorrectly.

Example: Recently a bank had a web server that got hacked, but the impact should have been minimal because the site did not host sensitive information and was hosted on a DMZ. So no problem, right? Wrong: the DMZ configuration was flawed, and once the hacker gained control of the server they had unrestricted access to the rest of the internal network, leaving customers' confidential information at risk. Time to send out the "oops, we got hacked" letters to customers.
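Both the vendor firewall that "allowed hundreds of applications" and the DMZ that could reach the whole internal network are rule-set review failures, and both can be caught by a simple audit of the rules themselves. The script below is an added illustration, not code from the original article or from Redspin; the rule format, zone names, sample rules and the 32-port threshold are assumptions constructed for the example.

```python
"""Audit a firewall rule set for two review failures: partner rules that
expose far more services than the few that are needed, and DMZ rules that
let a compromised DMZ host initiate connections into the internal network.
Rule format and sample rules are constructed for this example."""

# A rule: src zone, dst zone, proto, ports, action. "ports" is "any",
# a comma list ("80,443") or a range ("1024-65535").
MAX_PORTS_PER_RULE = 32  # assumption: wider than this is "hundreds of apps"


def port_count(spec):
    """Number of destination ports a port specification allows."""
    if spec == "any":
        return 65536
    total = 0
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            total += hi - lo + 1
        else:
            total += 1
    return total


def audit_rules(rules):
    """Return one finding string per allow rule that is over-broad."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r["action"] != "allow":
            continue  # deny rules are not the problem here
        n = port_count(r["ports"])
        if r["src"] == "dmz" and r["dst"] == "internal":
            findings.append(f"rule {i}: DMZ may initiate into internal network "
                            f"(segmentation failure, {n} ports allowed)")
        elif r["dst"] == "internal" and n > MAX_PORTS_PER_RULE:
            findings.append(f"rule {i}: {r['src']} -> internal allows {n} ports; "
                            f"expected a handful of named services")
    return findings


# Constructed sample: rule 2 is the "hundreds of apps" vendor case, rule 3 is
# the DMZ flaw, and rules 1 and 4 show what a correctly scoped rule looks like.
SAMPLE_RULES = [
    {"src": "internet", "dst": "dmz", "proto": "tcp", "ports": "80,443", "action": "allow"},
    {"src": "vendor", "dst": "internal", "proto": "tcp", "ports": "1-65535", "action": "allow"},
    {"src": "dmz", "dst": "internal", "proto": "any", "ports": "any", "action": "allow"},
    {"src": "vendor", "dst": "internal", "proto": "tcp", "ports": "443,1433", "action": "allow"},
    {"src": "any", "dst": "any", "proto": "any", "ports": "any", "action": "deny"},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

The check is deliberately coarse: a rule that passes it still needs a human to confirm that each named service is actually required by the partner or application in question.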

So clearly, the existence of security technology or controls does not imply security. This is the common gear-myth theme: it is not the existence of a control but the effectiveness of the control that matters. As it turns out, there is no glamor in security, because it is not about high-technology gizmos as much as attention to detail: good IT people and operational integrity, with technology deployed carefully, peer reviewed and managed with a process, in an organization run by executives who are aware that the small things matter.

About the Author:

Redspin's penetration testing services feature the latest skills required for a successful security audit. http://www.redspin.com

Article Source: ArticlesBase.com - The Gear Myth
