Rather than talking about how secure your enterprise is, IT executives need to own up to the fact that it is insecure and take defensive steps, according to two security experts.
Speaking at the Cyber Security Summit 2012 in Sydney, Black Swan Consulting director Keith Price and University of London CSO Confidential and security faculty member Professor Paul Dorey gave delegates a number of strategies for improving security from within the corporation.
Get the right security tools
According to Price, IT executives need to resign themselves to the fact that they cannot prevent attacks, only detect them.
“In order to detect them you are going to need very complex, expensive and sophisticated tools to discern an attacker’s traffic from the normal traffic that already exists in your environment,” he said.
“To be able to respond, you’re also going to need a series of well-rehearsed scenarios and respond lightning fast.”
Professor Dorey added that the hardest thing for CSOs and CIOs is getting security resources for the operational component, because costs inside organisations are under huge scrutiny.
He said that buying the technology is a start but the real problem is the cost of the staff to do the analysis and resourcing.
“Staff can be hard to get hold of and most budgets can’t withstand that level without executive management standing up and backing it.”
Enterprise defensive action
According to Price, enterprises need to be more defensive, find out the “crown jewels” of information that the business runs on and protect the assets from within.
“Stop talking about how secure you are because you’re not. Start talking about how insecure you are and deal with the problem of insecurity.”
Professor Dorey suggested that IT executives build up information on cyber criminals gathered from law enforcement agencies or other legitimate sources.
Price agreed, noting that one of the ongoing issues for corporations trying to deal with groups such as Anonymous is that “we don’t know who they are or where they are based.”
“Like we saw recently with the AAPT data breach, they’re going to post information up that they gather without any rules,” he said.
“We’ve got one set of rules that companies have to follow and then we’ve got an adversary that wants to expose information because they want to punish you for transgressions that they think you’ve done.”
Price added that executives should take the time to look at reports such as the Verizon data breaches report which will inform them of what is happening.
“SQL injection and cross site scripting are two of the most common attacks used by cyber criminals, so check your public website for these types of attacks,” he said.