Which security products do enterprises expect too much from?

Attackers will thank you for enabling them to bypass firewalls and VPNs by allowing infected laptops to send hostile packets through both into your network.

Enterprises rely on some security products too much while counting on others too little. One product category that companies place too much faith in is encryption, which has vulnerabilities. The OpenSSL web encryption technology’s infamous Heartbleed vulnerability is one example.

Enterprises should assess their information security stance in light of the vulnerabilities that have actually given attackers a foothold and led to costly breaches, whether at their own organization or at their peers. Where an off-kilter reliance on some security products is the crack in these defenses, look for a more effective combination of tools. Don’t ignore tools that are effective yet limit some usability. Security products that enable a lot of usability while masking danger are among those that we do, and will continue to, count on too much.

Security products that dash hopes and promises

Enterprises have high hopes for security products that will let us down because of native security holes and shortcomings. A number of encryption technologies such as OpenSSL have sprouted gaping security holes, like Heartbleed, letting attackers exploit the flaw to circumvent the protection.

“That’s like having a really good lock on your house and then realizing that they can just jimmy the door off of the hinges,” says Walter O’Brien, cybersecurity expert, founder and CEO at Scorpion Computer Services. (Note: Walter O’Brien is the genius coder with the hacker handle Scorpion, whose firm is the basis for the CBS TV drama “</scorpion>”.)

The MIKEY-SAKKE VoIP call encryption protocol, created by the UK intelligence agency GCHQ, has a backdoor, immediately making it a penetrable form of encryption.

Both Dutch and Canadian law enforcement claim to have retrieved encrypted email information from special PGP/military-grade-encrypted BlackBerry devices, calling that encryption into question.

VPN encryption protects data in transit between laptops and enterprise networks. But if the laptop is already infected and controlled by an attacker, that connectivity becomes a tool for the attacker for the length of the connection, enabling the attacker to gain control of the network machine on the other end and launch further attacks from there, according to Andrew Ginter, co-chair of the ISA SP-99 Working Group 1, which is revising the SP-99 report on cyber security technologies.

Smart firewalls are another tool that offers less protection than people estimate.

“People upgrade to a smart firewall and they think great, now we’re completely safe. Then they find out that application security, database security, and source code security have been completely neglected,” says O’Brien.

Often it’s not the type of tool but the preponderance of state-of-the-art products, such as those for pen testing, network monitoring and anomaly reporting, that leads enterprises to check the proverbial box, marking information security as ‘problem solved’. “People get lulled into a false sense of security because they see that their tools run 22,000 SQL injection tests over a given period and they believe they’re safe. Those tests are often just variants on tests that have been around for 10 to 20 years. They’re not cutting edge methodology,” says O’Brien. Dated tests won’t tell you whether you’re vulnerable to something that’s based on altogether new code.

Enterprises shouldn’t expect so little of these products and approaches

Enterprises should inventory, update, and clarify the locations, potential locations (cloud), paths (data paths, transmissions), vulnerabilities, and ingress and egress points of their most prized data. They should rally IS technologies that defend all these against potential, unacceptable losses.

Companies should consider combining AI-enabled (artificially intelligent) security products such as Scorpion Computer Services’ ScenGen (other intelligent security products include examples from Lancope and AlienVault) with products that establish exhaustive baselines such as Scorpion Computer Services’ Normalizer (other baseline security products include Magna from LightCyber). Adding these into the mix with other effective products, and perhaps replacing similar products that don’t measure up, should sharpen an organization’s edge against intruders, helping it to better test for vulnerabilities and flag behavioral inconsistencies.

The best weapon against attackers is only as effective as the warrior who wields it. Even the best warrior can do nothing if his hands are tied. “Whoever is reading the alerts has to have the authority to take action immediately, to shut down a department, take away someone’s permissions, or have someone arrested. If all he can do is report it at the end of the quarter, it’s kind of pointless,” says O’Brien.

Some protections work without additional effort from security warriors, much like a brick wall does. Organizations should consider using approaches that are natively secure due to the fundamental way that the technology works. “My favorite is unidirectional communications, using unidirectional gateways that permit information to move only in one direction,” says Ginter.

Power plants on the power grid use these to protect their safety systems from external attack. IT can use unidirectional gateways to remotely monitor the network while preventing data from returning inside the perimeter. “The most sensitive of IT networks use unidirectional gateways,” says Ginter.

This flies in the face of two-way data traffic that allows transmissions into the network from remote workers who want to do all the same things they can do at the office. We’ve established that VPNs and firewalls are far from foolproof. Any business that could die from losing control to an attacker even once cannot afford to hand out remote, two-way communication with sensitive, vulnerable systems.

By David Geer
