Top Business Driven Security Mistakes
(yes, I do realize there’s a balance between security and business)
1. Implementing an IPS in IDS mode with no blocking whatsoever. Under the guise of ‘uptime’, businesses often deploy time-tested IPS products while forgoing their real value, blocking attacks, because IT is wary of impacting the business. Meanwhile a breach such as TJX can cost over $250 million for a similarly sized company. Question is, would the IPS interrupting a few ‘false positives’ cost a company $250 million? Hmm
2. Focusing on compliance and procedural controls instead of technologies to protect data. Often companies are preparing for the ‘audit attack’ instead of the ‘hacker attack’. They have impeccable processes such as firewall review, termination processes and user certifications, all well and good initiatives if you’ve already covered your proverbial security bases with preventative controls.
3. Funded only till compliant. Need I say more?
4. Perfected processes require execution. Many information security professionals, as well as their IT counterparts, find themselves spending most of their days executing procedures that cannot be given enough time for proper review due to resource constraints. This makes the controls weak at best while at the same time de-emphasizing real prevention measures.
5. Following the alert rabbit hole. Most large companies have implemented SIEM tools to monitor logs and end up following the login failure alert rabbit hole, which often leads to a dead end. For example, you have failed-login lockout controls, yet you are still required to investigate every alert. Hmmm, the red pill or the blue pill? Waste of time (IMHO).
6. Not keeping up with the times. Lack of resources leaves the security team without enough time to study or perfect their knowledge. This leads to service failures, outages etc. because they need a proper amount of on-the-job research time to do a quality job.
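To make item 5 concrete, here is an added example (not part of the original post, and not any vendor’s SIEM logic) of how a triage rule can skip the failed-login rabbit hole. The assumption is an account lockout policy that engages after 5 failures in 15 minutes; the script suppresses the plain “burst of failures” alert that the lockout already handles and only escalates what the lockout does not cover: a success right after the lockout threshold was reached (the control did not engage), or failures spread across several accounts from one source, each staying under the threshold. The sshd-style log lines, hostnames, usernames, addresses and thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd-style lines; hosts, users and addresses are made up.
SAMPLE_LOG = """\
Mar 12 10:00:01 bastion sshd[4011]: Failed password for alice from 203.0.113.5 port 50110 ssh2
Mar 12 10:00:03 bastion sshd[4011]: Failed password for alice from 203.0.113.5 port 50111 ssh2
Mar 12 10:00:05 bastion sshd[4011]: Failed password for alice from 203.0.113.5 port 50112 ssh2
Mar 12 10:00:07 bastion sshd[4011]: Failed password for alice from 203.0.113.5 port 50113 ssh2
Mar 12 10:00:09 bastion sshd[4011]: Failed password for alice from 203.0.113.5 port 50114 ssh2
Mar 12 10:00:11 bastion sshd[4011]: Failed password for alice from 203.0.113.5 port 50115 ssh2
Mar 12 10:02:00 bastion sshd[4020]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Mar 12 10:02:02 bastion sshd[4020]: Failed password for carol from 198.51.100.9 port 40002 ssh2
Mar 12 10:02:04 bastion sshd[4020]: Failed password for dave from 198.51.100.9 port 40003 ssh2
Mar 12 10:02:06 bastion sshd[4020]: Failed password for erin from 198.51.100.9 port 40004 ssh2
Mar 12 10:05:00 bastion sshd[4031]: Failed password for frank from 192.0.2.77 port 30001 ssh2
Mar 12 10:05:02 bastion sshd[4031]: Failed password for frank from 192.0.2.77 port 30002 ssh2
Mar 12 10:05:04 bastion sshd[4031]: Failed password for frank from 192.0.2.77 port 30003 ssh2
Mar 12 10:05:06 bastion sshd[4031]: Failed password for frank from 192.0.2.77 port 30004 ssh2
Mar 12 10:05:08 bastion sshd[4031]: Failed password for frank from 192.0.2.77 port 30005 ssh2
Mar 12 10:05:10 bastion sshd[4031]: Accepted password for frank from 192.0.2.77 port 30006 ssh2
Mar 12 10:30:00 bastion sshd[4050]: Failed password for grace from 203.0.113.40 port 20001 ssh2
Mar 12 10:30:30 bastion sshd[4050]: Accepted password for grace from 203.0.113.40 port 20002 ssh2
"""

# Assumed lockout policy (hypothetical values, not from the post).
LOCKOUT_THRESHOLD = 5            # account locks after this many failures...
LOCKOUT_WINDOW = timedelta(minutes=15)  # ...inside this window
SPRAY_THRESHOLD = 3              # distinct accounts failing from one source

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_line(line):
    """Return {ts, outcome, user, src} for an sshd auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less syslog stamp
    return {"ts": ts, "outcome": m.group(2), "user": m.group(3), "src": m.group(4)}


def triage(lines, lockout_threshold=LOCKOUT_THRESHOLD,
           spray_threshold=SPRAY_THRESHOLD, window=LOCKOUT_WINDOW):
    """Split login-failure activity into alerts worth a person's time and
    suppressed events that the lockout control already deals with."""
    alerts, suppressed = [], []
    failures = defaultdict(list)      # (user, src) -> timestamps of recent failures
    users_per_src = defaultdict(set)  # src -> accounts that failed from it

    for ev in filter(None, map(parse_line, lines)):
        key = (ev["user"], ev["src"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]

        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            failures[key] = recent
            users_per_src[ev["src"]].add(ev["user"])
            if len(recent) == lockout_threshold:
                # Classic rabbit hole: the lockout engages here, so no analyst needed.
                suppressed.append({"rule": "failed-login-burst", "user": ev["user"],
                                   "src": ev["src"], "reason": "lockout control already engages"})
            if len(users_per_src[ev["src"]]) == spray_threshold:
                # Many accounts, each under the threshold: lockout never fires, so escalate.
                alerts.append({"rule": "spray-across-accounts", "src": ev["src"],
                               "users": sorted(users_per_src[ev["src"]])})
        else:  # Accepted
            if len(recent) >= lockout_threshold:
                # A success right after the threshold means the lockout did not engage.
                alerts.append({"rule": "success-after-lockout-threshold", "user": ev["user"],
                               "src": ev["src"], "failures_before": len(recent)})
            failures[key] = []  # a success resets the failure history

    return {"alerts": alerts, "suppressed": suppressed}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for a in result["alerts"]:
        print("ALERT    ", a)
    for s in result["suppressed"]:
        print("SUPPRESS ", s)
```

On the sample data, alice’s six failures and frank’s first five are suppressed because the lockout policy already covers them, while the four-account run from 198.51.100.9 and frank’s successful login after reaching the threshold are the two events an analyst should actually look at. The spray tracker keeps a simple per-source set for brevity; a production rule would age it with the same window as the failure history.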