1 – Lack of awareness, both at a corporate level and at an end user level.
I am always banging on about a company’s most effective security tool being education, and it’s true. Organisations need to make sure they understand the threat as it really is today, not as they think it is. They need to make sure their users are educated to use the Internet and Internet resources from a position of awareness and caution rather than blind trust in a technological solution. People should be aware of how invisibly infections can occur and where to go if they are concerned they may be a victim.
Equally, people need to be made aware of the real monetary value of their own and other people's personal information and begin to treat it with the care it deserves, rather than handing it to any curious onlooker through social and professional networking, blogging, telephone calls, bogus surveys and more.
2 – Complacency. When it comes to losing data, whether as a result of malware or "peopleware", many companies suffer from being complacent. This ties in very strongly to my first point about education. It is important, and in many cases legally or by regulation necessary, to protect the data for which you as a company are responsible. This data can fall into many categories: Personally Identifiable Information (PII), intellectual property, corporate, state or nationally sensitive information, financial results, login credentials, patient or customer records; the list is almost endless. Every company has its own corpus of data and a corresponding obligation to protect that corpus from both inadvertent and malicious exposure and/or misuse.
Currently many companies are too complacent in this area and are only prompted into action when a breach or a near-breach has occurred. Organisations need to be able to report and manage the patch level of every machine in their estate at a moment's notice, and should be deploying host-based intrusion prevention technology in areas where patching is impractical or impossible. Additionally there is a responsibility to both employees and customers to ensure full visibility over how data is handled under their custodianship, and this includes all the ad-hoc transfers that take place every day over services like email, HTTP, FTP, instant messaging and USB devices.
Is it OK for a medical secretary to email patient notes to a consultant's Hotmail address so the consultant can look at them over the weekend? Is it OK for your software developer to take your source code home on a removable device? Is it alright that your payment processing machine is infected with data-stealing malware because you "didn't have a window to install the OS patch"? I would imagine not, but until you proactively manage your hardware and software estate and also get a clear handle on the scheduled and ad-hoc movement of data, you're just waiting for the breach to happen, while it may already have passed you by.
3 – No root cause analysis. Traditionally security solutions, whether at the perimeter, on the server or on the client, have focused on detecting, blocking and/or cleaning up the results of malicious software infections, but have not offered effective root-cause analysis. People need to know where the malware came from: was it a drive-by download, an infected USB drive, email, instant messaging or something else? It is not enough to say "Machine X was infected with malware Y but I cleaned it up for you, no need to worry". This may allow the company the comfort of knowing they got away with it this time (and I stress "may": do you know how long the malware was there before it was detected?), but it does not give anyone the information they need to improve the security posture and lower the risk level of the business, or to prevent the same or similar infections from recurring. An intelligent security solution needs to monitor activity on a machine and be able to give detailed root-cause analysis even when detection of a zero-day exploit is delayed.
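To make the root-cause point concrete, here is an added example (not code from the original post or from any product it refers to) of the kind of walk-back such a solution has to perform. It assumes the endpoint has been recording three kinds of telemetry: process starts (with the document the process opened), file writes (with the writing process and, for copies, the source path) and removable-media mounts. The sample events, the process names used to classify delivery channels and the `trace_origin` function are all constructed for illustration. Given the path of a file that was only flagged as malicious days later, it follows the chain of "who wrote this file, and what did that process open" until it reaches a delivery channel, which is exactly the question the author says most tools leave unanswered.

```python
"""Provenance walk-back over constructed endpoint telemetry to name an infection vector."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: str
    kind: str               # "usb_mount" | "process_start" | "file_write"
    pid: int = 0
    ppid: int = 0
    image: str = ""         # executable name, for process_start
    path: str = ""          # mount root / file written / document the process opened
    source: str = ""        # for a file_write produced by a copy: where the bytes came from


# Hypothetical mapping from the process that wrote a file to the channel it represents.
EMAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
IM_CLIENTS = {"teams.exe", "slack.exe", "skype.exe"}


def _norm(p: str) -> str:
    return p.lower()


def trace_origin(events: List[Event], artifact: str) -> Tuple[List[str], str]:
    """Walk back from a detected file to the channel that delivered it.

    Returns (chain of human-readable steps, vector), where vector is one of
    "email", "web", "instant_messaging", "usb" or "unknown".
    """
    procs: Dict[int, Event] = {e.pid: e for e in events if e.kind == "process_start"}
    # Last writer wins: the most recent write produced the contents that were detected.
    writers: Dict[str, Event] = {_norm(e.path): e for e in events if e.kind == "file_write"}
    removable = [_norm(e.path) for e in events if e.kind == "usb_mount"]

    chain: List[str] = []
    seen = set()
    path = artifact
    while path and _norm(path) not in seen:
        seen.add(_norm(path))
        if any(_norm(path).startswith(root) for root in removable):
            chain.append(f"{path} is on removable media")
            return chain, "usb"
        w = writers.get(_norm(path))
        if w is None:
            chain.append(f"no recorded writer for {path}")
            return chain, "unknown"
        proc = procs.get(w.pid)
        image = _norm(proc.image) if proc else "<unknown>"
        chain.append(f"{w.ts} {path} written by {image} (pid {w.pid})")
        if image in EMAIL_CLIENTS:
            return chain, "email"
        if image in BROWSERS:
            return chain, "web"
        if image in IM_CLIENTS:
            return chain, "instant_messaging"
        # The writer is not a delivery channel itself (a document viewer, Explorer, a
        # dropper): follow the copy source, or the document that process had opened.
        path = w.source or (proc.path if proc else "")
    chain.append("provenance exhausted" if not path else f"cycle at {path}")
    return chain, "unknown"


# Constructed telemetry for one workstation; not real data.
SAMPLE_EVENTS = [
    Event("09:00:01", "usb_mount", path="E:\\"),
    Event("09:00:10", "process_start", pid=400, image="explorer.exe"),
    Event("09:02:30", "process_start", pid=410, ppid=400, image="outlook.exe"),
    Event("09:05:00", "file_write", pid=410, path=r"C:\Users\alice\Downloads\invoice.doc"),
    Event("09:05:10", "process_start", pid=420, ppid=400, image="winword.exe",
          path=r"C:\Users\alice\Downloads\invoice.doc"),
    Event("09:05:20", "file_write", pid=420, path=r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    Event("09:05:25", "process_start", pid=430, ppid=420, image="update.exe"),
    Event("09:40:00", "file_write", pid=400, path=r"C:\Users\alice\Desktop\photos.exe",
          source=r"E:\photos.exe"),
    Event("09:40:05", "process_start", pid=440, ppid=400, image="photos.exe"),
    Event("10:10:00", "process_start", pid=450, ppid=400, image="chrome.exe"),
    Event("10:12:00", "file_write", pid=450, path=r"C:\Users\alice\Downloads\flashupdate.exe"),
]


if __name__ == "__main__":
    # The dropped binary is what the scanner eventually flags; the telemetry says it
    # came out of a Word document that arrived by email.
    for artifact in (r"C:\Users\alice\AppData\Local\Temp\update.exe",
                     r"C:\Users\alice\Desktop\photos.exe",
                     r"C:\Users\alice\Downloads\flashupdate.exe"):
        steps, vector = trace_origin(SAMPLE_EVENTS, artifact)
        print(vector, "<-", " <- ".join(steps))
```

The value of this only appears when the telemetry predates the detection: the walk-back for `update.exe` works because the writes and process starts were recorded at 09:05, not when the file was finally recognised. Without that history the answer collapses to "unknown", which is the "cleaned it up, no need to worry" outcome the post complains about.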