We must know the most significant vectors for attack and know that all the security technology won't stop all the attacks, says Ward Spangenberg, director, security operations, Zynga.
The media reported on several DDoS attacks against credit card providers, search companies, government agencies and independent organizations in 2010. We also heard about a number of organizations that lost sensitive information that ultimately helped to support a thriving stolen data market. We cannot eliminate the attacks and stop all malware, but somewhere along the line, we should have stopped and reminded ourselves to “be prepared!”
We build firewalls, deploy IDS, review and check for compliance, but are we really prepared? Have we built a significant knowledge set to protect us against a major outage? A flooded data center? Lost power? Zombie attack? How do you prepare for something you don't even know is coming? Let us look at how I define being prepared.
To begin with, we must know the most significant vectors for attack and know that all the security technology won't stop all the attacks. Next we must ensure that the support team has reviewed and practiced handling attacks with defined processes across the known vectors. Additionally, we must ensure that users are educated to look and report things that don't look right.
Understanding significant vectors for attack could be an column in itself, but there are some areas that are continually highlighted every year. Code needs to be reviewed – whether it is examined for SQL injections, cross-site scripting or proper authorization and access from accounts and services. Patching vulnerabilities remains high on everyone's list – vendors are constantly looking for models to help get information to us more quickly.
A good chess player will tell you that they can see several moves into the game based on their opponent's moves. Adopt this philosophy with regard to your own security strategy. Imagine how you would attack the infrastructure. What would you break?
Occasionally, you are going to discover that all the solutions you have deployed are worthless. It is important to remember this: An attacker may have access to limitless people, machines and bandwidth, while you only have what has been engineered into supporting day-to-day operations with some growth potential. This is where good plans come into play. Know how to shut off and protect resources – disabling sections of the network, shutting down access to critical resources, and slowing and mitigating as much damage as possible will guarantee that after the attack subsides, the business can return to normal operation.
Your last line of defense will be your people – exercises, training and the occasional cold beer with your team to see what you are missing will fill in those last few holes. Be that leader.
[sidebar]
Know thy vectors
Build secure code, Spangenberg says, to prevent attackers from taking advantage of vulnerable holes in your perimeter. If you can't build it in, then don't forget to patch.
No silver bullet
More important than leveraging a particular solution is quantifying risk, he says. That means thinking ahead to understand your enemy's expected next move.
Damage control
There is no way for an organization to stop all breaches, Spangenberg says, so a security pro's job also is to know how to respond if something does happen – to minimize the fallout.
Leader of the pack
Gain the trust of your team by teaching and training them. And spend time with them – maybe out of the office – to learn where the gaps are in the business' security posture.