HIT Think

Why providers must stop reacting and start acting on security

People who work in the world of information security and technology—from helpdesk to security admin, IS/IT auditor to consultant penetration tester—know there has been one overarching theme that affects almost every organization in some way: the common practice of reactive security.

This means that instead of looking to constantly improve security, keep systems up to date, perform system upgrades and so on, most organizations wait until something breaks before they even think about fixing or replacing it.

As with anything in life, the reactive model rarely leads to any sort of success; at best it forces situations to remain static, and often it makes things much worse. The difference between reacting to issues and threats and acting ahead of time to reduce the risk is often the difference between remaining solvent and going out of business.

For example, an emergency department visit is significantly more costly than a regular or specialist doctor’s visit that is scheduled. This rings true in virtually any emergent situation—particularly when it comes to a breach, server maintenance, patching, vulnerability testing and an endless list of other things that, without proper planning, can quickly become a disaster.


The examples that reinforce this concept are virtually limitless. One example that is all too common is waiting for a new operating system to be released instead of patching a known-bad or out-of-date system. This often happens because it is a time-consuming process to update the old system, but attackers don’t care if you have a new system coming or in place—they will go for the vulnerable one.

Another example that crops up frequently is in relation to incident response (IR). When an incident happens, it quickly becomes obvious to an organization that they need help, but those that can help (forensics, incident response specialists and others) also know how desperately help is needed.

Just like the earlier example of going to an emergency department, think of an incident like a serious car accident caused by bad brakes, with the victim taken by ambulance to the ED while their car is towed to the shop. As you might imagine, this would cost more than proactively getting new brakes. When an incident happens, it is akin to this scenario, and if you haven’t planned ahead and don’t know who you are going to call for help, then you’ll be paying a premium in several ways. There is no 9-1-1 service for your organization’s information security, unless you set it up proactively.

Many who read this know that this applies to their organization, and while it does mean there is a lot of work ahead, realizing the problem is the first step towards fixing it.

One of the most important things that any and all organizations need to do on a regular basis (at least annually) is to conduct a risk analysis and business impact analysis along with more frequent vulnerability analyses. This is a formal way of saying that organizations need to take a look at the realities of their information security.

Ignoring systems that are vulnerable won’t make them go away, and skipping an annual penetration test or vulnerability assessment will not eliminate vulnerabilities. Organizations that begin by looking at the situation from a pragmatic perspective will be amazed at what they can avoid.
