Page 10 - Cyber Warnings
mitigated by a few more locks on the door. In addition to impeding employee work, this
approach can also alienate the same employees you are trying to unite under a common
security cause. If your employees are truly perceived as threats, then you don’t have a
security problem, you have an HR problem. Stop hiring people you can’t trust. You might
not have a 100% success rate, but you can probably get pretty close.
Rarely do interviewers probe beyond work experience and technical skills into issues of
character. Attackers have good technical skills too. If you aren’t weighing the character
of the individual you are hiring, then it is possible that you are walking an attacker right
through the front door and handing them the keys to the kingdom. In athletics, if a scout
cannot find good recruits, the team loses. Security is no different.
• Hire security experts with software development knowledge (preferably
experience). Years ago when I began focusing on security, a well-known industry expert
told me: “Most of this industry comes from a system administration background, and they
are desperately trying to learn how to program. You have a leg up on all of them --
you’re there already. It is a lot easier to teach a software developer network security than
it is to teach a sysadmin application security.” I have found this to be an ever-increasing
understatement. Expert software developers likely already have a base of network
knowledge. Also, a network can be perfectly secured and still be wide open for attack via
tunneling through software communication protocols.
Without understanding software development, how software uses computer memory,
and how protocols are constructed, you are on weak footing to protect against, detect,
and respond to attacks. So when hiring, be aware that there's a big gap between knowing
how to configure firewall rules and knowing how to read packet captures, detect
malicious web traffic, and identify code vulnerabilities. Even with expensive tools
which automate some of these tasks, your security expert absolutely needs the skill set
to get their hands dirty and diagnose problems by hand.
Shore up your defenses
Security endeavors can easily die on the vine due to budget constraints. But you’ve already
acknowledged that there is a threat too serious to ignore, and a complete commitment was
made to a secure direction. It’s time to clean house, without any expenditures on commercial
security tools.
• Self-audit and document your firewall configuration. These are your primary outer
sentries. They aren’t going to stop all attacks, but they will stop some; and they reduce
the number of pathways through which attacks can travel, which aids in intrusion
detection. Deny all, allow few. No commercial tools needed.
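One way to run the firewall self-audit with no commercial tools, as an added example that is not from the article: a short Python script that reads an `iptables-save` dump, checks for "deny all, allow few", and lists every inbound pathway so it can be documented. It assumes a Linux host using iptables; the sample ruleset and the function name audit are constructed for illustration.

```python
import shlex

# Constructed `iptables-save` dump for illustration (not from the article).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.5.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -j ACCEPT
COMMIT
"""

def audit(ruleset, inbound=("INPUT", "FORWARD")):
    """Return (findings, allowed): deviations from deny-all/allow-few, and
    every inbound pathway the ruleset opens, as (chain, proto, port, source)."""
    findings, allowed = [], []
    for n, line in enumerate(ruleset.splitlines(), 1):
        line = line.strip()
        if line.startswith(":"):  # chain declaration with its default policy
            chain, policy = line[1:].split()[:2]
            if chain in inbound and policy == "ACCEPT":
                findings.append(f"line {n}: {chain} default policy is ACCEPT, not deny-all")
        elif line.startswith("-A "):
            tok = shlex.split(line)
            # Map each option to the token after it; negation ("!") is not handled.
            opt = {t: v for t, v in zip(tok, tok[1:]) if t.startswith("-")}
            if opt["-A"] not in inbound or opt.get("-j") != "ACCEPT":
                continue
            # Loopback and replies to established connections open no new pathway.
            if opt.get("-i") == "lo" or "NEW" not in opt.get("--ctstate", "NEW"):
                continue
            src = opt.get("-s", "0.0.0.0/0")
            port = opt.get("--dport") or opt.get("--dports") or "any"
            allowed.append((opt["-A"], opt.get("-p", "any"), port, src))
            if port == "any":
                findings.append(f"line {n}: accepts every port from {src}")
            elif src == "0.0.0.0/0":
                findings.append(f"line {n}: port {port} open to any source; confirm and document")
    return findings, allowed

if __name__ == "__main__":
    findings, allowed = audit(SAMPLE)
    print("Allowed inbound pathways (chain, proto, port, source):")
    for row in allowed:
        print("  ", row)
    print("Findings:")
    for f in findings:
        print("  ", f)
```

The allowed list doubles as the documentation the bullet asks for: each entry should map to a known business need, and anything that does not is a candidate for removal.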
• Self-audit and document your DNS configuration. These are the information booths
which direct visitors to your endpoints. Misconfigured DNS can be a primary source of
information leakage, or it can aid attackers in spoofing attempts which promote
10 Cyber Warnings E-Magazine – July 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide