7 Deadly Sins of Network Security

Companies that suffer serious security breaches have almost always committed one (or all) of 7 deadly security sins. Is your company guilty?

Anyone worth their salt in information security will tell you a solid defense is built upon multiple layers of technology, policy and practice. That's defense-in-depth.

The technology layers are a critical piece of that puzzle -- of course. But companies that suffer a major network breach have frequently failed on a more fundamental level. Here are the deadly network security sins experts say are rampant in the corporate world. Avoid these sins and you will have taken a critical step toward a secure network.

1. Not measuring risk

This sin typically involves a failure to take a thorough measurement of the company's most important assets and network configurations surrounding those assets. As the saying goes, you can't protect the crown jewels without first knowing what they are and where they are.

Chuck McGann, manager of corporate information security services for the US Postal Service, is among those who cited the "failure to have a network topology diagram or discovery software to identify what is on your network and what it is doing."

When a company fails to take an accurate measurement of risk, the powers that be are often lulled into the false sense of comfort that comes with simply having antivirus software and a firewall, says Michael Leigh, senior information security manager at Cisco Systems. The bad news here is that some of that technology can become the very problem the organization sought to prevent.

"I find that a number of organizations believe their security appliances/devices (routers, firewalls, switches, etc.) are secure and do not layer their defenses around these devices," Leigh says. "Too often these devices are the toehold into an organization."

Ken Smith, a security solutions architect at Forsythe Technology, says implementing security controls and policies without first understanding business needs and requirements is a problem he has witnessed many times. "It's the primary reason that security practitioners are often thought of as rigid or not adding value to the organization," he says. "When this is the case, users will come up with workarounds that could be worse than the problem you are trying to prevent in the first place."

2. Thinking compliance equals security

Typically a sin committed by upper management, this is the case where a company invests a lot of time and treasure in meeting the requirements of government regulations and industry standards like HIPAA or PCI DSS, then drops the ball once all the boxes on a compliance checklist have been checked off.
