Recently, a co-worker and I went to annual conference held by LabTech called Automation Nation. The event was filled with hundreds of like-minded IT folks from around the country and this year the keynote speaker was Kevin Mitnick. If you do not know who Kevin Mitnick is, he is a genius former black-hat hacker turned white-hat hacker and consultant. During his keynote speech, he began to demonstrate how easy it was to infiltrate systems using various methods. He was sending malicious code onto systems that were supposed to be “protected” by a well-known antivirus program. I kept waiting for it to catch some aspect of the attack, or at least warn us that something questionable was going on. It never did. It reminded me of how dated the term protected really is, and how nonviable a single approach to protecting our systems really has become.
At NetRes, we used a multi-faceted approach to protecting systems. We implement an IT security suite that includes, a Firewall, Antivirus, Anti-Malware, DNS protection, and Security reviews of servers etc. But it really is about more than all of these layers of protection. We have to change the culture of the companies we work with to partner with us. We can implement all of these safeguards, but if employees are cavalier on password security or physical security, use the internet recklessly, or honestly do not possess some paranoia about protecting themselves it makes what we do less effective. There is not a single program that can fix or patch all the vulnerabilities that exist. It is about forming a partnership, creating a plan, applying that plan, and enforcing it internally.
Our Service Manager, Robert Ludiker, has a motto he likes to bellow, “Think Security”, which serves as such a great reminder to our staff.
I am one of the members of the NetRes project team that performs security and network assessments, and I hear “Think Security” from the moment I walk in the door until I’m finished reading the thousands of pages of extracted data that come from our assessment tools. In between, I walk around the client’s office, looking for gaps in security, lapses in judgement, or risky behaviors in general. The drumbeat of “Think Security” continues the entire time.
Many times, the report I present to the client’s executives or IT staff shows that they have simply been overlooking potential problems because they became blind to them. In most cases, familiarity breeds complacency. I try to relay all the hidden vulnerabilities in a way that suggests, “It’s better that I found it than someone out to do you harm.” Needless to say, I have caused considerable heartburn in my 3 years of doing assessments, but in all of those cases, the overwhelming sentiment has been appreciation, along with heightened sense of determination to enhance security.
I think there is a simple way to sum all of this up. During the Q&A session that followed his keynote speech, Kevin Mitnick was asked if there was an Antivirus program he uses or recommends. His response was that he does not recommend products, because security is not about a single program. He said it is about making you and your company less desirable by removing your network as the “low hanging fruit” for the attackers. Education and training, software security, physical security, and drive encryption are all ways we can lessen the risk. Let’s partner together and create a security plan that can help you sleep at night.