One of the biggest mistakes that I commonly see made with regard to IT security is assuming that security is a "set it and forget it" proposition. Threats change over time, and the security configuration that you use today might not necessarily be a good idea tomorrow.
In order to remain secure, organizations need to assess their current security situation on a regular basis. Vulnerability scans must be performed at least quarterly, with a more comprehensive security audit taking place at least annually. These tests can help you to find weaknesses in your defenses.
After conducting a vulnerability scan or a comprehensive security audit, the next step in the process is to review the results. The goal behind doing so of course, is to figure out what can be done to improve the organization’s overall security.
The biggest mistake that I frequently see made in these types of situations is wasting resources trying to address every conceivable vulnerability. Most organizations naturally want to be as secure as possible. However, unless your organization is a really high profile target there comes a point when your security is good enough.
I will be the first to admit that this seems completely counterintuitive. After all, it is probably a direct contradiction to every IT security paper ever written. But look at your organization’s security through the eyes of a criminal.
High profile organizations are the obvious exception to what I am about to say, but for everyone else criminals have two main goals. The first goal is to get the highest payoff possible. This could be a financial payoff, or the payoff could be the entertainment value of vandalizing a system. The second goal is to not get caught.
So if a criminal is trying to get the biggest possible payoff, with the least effort, while also minimizing the chances of getting caught then your network will need to be secure enough that the criminal quickly realizes that a hack is not worth the effort. There are plenty of easy targets in the world. Don’t be one of them. Be more secure than the next network so that the criminals will move on to easier targets.
Again, if you are a high profile target (like a credit card company or a military base) than there is no such thing as being too secure. Criminals have a vested interest in gaining access to those types of organizations, and fully expect the process to be difficult. For smaller, less enticing organizations however, keeping the bad guys out becomes a matter of prioritizing the vulnerabilities that have been detected through periodic security reviews.
You can prioritize the organization’s response to perceived security vulnerabilities by answering a few key questions. For example, is the vulnerability something that is likely to be exploited? What are the consequences to the organization if someone does exploit the vulnerability? What will it take to address the vulnerability?
There are several reasons for taking this approach to addressing security vulnerabilities. The first reason has to do with limited resources. Most organizations have a limited security budget and a limited number of IT professionals who can work on addressing the security deficiencies. Those limited resources need to be spent in the areas where they will have the most impact. It simply does not make sense to spend a large portion of the IT security budget addressing a relatively obscure vulnerability when higher priority vulnerabilities exist.
Another reason for taking this approach is that you want to make the organization secure as quickly as possible. Imagine for a moment that a security scan revealed several vulnerabilities and that the organization has the money and the manpower to address all of them. By prioritizing the list of vulnerabilities, you can make sure to address the most important vulnerabilities first, thereby minimizing the chances of a successful attack.
Every organization uses its own unique method to determine the best way of prioritizing its response to security vulnerabilities. Some organizations choose to start by addressing the vulnerabilities that can be corrected the most quickly. Other organizations begin by addressing the vulnerabilities that they considered to be the most serious. In any case, it is critically important to conduct periodic security scans and to take action based on the results rather than simply going through the motions. Learn more about how to address these concerns with solutions from VLCM and HP, view the case study and solution brief below.
About Brien Posey
Brien Posey is a freelance technical writer who has received Microsoft's MVP award six times for his work with Exchange Server, Windows Server, IIS, and File Systems Storage.
Brien has written or contributed to about three dozen books and has written well over 4,000 technical articles and white papers for a variety of printed publications and Websites.
In addition to his writing, Brien routinely speaks at IT conferences and is involved in a wide variety of other technology related projects.
Prior to going freelance, Brien served as CIO for a national chain of hospitals and healthcare companies. He has also served as a Network Administrator for the Department of Defense at Fort Knox, and for some of the nation's largest insurance companies.