Nov 09 2015

It Takes a Team to Ensure IT Security Works

A team-based approach to information security offers businesses the best protection across the entire network.

Information security requires a team effort. While IT security managers lead the battle against attackers, users must keep networks and systems secure across the IT chain.

Effective team-based security thrives with a multidisciplinary group working toward a single goal: protecting the business.

But building the team isn’t difficult. The difficulty lies in making the team effective. Here’s a primer on creating an all-star security team in a small to medium-sized business.

Help Users Help Themselves

Regardless of an organization’s size, users represent vulnerabilities in the security chain. Users click on malicious email attachments, they reveal passwords to phishers, and they send sensitive information to the wrong people. But users also know the organization. They understand the network, and they’re familiar with the applications.

User knowledge represents a powerful force for early detection of security issues. Security teams must provide the best defenses possible to protect users, including well-managed desktops and notebooks, and a solid security barrier to block phishing and malware from company networks.

Organizations running Windows should deploy Microsoft’s Enhanced Mitigation Experience Toolkit on desktops and servers to block malware, and revisit the configuration of desktop security tools as some products have been updated recently.

Edge security tools — such as email security gateways, firewalls and intrusion prevention systems — should get updates to include new reputation-based filters on IP addresses and URLs, and should have malware sandboxing enabled (if available).

IT Security Requires Training and Education


The number of reported phishing attacks in the second half of 2014

SOURCE: APWG, “Global Phishing Survey: Trends and Domain Name Use in 2H2014,” May 2015

The best tools fall flat without proper user education. A basic security training program provides users with the skills to avoid problems.

On the technology front, launch new web applications to inform users of their last login time, real location (not just IP address) and the number of failed logins. Encourage them to report any activity they don’t recognize.

For communication, a simple monthly security newsletter provides IT managers with a channel to remind users of their role in protecting the company. IT teams can find many examples of security education programs, including articles, videos and newsletter templates, with a simple web search.

A one-way stream of information lacks effectiveness, however. Encourage users to participate in the company’s network security defenses by reporting suspicious application messages, strange emails and similar problems to the IT help desk.

The Layer of Application Vulnerability

Enterprises have shifted applications to web-based graphical user interfaces (GUIs) for wider platform support and user mobility.

However, web-based GUIs create more opportunity for attackers to gain access (even with VPN-protected applications). Security teams must focus on the application layer and work with developers to improve security.

Infrastructure protections — such as intrusion prevention systems, web application firewalls, error-log analysis using security event and information management, and communication encryption methods — are good starting points for sufficient application protection.

Next, add automated tools such as web and host vulnerability scanners to the security toolkit.

Tapping Developers to Bolster Application Security

Regular vulnerability scanning keeps security teams on top of compliance issues, such as unpatched systems.

More intensive scanning for application security vulnerabilities should also join the application deployment lifecycle, but automation covers just the first step.

Developers remain key to application security. Overreliance on automated tools provides a false sense of security. When IT provides a grade of pass or fail based on an automated scan, that lets developers off the hook for thinking about security — an undesirable result.

Instead, IT security teams should educate developers on how to write secure applications. Application security experts can guide developers, review software and reinforce their efforts with some long-term training and guidelines for secure development.

Keeping developers on top of security proves difficult when other application deadlines loom. Some organizations require developers to perform code reviews against the Open Web Application Security Project Top 10 list or pass an automated source code review on new releases — but this gated approach comes too late.

Security must live within the organization’s software development methodology. Security integration takes a commitment from the business, and a realization that security slows down development but saves the organization in the long run.