Practical IT “e-Security” (Part 1): How to protect your business, yourself, and your family in the “post-Target” age.
The odds are that if you weren’t directly impacted by the recent Target stores credit data breach, you probably know someone who was. And if you don’t happen to know someone who was – well, *I* was impacted by it – so now you do. 😉
The brazen and extensive scope of this attack has, not surprisingly, generated a lot of recent questions, soul-searching, and hand-wringing about the topic of IT Security, and/or what I call “e-Security”.
Given that I was impacted by the breach firsthand – and that I’ll confess that I used to be a IT Security Administrator for a quasi-Federal agency in a past professional life – I decided to share some of my various impressions, thoughts, and suggestions in a series of these blog articles.
One of the first questions that often comes to mind is “how could this happen?” or “how did this happen?” – particularly on such a wide scale in the case of numbers of cards compromised. While doing some of the after-event quarterbacking or second-guessing can be of some limited value (particularly, if that process is used to help learn from the event, rather than just to excoriate the people involved) – the simple fact is that today’s IT systems are so complicated, intertwined, and extensive that it’s extremely difficult for anyone to keep every possible vulnerability or exposure point completely protected.
An analogy I like to use is that of a physical building or facility – such as a hospital – with multiple entrances and exits, and with many different types of persons entering and exiting, at many times of day. Some of those persons may be visitors. Others may be direct staff. Others may be contractors. And others may just be plain up to “no good”. Very few of them will probably “check in” or “sign in” at a entrance desk, even if they should be. Think of these various random persons as if it was traffic or computing applications that’s flowing inside and outside of a computer network.
And there you have it. Unless you have protections, controls, and training provided to your staff, family, or business to help address handling and/or monitoring these activities, you may not even know that they’re even occurring.
And with that, it’s time for another analogy. 😉
A physical building can have many entrances and exits. Some buildings- or their facility managers- choose to hire guards, front desk staff, and/or install cameras to help record or monitor what goes on in the building. It is hoped that some combination of these techniques will help discourage incidents, or at least provide some information about those incident(s) if they occur.
In a traditional computer network, frequently there is one (or more) devices that acts like a “gateway” to the rest of the world – particularly if that network is connected to the Internet. That gateway – and/or firewall (if it exists) – is where all of the traffic (or “people”) go through, regardless of who they are, what they are doing, or if they have benign versus malicious intent.
So my question to most organizations when we do an initial IT security assessment is: Who (or what) is monitoring or watching your firewall or gateway? And the answer frequently is – “crickets chirping”, or, “I don’t know”. In the physical world, that would be the equivalent of leaving the main entrances or exits to the building unwatched, or having a fancy camera system that nobody ever bothers to watch the footage from.
The good news is that there are mechanisms, services, software, policies, and training available that can help mitigate, reduce, and/or (in some cases) prevent or discourage – but not entirely eliminate – many IT security and data privacy risks. Just as is the case in the physical world, with physical security.
Some examples include Two-Factor Authentication (meaning, not relying just on user-generated passwords), having Mobile Device Management (MDM) systems for iPad’s, iPhones, etc., and firewall monitoring services with the appropriate policies applied.
In other cases, it’s just having some good old fashioned training performed and policies writtten, to help ensure that your organization or family is well informed in terms of how to help stay “e-Secure”.
Stay tuned for future additions or tips in a future post[s]…