FINAL WORD
5. Manage your vulnerabilities

• Have a scanning solution for every network, system, and software type; don’t limit yourself to externally facing IPs.
• Scan inside your network, and do black box and static code analysis of your apps. Layer your tools, because no single tool can universally find everything.
• Scan, test, and scan again. Have a continual testing process aligned to your development cycles and patch releases of your vendors.
• Implement a consolidated reporting platform that tracks all vulnerabilities by system and can produce valuable improvement metrics over time.
• Prioritise web application vulnerability management. You can get extremely good guidance from the OWASP (Open Web Application Security Project) Top 10, which describes today’s most critical web application security risks and how to mitigate specific types of attacks.
• Automate web application vulnerability management. Allow web application firewalls (WAF) to patch a vulnerability automatically. A WAF requires routine attention by an experienced engineer. Many organisations are opting for managed WAF services versus hiring in-house expertise.
• Patch everything monthly, including desktops, laptops and servers, and especially if you are running Windows. Don’t skip important patches, as they will ultimately be required later in a queue chain of dependencies.
• Keep it updated. Don’t allow end-of-life software or hardware in your network.
• Force updates to Adobe Flash and Oracle’s Java, and don’t allow old versions of Internet browsers to run on company computer assets.

“Applications and user identities form around 72% of today’s IT attacks, yet this is not generally reflected in IT budget allocations.”

6. Ensure you have the required visibility

You can’t manage what you can’t see. It’s particularly important to make sure you have the visibility you need into your critical data. It’s important to properly architect, implement and continually manage intrusion detection/prevention systems (IDS/IPS), security information event managers (SIEM), data loss prevention (DLP) systems, and others. These systems need to have access to all parts of your network, systems, data, and data centres, and encrypted and non-encrypted traffic. Pay special attention to visibility within new virtualisation software.

“In this new, borderless security landscape, it’s important to know your company’s threat profile.”

7. Consider embracing the dark side, at least briefly

If you have an application that could cause significant harm to your business if it were compromised, it’s worth hiring an engineer to try to hack it. If hiring a hacker doesn’t sit comfortably, implement a public bounty programme.

8. Use the experts to help you

Compliance and incident response are two key areas for using the guidance of experts.

• Security as a Service is a great option for effectively managing high-risk controls that require immediate response by highly-skilled engineers.
• Test the effectiveness of your controls and control operators. Don’t let poorly designed controls or inadequate operators become the culprit.
• Get help in the event of a breach. Bring in experienced professionals after a breach so that they can make the important decisions that could have a material impact on the outcome of the incident.

9. Have a DDoS strategy

The DDoS attack landscape has shifted rapidly. No longer are complex, expensive attacks launched only at high-value targets. Today’s reality includes bots with plug-and-play attacks that criminals can rent at low cost, as well as IoT botnets that are easy to make and capable of launching terabyte-per-second attacks. Having a DDoS plan is critical.

10. Tell the ‘big shots’ about the likelihood and effect of a breach

Communicate the possibility and subsequent effect of a breach to your board of directors, senior management and others who need to be in the know. They need to be armed with this information rather than being hit with the reality of a breach that they never imagined. Properly done, this should also support your budget requests.

Anton Jacobsz, Managing Director at Networks Unlimited, a value-added distributor of F5 in Africa, concludes, “Few organisations today have the internal resources required to fight cyberthreats on their own. They need intelligence from outside sources, and this is where the Networks Unlimited partnership with F5 can help. F5 was founded 20 years ago and understands applications and the network at the deepest levels. Together with its threat research and intelligence team, F5 Labs, the company works to provide the security community with threat intelligence about current cyberthreats and future trends to help them stay abreast of the security landscape.”