Even though network security is still not very robust in many organizations, trying to find and compromise data across the Internet can still be difficult. In many cases, especially with organizations that carefully protect their trade secrets, the easiest way to compromise a piece of information is by getting a trusted insider who works at the company.
Besides the preceding threats, anyone connected to the Internet is a potential target of attack. There are worms, viruses, and attackers that just want to compromise computers so they can get access to the resources; they often do not really care about the data.
1. Presuming that one line of defense is adequate – There is no silver bullet when it comes to network security. The only way that you are going to be secure is by having multiple lines of defense. A good network architecture starts with many layers, where each layer addresses a different threat.
2. Insufficiently understanding the technology and its nuances, including the many approaches a hacker can take to attack you – Knowledge is power and ignorance is deadly. Only by understanding the offense and the capabilities they possess will you be able to build a robust, defensive posture. Too many organizations build security that does not address the true threat and, therefore, it is ineffective at securing an organization.
3. Thinking enablement, as opposed to disablement – When your approach to an organization’s security is trying to prevent employees or users from doing things, chances of success are much lower. However, when you approach security as an enabler and as a way to allow people to be successful, selling security across the organization becomes much easier. Remember, in general, if you tell someone they cannot do something (even if they do not need to do it), they will show resistance. However, if you tell people what they can do, they are usually more enthusiastic to help.
4. Forgetting that security is part of a life cycle – Security is not an afterthought or an add-on. Security must be designed into an organization and treated as an ongoing process. Just because you are secure today does not mean you will be secure tomorrow. Because organizations are constantly changing, security must also adapt and be an ongoing life cycle as opposed to a one-time task.
5. Overlooking the physical aspects of security – Buildings, rooms, data centers, physical computer access, and so on must be taken into consideration. An organization is only as strong as its weakest link. Preventing network security breaches means paying attention to the importance of strong physical and personal security.
6. Relying on excessively weak trust or authentication mechanisms – Authentication and validating who is allowed to do what across your organization is paramount. In many organizations, authentication is the first and only line of defense, so if it can be bypassed through weak authentication, security of the enterprise is at risk.
7. Failing to understand exposure to attacks on information and infrastructure – Security goes beyond having a firewall or intrusion detection systems. Security means knowing where your exposure points are, prioritizing them, and fixing them in a timely manner.
8. Failing to understand and address the relationships between network, application, and operating system security – Just because all of the single pieces of an organization are secure does not mean that when you put the pieces together the overall system will be secure. You must not only verify the individual components but also the comprehensive systems as a whole.
9. Architecting a system that issues too many false alarms – Unfortunately, there is usually a tradeoff between false positives (system giving an alert when it should not) and false negatives (system not giving an alert when it should). Because false negatives represent a breach, most systems are designed to err on the side of false positives; however, neither option is good and both should be reduced.
10. Inadequately addressing the risk of security breaches from those within your organization – Most networks are designed to prevent attacks from occurring from the Internet. While this is an important vector, insider threat and attacks are just as critical. It is important that organizations understand all potential threats and address them accordingly.