It’s rare now to read about breaches that resulted from direct attacks on the data center, as organizations have done a great job at securing their network infrastructures. But, with business applications moving to the cloud and mobile users connected all the time, traditional appliance-based security measures can no longer protect the modern business. The glass box is broken, the perimeter has vanished, and attacks have shifted to the weakest link: the user.
Users are routinely putting their organizations at risk by downloading unverified content, clicking on malicious links, bypassing security controls, or simply reusing old passwords. Yet, while it’s easy to point the finger at the users, it’s still our job as security professionals to be proactive and protect our users to the best of our ability. Yet over time, bad habits often slip into our security practices and we find ourselves taking shortcuts or making assumptions that we shouldn’t.
Here’s a reminder of some of these practices to avoid—the seven deadly sins that will get your users hacked.
Sin No. 1—Sloth
As it relates to information security, many just don’t have the belief that they can stop the bad guys. Many organizations have adopted the mindset that they will be breached, which often leads to complacency and a willingness to accept increased risk. For example, did you know that most organizations don’t inspect SSL traffic, despite the fact that that is where more than half of advanced threats hide? Well, it’s true, according to Zscaler’s ThreatLabz Research. Don’t be one of those organizations.
Continuing down the path of complacency will not have a fairy-tale ending. Organizations need to think outside the box and to the cloud for the highest level of security and compliance.
Sin No. 2—Gluttony
In many ways, we in IT security are gluttons for punishment. We do risk assessments, which reveal security findings that drive us to a new piece of software or hardware that will work as a patchwork bandage for said findings, which then, ultimately, have us presenting a business case to buy more. The next quarter or year we do another risk assessment and the cycle repeats itself, with no end in sight to the smorgasbord of findings and bandages. In turn, this ecosystem of numerous disjointed security appliances makes it hard to maintain an effective security posture or scope of visibility, especially when insider threats, often by virtue of human error, are the top cause of data breaches.
It’s imperative for organizations to break free from this vicious cycle and look for a platform that offers real-time correlation across threat prevention techniques so enabling new services is as simple as clicking a button.
Sin No. 3—Lust
Mobility is a way of life, and enterprises need to contend with every employee’s yearning for fast and simple internet access. The need for speed and simplicity, fostered by the likes of software as a service (SaaS) solutions, has rendered the virtual private network useless. It’s slow and often deemed an unnecessary hurdle to accessing the web. As a result, users go directly to the internet and, in the process, bypass security controls. Mobile device management and enterprise mobility management solutions have surfaced in response, but although they’re a great way to manage mobile devices, they don’t protect mobile users from threats.
Your security is only a good as your weakest link, and having mobile devices bypass security controls is leaving you exposed. Proxy auto-configuration files and mobile agents are great ways to enforce security and compliance for mobile devices and provide a seamless user experience.
Sin No. 4—Pride
Ask just about any security architect within the top Fortune 500 ranks if they are proud of their design and they will surely say yes. But just months later, they’re on the wall of shame facing a security breach. According to a recent KPMG survey, 93% of organizations responded that they had experienced infected computers with command and control servers; 52% observed malware coming into their network that was new and previously unknown to antivirus vendors; and 79% of organizations experienced some form of data leak. But when asked why, they said that it’s not the architecture: It’s the security analysts, who didn’t see the indicators as they came through multiple-point solutions or the security program overall, for not providing the right level of staffing—anything but their architecture.
Security appliances in the data center were great at protecting your servers in the data center. But, now that attacks have shifted to your users, your security architectures need to adapt. Effective threat protection requires you to inspect every byte of traffic and use techniques such as behavioral analysis and machine learning to protect against zero-day and emerging threats.
Sin No. 5—Envy
It’s OK to be more than a little bit envious of a company that has figured out how to address the majority of its security challenges by leveraging the cloud. It’s better than buying piecemeal solutions just because another organization bought it too. In a world with boundless solutions, organizations need to make compromises between how much money they have and their level of security. And, quite frankly, we should all be modeling ourselves to be more similar to the organizations that can truly block those zero-day phishing attacks that many users will ultimately click on anyway, whether it occurs in the office, at home, or over SSL.
Fortunately, in a SaaS world, envy is a thing of the past. Salesforce, for example, is used far beyond the scope of the Fortune 100. While cloud security is quickly being adopted by some of the largest enterprises, it’s also within reach of SMBs. With cloud security, even the smallest company can afford the same level of security as organizations with billion-dollar IT budgets.
Sin No. 6—Rage
Often, IT managers blame users when they get infected with malware or fall victim to the latest phishing attack. But it’s not practical to blame a user for being infected while visiting a top-100 website that’s been compromised. The real issue to focus on is how the malware got through the current security controls. It’s the job of security professionals to keep users safe.
Blocking threats by matching signatures and destinations is no longer sufficient. To prevent attacks, security solutions need to inspect all traffic for malicious objects, JavaScript, code obfuscation, Zero-Pixel iFrames, images, and more.
Sin No. 7—Greed
Everyone wants more products, more responsibility, believing this equates to a better security stance. But there are simply too many interfaces, tools, and siloed programs to deal with, each one working in isolation, re-creating the wheel a hundred times instead of working through a consolidated front.
Thankfully, leading organizations are figuring out how to best leverage the cloud to solve these problems, elevating the entire security IT organization process to new heights. This allows security professionals to grow and scale their own capabilities far beyond what was previously believed possible.
Protect Yourself From the Seven Deadly Sins
In all, the seven deadly sins can be curbed with corresponding measures. Securely enable your business for cloud and mobility, block threats inline, distrust all traffic (inspect every byte), and eliminate information silos. Cybersecurity can make or break a business—avoid the repercussions of a breach by putting the right security measures in place. n
Deepen Desai is the director of security research at Zscaler, a cloud security provider.
It’s easy to point the finger at the users, but it is the job of security professionals to be proactive.
Cybersecurity can make or break a business—avoid the repercussions of a breach by putting the right security measures in place.