Successful protection of assets, whether data, physical or human, is a mindset. Careful assessment of vulnerabilities, clear procedures, a defined chain of control and sound infrastructure are essential components, but experience has shown that these are insufficient to withstand a persistent or structured attack, where weaknesses that must necessarily exist can be exploited by their very predictability.
Just as in warfare, several lines of defence are needed. Each line should be proportionate to the risk, and no individual defensive line can be regarded as complete without maintenance - we have to keep in contact with the attackers. Obfuscation then plays a diversionary role - whilst not actually adding to ultimate protection from a specific attack, it will deter and delay casual and automated probes.
This mindset, then, is vigilant, open, flexible, and both proactive and reactive. Behind every feint, each probe and every successful breach, there is a human driver, with signature characteristics, weaknesses, reasons for attacking and escape routes. It is our task then to accurately define our position, our weaknesses and our critical assets, to deploy the necessary defence in depth, to be aware of the attack landscape from time to time, and to be ready to react to potential breaches with appropriate countermeasures.
Although beyond the scope of this overview, it is worth noting that the greatest successes in this centuries-old battle of wits between commercial and warring adversaries have been achieved through counter strokes and planned deception. When the blinding intelligence coup that yields game-changing data turns out to be a carefully planted feint, consuming the attacker's resources in obtaining and acting on it, thus diverting attention from the real target, the security can be considered successful. Not many SMBs will have the need or resources to execute such a strategy, but it is a powerful and very low-overhead approach that not only maximises defence in depth but can be a powerful offensive strategy as well.
"The best form of defence is attack" - ancient proverb
The human factor in security has long been a conundrum, and always will be - the genius instinct that leads a security officer to find the Trojan horse, or the uncharacteristically crass error of the chief information officer being owned through opening a compromised email payload - it is the human factor that defines our security. The need to educate staff about security is therefore critical, as long as they are not themselves compromised.
The need therefore comes down to a training and procedure regime that assists staff to understand the basic vulnerabilities, provides a route for those who wish to understand and help further, leading them into the essential clearances needed to have this insight, and provides honeypots for those who are not loyal. In practice, the staff at the sharp end will be the ones that see the new attacks first - spear phishing emails, spoof phone calls to gain information and access, and unusual behaviour on company networks. Providing a reporting channel which rewards staff for diligence without revealing specific usefulness is a valuable tool.
Anybody watching the corporate firewall will know that there are frequent and sometimes quite persistent attacks being made on even small companies with little apparent data to steal. Automated, and then additional manual, assessment of these logs is a valuable tool in quantifying the need for security.
Next-generation firewalls have greatly enhanced security for SMB customers. For the first time there is a cost-effective system that provides integrated anti-virus clients on the PC, together with network protection at the perimeter. Furthermore, the perimeter is now around each roaming device and each branch office, working seamlessly with the LAN perimeter we have always worked for.
Our security assessment service puts all this together in one simple "approved practice" package that gives you confidence that your data is secure, that your due diligence has been done, and that you have an insight into the type and severity of threats deflected by your security. No longer is it a hope-and-pray operation: regular testing and assessment illuminate the landscape, so your management have the facts and understanding necessary to react proportionately to the environment you are in.
"Nothing is more terrible than activity without insight," Thomas Carlyle