A CSO’s quick guide to data security and disaster recovery
Network Box USA (www.networkboxusa.com), the American division of Network Box Corporation Limited, is a leading Managed Security Services Provider (MSSP). The company was formed in response to the increasing danger posed by security breaches, virus attacks and similar threats arising from widespread use of the Internet. It was recently named a strong performer in The Forrester Wave™: Emerging Managed Security Service Providers, Q1 2013 Report. Since 2000, it has served hundreds of global companies, organizations, and government agencies with award-winning, state-of-the-art cyber security built on the Network Box’s comprehensive protection, real-time technology. Network Box USA protects more than 150 U.S. banks and credit unions.
Info Security PG: What are the top security issues facing IT organizations today?
Pierluigi Stella: In my opinion, the top issue is the lack of knowledge on the part of users. The reasoning is simple; a trojan is an executable; hackers can't just send it to you - anyone with a shred of protection will block executables unless their source is well identified and authorized. So what they do is they craft emails which look almost real, and entice users to click on a link. That seemingly innocent act bypasses most protections, because the systems see it as a "user request"; and then we have game over - the trojan is downloaded and from that point on, the hacker is in control. If the users were more aware of this form of social engineering and understood that they need to think before clicking, this strategy would be far less successful. Therefore, rather than chasing the next great technology, make it the year of security awareness, train your users to adopt a safer behavior, send them spoofed emails as part of the training, and make sure they all understand they need to stop clicking! If it looks suspicious, it probably is.
Yes, I could have mentioned BYOD, Cloud, DDoS and so forth. But the fact of the matter is, safe behavior goes much further than any other conversation we can have on technologies.
If we really want to talk technology, then I suggest taking a closer look at the real savings of BYOD - are there any? I personally have yet to see numbers to convince me the savings are worth the risks and the headaches; you’re just shifting headaches from one chapter to another, and complicating your security life. Is it really worth it?
Cloud - it is truly inevitable; if you wish to save money and keep abreast with the times, you can't say no to the cloud. So, as a CSO, you need to embrace it, understand that it is indeed possible to secure it - just treat it as your LAN, make it part of your perimeter. If you have web facing applications in it, use WAF and DDoS protection; if you only run backups, secure them with a strong firewall and IPS.
Another place I would look closely is outbound data leakage. When we think data loss, we typically think hackers; forgetting that our users have a much easier access to data than hackers do. Employees accidentally or intentionally leaking data are a fact, and companies need to pay stringent attention to the possible need for a strong DLP solution.
About Pierluigi Stella
After 15 years at IBM, Pierluigi Stella co-founded Network Box USA (the American division of Network Box Corporation Ltd) in 2003. As CTO, he has extensive knowledge of security issues with emphases on the financial; banking; hospitality and travel; healthcare; and education sectors. Stella is frequently quoted by IT and security industry press, and is a sought-after writer and speaker. He holds a Master’s Degree (Magna Cum Laude) in Electrical Engineering from the University of Naples, Polytechnic School of Engineering in Naples, Italy. He has received numerous industry recognitions for notable career achievements in addition to being the recipient of excellence awards for innovative design.
Info Security PG: What common mobile threats are possible with BYOD? What threats are possible ahead if proactive measures are not taken sooner?
Pierluigi Stella: Up until now, the threats we’ve seen have, for the major part, targeted the device user. Case in point, software like Zeus for mobile will steal your bank information and suddenly, you’ll start seeing your money ‘flying’ to Eastern Europe. Theft of personal information has also been rampant. What we haven’t seen, yet (and I speculate we will soon), is an attack of grandiose size on a corporate network, using a mobile device, at least as a bridge, to kickstart the attack. There are threats that can cross platforms and infect workstations from mobile devices; actually, an email not properly scanned, sitting on any such device, could end up on a workstation and infect your network. There numerous vehicles of attack that can be predicted. And that is why I am (and always have been) a proponent of no BYOD. I see no advantage, little control and lots of security headaches. Show me the real savings and maybe I’ll change my mind.
Info Security PG: What broad steps must be included in a CSOs data recovery plan?
Pierluigi Stella: Data recovery doesn’t fall entirely under a CSO'sresponsibility, i.e., a CSO is tasked with securing the data so it doesn’t need to be recovered. If you’re recovering data because of a hack, the CSO has failed from the onset in my books. Nevertheless, participating in the conversations on the subject, you want to ensure your backups are protected as the source data is. If you choose a cloud backup solution, check the viability of the provider - how is their security, where is the data, how is it shared, who has physical access to it, what SLA do they offer, what type of security audit do they undertake, and so forth. There are many questions that could be raised; but they all point to just how secure will your data be, and how easily and quickly can you recover it if necessary, or, on the flipside, or destroy it. One point to keep well in mind, a data recovery plan is not just about the backup; we often forget the word "recovery" is the most important part of the project. You don't backup your data for the sake of it; you do it so that when you need it, you can restore it - have some clearly specified and well tested procedures to recover your data when you need it. I think you’d agree with me that secure or otherwise, if you can't recover it easily, it's not at all useful.
Company: Network Box USA 2825 Wilcrest Dr. Suite 259, Houston TX 77042 U.S.A.
Founded in: 2003 CEO: Pierluigi Stella / CTO Head Office in Country: United States Products and Services: Managed Security Services Provider Company's Goals: To continue to pave the way in terms of innovation and leading-edge technology, and consistently provide our customers with high quality solutions to ensure that together, we remain at the forefront of the battle against internet security threats. In a recently released report on the emerging MSSP space, Network Box USA was identified as a strong contender -- it is our goal to become a recognized leader within the marketplace. We intend to actively grow and expand upon our VAR network throughout North America. Through focusing on key verticals and the Network Box managed security solution which offers unparalled support, we anticipate aggressive growth in the number of strategic North American VARs during the next twelve months. This increment will, in turn, generate aggressive revenue growth for us and our resellers.
JOIN NOW THE CYBER SECURITY WORLDWIDE COMMUNITY ON LINKEDIN