Schwartz On Security: First, Know You've Been Breached

Spain's national aeronautics institute found three Mariposa botnet infections on internal PCs, thanks to constant testing. But when it comes to breaches, many organizations still have their heads in the sand.
Antonio's answer is to provide more layered security, find ways of cross referencing what's happening with what isn't happening, and regularly test, compare, and contrast the latest technology. "You need to have one leg in back and one in front," he said, "because hackers are always trying something new."

Overlapping technology helps discover problems that a standalone approach may have missed. For example, in September 2010, INTA began testing three new types of firewalls, including a Palo Alto next-generation firewall. On the first day, that firewall flagged three Mariposa botnet infections running on internal PCs, despite the fact that INTA had deployed antivirus engines on all of its PCs and used intrusion detection and prevention systems on its enterprise networks.

The security team traced the problem to three PCs, running Windows 2000, used to manage warehouse inventory. While the PCs didn't store sensitive information, the infection was still troubling. How had Mariposa infiltrated the enterprise, and why were these PCs still running the old Microsoft operating system? Ultimately, the security team discovered that it had supplied three brand new PCs to replace those old warehouse PCs, but warehouse managers diverted the new PCs to become their new desktops. Meanwhile, the Windows 2000 machines remained in place, essentially off of the security grid.

The lesson: Never assume that just because a security tool isn't flagging a problem, that a problem doesn't exist and someone isn't trying to exploit it. Of course, behaviorally speaking, we tend to do the opposite – we overestimate the likelihood of good outcomes and underestimate the likelihood of bad ones. Behavioral scientists even have a name for this tendency, optimism bias, or the positivity illusion.

How can people combat this tendency? The answer, generally speaking, is to use more automated mechanisms that reduce the need for subjective interpretation. In security terms, it also includes layering defenses to help build a better, automated picture of what's actually happening on the network.

So this 2011 security resolution might sound like back to basics, but it stands to demonstrably improve enterprise security: Never stop testing new defenses and finding better ways to "layer up." Because staying ahead of attackers is going to take resolve.


Schwartz On Security: Don't Get Hacked For the Holidays

Schwartz On Security: WikiLeaks Highlights Cost Of Security

Schwartz On Security: China's Internet Hijacking Misread

Schwartz On Security: Click 'Dislike' For Facebook Safety

Schwartz On Security: Reaching The M&A Tipping Point

Schwartz On Security: Remove Dangerous Sites From Internet

Schwartz On Security: Zombie Internet 'Kill Switch'

Schwartz On Security: Can Apple Minimalism Stop Botnets?