Yearly Archive: 2009

By Daniel Gottilla

Information Security in the Movies

For most people, information technology is not the stuff of action and heroics. Information security and the Internet bring to mind images of uptight computer programmers and tech support workers who know much more about your computer than you ever thought possible.

To be fair, there is quite a bit of room for intrigue in the world of information security; hackers have been able to do everything from fixing radio contests to stealing millions of dollars from cell phone providers. In most cases, however, the damages are more about spending time and money rebuilding a system that hit a few snags and slowed down the company email servers.

That’s probably why Hollywood portrayals of information technology tend to be a little far-fetched, if entertaining. From spies to fast-paced action, the big screen offers a number of ways to view IT in a new light. If you’re in the mood for some IT that doesn’t involve the workday, you might want to consider picking up one of the following “information security” films.

  • WarGames
  • Firewall
  • Hackers
  • The Net
  • Matrix
  • Sneakers
  • Tron
  • Johnny Mnemonic
  • Independence Day
  • Swordfish
  • Takedown
  • Pirates of Silicon Valley
  • Enemy of the State
  • Mission Impossible

By Daniel Gottilla

When it Comes to Vulnerability Management, Variability is Key

If you’re implementing or considering implementing a vulnerability management plan through an IT support firm, one of the top things to look for is variability in the range of services. At its core, vulnerability management is all about putting a safety net underneath your system – and the wider you spread that net, the better your chances of catching anything that falls. That’s why we recommend that you never rely on just one type of vulnerability tool to provide you with all the security measures you need.

Of the types of tools available, the top ones include:

  • Vulnerability assessments and metrics, which provide quantifiable results on your existing applications and infrastructure. Only by determining where your weaknesses are and how important they are to your business can you address your problems with the ideal (and most cost-effective) approach.
  • Information security scans and penetration tests, which support vulnerability assessments by actually getting into the holes in your system. By simulating a hacker or virus attacking your system, you can determine where you need the most work.
  • Restorative measures and patches, which provide the repairs to those vulnerabilities identified during the preceding steps. Discovering weaknesses isn’t enough; you have to take steps to repair them.
  • Data and disaster recovery plans, which provide real-time results if the unthinkable occurs. While preventative measures are best, you also have to have the framework in place to deal with disasters after they occur.

Regardless of what type of business you’re in, it is the combination of all these that offers the maximum layer of protection. That’s why you should discuss comprehensive vulnerability management options with any IT company you’re considering. If they can’t provide one of these vital steps, you may be missing out on a key component of information security as a whole.

By Daniel Gottilla

Information Security: When All the Planning in the World Isn’t Enough

No matter how proactive you are about your information security needs or how many walls of protection you have up against attackers, there will always be a level of threat. That’s because one of the biggest reasons hackers and malware are able to exploit so many businesses is that they make it a point to find new, innovative ways into even the most secure systems. Whether they’re doing it for the challenge or to exploit businesses known for their great security, the outcome is that all companies are in danger of being infiltrated by methods even the best IT professionals have never even considered.

Consider the following scenario:

A company does everything in its power to maintain a cutting-edge vulnerability management plan. Their IT department runs regular scans, patches the necessary holes, and does an annual overhaul of the entire system. They comply with all regulations for information security and have a great national reputation. However, a previously unknown weakness is exploited by a hacker, and all of their client information is now in the hands of identity thieves.

The problem with this scenario is not a lack of planning – the company did everything within its legal responsibilities to keep their system secure. However, what they didn’t do was prepare for zero-day exploits, which are those pesky new ways in that hackers and malware discover while you’re busy running your business.

That’s why the best vulnerability management plans are those that take zero-day exploits into account. By increasing the level of system monitoring and putting an emergency plan in place, you can minimize the damages that may occur when this sort of attack occurs. Businesses can also create a security infrastructure that makes it difficult for attackers to navigate the system or find the information they’re looking for once they are inside.

Because this kind of security planning can be more complicated and in-depth than what your IT staff is accustomed to (or able to fit into the workday), IT consultants are a great option. Not only can you put your security in the hands of someone whose sole job it is to protect your company, but you’re hiring a group of professionals who make it their priority to know what’s coming next on the hacking horizon.

By Daniel Gottilla

IT Consultants Look at the Big Picture

If you’re a large corporation or a company with a strong technology focus, hiring an IT consultant might seem like a wasted expense. After all, you’ve got all the experience and training you need to implement an effective vulnerability management plan right on site.

However, one of the drawbacks of relying on your own expertise to tackle all your information security needs is that you often bypass one of the most important steps in vulnerability management: looking at the big picture.

Your business is an organic, flexible entity that grows and changes. Because IT provides much of the backbone of the business, it’s important that it remains organic and flexible, as well. Part of doing this means being able to assess what types of vulnerability issues pose a threat beyond the immediate and obvious security issues: you need to be able to make assessments based on the future of your organization and the nature of information technology as it stands both today and tomorrow.

For example, most businesses will prioritize vulnerability issues based on immediacy: which ones are the most important for safety issues right now. While this is going to be a good idea nine times out of ten, there are situations in which keeping all your focus in one area is going to adversely affect your business operations.

Most of the time, companies have to keep in mind such factors as federal compliance, threat relevance, business value, exploitability, and impact. Several of these factors are captured by the Common Vulnerability Scoring System (CVSS) scale.

An IT consultant helps by creating a number of what-if scenarios for you. This way, instead of following a rote chart of immediacy, you keep practical business considerations in mind. You can weigh the pros and cons of all your options so that your resources are being put to use in the best way possible.

By Daniel Gottilla

Tech Tip: Upgrade Your Policies and Procedures

So much about vulnerability management has to do with technology. From the hardware and software you use to the communications tools you rely on for remote employees, most information security measures address what you can do to make the technology safer. That’s why so many businesses rely on their IT departments and IT consultants to help them create and maintain their systems.

However, there is another aspect to vulnerability management that has little to do with the equipment you use: policy and procedure management. Considered the real “business” side of running a business, the policies and procedures you present to your employees are the backbone of your company. Your policies and procedures determine a standard for activity, morality, and business practices. They also provide a written resource for use across the board.

That’s why any good vulnerability management plan will include a look at your IT policies and procedures. When done correctly, this means you will address:

  • Employee rights and responsibilities
  • Data confidentiality issues
  • Personal computer best practices
  • Routine maintenance and repair
  • Workstation configuration
  • Risk management
  • Security procedures
  • Damage control

Putting these types of issues into writing and integrating them into company policy means that you have an additional layer of protection – especially when it comes to legal issues arising from federal information security standards.

After all, you can’t watch all your employees all the time, but by enforcing a general standard company-wide, you can ensure that you’re doing your best to cover all your bases when it comes to information security.

By Daniel Gottilla

Vulnerability Management: Beyond Patching

Much of the time, businesses associate vulnerability management with patching and other types of IT repairs. To an extent, this is true; a large part of protecting your network against potential damages is to find the holes in your system and repair them.

However, patching is really only a temporary IT solution. Over time, continually relying on patches can start to wear on a system to the point where the solution becomes a problem of its own. It’s a lot like a favorite pair of jeans. One or two holes can be fixed with a needle and thread or a funky patch, but there comes a point where your original pants are all but gone, and what you’re looking at is a collection of mismatched repair jobs.

There are a number of reasons why this might put a strain on your system – and your bottom line.

  • Some patches aren’t adequate to fix an entire problem. They may provide an immediate solution, but without follow-through work, the hole might simply reappear.
  • Patches typically work for one issue only. You might be required to install several patches for several different holes; this is neither time-effective nor cost-effective in the long run.
  • Your entire system can be burdened by “over-patching.” Instead of one streamlined system, you’re relying on a bulky system that may require additional time for processing data.
  • Relying on patches means you stop looking at the bigger picture – a good, well-working system. Instead of spending a few hours every week addressing problems on your out-of-date system, you could upgrade your network and let your system operate at its maximum potential.

System patches do have a time and a place in IT vulnerability management – they can secure your system and let you get back to the job you do best. However, if you find yourself spending more than a few hours a month addressing patches, or if your system hasn’t been upgraded (or checked by an IT professional) in a year, it might be time to readdress your vulnerability management plan.

By Daniel Gottilla

I’ve Done an Information Security Scan. Now What?

Most companies already know that doing regular information security scans is good business. After all, by being proactive with your IT network, you can find weaknesses before they are exploited by hackers, malware, or simply overuse by legitimate customers. However, part of using information security scans effectively means doing more than getting that regular update: it also means doing something about it.

Vulnerability scanners and other information security scans have become a common part of almost any company that deals with technology and communication. Today’s most popular scans are faster, more accurate, and more effective at finding weaknesses than ever before – and they can be implemented by the most rudimentary IT staff.

However, one of the biggest problems with these information scans is that they only solve half of the problem. They are adept at discovering weaknesses and problems, and alerting you to them. They are not programmed to actually deal with these problems or even tell you how to go about doing it on your own.

That’s why any good vulnerability management plan will help you determine not only where your weaknesses are, but what you can do about them. For example, you will need to determine:

  • How important or dangerous each scan finding is, and how to prioritize them accordingly.
  • What types of remediation strategies are available, and which ones are the best fit for you.
  • How to patch, reconfigure, or upgrade your network to “fix” the problems determined by the scan.
  • What the next steps are in keeping the system secure and up-to-date.

That’s why many companies turn to IT consultants or professional IT firms that specialize in vulnerability management for help. While it certainly is possible (and cost-effective) for companies to run their own information security scans, it can really help to have that professional guidance to make sure all the findings are addressed appropriately. In this way, information scanning is a lot like breaking a bone; while the x-ray technician may be great at discovering where the problem lies, you really want the doctor to set the bone. It’s the only way to heal properly and efficiently.

By Daniel Gottilla

Understanding Information Security Scans

Information security scans are programs that search your IT network for areas that might need repairs, changes, or other alterations to strengthen your system. There are a variety of different types of scans, and many businesses rely on a combination of features to get the most out of their vulnerability management program.

When choosing or working with your IT department to determine what kind of information security scan will work best for you, you’ll need to consider the following:

  • Automation – Some information security scans can be set to run automatically on a weekly, monthly, or quarterly basis. Like most types of virus protection, these scans will alert you to any weaknesses or damages so that you can make the proper repairs. They are also similar to virus protection software options in that running the scan can slow down your operating systems.
  • Penetration Testing – Penetration testing is basically your way of becoming a “hacker” into your own system. Your goal is to find a way in – only instead of getting in to do damage, you want to find the doors and effectively seal them off against future attacks.
  • Data Compilation – Much of the time, the information you get from an information security scan is highly technical and specialized. While some types will allow for automatic repairs, you may need to call in an IT consultant to help you interpret the results and take appropriate actions.
  • Regular Reviews – Because the Internet and information technology are always changing, the protective walls you have today might crumble by next month. If you aren’t using an automated scan (or if your automated scan needs an update itself), you might need to implement regular information security reviews into your company policies.

If you’re in any business that works with clients or communicates on a daily basis (and who isn’t?), information security scans are a must-have. There is no better way to ensure compliance with federal and business regulations and to keep your company running as effectively as possible.

By Daniel Gottilla

What Exactly Is Vulnerability Management?

Vulnerability management is a bit of an IT buzzword these days. Many companies use it to mean everything from specialized information security measures to standard IT support – with plenty of room for interpretation in between. This can be confusing for businesses that simply want to know what they can do to make their business run more effectively.

At its core, vulnerability management is simply a way to address IT weaknesses in all aspects of computers and communication. From finding and reviewing IT issues to preventing problems and repairing them once the damage is done, vulnerability management is a way to keep your business running safely and efficiently – no matter what’s happening out in the big, bad world.

Some of the primary components of vulnerability management include:

  • Security reviews, including penetration testing or other quantifiable measures
  • Prioritizing vulnerabilities based on the potential for danger as well as the feasibility of addressing them
  • Implementing solutions where needed
  • Strengthening areas that carry the potential for weaknesses later on
  • Regular reviews and updates
  • Employee training to ensure proper use of all information security measures
  • Company-wide policy and procedure creation
  • Capacity planning for expected (and unexpected) company growth
  • Disaster recovery planning and damage control in the event of a catastrophe
  • Ensuring compliance with federal and state information security codes

Of course, your business will dictate exactly how in-depth each of these categories is and how much time and money you’re willing to put into your information security network.

At the end of the day, vulnerability management is really just a way to safeguard the way you communicate and secure customer information. It doesn’t matter whether you serve one hundred clients or one million; your business is only as good as the IT network you have backing you up.

By Daniel Gottilla

Choosing Hardware with Information Security in Mind

Information security is typically one of those things that businesses consider after they already have all their equipment and networks in place. Like purchasing insurance or other protective measures, the leading mindset is that information security is like a blanket that goes over existing hardware and software, keeping them safe from malicious attacks or other breakdowns.

However, one of the best ways to have the most secure system possible is to consider information security before you start making equipment purchases and setting up your network. In this way, you can cut costs over the long term, since you’ll be taking into account issues like hardware weaknesses, capacity planning, and the growth of your business.

For example:

  • Mac computers tend to get far, far fewer viruses than PCs. There are fewer Mac users out there; therefore, it is less productive for hackers to make malware geared toward Macs. The end result is a system with a lower likelihood of attack.
  • Wireless systems and networks within the business structure are more difficult to secure than landline networks. This is because wireless systems (even protected ones) are more vulnerable, especially when employees are working remotely.
  • Onsite data storage makes saving your backup files easier, but it also poses a risk when it comes to issues like physical accidents and break-ins. Creating a system with offsite storage in mind can save time and money when it’s done upfront.

Although not all of these options are right for every business, the basic concept is the same: the hardware you choose to set up your business infrastructure will dictate how much time and money will need to be invested in information security.

That’s why bringing in an IT consultant early can be a smart—and cost-effective—business choice. Not only will you get the most secure business system possible, but you’ll also be streamlining everything about the way you do business.