"The year of the hack"—that's how many of us will remember 2014. High-profile data breaches at Neiman Marcus, Target, Home Depot, multiple U.S. federal government agencies, and most recently Sony have focused global attention on the challenges organizations face in securing enterprise networks and data. As has been shown time and time again, securing the enterprise is a complex challenge with many aspects to consider. For instance, in both the Target and Home Depot breaches, invaders gained network access through third-party vendors, highlighting the porous boundary between internal and external security. In the Target case, the breach was initiated after an employee opened a malware-laced email attachment, emphasizing the importance of security training across the enterprise. And while the FBI initially tied the Sony incident to North Korean hackers, later evidence suggested that disgruntled insiders may also have played a role in the attack.
Taken together, these high-profile breaches illustrate that vulnerabilities exist in both technical and human (social/behavioral) vectors, and exploits can originate internally or externally with purposeful or accidental actions. Accordingly, a holistic enterprise security strategy requires attention to all aspects of the business environment—including technical, strategic, policy, organizational, and human behavioral areas.
As we enter the second half of the decade, the time is appropriate for reflecting on common mistakes in enterprise security. In this article, I highlight four key mistakes made by organizations of all sizes, and in each case I provide an initial point for addressing that issue.
Key Mistake 1: Separate Camps
In many larger organizations, responsibility for implementing security resides in two separate camps:
- Application developers work to build security into the business software.
- Information security practitioners focus on building walls around the business applications.
Although seemingly comprehensive, this combination of a strong perimeter and robust application security still may not be sufficient to thwart the highly sophisticated and complex attacks launched against today's networks. The physical separation between application developers and information security practitioners can lead to knowledge gaps that prohibit tight coupling of system processes and policies, thus creating vulnerabilities in the interface and exposing the products of both camps to exploitation. This separation also encourages the growth of a cultural divide that hinders cooperation. Security gaps persist because the two camps see the world differently, speak different languages, and have different priorities.
Starting point for addressing this issue
Comprehensive enterprise security benefits greatly from an integrated approach in which security practitioners and application developers work together from project inception. Separate camps can be linked through the formation of a software security group (SSG). The SSG doesn't have to be extremely large, but SSG members should have a mix of backgrounds and perspectives. Engaging this group at the project inception provides an avenue for cross-camp collaboration. This holistic approach to enterprise security, which my co-authors and I refer to as "confluence," provides the foundation for the integration of application development, security appliances, network architecture, and policies and procedures.