The proper training of the personnel tasked with addressing risks and securing the infrastructure is an important consideration. A common misconception among non-technical individuals is that “someone who is really good with computers” can address any computer-related issue. In reality, computer experts specialize in particular technology areas. Security is a very specialized area and requires appropriate training and knowledge. Security professionals must be able both to identify vulnerabilities on a network and to recognize attack patterns on that network.
Perhaps the most difficult concept for management to embrace is that security professionals are in a constant state of learning. Because new attack methodologies are created as soon as new defenses are developed, it is important to track new trends and issues. This cannot be accomplished by attending one class or conference per year. New threats emerge regularly — some would argue daily — and trying to play catch up once a year is simply not enough.
Those intent on addressing security issues and risks should be actively involved in networking with other security professionals. They should also monitor security-focused websites to track postings of new issues. Knowing the issues affecting currently installed software, as well as popular operating systems, is absolutely mandatory.
When I first started studying network security, the primary focus was on perimeter defenses, such as firewalls, access control lists, and intrusion detection systems. Monitoring incoming traffic was the critical issue. Now, with the creation of bots and rootkits, it is equally important to monitor outgoing traffic. End-users are now being targeted more frequently.
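The point about watching outbound traffic can be made concrete with a small egress-monitoring check. The script below is an added example written for this page, not code from the article or its author. It reads a constructed sample of firewall-style connection records (timestamp, source, destination, port), ignores traffic that stays inside the configured internal ranges, and flags any internal host that contacts the same external destination at a near-constant interval, the regular "beaconing" pattern a bot typically shows when it checks in with a controller. The internal ranges, the jitter threshold and the sample addresses (from the documentation test networks) are all assumptions chosen for the example.

```python
"""Egress beaconing check (added example, not from the article).

Flags outbound flows whose inter-connection timing is suspiciously regular.
The log lines below are constructed for this example; a real deployment would
read the organization's firewall or proxy logs instead.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space for the example network (RFC 1918 ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample log: timestamp, source IP, destination IP, destination port.
# 10.0.0.15 checks in with 203.0.113.7 every 30 seconds (beacon-like);
# 10.0.0.22 browses 198.51.100.40 irregularly and also talks to an internal file server.
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.15 203.0.113.7 443
2024-01-10T09:00:30 10.0.0.15 203.0.113.7 443
2024-01-10T09:01:00 10.0.0.15 203.0.113.7 443
2024-01-10T09:01:30 10.0.0.15 203.0.113.7 443
2024-01-10T09:02:00 10.0.0.15 203.0.113.7 443
2024-01-10T09:00:05 10.0.0.22 198.51.100.40 443
2024-01-10T09:07:41 10.0.0.22 198.51.100.40 443
2024-01-10T09:31:02 10.0.0.22 198.51.100.40 443
2024-01-10T09:00:09 10.0.0.22 10.0.0.5 445
"""


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse lines into (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            records.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return records


def find_beacons(records, min_connections=4, max_jitter=0.2):
    """Return (src, dst, port, mean_interval_seconds) for outbound flows that look like beacons.

    A flow is reported when it has at least min_connections connections and the
    coefficient of variation (stdev / mean) of the gaps between them is at most
    max_jitter. Internal-to-internal traffic is ignored: the purpose is egress monitoring.
    """
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        if is_internal(dst):
            continue
        flows[(src, dst, port)].append(ts)

    findings = []
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((*key, avg))
    return findings


if __name__ == "__main__":
    for src, dst, port, interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst}:{port} roughly every {interval:.0f}s")
```

On the constructed sample only the 30-second flow from 10.0.0.15 is reported; the irregular browsing from 10.0.0.22 and its internal SMB connection are not. The thresholds are deliberately loose so the heuristic fits in a few lines; in practice a finding like this is a prompt to look at the host, not proof of compromise, and legitimate software updaters and monitoring agents will also check in on a schedule.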
Younger employees are now much more technically sophisticated than in previous generations and are more likely to install unauthorized software or connect personal devices to the network or systems. In one organization, an employee actually used client credit card numbers to shop online during business hours.
Network risk management is a complex process requiring time, resources and skills; however, with the proper planning and research, organizations can address threats in a timely and cost-effective manner.
John Mallery is a managing consultant for BKD LLP, where he works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of “Hardening Network Security,” published by McGraw-Hill. He can be reached at email@example.com.