Most people reading this article will not remember when these famous words were first broadcast. It was at the end of a speech by Winston Churchill on February, 9th 1941. What he said was this:
“We shall not fail or falter; we shall not weaken or tire. Neither the sudden shock of battle, nor the long-drawn trials of vigilance and exertion will wear us down. Give us the tools, and we will finish the job.”
It was a speech aimed at raising and maintaining the morale of the British public in the early part of WWII. In it Mr. Churchill referred to the success in winning the Battle of Britain and to the progress being made overseas. Not insignificantly he was at pains to point out that America was now supplying Britain with armaments. “Give us the tools………”
In the modern world the fight against cyber attacks, cyber terrorism, cyber blackmail and all forms of hacking can be likened to a war. A different type of war. One with very few physical casualties but with very serious financial consequences. One where you may never see your enemy. Where you may not even be aware that you have been attacked until serious damage has been inflicted. No explosions, No gunfire. Just a silent, insidious intrusion in to your computer systems. This war not only pits individuals against corporations and corporations against corporations but also individuals against nations and nation against nation. Just who did create Stuxnet?
To fight the enemy Security professionals need to keep asking “Give us the tools…….”.
The tools are many and varied and include Government legislation, International standards on Information Security Management Systems (ISMS), Anti Virus (AV) desktop solutions, network IP filtering devices (Firewalls, IPS, IDS, UTM, DLP), data encryption solutions, DDoS solutions, penetration testing solutions etc.
Some people may be surprised at the inclusion of Government legislation as a tool. However, this is quite weak in the area of computer security. In the UK, apart from the Telecommunications Regulations Act 1998, the Data Protection Act 1998 and the Computer Misuse Act 1990, there is no mandate on how systems should be protected against attack. There is an ISO standard for best practice in the area of ISMS – ISO 27001 – but is there a case that this should be mandated through law for all corporations and Government bodies?
Part of “best practice” for ISMS is the use of Firewalls, IPS, IDS, UTM, DLP. These are very important in attempting to prevent unauthorized access to computer networks and systems. Correctly configured and maintained IP filtering devices can be highly efficient in preventing hacking. Of course the key words here are “Correctly configured and maintained”. Many companies deploy such devices and then fail to keep them up to date with the latest attack signatures, which can quickly reduce their effectiveness. In some cases they are only updated prior to an annual penetration test performed for compliance with regulatory standards (PCI DSS, Data Protection Act, Sarbanes-Oxley, HIPAA, Basel III etc.).
There are many reasons why updates are not applied but the effects can be serious. Best practice dictates that these devices should be tested on a regular basis (penetration tested). This should involve taking the latest attacks and attempting to push these through the defenses to see what weaknesses exist. When an attack is shown to get through the device should be updated immediately with the correct security rule. To make compliance easier, and less expensive, a record should be kept of all testing showing the before and after results.
So, testing needs to be done continuously. It needs to be done cost effectively. It needs to be done with a constantly updating library of attacks. It needs to be done without impacting on the efficiency of the network. It needs to be done with a tool that provides all this and is easy to use.
About the Author:
Will Hogan | Vice President of Marketing and Sales | Idappcom
Will has been in the I.T. industry for over 31 years after initially training in Management Accountancy. He has held positions in general management, financial management, project management, sales management, channel management, marketing, systems analysis and application development. After working in IT Management with a large wholesale organisation he moved to the Netherlands to work in application development / consultancy and project management for three years. Following this he worked in software sales with SSA (a major US vendor of ERP) for 12 years and sat on the EMEA regional management board as General Manager of Channel Partners EMEA, after which he was the Managing Director of IDvelocity, a US Data Collection and Mobile Computing Software company. After living in the USA for three years working for Falk Companies, where he was Vice President of Sales & Marketing and Business Administration, he joined Idappcom.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.