The Weidenhammer Blog

Critical Security Controls Permeate Everything We Do

Posted on: January 30th, 2014 | Category: Network Security

I recently attended a local security session that highlighted the Target data breach and the procedural deficiencies many organizations have in their operations.

Per the speaker, Lance Hawk of Computer Forensics & IT Security, the highly publicized data breach was the result of a compromise of Target’s Point-of-Sale (PoS) systems using malware called Dexter. The PoS hardware was infected with the malware, and that led to the disclosure of cardholders’ account numbers, credit card data, expiration dates and so on. PoS systems are slow to be patched because of regulations and store managers’ fear of “killer” patches, and that patching lag leaves them highly vulnerable to attack.

Now consider the other Internet-aware “smart” devices that are ripe for attack in your home: the Blu-ray player that streams Netflix; the new 60-inch Smart TV that offers a zillion video and audio feeds; the fabled refrigerator that e-mails you to pick up milk before you come home. When was the last time you updated your Blu-ray player’s software? When did you install the latest patches on your Smart TV? Patching is fundamental to maintaining a viable security posture.

Consider also the list of Critical Security Controls from SANS, the most recognized organization for information security training and security certification in the world. It publishes the SANS – CSIS 20 Critical Security Controls, Version 4.1: http://www.sans.org/critical-security-controls/guidelines.php. This list of controls highlights processes such as inventorying authorized hardware, software and applications; continuous monitoring of vulnerabilities, malware and application security; controlling wireless access, maintaining data recovery capability and assessing staff skills; securing network devices, ports and administrative privileges; monitoring traffic flows and audit logs; enforcing need-to-know, account control and data loss prevention; and performing incident response, network architecture validation and, finally, penetration tests.

The very last control listed by SANS is the very first control many of our clients request. The Target breach and the security expertise of SANS further validate the importance of due diligence on the processes that improve security posture. Without the first 10 measures in place, a penetration test is virtually guaranteed to succeed.

Rick Wilson

Mr. Wilson has over 40 years of experience in Information Technology and has been directing multi-million dollar technology projects since 1982. He consults on strategic planning, network architecture, datacenter design, help desk staffing, call center design, ERP selection, process improvement, organizational structure, voice deployment, telephony cost control, technology roadmaps, scorecards and KPI metrics. Mr. Wilson leads data center co-location selection projects at a national level and conducts network security audits of financial institutions. He also performs Sarbanes-Oxley audits and has analyzed the technical and financial criteria for vendor selection of a 700-site Wide-Area Network (MPLS). He has also served as an expert witness in a civil suit over an EHR deployment in the medical industry. Wilson’s recent projects include leading clients through ERP requirements definition, process analysis, vendor qualification and ERP vendor selection. He also led a business continuity project for an $11 billion bank, as well as a multi-million dollar technology upgrade for the Pennsylvania Convention Center. Wilson holds a B.A. from the University of Michigan.