Information Security: Identifying Your Weakest Links - InformationWeek



Modern security execs use existing tools to identify areas of risk and find new ones to track, evaluate, and share their progress.


The threat of cybersecurity breaches is a top concern among CISOs and technology professionals across industries. As hackers become more advanced, IT execs struggle to identify the best methods for monitoring, identifying, and defending against security risks. 

Information security and risk management are a core focus at Interop Las Vegas, taking place this week at the Mandalay Bay convention center. Industry experts are sharing their experiences, challenges, and best practices in developing a strong cybersecurity strategy. 

In terms of identifying risk, plenty of content has centered on the idea of using existing tools to monitor security risk as opposed to investing in the many new systems on the market.

During an InfoSec session on Wednesday, Michele Chubirka, senior security architect at Postmodern Security, drew attention to the common notion that information security careers might seem like they are more focused on managing tools than defeating hackers. Modern commercial security tools are good, she noted, but nobody has the budget for them, and many security execs have to fight with other IT segments to obtain all the funding they need.


What plenty of executives don't realize, said Chubirka, is that existing monitoring systems and network devices also have security capabilities. "You probably already have more than you need" in terms of adequate technology, according to Chubirka. It's not about having the best tools; it's about having the ones that get the job done. Expensive tools aren't necessarily a quick fix.

"A good security person is looking for anomalies," Chubirka said. "That's where monitoring tools are really effective."

The right tools will be able to identify abnormalities and detect malicious activity; some already have canned compliance and security reports. She cited examples of systems, including MRTG, SolarWinds Orion, Nagios, Netdisco, and wireless management systems (WMS). "These aren't dedicated security tools," she said. "We're just using them in that way."

Chubirka also noted that a web browser can be a security tool. Firefox and Chrome have free add-ons that help with application security inspections and testing. HttpFox and Live HTTP Headers, for example, act as traffic analyzers; Groundspeed helps with application penetration testing.

Risk can also be found in third-party providers, explained IP Architects president John Pironti at another InfoSec session on Wednesday. Working with third-party vendors, service providers, and partners is a normal and growing part of business, and it is an increasing concern among information risk and security professionals.

(Image: Yuri Samoilov via Flickr)


Security is primarily about people, processes, and procedure, said Pironti. About one-quarter of the security equation is about technology. However, executives spend plenty of time protecting technology while neglecting business process and data. As a result, the barriers to entry have dropped for adversaries who have money and capabilities available to them.

Pironti advised security professionals to pay attention to the often-ignored area of supply-chain security, as the least-perceived risks can be the weakest links. "I don't think Target thought their HVAC vendor was their highest-risk network," he said, emphasizing this point.

Hackers are much more complex than they used to be, and it's important for security professionals to adopt reliable methods for tracking and evaluating progress in countering them. In another InfoSec session on Wednesday, Mike Zachman, deputy CISO at Caterpillar, said he does this at his organization with a capability maturity model.

Caterpillar's model compares the various components of the company's information security with those of competitors across the industry. Execs can assess the maturity of Caterpillar's program and capabilities to determine a desired future state and identify where improvements can be made. Results are reflected in a single graph, eliminating pages of data and improving readability for professionals across the organization.

What are your InfoSec best practices? Does the guidance above line up with your views on how to protect your organization? Tell us about it in the comments section below.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
User Rank: Moderator | 5/27/2015 | 3:02:57 PM

Finding crack points

This is going to prove pivotal as organizations adopt the IoT infrastructure. After all, there will be far more data access points and more cloud interaction. Fortunately, as the CSC CIO Survey shows, CIOs are well aware of the challenges security represents and the significance of finding weaknesses.

Peter Fretty, IDG blogger working on behalf of CSC