Anyone worth their salt in information security will tell you a solid defense is built upon multiple layers of technology, policy and practice. That's defense-in-depth.
The technology layers are a critical piece of that puzzle -- of course. But companies that suffer a major network breach have frequently failed on a more fundamental level. Here are the deadly network security sins experts say are rampant in the corporate world. Avoid these sins and you will have taken a critical step toward a secure network.
1. Not measuring risk
This sin typically involves a failure to take a thorough measurement of the company's most important assets and network configurations surrounding those assets. As the saying goes, you can't protect the crown jewels without first knowing what they are and where they are.
Chuck McGann, manager of corporate information security services for the US Postal Service, is among those who cited the "failure to have a network topology diagram or discovery software to identify what is on your network and what it is doing."
When a company fails to take an accurate measurement of risk, the powers that be are often lulled into the false sense of comfort that comes with simply having antivirus software and a firewall, says Michael Leigh, senior information security manager at Cisco Systems. The bad news here is that some of that technology can become the very problem the organization sought to prevent.
"I find that a number of organizations believe their security appliance/devices (routers, firewalls, switches, etc) are secure and do not layer their defenses around these devices," Leigh says. "Too often these devices are the toe hold into an organization."
Ken Smith, a security solutions architect at Forsythe Technology, says implementing security controls and policies without first understanding business needs and requirements is a problem he has witnessed many times. "It's the primary reason that security practitioners are often thought of as rigid or not adding value to the organization," he says. "When this is the case, users will come up with workarounds that could be worse than the problem you are trying to prevent in the first place."
2. Thinking compliance equals security
Typically the sin committed by upper management, this is the case where a company has invested a lot of time and treasure on meeting the requirements of government regulations and industry standards like HIPAA or PCI DSS, then dropping the ball once all the boxes on a compliance checklist have been checked off.