Monday, February 21, 2011

Ease of Use vs. Secure

Every day there is news of a security breach. A hacker has attacked a website with a DDoS, or malicious code has infected an employee's computer and spread to the rest of the office. These types of security breaches may not have happened to you yet, but they do happen, and eventually they will happen to your network. The question is: are security events such as these completely preventable? The answer is no. What we can do is mitigate these types of events by applying a simple security axiom I have taught for many years in my security classes: "Ease of Use vs. Secure".

IT security departments are constantly torn between business directives and security directives. On one hand, administrators need to balance the needs of users with the needs of security, yet the two sides work in a vacuum most of the time in IT. If something done in IT is considered "Ease of Use", meaning it is easy for the administrator to create or implement, then it probably is not very "Secure". On the other hand, if something is "Secure", it is likely to be more intensive to create or implement and not very easy for users to use.


As you can see in the diagram above, with "Ease of Use" on one end and "Secure" on the other, business needs for users tend to be less restrictive, while IT needs tend to be more secure. If IT implements things that satisfy user needs and not security needs, eventually there will be a breach. However, there can be a happy medium between the two so that security breaches are less likely to happen.

Let's take a look at an IT practice to see how this really works.

Last month Vodafone learned a hard lesson about users sharing passwords that access a customer database. Vodafone's Breach

Vodafone's practice of allowing shared passwords within the company ("Ease of Use") was easier for users and administrators, but it was not a secure practice. Although Vodafone rectified the issue, it should never have been allowed to happen in the first place. Does your company practice "Ease of Use" or "Secure"?
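One way an administrator can tell whether a "shared password" practice has crept into their own environment is to look at authentication logs for a single account being used from several different hosts in a short window. The script below is an added example written for this post, not code from the original article or from Vodafone; the log format (`timestamp user=... src=... result=...`) and the sample lines are constructed here for illustration, so adapt the regular expression to whatever your database or directory server actually records.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from the post). One event per line.
# "custdb_ops" is a group account used from three hosts within half an hour;
# "alice" always logs in from one host; "bob" uses two hosts many hours apart.
SAMPLE_LOG = """\
2011-01-17T08:55:02 user=alice src=10.0.4.11 result=success
2011-01-17T09:02:11 user=custdb_ops src=10.0.4.17 result=success
2011-01-17T09:05:40 user=custdb_ops src=10.0.9.3 result=success
2011-01-17T09:06:13 user=custdb_ops src=172.16.2.8 result=failure
2011-01-17T09:31:59 user=custdb_ops src=192.168.77.5 result=success
2011-01-17T10:14:27 user=alice src=10.0.4.11 result=success
2011-01-17T07:00:00 user=bob src=10.0.4.20 result=success
2011-01-17T19:30:00 user=bob src=10.0.5.21 result=success
"""

# Assumed log line layout; change this to match your own server's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Turn raw log text into a list of event dicts, skipping malformed lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unrecognised line: ignore rather than crash the sweep
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
            "user": m.group("user"),
            "src": m.group("src"),
            "result": m.group("result"),
        })
    return events


def find_shared_accounts(events, window_seconds=3600):
    """Return {account: sorted distinct sources} for every account that had
    successful logins from two or more different hosts within window_seconds.
    Failed attempts are ignored: a guessed password is a different problem
    from a deliberately shared one."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        sources = set()
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                # events are time-sorted, so once b is outside the window
                # every later event is too
                if (b["ts"] - a["ts"]).total_seconds() > window_seconds:
                    break
                if a["src"] != b["src"]:
                    sources.update((a["src"], b["src"]))
        if sources:
            flagged[user] = sorted(sources)
    return flagged


if __name__ == "__main__":
    for account, hosts in find_shared_accounts(parse_events(SAMPLE_LOG)).items():
        print(f"{account}: successful logins from {len(hosts)} hosts within 1h: {hosts}")
```

With the default one-hour window only `custdb_ops` is reported; widening the window to a full day also catches `bob`, which shows why the threshold should be tuned to how your users actually move between workstations before the report is acted on. Each flagged account is a candidate for replacement with individual credentials, which is the "Secure" end of the axiom above.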


- Tom Pruett, Cisco & Security Expert; MCT, CTT+, CISSP, CWNA, CEH, CHFI, CCSI, CCNA, MCSE LinkIn with Tom
