Kaseya Industry Alert

Avoiding the Seven Deadly Sins of IT Security

A holistic, forward-looking and flexible IT security strategy can help organizations avoid common pitfalls and meet security threats head on in a cost and time efficient manner.

www.kaseya.com

Security is full of assumptions. Organizations think they’re covered, that their networks are safe, systems are updated and that their critical data is protected. In actuality, assumptions are dangerous, taking administrators off their guard while making users complacent. You could even say that assumptions are sinful, causing actions and reactions that put organizations, data and users at risk.

We asked Scott Crawford, managing research director for analyst firm Enterprise Management Associates (EMA), to identify the Seven Deadly Sins of IT security and how organizations can avoid these pitfalls.

Deadly Sin #1: Ignorance

“Prevention is more important than detection.”

Crawford says that there is no sin greater than thinking you can prevent security threats from breaking into your IT environment. Organizations need to recognize that they have already been penetrated, and malicious code is waiting on a server, someone’s laptop or a mobile device to steal information or wreak havoc. Detecting these threats is just as important as preventing them, and a successful security strategy needs to embrace both strategies to keep the organization safe.

Situational awareness is key. Organizations need to know their current security posture, where the defenses lie, where there are vulnerabilities and whether end points are patched and up-to-date on maintenance. A security strategy that stresses prevention and detection will help you mitigate the effects of threats.

Deadly Sin #2: Unpreparedness

“We have anti-virus so we’re covered.”

Most security strategies are focused on specific threats, whether it’s antivirus, network security or phishing attacks, but hackers today are sophisticated enough to evade conventional defenses. Organizations need to better understand where the last line of defense stands and develop a comprehensive and holistic security strategy that is able to break down the silos of defense and create awareness. Data flows freely throughout the IT environment from systems to the network to the data center, and information needs to be protected at all levels and stages.

According to Crawford, this is where IT systems management (ITSM) solutions come in. They have the framework in place to follow data throughout the environment and the ability to embrace a holistic approach. ITSM solutions already have processes in place to remediate issues in addition to providing defense and awareness.

Deadly Sin #3: Neglectfulness

“We scan regularly for vulnerabilities.”

While scanning is a critical part of vulnerability management, it only covers the assessment and not the remediation aspect of preventing attacks. Organizations also need an action plan to combat threats and bring systems and the network back to normalcy. Crawford suggests the PDCA plan of action, which stands for Plan, Do, Check and Act.

Scanning encompasses the planning and doing aspects of the plan, but organizations also need to monitor for deviations in systems’ status and then have a plan of action that administrators can use to remediate issues. According to a study conducted by EMA, organizations that define, follow and enforce policies report having half as many instances that require remediation as organizations that lack enforcement mechanisms.

Deadly Sin #4: Short-Sightedness

“Our defenses are up-to-date.”

Organizations shouldn’t plan to just win the day; they need a forward-looking strategy that prepares them to confront security threats that may come up in the future. The nature of attacks is changing daily—essentially mirroring the changes in technology. Consider that viruses used to be spread on five and a half inch floppies. Then they spread through the internet and email. Now the battleground is on social media and mobile devices.

Crawford says that organizations need to have flexibility in action, insight and integration. What he means by that is having a framework in place that allows you to respond to future issues through configuration changes, recoveries and restores. ITSM solutions need to provide you with visibility into your IT environment and individual systems. And new strategies, policies and tools need to be able to interoperate within your existing environment.

Deadly Sin #5: Pride

“Security can’t be measured and managed like other aspects of the business.”

Crawford says that this is simply not true. Organizations can measure security in any number of metrics, including the percentage of systems covered and uncovered, the percentage of successful security updates versus failed updates and the rate of patch latency. It’s not easy to collect this information, but that’s where automation comes in.

In addition to enabling this automation, ITSM solutions can audit the network to identify known assets and their security status, ensuring security policies are being met fully across the entire organization while uncovering previously unknown exposures. Trends can be analyzed to demonstrate progress and determine need. Crawford suggests visiting benchmarks.cisecurity.org for more information about what security metrics are important.
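The metrics named above (covered versus uncovered systems, successful versus failed updates, patch latency, and assets the audit finds that the management tool does not know about) are simple to compute once an inventory exists. The script below is an added example, not Kaseya’s or EMA’s code; it runs over a constructed endpoint inventory and a constructed list of hosts seen by a network audit (every hostname, count and date is made up) and reports the four figures. Patches that were never installed are reported as open and aged from their release date, so a missing patch cannot hide from the latency figure simply by never being installed.

```python
"""Security metrics over a constructed endpoint inventory (added example).

Computes coverage, update success rate, patch latency and unknown assets
from sample data. All hosts, counts and dates below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from statistics import median


@dataclass
class Endpoint:
    hostname: str
    managed: bool                 # True when the management agent reports in
    updates_ok: int = 0           # security updates that installed successfully
    updates_failed: int = 0       # security updates that failed to install
    # (patch release date, install date or None if the patch is still missing)
    patches: list = field(default_factory=list)


# Constructed inventory as the management tool knows it.
KNOWN_ENDPOINTS = [
    Endpoint("ws-01", True, 12, 0,
             [(date(2012, 3, 13), date(2012, 3, 15)),
              (date(2012, 4, 10), date(2012, 4, 12))]),
    Endpoint("ws-02", True, 10, 2,
             [(date(2012, 3, 13), date(2012, 3, 30)),
              (date(2012, 4, 10), None)]),          # April patch never installed
    Endpoint("srv-db", True, 8, 1,
             [(date(2012, 3, 13), date(2012, 3, 14)),
              (date(2012, 4, 10), date(2012, 4, 25))]),
    Endpoint("lap-07", False),                       # listed, but no agent: uncovered
]

# Constructed result of a network audit: hosts actually seen on the wire.
AUDITED_HOSTS = {"ws-01", "ws-02", "srv-db", "lap-07", "printer-3f"}

# Constructed reporting date used to age patches that are still missing.
AS_OF = date(2012, 5, 1)


def coverage(endpoints):
    """Percentage of systems covered (managed) and uncovered, as a tuple."""
    total = len(endpoints)
    covered = sum(1 for ep in endpoints if ep.managed)
    covered_pct = round(100.0 * covered / total, 1)
    return covered_pct, round(100.0 - covered_pct, 1)


def update_success_rate(endpoints):
    """Percentage of security updates that installed successfully."""
    ok = sum(ep.updates_ok for ep in endpoints)
    failed = sum(ep.updates_failed for ep in endpoints)
    return round(100.0 * ok / (ok + failed), 1)


def patch_latency(endpoints, as_of, sla_days=14):
    """Days from patch release to install, plus patches still open as of `as_of`."""
    installed, open_patches = [], []
    for ep in endpoints:
        for released, installed_on in ep.patches:
            if installed_on is None:
                open_patches.append((ep.hostname, released, (as_of - released).days))
            else:
                installed.append((installed_on - released).days)
    return {
        "median_days": median(installed) if installed else None,
        "max_days": max(installed) if installed else None,
        "open": open_patches,
        "open_over_sla": [p for p in open_patches if p[2] > sla_days],
    }


def unknown_assets(endpoints, audited_hosts):
    """Hosts the audit saw that are absent from the managed inventory."""
    return set(audited_hosts) - {ep.hostname for ep in endpoints}


def report(endpoints=KNOWN_ENDPOINTS, audited=AUDITED_HOSTS, as_of=AS_OF):
    """All four metrics in one dictionary, suitable for trending over time."""
    return {
        "coverage_pct": coverage(endpoints),
        "update_success_pct": update_success_rate(endpoints),
        "patch": patch_latency(endpoints, as_of),
        "unknown_assets": unknown_assets(endpoints, audited),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Running the script once gives a snapshot; storing `report()` output on a schedule and comparing runs is what turns these numbers into the trend data the text says can demonstrate progress.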

Deadly Sin #6: Arrogance

“Our people can cover what our technologies can’t.”

It’s dangerous for organizations to rely too much on human intellectual capital for their security needs. As life plays out, people move on, and their knowledge isn’t easily replaced. A combination of technology automating the mundane, repetitive aspects of IT security management and the technicians to plan, assess and remediate is a much more consistent and safer strategy.

Deadly Sin #7: Avoidance

“Taking a more serious approach to our security will overwhelm our resources.”

While building a robust and reliable information security apparatus is not a simple undertaking, especially in large enterprise environments, it is not a herculean feat. Yes, it will require human and monetary resources to purchase, set up and maintain the necessary infrastructure. However, there are options out there that are ideally suited for just about any sized IT staff and budget. According to Crawford, organizations should consider all of their options carefully, including properly vetting solutions and partners and considering both hosted and Software as a Service (SaaS) models.

What should you do now?

Organizations should focus on building security strategies that are comprehensive, forward-looking and flexible. Kaseya can give organizations the automation framework they need to implement a holistic strategy that runs through the service desk where administrators have a single console in which to prevent, monitor, detect and respond to security threats in an efficient manner.

Visit www.kaseya.com/features.aspx to learn how Kaseya can help you avoid these seven deadly sins and get a better handle on IT security management.


About Kaseya

Kaseya is the leading global provider of IT Systems Management software. Kaseya solutions empower virtually everyone –– from individual consumers to large corporations and IT service providers –– to proactively monitor, manage and control IT assets remotely, easily and efficiently from one integrated Web-based platform.

Go to www.kaseya.com/download for a FREE trial.

Visit: www.kaseya.com | Email: [email protected] | Like: Facebook.com/KaseyaFan | Follow: @KaseyaCorp

©2012 Kaseya. All rights reserved. Kaseya and the Kaseya logo are among the trademarks or registered trademarks owned by or licensed to Kaseya International Limited. All other marks are the property of their respective owners.
