Network Security Worst Practices (Part 2, Friday the 13th Edition)

By Andrew Lerner | November 13, 2015

Tags: WAF, Networking, Culture, Security of Applications and Data

What better time to talk about worst practices than Friday the 13th? Back in January, we published research (and a blog) on the 12 network security worst practices. These “dirty dozen” include:

  • Shiny new object syndrome
  • Culture of no
  • Insufficient focus on users and business requirements
  • Defense with inadequate depth
  • Organizational misalignment
  • Suboptimal branch architecture
  • Security blind spots
  • Uncoordinated policy management
  • Noncompetitive vendor selections
  • Hazardous network segmentation
  • Inadequate end user education
  • Inadequate security event management

For each “worst practice”, we provide a definition and real-world examples, identify its impact, and give specific guidance on how to avoid it. Here’s an example (a snippet from the published research):

Security Blind Spots (AKA “Not my job” and “my hardware can’t handle SSL decryption”)

Gartner observes that specific functional areas within an organization’s infrastructure have significant security gaps. In particular, IT security tends to focus strictly on IP security, not the more holistic IT security. Common examples where security is too thin include:

Most security gaps are already known by the security team, but have not been addressed because of other priorities. This problem has played a major role in some well-publicized and high-impact breaches.

Action: Perform regular penetration tests to uncover gaps and highlight the risks associated with attacks that exploit security blind spots. Update existing security metrics to include risks related to security gaps. Create specific metrics for security coverage that highlight insufficient visibility, in order to support the business case for specific funding. Consider detection and response as well as preventative controls when architecting security solutions. See “Agenda Overview for Information Security Technologies and Services, 2015” and “A Guide to Security and Risk-Related Hype Cycles, 2014.”

Regards, Andrew

Note: We will also be publishing a new “worst networking practices” note within the next month or two…