What better time to talk about worst practices than Friday the 13th? Back in January, we published research (and a blog) on the 12 network security worst practices. These “dirty dozen” include:
- Shiny new object syndrome
- Culture of no
- Insufficient focus on users and business requirements
- Defense with inadequate depth
- Organizational misalignment
- Suboptimal branch architecture
- Security blind spots
- Uncoordinated policy management
- Noncompetitive vendor selections
- Hazardous network segmentation
- Inadequate end user education
- Inadequate security event management
For each “worst practice,” we provide a definition and real-world examples, identify its impact, and provide specific guidance to avoid it. Here’s an example (a snippet from the published research):
Security Blind Spots (AKA “Not my job” and “my hardware can’t handle SSL decryption”)
Gartner observes that specific functional areas within an organization’s infrastructure have significant security gaps. In particular, IT security tends to focus strictly on IP security rather than on IT security as a whole. Common examples where security is too thin include:
- Fibre Channel storage area networks (SANs)
- Time division multiplexing (TDM) voice infrastructure
- Secure Sockets Layer (SSL)-based traffic (see “Security Leaders Must Address Threats From Rising SSL Traffic”)
- Application security, including both application development and third-party security solutions (see “Web Application Firewalls Are Worth the Investment for Enterprises”)
- Security tools with limited feature capability for IPv6 (in comparison to IPv4)
- External cloud-based services including SaaS, PaaS and IaaS
- Mobile security (i.e., allowing mobile devices to connect to the email server, which provides access to email, contacts, calendar and attachments)
Most security gaps are already known by the security team, but have not been addressed because of other priorities. This problem has played a major role in some well-publicized and high-impact breaches.
Action: Perform regular penetration tests to uncover gaps and highlight the risks associated with attacks caused by security blind spots. Update existing security metrics to include risks related to security gaps. Create specific metrics for security coverage that highlight insufficient visibility in order to defend the business case for specific funding. Consider detection and response as well as preventative controls when architecting security solutions. See “Agenda Overview for Information Security Technologies and Services, 2015” and “A Guide to Security and Risk-Related Hype Cycles, 2014.”
Regards, Andrew
Note: We will be publishing a new “worst networking practices” note within the next month or two also…