Want security? Next-gen startups show how old practices don't cut it
Stop hackers from walking on the eggshells protecting your datacenter
Sysadmin Blog
In case you hadn't noticed, IT security sucks. There is a chronic lack of people trained in IT security, people who will listen to IT security, and even a lack of agreement on how best to go about IT security. Fortunately, a new generation of startups are helping to tackle the issues.
No matter how good a sysadmin you think you are, your network will eventually be compromised. This is a huge problem, because "eggshell security" is still the dominant security model in most data centers.
Eggshell security is the traditional model of having a hardened outer layer of edge defences and a network that is essentially wide open once the attacker has made it past the perimeter defences.
Administrative account and password reuse is rampant, few systems behind the outer defences have proper firewalls, security auditing is practically nonexistent, and file shares that are open to any user are everywhere.
I am aware of medical insurance companies running thousands of servers with databases of critical subscriber information without anti-malware protection, let alone proper intrusion detection. Retailers with SQL databases filled with millions of credit cards that don't require even the most basic authentication. Law firms with file servers whose entire contents can be deleted by the first person who plugs a notebook into an Ethernet jack on the wall.
Eggshell computing is a fantastically stupid concept, yet our entire industry is addicted to it. We focus on "the bad guys" battering down the WAN with port scans and spam. We ignore the insider threats from people downloading malware, being malicious, or even just Oopsie McFumbleFingers YOLOing the delete key.
This has to change.
Beyond prevention
There are four pillars to modern IT security: prevention, detection, mitigation, and incident response.
Prevention – those eggshell shields around the perimeter of the network – is only the first pillar of modern IT security. Here you have things like patching, firewalls, security access lists, two-factor authentication, and any other technology you can think of whose primary goal is to prevent security compromises from occurring in the first place. Prevention is not enough on which to base a modern IT security plan.
Detection – real-time monitoring for a variety of breach types combined with periodic scanning – is the second pillar. Think intrusion detection systems, mail gateways that scan for credit card numbers (or large volumes of data) moving through email, or auditing systems that comb logs looking for things untoward. A frightening number of organisations have no detection systems whatsoever beyond basic endpoint security.
Mitigation is not a technology so much as a series of best practices. The idea is to assume that you inevitably will be compromised and to design all aspects of your network so that a compromise of any given system cannot result in a compromise of the entire network. Think of it as taking the basic premise behind eggshell computing and never doing anything like that, ever.
Incident response follows from mitigation. Accepting that your network will inevitably be compromised, what do you do about it? How do you prevent a malware infection, external malicious actor, or internal threat from escalating their beachhead into a network-wide compromise?
Incident response activities typically involve quarantining systems, imaging them for forensic purposes, reloading from clean backups, redoubling patches, alerting law enforcement and customers, as well as not returning compromised systems to service until the means of compromise has been discovered and countermeasures are deployed.
This last is huge. It's a very difficult and tangled web and relies as much on having monitoring systems that aren't terrible as it does upon good planning and design. Attackers can go from a single beachhead to owning your entire network in minutes. Relying on human response times to incidents is proving inadequate, even for those organizations with the best monitoring, mitigation, and planning.