By Bob Brown
Oct. 28, 2016
One overarching security consideration for organizations is not automatically embracing the connected everything, just for the sake of it. Austin pointed to his own use of a security system at his house, one that he checked first to make sure had no obvious known flaws and that also is not IP-enabled (it uses coaxial cable connectivity to a central brain box).
Of course avoiding the IoT isn't going to be possible or necessarily desirable, so one course of action for organizations should be to make sure that device and service providers have skin in the game in case a vulnerability does surface. Austin discussed working with a hosting provider, for example, to put in a contract assurances that patches will be applied to known vulnerabilities within a certain timeframe or result in financial penalties. Working with providers that take part in the Industrial Internet Consortium and/or adhere to its security framework can also provide some comfort, he said.
YOU COULD LEARN A FEW THINGS FROM BOTNETS
Dr. Ed Amoroso, who retired recently after 31 years at AT&T (most recently as CSO), is now consulting with companies on IT security via an outfit called TAG Cyber.
He's urged organizations to re-architect their networks in a distributed and virtual way so as to avoid even worse consequences than those resulting from the recent high profile DDoS attacks. Amoroso acknowledged this won't be easy, as concepts will need to be simplified to the non-technical higher ups you report to, but require serious architectural changes to actual networks.
Amoroso doesn't blame the likes of former Office of Personnel Management Director Katherine Archuleta for that federal agency's big breach last year, but rather the IT and security team that stuck with an outdated perimeter-based enterprise network security system in an age where such perimeters have opened up so many holes to accommodate partners, employee remote access and various cloud services.
TAG Cyber view of what enterprise network perimeters really look like -- they've got plenty of holes.
"If you're in a camp of saying 'oh yeah, the perimeter is long since gone,' well go back... Do you still have a perimeter? 'Yes' Is it the primary control in every one of your audits? 'Yes.' Well talking about it doesn't solve it. Do something about it," Amoroso said.
Amoroso advised organizations at the annual Society for Information Management confab to "explode the enterprise," by breaking everything from remote access to email to outsourcing access into the cloud via virtual micro-segments and having security go with it.
One of the beauties of this architecture is that every organization's can really look different, and that's one key to keeping intruders at bay. Amoroso railed against compliance rules during the Q&A portion of his talk, arguing that you're not doing yourself any favors by listing out everything you'll do and swearing you'll never waiver from it. "Should defense be a little more unpredictable?...We need less compliance. If we got rid of all compliance, we'd be more secure," he said, to applause.