Most organizations leave their cyber security up to their system/network administrators and/or programmers. Unfortunately this often results in unpatched systems, disabled firewalls, weak passwords, little to no secure software, and other bad practices that make overloaded IT teams’ and hackers’ jobs easier.
Sadly, having a dedicated technical security team is a luxury few organizations think they can afford. That is, until the significant fines and corrective measures required after security breaches add up, not to mention that every breach must be reported to those affected. It’s a wonder anyone can afford not to have a dedicated team. Impending legislation will require organizations to take cyber security very seriously and hopefully push the corporate impetus from reactive to proactive.
Why is security so difficult?
The primary problem with cyber security is the depth of knowledge one needs to do it well. Not only is it extremely technical but it requires a broader knowledge base than a normal systems administrator, network administrator, or programmer needs. To be an effective cyber security specialist, one needs to be very well versed in all three facets of IT.
All you need to become an Android hacker is access to the Android operating system and a bit of programming knowledge. The barrier to entry is very low for the bad guys. Those hoping to defend against these hackers need to be well versed in the nuances of how Android works, including how to exploit it, so they can recognize weaknesses and (hopefully) proactively patch them or at least react appropriately to fix the damage.
Mobile operating systems aren’t the only target - Microsoft Windows, all the flavours of Linux, and Mac OS X are all at risk. Cyber security specialists need to be extremely familiar with all of these operating systems if they hope to defend them. Knowledge of Linux is especially necessary, as it is very pliable and can be customized to suit specific needs, which benefits both hackers and those who defend against them.
Networking knowledge is also immensely important. The network gives hackers access to your organization and is your first line of defense against them. There’s a lot to know - routing protocols (like RIP, OSPF, BGP, EIGRP, and IS-IS), management protocols (like SNMP, CDP, SSH, and Telnet), tools (like Nmap and NetFlow), and DNS, the basic building block of communication on the internet, are but a few. Not only are all of these examples valuable sources of information but they are also vulnerable to attack and should be protected appropriately. Denial of Service attacks targeting SNMP are extremely common right now - make sure your firewall isn’t accessible to the internet via SNMP.
Wireless may be simple to set up at home, but to attack or defend wireless networks you need to know how to dump a WPA handshake and crack it with hashcat or AWS. If your network uses 802.1X then you need to understand LEAP/PEAP/EAP and RADIUS authentication. Defending wireless networks against attack is much more complicated than is obvious to the casual observer.
Setting up and patching a WordPress website is relatively easy but making sure it’s secure is not. You need to understand how web attacks like SQLi, XSS, and CSRF work. You also need to be familiar with the top OWASP web attacks so you can evaluate your exposure and protect your site as necessary.
And don’t forget email/SMTP. Along with SSH and Telnet, it is one of the primary ways to breach an organization because these services are usually accessible. Email by its very nature is meant to be as accessible as possible. Just because you can set up an email server doesn’t mean you can secure it, or have secured it, against malicious emails.
That’s just the tip of the cyber security iceberg.
Surely you don’t expect a single person to possess all of this knowledge?
It’s extremely difficult to know all of what’s been laid out above. It would easily take you 10+ years to gain expertise in all these things. People with this entire skillset do exist but the cost would send most C-level folks running. Instead, might I suggest a more organic approach to building up your organization’s security: employing a diversely skilled team that’s capable of handling the breadth of security demands as a unit.
Got the hiring blues?
Training your existing team is plausible but you can’t count on an immediate return. Not only will it take years to fill in the missing bits with training for your current IT team (who still have to attend to their usual full-time duties) but attacks are getting far more serious so the knowledge gap for would-be defenders will grow at a very rapid pace. Whether you decide to train your current staff or hire new personnel to handle these growing concerns, don't forget LARG*net is here to help. Regardless of your current state of security awareness or preparedness, we can assist you with a variety of services that will undoubtedly be more cost effective and less time consuming than either training or hiring. Interested? Get in touch at firstname.lastname@example.org or call the support line at 519-661-3268.