What is the largest gap in security?

5502george Member Posts: 264
So some security co-workers and I were debating this topic.
What is the largest lack in security for businesses?

-I think it is user/admin education and responsibility

The other ideas are

-software security; I agree but with an appropriate baseline and testing this can be avoided.

-hardware security; Again, with a tested and proved baseline there should be no issues

-network security; This is debatable

What is your take and personal experience?

Comments

  • TechGuy215 Member Posts: 404 ■■■■□□□□□□
    In my own experience, Encryption. Within the different companies I've worked for I've seen poor encryption standards, to some companies that have no encryption standards.
    * Currently pursuing: PhD: Information Security and Information Assurance
    * Certifications: CISSP, CEH, CHFI, CCNA:Sec, CCNA:R&S, CWNA, ITILv3, VCA-DCV, LPIC-1, A+, Network+, Security+, Linux+, Project+, and many more...
    * Degrees: MSc: Cybersecurity and Information Assurance; BSc: Information Technology - Security; AAS: IT Network Systems Administration
  • SteveLord Member Posts: 1,717
    Obvious and most dangerous are users of course. But I would also agree with encryption. I suspect most laptops that contain sensitive information out there are not encrypted.
    WGU B.S.IT - 9/1/2015 >>> ???
  • networker050184 Mod Posts: 11,962 Mod
    I definitely agree with users/admins. You can have the most secure set up in the world but if it is not properly used and administered it's not going to matter.
    An expert is a man who has made all the mistakes which can be made.
  • DevilWAH Member Posts: 2,997 ■■■■■■■■□□
    The largest gap is the one some one finds and can exploit.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • 5502george Member Posts: 264
    TechGuy215 wrote: »
    In my own experience, Encryption. Within the different companies I've worked for I've seen poor encryption standards, to some companies that have no encryption standards.
    LOL, my wife told me the other day that her company "x" which deals with nothing but HIPAA and PII just realized that there were regulations governing this type of data. They paid company "x" to implement email encryption to comply with regulation for a good penny!

    .....The funny thing is when they encrypted the emails the intended recipient could not open them ha ha ha
  • jvrlopez Member Posts: 913 ■■■■□□□□□□
    Uninformed/inexperienced users.

    Always come across users downloading questionable software to try and do something outside their rights and access. That or they are just trying to do something in which they don't know the legitimate or safe way to do so. Most of the programs come from questionable sources and are packaged with other by products.

    You can imagine the sites and activity these users have at home, and when they bring in USB drives and plug them into work assets, it creates a nightmare.
    And so you touch this limit, something happens and you suddenly can go a little bit further. With your mind power, your determination, your instinct, and the experience as well, you can fly very high. ~Ayrton Senna
  • TechGuy215 Member Posts: 404 ■■■■□□□□□□
    jvrlopez wrote: »
    You can imagine the sites and activity these users have at home, and when they bring in USB drives and plug them into work assets, it creates a nightmare.

    Eeek...You should have at least a GPO that disables read/write for USB devices!

    Then, you can have a separate group, to apply an override to users that MUST have this access.
    * Currently pursuing: PhD: Information Security and Information Assurance
    * Certifications: CISSP, CEH, CHFI, CCNA:Sec, CCNA:R&S, CWNA, ITILv3, VCA-DCV, LPIC-1, A+, Network+, Security+, Linux+, Project+, and many more...
    * Degrees: MSc: Cybersecurity and Information Assurance; BSc: Information Technology - Security; AAS: IT Network Systems Administration
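    As an added example (mine, not from TechGuy215 or anyone else in this thread), here are the registry values that the "Removable Disks: Deny read/write/execute access" Group Policy settings write, together with a small audit function and a local equivalent of the policy. The policy path and the Deny_* value names are the documented policy locations; the exempt group name USB-Write-Exempt is a placeholder. The override for users who must keep access is done with GPO security filtering (deny "Apply Group Policy" to the exempt group), which is an AD-side setting and not something the script itself does.

```powershell
# Added example, not from the thread. Policy location written by
# "Removable Disks: Deny read/write/execute access" (Computer Configuration).
# The GUID is the documented device setup class for removable disks.
$RemovableDisksClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"

# Audit: report which deny flags are in effect on this host.
function Get-RemovableDiskPolicy {
    $state = [ordered]@{ DenyRead = $false; DenyWrite = $false; DenyExecute = $false }
    if (Test-Path $PolicyKey) {
        $p = Get-ItemProperty -Path $PolicyKey
        $state.DenyRead    = ($p.Deny_Read    -eq 1)
        $state.DenyWrite   = ($p.Deny_Write   -eq 1)
        $state.DenyExecute = ($p.Deny_Execute -eq 1)
    }
    [pscustomobject]$state
}

# Enforce locally (what the GPO does centrally). In a domain, put the same values
# in a GPO linked to the workstation OU and use Security Filtering so that members
# of an exempt group (placeholder name: USB-Write-Exempt) are denied "Apply Group
# Policy"; those users keep access while everyone else is blocked.
function Set-RemovableDiskPolicy {
    param([switch]$DenyRead, [switch]$DenyWrite, [switch]$DenyExecute)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($pair in @(@('Deny_Read', $DenyRead), @('Deny_Write', $DenyWrite), @('Deny_Execute', $DenyExecute))) {
        New-ItemProperty -Path $PolicyKey -Name $pair[0] -Value ([int][bool]$pair[1]) -PropertyType DWord -Force | Out-Null
    }
}

# Usage: block writes but allow reading (a common baseline), then verify.
# Set-RemovableDiskPolicy -DenyWrite
# Get-RemovableDiskPolicy
```

    Running Set-RemovableDiskPolicy needs local administrator rights; the audit function only reads the key. A host on which Get-RemovableDiskPolicy returns all three flags false is one the GPO has not reached, which is the case to chase down before worrying about exemptions.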
  • redz Member Posts: 265 ■■■□□□□□□□
    Lack of flaw remediation/patching procedures.

    I've seen tons of organizations that either:
    1. Patch without concern for what it's going to do to their systems.
    2. Don't patch for fear of what it will do to their systems.

    You don't even have to be at the "script kiddie" level to figure out how to download and use a custom metasploit module to exploit a known vulnerability. It takes a Google search and a couple free downloads. Oh, and if this is your first time ever using a computer, maybe ~15-20 minutes of familiarization with that weird QWERTY keyboard layout before you'd feel comfortable costing a company millions of dollars due to their own idiocy.
  • ptilsen Member Posts: 2,835 ■■■■■■■■■■
    It depends on the environment and what the organization's security needs are. I would argue for many, maybe most organizations, it's actually patching. Known exploits remain unpatched for far too long, sometimes indefinitely. Both client applications (especially browsers and browser plugins) and server applications sit unpatched and unprotected and make for an easy attack vector. I think this is the biggest gap because it's generally difficult to mitigate known exploits on services that are being used, and when things aren't being patched, what mitigation can be done probably isn't being considered.

    I don't think users are the biggest problem. Yes, training is critical, but it doesn't matter if the majority of what they use is inherently insecure regardless of how they use it, and in my experience (which has possibly just been bad, for lack of a better term) that's probably the case more often than not.

    Edit: Redz beat me to it. When anyone even approaching moderate skill can break in using GUI tools, pretty much every other measure being taken is for nought.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • bermovick Member Posts: 1,135 ■■■■□□□□□□
    5502george wrote: »
    LOL, my wife told me the other day that her company "x" which deals with nothing but HIPAA and PII just realized that there were regulations governing this type of data. They paid company "x" to implement email encryption to comply with regulation for a good penny!

    .....The funny thing is when they encrypted the emails the intended recipient could not open them ha ha ha

    That's seriously scary that her company didn't know about it, considering HIPAA's been a federal regulation for what? 6 years? I remember working at BCBS:IL at the time and there was a good year's worth of preparation before it went into effect.
    Latest Completed: CISSP

    Current goal: Dunno
  • 4_lom Member Posts: 485
    +1 for Users/admin education
    Goals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging

  • philz1982 Member Posts: 978
    Building Automation and SCADA systems. If you go to the right sites you can gain access to the environmental controls for Airports, hospitals, research labs and the like...
  • cisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    jvrlopez wrote: »
    Uninformed/inexperienced users.

    Always come across users downloading questionable software to try and do something outside their rights and access. That or they are just trying to do something in which they don't know the legitimate or safe way to do so. Most of the programs come from questionable sources and are packaged with other by products.

    You can imagine the sites and activity these users have at home, and when they bring in USB drives and plug them into work assets, it creates a nightmare.

    This is poor admins.
  • cisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    ptilsen wrote: »
    It depends on the environment and what the organization's security needs are. I would argue for many, maybe most organizations, it's actually patching. Known exploits remain unpatched for far too long, sometimes indefinitely. Both client applications (especially browsers and browser plugins) and server applications sit unpatched and unprotected and make for an easy attack vector. I think this is the biggest gap because it's generally difficult to mitigate known exploits on services that are being used, and when things aren't being patched, what mitigation can be done probably isn't being considered.

    I don't think users are the biggest problem. Yes, training is critical, but it doesn't matter if the majority of what they use is inherently insecure regardless of how they use it, and in my experience (which has possibly just been bad, for lack of a better term) that's probably the case more often than not.

    Edit: Redz beat me to it. When anyone even approaching moderate skill can break in using GUI tools, pretty much every other measure being taken is for nought.

    I had a customer get owned by the MS08-067 vuln. FIVE YEARS after the patch.
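    An added example (mine, not from cisco_trooper, ptilsen or redz) of the kind of check that would have surfaced a host like the one described above: report how stale a Windows host's patching is from Get-HotFix and flag any required update that is absent. The 45-day threshold is an assumed policy value. KB958644 is the update released with MS08-067; it applies only to the OS versions that bulletin covered, so pass it as a required KB only on those hosts.

```powershell
# Added example, not from the thread. Get-HotFix reads Win32_QuickFixEngineering,
# which lists OS updates but not Office or third-party updates, so treat the
# result as a lower bound on how stale a host is.
function Get-PatchLag {
    param(
        [int]$MaxDays = 45,           # assumed policy threshold
        [string[]]$RequiredKB = @()   # e.g. 'KB958644' (MS08-067) on the OS versions it covered
    )
    $fixes  = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending
    $newest = $fixes | Select-Object -First 1
    $lagDays = if ($newest) { [int](New-TimeSpan -Start $newest.InstalledOn -End (Get-Date)).TotalDays } else { $null }
    $installed = @($fixes | ForEach-Object { $_.HotFixID })
    $missing   = @($RequiredKB | Where-Object { $installed -notcontains $_ })

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        NewestPatch       = if ($newest) { $newest.HotFixID } else { $null }
        NewestInstalledOn = if ($newest) { $newest.InstalledOn } else { $null }
        LagDays           = $lagDays
        # No dated updates at all is treated as over threshold, not as healthy.
        OverThreshold     = ($null -eq $lagDays) -or ($lagDays -gt $MaxDays)
        MissingRequired   = $missing
    }
}

# Usage: run on each host (locally or via Invoke-Command) and act on
# OverThreshold and MissingRequired rather than on the raw list.
Get-PatchLag -MaxDays 45 | Format-List
```

    The point of the OverThreshold field is redz's second failure mode: a host that is "not patched for fear of what it will do" shows up as a large LagDays value even when nothing specific is known to be missing, so it can be queued for testing instead of silently aging.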
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    If we're talking about companies in general, like, all of them, IMO the biggest problem is a lack of investment in security as a whole. I can't tell you how many times I've notified domain owners that their web servers were compromised and serving malicious code to their customers - 80% of the time that organization even HAVING a website was a victory. Forget about them actually having the skills/resources to remediate an intrusion.

    If we're talking about the medium - large size enterprise, I think the biggest concerns are network visibility, patch-management, and buy-in/belief from high-level executives in the organization. I used to blame the end-user most, until I saw the ridiculous amount of commodity malware in existence. To give some context, just this year I've seen the following high traffic compromised websites getting Users exploited:

    -YouTube.com - Their ad rotator was serving malicious code to Users which dropped the Sweet Orange exploit kit.
    -SpeedTest.net
    -Glassdoor.com
    -WaffleHouse.com
    -NBCsports.com
    -Bible.org

    ...along with countless popular local companies which generated a bunch of web hits from the area I live in. I won't include them here simply because they wouldn't ring any bells.

    Aside from the time-wasting factor of the sites above, I don't think many of us would disapprove of our Users hitting these sites from a security perspective - yet I saw all of these sites involved in silently dropping rootkits on Users in the last org I worked for.

    In the end we can train our Users not to click links in phishing emails, not to open attachments, not use removable media, etc etc; but if your organization allows web browsing to the internet, the commodity malware will find a way in. Multiply that by 1000 if your org isn't patching Java, Adobe Reader, or Flash on its endpoints.

    Not to say Users shouldn't be educated, or that they aren't part of the problem, because they certainly are. I just don't think Users are the ONLY problem and in many cases they are sitting ducks due to crappy security policy.


    TL;DR

    1. C-level buy-in / Investment in GOOD security people/products/processes
    2. Patching/Admins
    3. Users - I put the Users last because without the two above, they have no hope of remaining secure.
  • jvrlopez Member Posts: 913 ■■■■□□□□□□
    This is poor admins.

    I agree. I don't know how after 5 years of this being a known issue that the ports are still live. I guess it's because the company ban is on personally owned USB devices. Funny because removable, company owned media doesn't even come across too often.

    If it was up to me, they'd be disabled entirely unless needed. Maybe even filled with epoxy.

    At least the system is flagged if there is an insert and use. The user's access is then removed until remedial training is re-accomplished. Too bad by then it's probably too late.
    And so you touch this limit, something happens and you suddenly can go a little bit further. With your mind power, your determination, your instinct, and the experience as well, you can fly very high. ~Ayrton Senna
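    An added example (mine, not from jvrlopez or the thread) of where the "flagged on insert and use" evidence lives on a Windows host: Security event 6416 records each newly recognized external device once the Audit PNP Activity subcategory is enabled, and the USBSTOR enumeration key keeps a history of every USB storage device Plug and Play has ever installed. The 7-day review window is an assumed value.

```powershell
# Added example, not from the thread. Security event 6416 is
# "A new external device was recognized by the system"; it is only logged when
# Audit PNP Activity (Advanced Audit Policy > Detailed Tracking) is enabled.
function Get-RemovableDeviceActivity {
    param([int]$Days = 7)   # assumed review window
    $since = (Get-Date).AddDays(-$Days)

    # Live audit trail: one event per recognized device, with the device lines
    # pulled out of the event message.
    $events = @()
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416; StartTime = $since } -ErrorAction Stop |
            ForEach-Object {
                $lines = ($_.Message -split "`r?`n") | Where-Object { $_ -match 'Device (Name|ID):' }
                [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Security/6416'; Detail = (($lines | ForEach-Object { $_.Trim() }) -join '; ') }
            }
    } catch {
        # No matching events in the window, or the audit subcategory is not enabled;
        # fall through to the registry history so the report is still useful.
    }

    # Historical record: USBSTOR\<device>\<serial> for every storage device ever attached.
    $history = @()
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (Test-Path $usbstor) {
        $history = Get-ChildItem -Path $usbstor | Get-ChildItem | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{ Time = $null; Source = 'USBSTOR'; Detail = "$($props.FriendlyName) [$($_.PSChildName)]" }
        }
    }
    @($events) + @($history)
}

# Usage: review on a schedule; pair it with a deny-write policy so that use,
# not just insertion, is blocked rather than merely recorded.
Get-RemovableDeviceActivity -Days 7 | Format-Table -AutoSize
```

    The registry history has no timestamps of its own, which is why the Security events matter: without Audit PNP Activity turned on, a host can only tell you that a device was attached at some point, not when or under which user session, and that is too little to act on before "it's probably too late".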
  • Shadow Realm Member Posts: 15 ■□□□□□□□□□
    In my opinion it would have to be the WAS (Web application Software) and things like Apache and IIS. If you check out Shodanhq.com you would be amazed at how many servers still run IIS 5.0/6.0 all with known vulnerabilities
    Currently Working On: CompTIA A+ and MCITP: Windows 7
    Want To Complete: Network+, Security+, Linux+, CCENT, CCNA, CCNA Security, RHCE, CISSP (Associate)