ESET Tech Tip
By Cameron Camp, Researcher for ESET North America
Cyber Threat IT Budget for 2012 (without breaking the bank)
With 2011 wrapping up before we know it and 2012 budgets looming (and possibly shrinking), how do you keep your organization cyber safe without breaking the bank or getting laughed out of budget meetings? Sure, you could get the latest server rack full of security widgets (and spend millions in the process), but that’s just not economic reality for many organizations. Here are some ideas that will get you decent defense, and you won’t have to write really small on the check to fit the dollar amount in the box.
1. Know how your networks look to bad guys: Before you blow the budget buying a host of high-flying defense appliances, it’s good to have a starting point – how full of holes are your networks? You can either hire a security firm to test for security problems or task your internal staff with it, but a typical security audit will give you a pretty good overview of areas you need to bolster. You will be as amazed by what they find as by what they don’t find. Most importantly though, you’ll know where you stand. If all you need is a couple of simple devices to shore things up, you’re in good shape budget-wise. On the other hand, if you need to request a not-so-modest budget to plug holes and shore up defenses, an audit will give you solid justification for how the money will be spent and what problems will be fixed. Either way, you won’t be firing shots in the dark, security-wise; you’ll have exact targets defined, and it might be cheaper than you think. It’s certainly cheaper than a data breach.
2. The basics: Ask your employees to answer two questions: What constitutes a strong password, and what makes an email suspicious? The answers will tell you a lot about the current security quotient of your workforce. If the answers indicate some training is required, you should not hesitate to put that in your budget, ahead of technology solutions. Some of 2011’s largest and most damaging breaches could have been avoided if employees had been better trained on these two topics. Even a huge investment in security technology can be undermined by the use of weak passwords and the opening of suspicious attachments.
3. Perimeter defense: There’s a lot of Fear, Uncertainty and Doubt (FUD) about needing the latest gold-plated perimeter Intrusion Prevention/Detection System (IPS/IDS) to survive the attack du jour. While spending on security for your organization is important, embarrassingly cheap solutions, combined with good network architecture and defense-in-depth, work wonders. Organizations with “flat” networks that have no segmentation can open themselves up to problems that are much easier to contain if there are some access controls between different parts of the network. Let’s say someone in Accounting gets infected with Trojan code that goes on a data hunt. On a network without segments, that malware is soon scouring around Sales, Marketing, HR, Customer Support, and so on. By segregating the network according to function, you drastically reduce the potential for a problem in one area spreading to others. It’s a little harder to set up, but when something bad happens, you’ll be glad you made the extra effort. Proper network layout can provide a lot of bang for the buck, and you’ll be a lot more secure.
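To make the containment argument in point 3 concrete, here is an added example (not from the ESET article) that models the "Accounting gets a data-hunting Trojan" scenario as a reachability problem over inter-segment allow rules: the segment names are the article's, but the hosts and the allow-list policy are constructed assumptions.

```python
# Added example (not from the ESET article): a small blast-radius model showing
# why a segmented network contains a compromise in Accounting better than a
# flat one. Segment names come from the article; the ACL policy is constructed.
from collections import deque

SEGMENTS = ["Accounting", "Sales", "Marketing", "HR", "Customer Support"]

# Flat network: every segment can talk to every other segment directly.
FLAT_ACL = {src: set(SEGMENTS) for src in SEGMENTS}

# Segmented network: only the inter-segment flows the business actually needs
# (assumed policy for illustration). Anything not listed is denied by default.
SEGMENTED_ACL = {
    "Accounting": {"Accounting"},
    "Sales": {"Sales", "Marketing"},
    "Marketing": {"Marketing"},
    "HR": {"HR"},
    "Customer Support": {"Customer Support", "Sales"},
}


def reachable_segments(acl, start):
    """Segments that malware starting in `start` could reach by hopping through
    any segment it has already compromised (transitive closure of allow rules)."""
    seen = {start}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for dst in acl.get(seg, set()):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def blast_radius(acl, start):
    """Segments exposed beyond the one that was initially compromised, sorted."""
    return sorted(reachable_segments(acl, start) - {start})


if __name__ == "__main__":
    for name, acl in (("flat", FLAT_ACL), ("segmented", SEGMENTED_ACL)):
        exposed = blast_radius(acl, "Accounting")
        print(f"{name:9s}: an Accounting infection can also reach {exposed}")
```

Note that the transitive closure matters: with the assumed policy a Customer Support compromise still reaches Marketing by way of Sales, so reviewing chained allow rules is part of the segmentation exercise, not just the first hop.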
4. The cloud: Should you be planning on rolling out new services (or reprovisioning them) in the cloud? And what are the security and budgetary implications? The cost savings of moving to the cloud can sound good, but not all functions perform well in the cloud. For example, if you currently perform high-frequency data transactions in-house – transactions that are process and network intensive, then you may find latency getting TO the cloud is a killer. Remember, for every transaction that needs to go over the wire, the wire is now MUCH longer. Frequent round-trips will impact performance. You may have the fastest server in the cloud, but it can be painful to use if you have to take a single-lane dirt road (or what feels like it) to get there. Clouds excel at things like data warehousing, public-facing Web apps, corporate websites and hosted email, but the devil is in the details. Make sure you know how much dedicated memory, CPU and bandwidth (as opposed to shared) you are signing up for. Not all clouds are created equal and that goes for security assurances your provider may make. Be sure to read terms and conditions closely, especially those related to privacy and security. If your business handles a lot of personally identifiable information you might want to have a privacy or compliance expert vet your decision to place such data in the cloud. And if you are new to cloud offerings, get someone involved who has cloud experience (as opposed to just cloud enthusiasm). You’ll be glad you did.
If you run through these suggestions in your organization, you may be pleasantly surprised by what you DON’T have to spend, and that’s the kind of surprise we all love around this time of year. Hey, maybe there’ll be a little leftover for a golf outing…make that corporate team-building retreat!
For questions about security or suggestions of topics you would like to see here, please email me at AskESET@eset.com.