Security - Know what you know
Often national defense strategies are distilled down into sound bites. Some of them include such nuggets as “Trust but verify” and “know what you know”. These famously captured the twin concepts of understanding yourself and your opponent, as well as paying attention to what you believe to be true. Nowhere is this more important than in your organization’s security posture. If you do not know what is running on your systems (both desktops and servers) and their patch level, you cannot know your exposure. If you do not verify that a patch has applied successfully, you may be lulled into a false sense of security.
 
Knowing what you know is critical for two reasons. First, as indicated before, it provides insight into what you might need to patch. During a prior scan of our systems we discovered an application that was installed automatically and quietly by Adobe. It is not used by our servers in any way and, because we did not know it had been installed, we did not know it was out of date. This application (and version) was subject to some flaws that could be exploited by a bad actor. It effectively made our servers susceptible to malicious attacks, and we would have had no idea. Our solution was an easy one; we simply needed to uninstall the application in question. We suffered no issues with this software and it has been fully removed. However, the point here is the importance of running regular system scans and immediately following through on any issues found.
 
The second risk of not knowing what you know about your environment is that you cannot know what is important.  The benefit of understanding your systems is that you know what activities or risks are critical and what is just noise.  In a past life the company for which I worked was under attack.  As we began to evaluate the attack we were able to determine that the service in question (and under attack) was not in use anywhere in the company.  This allowed us to take a simple action of blocking any access that might be used for this service instead of trying to figure out all of the nuances of the attack.  We saved many hours by knowing what we had running.  We did not have to try to build a higher wall when the attack was already being addressed by our moat.
 
Knowing what you know allows you to focus your efforts on what is really at risk and ignore areas that are not real risks.
 
Trusting but verifying helps to protect against presumed security that is not, in fact, in place.  It is like double checking that the oven is off.  If you assume, you may be wrong and your house may be at risk.  It is important to check what you believe to be true.  This involves everything from patch levels and installed software to something as simple as user behavior.  Do you know that users are not sharing passwords?  Do you know that they are locking their screen when walking away (it is much easier to walk up to someone’s desk than to hack in)?  I have heard the adage “inspect what you expect” for many years.  This is a valuable practice, not just in performance monitoring, but also in security.  Just because you have a policy against a risky behavior does not mean that the policy is being followed.
 
These two practices will help to increase your awareness of your organizational risks and will help to reduce the risk to which you are exposed.  They are really foundational to your company’s security.
 
 
 
Mark Martens, VP of Technology and Operations            
 
 
 