Security in 2012 June 30, 2012

Posted by michelemanzotti in Security.
Recently I’ve been involved in an internal penetration test for a large organization and I would like to draw some considerations from this experience.

We all agree that a system 100% immune from any kind of attack is a utopia, and that there isn't a single standard solution to follow. Getting into the security business is also quite difficult. Both software and hardware companies offer their own custom solutions, which claim to fix any issue and suit any customer's needs. They promote their products with the aim of selling as much as possible and of achieving leadership in the sector. The positive effect from the customer's point of view is that the price is low. But most often customers don't realize the consequence of this mechanism.

Upon achieving leadership in the sector, these companies have enough market power to claw money back by selling additional or extra services such as training, software updates and so on. Moreover, a big advantage for these companies is time, especially in the IT field, where software, hardware and skills become obsolete very quickly. Thus it's not a surprise to find large organizations that use out-of-date software, web applications and network services.

In this context, a single update of the software from the current version to the latest could be intolerably expensive for the organizations' budgets, and therefore very often they prefer to leave the systems as they are. Migrating to another vendor is also definitely expensive in terms of internal personnel training and the return on the money already invested. So what's the solution?

Most organizations choose to add an extra security layer such as a WAF, IDS, IPS, firewall and so on in order to protect their systems without changing their infrastructure. Although these solutions seem easy to implement and are quite effective, in practice they require specific skills to work properly and to make the system safe. Moreover, again, these solutions can quickly become obsolete as the technology changes or the organization's own systems change.

The point is that there isn't a final stage at which an organization can be considered secure, and therefore there isn't a specific product able to make the organization secure. The key is that only through manual, cyclic security testing is it possible to identify and then mitigate the risks to which the organization may be exposed.