As a security professional, I often have “insider” information regarding security issues that individuals and entities are experiencing. Quite often the initial reaction by a security pro will be to cut off access to the source of a threat or exploit attempt. Let me explain why this often is NOT a legitimate long-term solution to a threat.
This can be a good short-term measure, and if the source is still causing problems, then it should be done. However, simply cutting off the source — especially in the face of a network-based attack — is not a good long-term solution because it is trivial for an experienced attacker to switch the source of the attack.
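A concrete way to keep a source block short-term, as the post recommends, is to give every block entry an expiry so it lapses on its own instead of becoming a permanent rule. The following Python is an added example written for this page, not code from the original post; the addresses are constructed from the 203.0.113.0/24 documentation range, and the class and function names are hypothetical.

```python
import time
from typing import Dict, List, Optional, Tuple


class ExpiringBlocklist:
    """Source-based block entries that lapse automatically after a TTL.

    This is a constructed illustration: a block is a short-term measure,
    so every entry carries an expiry instead of living forever.
    """

    def __init__(self) -> None:
        # source -> absolute timestamp at which the block expires
        self._entries: Dict[str, float] = {}

    def block(self, source: str, ttl_seconds: float, now: Optional[float] = None) -> float:
        """Block `source` for `ttl_seconds` and return the expiry timestamp."""
        now = time.time() if now is None else now
        expires = now + ttl_seconds
        self._entries[source] = expires
        return expires

    def is_blocked(self, source: str, now: Optional[float] = None) -> bool:
        """True while the entry is live; expired entries are dropped on lookup."""
        now = time.time() if now is None else now
        expires = self._entries.get(source)
        if expires is None:
            return False
        if now >= expires:
            del self._entries[source]  # the short-term measure has lapsed
            return False
        return True

    def active(self, now: Optional[float] = None) -> List[str]:
        """Sources still blocked at `now`, pruning anything that expired."""
        now = time.time() if now is None else now
        return [s for s in list(self._entries) if self.is_blocked(s, now)]


def apply_blocklist(events: List[Tuple[float, str]],
                    blocklist: ExpiringBlocklist) -> Dict[str, List[Tuple[float, str]]]:
    """Split (timestamp, source) events into allowed and dropped by the live blocklist."""
    result: Dict[str, List[Tuple[float, str]]] = {"allowed": [], "dropped": []}
    for ts, src in events:
        key = "dropped" if blocklist.is_blocked(src, now=ts) else "allowed"
        result[key].append((ts, src))
    return result


def demo() -> Dict[str, int]:
    """Constructed sample: one source blocked for 300 s, traffic seen around the expiry."""
    bl = ExpiringBlocklist()
    bl.block("203.0.113.10", ttl_seconds=300, now=1000.0)
    events = [
        (1000.0, "203.0.113.10"),  # inside the block window -> dropped
        (1100.0, "203.0.113.11"),  # a different source is not matched by the rule
        (1200.0, "203.0.113.10"),  # still inside the window -> dropped
        (1400.0, "203.0.113.10"),  # block has lapsed -> allowed again
    ]
    split = apply_blocklist(events, bl)
    return {k: len(v) for k, v in split.items()}


if __name__ == "__main__":
    print(demo())
```

The second event in the sample is the point the post makes: a block keyed only on the source leaves a different source untouched, which is why the entry is worth keeping short and revisiting rather than treating it as the long-term fix.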
Besides, most companies WANT network access to sites that are the source of an attack, so this method can result in loss of revenue and not being able to meet organizational objectives. This is doubly true if the source is a partner’s web site or perhaps a website used for publicity and “monitoring the competition”. Simply turning off Internet access won’t help the company at all.
So while a permanent block of such sites would make life much better for us, that is NOT the solution. We do not exist to provide security; we exist to provide risk management and risk mitigation. It’s our job to take the owner’s / CEO’s objectives and figure out a way to accomplish them while cost effectively mitigating risk.
So if you are looking to hire a security pro for some reason, but their solution to everything seems to be nothing more than “cut off the Internet” or “don’t install software you absolutely need to make a profit”, you’re not dealing with a security pro. Yes, such actions will eliminate many threats (but not all, not by a long shot), but they could also hinder your ability to continue to function as a company.
Perhaps such an approach was acceptable 10 years ago, but with the wide range of risk mitigation tools available nowadays to security professionals, this “cave man” approach is no longer appropriate. So when you look for security help, make sure you get it from somebody who “gets it” — who understands that their job will be to help you manage and mitigate risk. Otherwise, your business might be secure — but not for long if your “security pro” prevents you from doing business!
P.S. — Best wishes for a happy, safe, and blessed Thanksgiving to my American readers.