As I mentioned in my last blog post, the last two years have been brutal from a security perspective: we are in the era of 1) massive data breaches, 2) advanced persistent threats, and 3) major protocol attacks against key technologies such as SSL.
The scary thing is that we, as security professionals, can’t fix just one thing to make everything better. Instead, the entire industry has to think of security holistically under a shared responsibility model, in which vendors produce low-risk products, supported by documentation, policies, and procedures, that enable customers to deploy them in low-risk configurations.
There is no such thing as being simply secure or insecure; security is not a binary state. Instead, security is a process that seeks to understand, minimize, and ultimately accept risk. The risk management process starts from the knowledge that security events will happen, and then works out the likelihood and impact when they do occur.
This may sound complex, but it’s not. A good security program balances risk and business impact using technical, managerial, and operational security controls. A security control is a policy or requirement; controls range from very pragmatic (disable telnet on all servers) to very fuzzy (ensure a system is in place for asset management).
The good news is that you don’t need to create a security program from scratch if you don’t have one (or if you need a better one): there are plenty of very good security/risk management frameworks to build upon. The even better news: KEMP LoadMaster has hundreds of security controls that can help you reduce risk under any of the programs below.
The SANS Critical Security Controls specify actionable guidance to reduce risk, with a focus on high-reward actions. If you are daunted by creating or growing a risk management program, SANS is a great starting point that should reduce risk for an organization of any size. SANS recommends starting with the “First Five” controls to reduce risk with the least amount of effort and the highest reward.
The IEC/ISO 27000 series of security standards is generally adopted by larger organizations; these are internationally recognized (and auditable) standards with a broad scope, specifying everything from how a risk management program should work to specific recommendations for storage security. ISO 27001 is the starting point, as it specifies an “Information Security Management System”. It’s a good risk management standard, but beware: it can be expensive to obtain the standard, and it has no notion of quick wins.
The US Federal Government publishes a variety of documents that can be the basis for a risk management program and for understanding specific technological risk. The starting point for US and DoD standards is the NIST Special Publication 800/1800 series (http://csrc.nist.gov/publications/PubsSPs.html). Some highlights:
- NIST SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
- NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing
KEMP Quick Win Security Controls
- Adopt a Web Application Firewall (WAF), such as the one integrated with the KEMP LoadMaster (https://kemptechnologies.com/solutions/waf/)
- Terminate or configure all SSL on a central device, ensuring a consistent SSL policy across your entire organization
- Isolate your network correctly: create network separations and use capabilities like layer 4 firewalling in LoadMaster to isolate applications and reduce attack surface
- Enable strong authentication for your end users: require authentication to access network services, and move internet-exposed servers inside your network using the free Edge Security Pack (ESP) functionality in LoadMaster
If you have questions on how KEMP LoadMaster, KEMP LoadMaster GEO, and KEMP360 can integrate into your security management program, or questions on specific security controls, please contact our support engineers.
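The second quick win above, a consistent SSL policy enforced at one central termination point, is easiest to keep honest when the policy is written down once and every service is audited against it. The script below is an added example (not KEMP code, and not tied to LoadMaster’s configuration format): it builds one hardened TLS baseline with Python’s standard `ssl` module and audits a constructed inventory of per-service TLS settings against that baseline, flagging services that still accept old protocols, weak cipher suites, or lack HSTS. The baseline values, the forbidden cipher tokens, and the three sample services are all assumptions made for the example.

```python
"""Audit per-service TLS settings against one central baseline policy.

Added example for the "consistent SSL policy" quick win. The baseline,
the service inventory and the cipher blacklist below are constructed
for illustration, not taken from any product's configuration.
"""
import ssl

# Ordered oldest to newest, so protocol floors can be compared by index.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed baseline: the policy the central terminating device enforces.
BASELINE = {
    "min_protocol": "TLSv1.2",
    # OpenSSL cipher-name tokens that must never appear in an offered suite
    # (assumption: RC4, single/triple DES, MD5 MACs, NULL/anonymous/export).
    "forbidden_cipher_tokens": {"RC4", "DES", "MD5", "NULL", "ADH", "AECDH", "EXP"},
    "require_hsts": True,
}


def build_baseline_context():
    """Server-side SSLContext the central terminator would use (assumption).

    Floors the protocol at TLS 1.2 and restricts suites to forward-secret
    AEAD ciphers; the string is OpenSSL cipher-list syntax.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def cipher_tokens(cipher_name):
    """Split an OpenSSL cipher name such as DES-CBC3-SHA into its tokens."""
    return set(cipher_name.replace("_", "-").split("-"))


def audit_service(name, cfg):
    """Return a list of human-readable findings for one service's TLS config."""
    findings = []
    floor = PROTOCOL_ORDER.index(cfg["min_protocol"])
    if floor < PROTOCOL_ORDER.index(BASELINE["min_protocol"]):
        findings.append(
            f"{name}: accepts {cfg['min_protocol']}, baseline floor is "
            f"{BASELINE['min_protocol']}"
        )
    for cipher in cfg["ciphers"]:
        weak = cipher_tokens(cipher) & BASELINE["forbidden_cipher_tokens"]
        if weak:
            findings.append(f"{name}: weak cipher {cipher} ({', '.join(sorted(weak))})")
    if BASELINE["require_hsts"] and not cfg.get("hsts", False):
        findings.append(f"{name}: HSTS not enabled")
    return findings


def audit_all(services):
    """Audit every service; services with an empty list comply with the baseline."""
    return {name: audit_service(name, cfg) for name, cfg in services.items()}


def baseline_offers_weak_cipher():
    """Sanity check that the central context itself offers no forbidden suite."""
    ctx = build_baseline_context()
    return any(
        cipher_tokens(c["name"]) & BASELINE["forbidden_cipher_tokens"]
        for c in ctx.get_ciphers()
    )


# Constructed inventory: what each service currently terminates with.
SAMPLE_SERVICES = {
    "intranet-portal": {
        "min_protocol": "TLSv1.2",
        "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256"],
        "hsts": True,
    },
    "legacy-crm": {
        "min_protocol": "TLSv1",
        "ciphers": ["RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES256-GCM-SHA384"],
        "hsts": False,
    },
    "api-gateway": {
        "min_protocol": "TLSv1.2",
        "ciphers": ["ECDHE-ECDSA-CHACHA20-POLY1305"],
        "hsts": False,
    },
}

if __name__ == "__main__":
    for service, findings in audit_all(SAMPLE_SERVICES).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{service}: {status}")
        for line in findings:
            print("  -", line)
```

Run as-is it reports the intranet portal as compliant, four findings for the legacy CRM (protocol floor, two weak suites, missing HSTS) and one for the API gateway (missing HSTS). The point of the design is that there is exactly one `BASELINE` and one `build_baseline_context()`: any service that terminates TLS on its own has to be measured against that single definition rather than against whatever its last administrator happened to set.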
Stay tuned – the next blog post in this series will discuss the distinction and overlap between Compliance and Security!