A Quick Review About First Gear Bike Jackets

Technology alone will not make us secure from identity theft or corporate security breaches, so deploying more of it often gives little more than a false sense of security. Nobody disputes that a considerable amount of sophisticated emerging technology is available. We argue that this technology will not necessarily succeed in mitigating the risk - not because of technological imperfections, but because of too little operational discipline. Put simply, the issue is not the technology but the way in which it is deployed.


Below are a few examples.


1 Firewalls


Over fifty percent of the firewalls we review are deployed with flawed configurations. While many of these flaws certainly do not represent significant vulnerabilities, it is remarkable how often that critical first line (and sometimes only line) of defense isn't configured correctly.


Case: One of our customers had us review the firewall that regulates their access to a vendor - a large national bank service provider. The vendor managed the firewall, but our customer was concerned about the configuration because this vendor had countless customers, and if our customer had too much network access then possibly so did everyone else. The result was that the bank service provider's firewall did nothing. That's right, nothing. While the bank service provider only needed to allow its customers access to a couple of applications, it allowed access to hundreds (yes, hundreds!) of applications. Moreover, when confronted with this, the bank service provider claimed that it was not a security risk since they had a network security staff, ran periodic scans (which produced countless pages of vulnerabilities) and... had a firewall in place.


2 Intrusion Detection/Prevention Systems (IDS/IPS)


An IDS/IPS is a system that monitors network traffic for potentially malicious activity. For example, if it detects a port scan it could send an alert to a system administrator (intrusion detection system) or it could reconfigure the firewall on the fly to block access to the network from the offending IP address (intrusion prevention system). These systems are often implemented as an add-on to a firewall, which makes sense because there is usually a firewall sitting between the internal corporate network and the Internet, where it is in a position to see malicious traffic such as hackers trying to get into the internal network. While this is an intuitive place to put an IDS/IPS, most companies have areas of greater risk that are usually not where they place their IDS/IPS sensors: data breaches from the inside (i.e. malicious or unintentional employee compromises) or from partner network connections (such as a credit card processor) and other business partners. In our experience, all of the IDS/IPS systems deployed are either not configured effectively or don't monitor the right risk area of the network.


Case: A company with about 100 locations nationwide has an IDS that generates thousands (yes, I said millions) of daily alerts because the vendor that installed it didn't take the time to fine-tune the configuration and set the sensitivity level appropriately. Result: the network administrator simply ignored the alerts; countless thousands of dollars lost; executives with a false sense of security.


3 Demilitarized Zones (DMZ)


A DMZ is a term for a part of your corporate network that is partitioned off from the rest of the internal network - much as a submarine has watertight doors so that when one part of the submarine gets flooded it will not bring down the whole vessel. DMZs are used to host risky applications such as e-mail or web servers. The reasoning is that since those servers must accept network connections directly from the Internet, they might get hacked, and when they do, you certainly don't want the rest of the network and all of its data to be at risk. However, that main purpose of a DMZ isn't achieved most of the time because the network components used to create a DMZ, such as a firewall, switch or VLAN, are configured incorrectly.


Example: Recently a bank had a web server that got hacked, but the impact was minimal because the website didn't host sensitive information and was located in a DMZ - so no problem, right? Wrong; the DMZ configuration was incorrect, and once the hacker gained control of the server they had unrestricted access to the rest of the internal network, putting customers' confidential information at risk - time to send the "oops, we got hacked" letters to customers.
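
An added example (not from the original article) for the firewall and DMZ cases above: it compares what a rule set actually permits between zones with the flows the business needs, and reports the excess. The zone names, ports, rule format and first-match, default-deny semantics are assumptions, and both rule sets are constructed samples.

```python
from dataclasses import dataclass
from itertools import permutations

ZONES = ("internet", "dmz", "internal")  # assumed zone names

@dataclass(frozen=True)
class Rule:
    src: str       # source zone, or "any"
    dst: str       # destination zone, or "any"
    ports: tuple   # inclusive (low, high) TCP port range
    action: str    # "allow" or "deny"

def effective_allows(rules, src, dst):
    """Ports actually allowed src -> dst under first-match, default-deny."""
    decided, allowed = set(), set()
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any"):
            new = set(range(r.ports[0], r.ports[1] + 1)) - decided
            if r.action == "allow":
                allowed |= new
            decided |= new
    return allowed

def audit(rules, required):
    """Map each zone pair to the sorted ports allowed beyond `required`."""
    findings = {}
    for src, dst in permutations(ZONES, 2):
        excess = effective_allows(rules, src, dst) - required.get((src, dst), set())
        if excess:
            findings[(src, dst)] = sorted(excess)
    return findings

# Constructed sample: the only flows the business actually needs.
REQUIRED = {("internet", "dmz"): {443}, ("dmz", "internal"): {5432}}
# Constructed weak rule set: the broad allow sits above the deny, so the
# deny never matches and the DMZ is not isolated from the internal network.
WEAK = [
    Rule("internet", "dmz", (443, 443), "allow"),
    Rule("dmz", "any", (1, 65535), "allow"),
    Rule("dmz", "internal", (1, 65535), "deny"),
]
# Corrected rule set: one narrow allow; the rest falls to default deny.
FIXED = [
    Rule("internet", "dmz", (443, 443), "allow"),
    Rule("dmz", "internal", (5432, 5432), "allow"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("fixed", FIXED)):
        print(name, {pair: len(p) for pair, p in audit(rules, REQUIRED).items()})
```

The weak rule set looks as if it isolates the DMZ because a deny rule is present, yet the audit shows that rule is shadowed and every port except the required one is reported as excess.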