The IT Security Professional
Barlowtek
The IT Security Pro
Helping Organizations Understand IT Security & Best Practices
What seems to be all the buzz these days is the deployment of critical infrastructure or Software-as-a-Service (SaaS) applications into a cloud environment in order to provide additional security. While most businesses are looking for the benefits that this offers to them and their customers, an area of concern is making sure that the move aligns with their business operations and that security meets their specific needs or requirements.

Cloud Security
Companies and organizations are looking for the following when it comes to the migration of their infrastructure to the cloud:
Centralized Security
Cloud security is all about control. If you are able to control access requirements and resources from one online portal, the company will save on having to deploy specialized personnel to a data center. This is how services such as AWS (Amazon Web Services) are accessed and managed. The centralization of security means that the IT Security Pro will have more time to devote to other areas of the infrastructure, like perimeter defenses or vulnerability scanning.

Reduction in Costs
One of the biggest reasons, if not the sole reason, that an organization will choose to deploy infrastructure or applications to the cloud is the cost savings it gets from using the resources that are available within that environment. Whether it is the bandwidth, server resources, or just the overall cost savings from not having to pay for a capital expenditure, businesses continue to move to the cloud in order to gain a financial benefit from the move. This can be a significant amount, so security and how it will be used within that environment should be understood before anything moves to the cloud.

Reduced Administration
The reduction in costs that a company might see from moving to a more cloud-centric environment is directly associated with the reduction in administrative costs. With streamlined services and online portals to access all of the resources in the cloud infrastructure, companies may employ fewer admins than they would if they had to create the environment on their own. Also, the people who do fill these admin roles are going to be crucial to the deployment of the cloud environment and to its maintenance afterwards.

Reliability of Services
When we look at cloud services, one of the most significant aspects that we take into consideration is the reliability of the services that are offered (up-time percentage is a BIG one here). Additionally, looking at the redundancy of various services such as:
Summary
While there are a lot of reasons to move to the cloud, a business should determine how it will address security and what sort of benefits it is looking for from this critical realignment of its network architecture. Whether it happens to be overall cost savings or the enhanced capabilities that the cloud offers, IT Security and how it will be addressed needs to be a part of the discussion. After the critical assets are migrated is the wrong time to try to figure out how your security posture will be affected by such a move.
When it comes to providing security to users who utilize their banking services, many companies do not do everything they can to protect their user accounts. This lack of support or enhanced capability can lead to accounts that may be susceptible to potential attacks. Additionally, banking institutions continue to lack security support for their online portals or account access.

Security Requirements
When it comes to banking, there has been a lot of focus on the bank as a whole and how it processes user payments. This has left a hole in the security requirements that can allow user data to be accessed or hacked by a dedicated attacker. An example of this lack of security can be shown with their limitation on user account password complexity, only allowing the following

Making it a Challenge
When it comes to hacking, or attacking an online portal or a user account, an attacker will want to spend as little time as possible on each of the accounts that they try to compromise. This means that they are not looking for a challenge and will want to make sure that the account they attack will be easy to compromise. Not adding additional characters to the mix of those that can potentially be used drastically cuts down on the amount of time it would take to crack an account.

Time for Cracking
Depending on the complexity of the password that is being used, there are some basic periods within which those passwords can be hacked given the right circumstances. Here are just a few examples:
Online Portals
When it comes to credit card safety, it starts with the online portal for customer service. These sites have limited security requirements, as they are meant as a way for the customer to quickly access their credit card account data. Additional security measures are needed with these specific accounts due to the ability that they have to provide access to funds, resources, and data on the bank’s customer. While functionality on the online portals is needed, sometimes the security measures do not meet the same standards as other areas in the support services of the bank. Enforcement of multi-factor authentication (MFA) is one of the specific solutions that is lacking and should be in place on all online account access portals. Additionally, time-outs or account verification during additional requests should also be enforced in order to prevent an attacker from gaining additional user account details or funds.

Summary
One of the glaring problems with banks and other institutions is that they are unwilling or unable to protect their customers’ information by the simple enablement of more complex passwords using special characters on user accounts. No matter where you use your password, you should feel safe in knowing that the bank or organization that supports the site is doing its best to protect your information. If a bank or other institution is unwilling or unable to provide for the basic security of your data, then looking for those organizations that do should be important to you. Even card brands such as Visa, Mastercard, and American Express fail to support the inclusion of special characters in user passwords (NetSpend/ Visa and BlueBird/ AmerEx). This one addition to the password complexity equation could mean the difference between being hacked and not. In addition, the inclusion of just two more characters (10 total) is enough to turn a simple hack into one that is costly in time for the attackers to accomplish.
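To put numbers on the point about special characters and the two extra characters (10 total), here is an added example, not taken from the original post or its reference, that computes the keyspace and the worst-case time to exhaust it for policies with and without special characters. The 32-symbol special-character set and the rate of 1e10 guesses per second are assumptions.

```python
import math

# Printable-ASCII character classes a password policy may allow.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}

# ASSUMPTION: offline guess rate (guesses/second). Replace it with a figure
# measured for the hash algorithm and hardware you are modelling.
GUESSES_PER_SECOND = 1e10

def keyspace(classes, length):
    """Count every possible password of exactly `length` characters."""
    return sum(CLASS_SIZES[c] for c in classes) ** length

def entropy_bits(classes, length):
    """Bits of entropy if every character is chosen uniformly at random."""
    return math.log2(keyspace(classes, length))

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def exhaust_time(classes, length, rate=GUESSES_PER_SECOND):
    """Worst-case time to try the whole keyspace at `rate` guesses/second."""
    return humanize(keyspace(classes, length) / rate)

ALNUM = ("lower", "upper", "digit")       # policy without special characters
FULL = ALNUM + ("special",)               # policy that allows them

def compare(lengths=(8, 10)):
    """Rows of (policy, length, entropy bits, worst-case exhaustion time)."""
    rows = []
    for name, classes in (("alnum", ALNUM), ("alnum+special", FULL)):
        for n in lengths:
            rows.append((name, n, round(entropy_bits(classes, n), 1),
                         exhaust_time(classes, n)))
    return rows

if __name__ == "__main__":
    # These are upper bounds: human-chosen passwords fall far sooner to
    # dictionary guessing, which is why the post also asks for MFA.
    for row in compare():
        print("{:<14} len={:<3} {:>5} bits  {}".format(*row))
```

The figures assume uniformly random passwords and an offline attack; online guessing against a portal is bounded by its lockout and throttling controls instead.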
Reference: https://thycotic.force.com/support/s/article/Calculating-Password-Complexity for the times taken in order to crack the passwords.

When it comes to the consulting industry, there is an area that is currently seeing huge growth, and that is the IT Security Professional becoming a consultant. Whether the professional works as part of a team or independently, there is a growing need for these skills. Additionally, those companies that specialize in connecting consultants with professionals are continuing to show growth as well.

Security on Demand
Let’s face it, having an IT Security Professional onsite can be an expensive proposition for any company, especially those with specialized needs. The need for those specialized skills can increase the costs of having someone on staff with all of the required skills, let alone having to maintain them as well. Add additional certifications onto that list of wants for the company, and the price for those resources continues to go up. This is why the consulting industry has been able to flourish in recent years, as it is able to pair the professional with those that can use their skill sets. Having the ability to call upon an IT Security Professional when you need them for a particular project allows a company to use its capital more effectively. For the consultant, being able to work on projects when they want to has its advantages as well.

Increasing Costs
The drive for the market in the technical consulting field has been the increasing price of doing business in the digital age. With all of the regulations or specific industry requirements, companies are in desperate need of security professionals that can help them obtain and maintain compliance. No matter what market the company may be in, regulations are requiring companies to spend money in order to do business in a particular industry.

Additionally, the public is also pushing for more regulation in order to combat what seems to be the endless parade of data leaks and network attacks. In order to protect customers’ data, more and more states are enacting regulations that protect their citizens. Knowing about these regulations and how to be in compliance with them takes specialty training and knowledge of how this affects the business as a whole.

Specialty Skills
The key skills that a consultant can bring to a potential client’s business can be some very specific specialty certifications or experience. Some of the very specific skills that are popular are the following:
Contractors for Hire
Another growing trend is to hire potential employees as contractors prior to offering them a full-time job. (Think of it as an extended test drive or job audition.) While most companies will know exactly what type of skills they are looking for in a potential employee, what some companies will focus on will be cultural fit. This is not something that can be taught in college, and so the skills here are either there or they are not. Contractors also play an important part in helping to supplement staff when skills or manpower are badly needed. Having contractors on staff for a particular project is a great way to manage the resources that may be needed to complete it. Additionally, consultants and contractors are very beneficial to businesses that would not normally be able to secure the services of an IT Security Professional on staff.

Summary
Contractors and consultants are able to bring experience and specialized skills that companies may be missing on their staff. Being able to augment the company’s staffing requirements also means that in the long run the company benefits by just paying for the skills it needs and not the ones that it doesn’t. Having an IT Security Pro on staff can be expensive, but so can not having one when you really need one. There is a wealth of knowledge and experience that comes with the employment of an IT Security Pro, and having access to those skills on a regular basis can mean the difference between being in compliance or not. If the company or client is unable to afford an IT Security Pro, then the next best thing is to have one on call or on a contract. The skills that these highly trained professionals bring to the table are one of the reasons that they are so sought after, and one reason why they demand such a high premium as well. After all, we are worth it in the end.
IT Security Pro
Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.