
Company Wide InfoSec....


S3curityM0nkey

Jr. Member

Posts: 89

Joined: Mon May 16, 2011 6:47 pm

Post Mon Aug 20, 2012 7:54 pm

Company Wide InfoSec....

I have worked for a number of large companies and have found that different ones treat InfoSec differently.

One in particular was very keen to make sure IP was not leaked out of the company; they made sure all users were aware of the Green, Yellow, Red designations of data. Anything that was above Green was NOT to go to people outside of the company, and Red and Yellow printouts were to be shredded.

But when it came to the security of the network and data on the network it was different. Users were allowed to copy files to USB keys with no encryption. Never once did they employ a company to test the security of the network, relying 100% on the automated scanning tool!

Do you guys find this is often the case with companies? They do a great job in some parts of InfoSec and not others?

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Aug 20, 2012 8:52 pm

Re: Company Wide InfoSec....

Yes. I've found that most companies are pretty bad in general and the exceptions to the rule only do some of it well, like you said.

Infosec is hard to do right, really hard. I'm so glad I am on the offensive side of things now because it's expensive, difficult to manage and hard to get budget approval for. I think that a lot of companies struggle to find that balance between functionality and security. I also think that a lot of companies don't understand that there are ways to mitigate a lot of the risk and problem areas that they face, that might be much less expensive.

I would say 2% of the companies we deal with are proactive about security. It's clear that they have a solid enterprise security program, but we still can usually get in. It's just too hard to do well!!

my 2 cents

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Aug 21, 2012 6:36 am

Re: Company Wide InfoSec....

cd1zz wrote: I would say 2% of the companies we deal with are proactive about security.

This. When overall security is poor, but there are a few tasks done really well, those are usually a direct result of audit findings and/or historic incidents (or someone with some pull saw a really convincing piece on CNN).
The day you stop learning is the day you start becoming obsolete.

m0wgli

Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Tue Aug 21, 2012 8:04 am

Re: Company Wide InfoSec....

SecurityMonkey wrote: One in particular was very keen to make sure IP was not leaked out of the company; they made sure all users were aware of the Green, Yellow, Red designations of data. Anything that was above Green was NOT to go to people outside of the company, and Red and Yellow printouts were to be shredded.

But when it came to the security of the network and data on the network it was different. Users were allowed to copy files to USB keys with no encryption. Never once did they employ a company to test the security of the network, relying 100% on the automated scanning tool!

You could argue they weren’t even doing the first part very well if anyone was capable of walking out the door, with the data on an unencrypted USB stick.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA

Jamie.R

Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Tue Aug 21, 2012 8:51 am

Re: Company Wide InfoSec....

I have seen the same in my time where companies just do so many things wrong. I have even seen security companies that have made mistakes and have SQL and XSS on their site.
Last edited by Jamie.R on Wed Aug 22, 2012 8:07 am, edited 1 time in total.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Tue Aug 21, 2012 1:26 pm

Re: Company Wide InfoSec....

I am currently in a similar position. I've spent most of my time in the SMB realm as a consultant. Most of the SMBs that I have worked with are much better off security-wise than the big enterprises. I think what makes this work is, for one, their risk of data loss is much greater than that of a large organization. It could be the difference between closing the doors or keeping them open for another couple of years. They simply don't make the revenue to afford any major fines or to have their IP stolen and their business fly out the door to the competitors. For those that realize this, security means everything.

Now back to the large enterprises. At this time many, I think, are in a reactive state due to some breach or major incident. They are in clean-up mode and looking for the "magic bullet" to help them protect their data from "APTs." My problem with their approach to remediating these issues is the fact that they are not even practicing security 101. How could you take a 501 course when you haven't met the pre-reqs??? You can't even understand the basics but you want to jump right into the advanced skills. OK, you have the firewalls, the IDS/IPS in place and a switched network with a solid core. Let's ensure we are using those devices to the fullest extent before buying more crap that no one knows how to use.

Don't even get me started on outsourcing. My feeling is that, depending on the size of the environment, you should have at least one FTE per area. That FTE should be expert level for that system. They should send the tasks to the outsourcing company to complete, but at the same time they also understand and can perform the duties required. They are available on the higher-level engineering side. They can focus on improving the architecture and allow the outsourced company to perform the day-to-day operational tasks.
Certs: GCWN
(@)Dewser

S3curityM0nkey

Jr. Member

Posts: 89

Joined: Mon May 16, 2011 6:47 pm

Post Tue Aug 21, 2012 5:17 pm

Re: Company Wide InfoSec....

To contrast that I have worked for a company that did things almost right… The only users with internet access were the office admin team (HR, Front Desk). The Developers and Analysts had no internet, no external email, no USB access and could not print!

jjwinter

Jr. Member

Posts: 80

Joined: Mon Mar 05, 2012 10:33 pm

Post Wed Aug 22, 2012 9:03 pm

Re: Company Wide InfoSec....

I too deal primarily with SMBs, well mostly SB. The major issue I've seen recently is how poorly they deal with employee termination. I got a call from one THREE WEEKS after they let someone go for check stealing. She still had remote access and a working company email. I found out during a routine checkup. They said "Oh, don't bother with her computer, she doesn't work here anymore..."

She had been given significant access to many areas. My head spins at the harm that could have been wrought. I had a chat with the boss and hopefully enlightened him. At the very, very least, call me first before firing anyone so I can cut access and lock their account.

I know many larger companies with real HR departments handle this more professionally. Have any of you needed to step in and fix employee termination processes as part of an evaluation?
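The offboarding gap jjwinter describes (a terminated employee still holding remote access and a live mailbox three weeks later) is easy to catch with a routine reconciliation of the HR termination list against the directory. The following is an added example, not code from the thread or from any poster; the HR list and account snapshot are constructed sample data and the field names are assumptions.

```python
from datetime import date

# Constructed sample data (not from the thread): an HR termination list and a
# directory/IT inventory snapshot for the same small business, as of AS_OF.
AS_OF = date(2012, 8, 20)

HR_TERMINATIONS = [
    {"user": "jdoe", "terminated": date(2012, 7, 30)},
    {"user": "asmith", "terminated": date(2012, 8, 15)},
]

ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "mailbox": True,
     "remote_access": True, "last_login": date(2012, 8, 18)},
    {"user": "asmith", "enabled": False, "mailbox": False,
     "remote_access": False, "last_login": date(2012, 8, 14)},
    {"user": "bwong", "enabled": True, "mailbox": True,
     "remote_access": True, "last_login": date(2012, 8, 20)},
]


def offboarding_findings(terminations, accounts, as_of):
    """Return one finding per terminated user whose access is not fully revoked.

    Each finding lists what is still open (enabled login, mailbox, remote
    access), how many days the gap has existed, and whether the account was
    used after the termination date, which turns a hygiene gap into an incident.
    """
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for t in terminations:
        acct = by_user.get(t["user"])
        if acct is None:
            continue  # account already deleted: nothing left to revoke
        open_items = [k for k in ("enabled", "mailbox", "remote_access") if acct[k]]
        if not open_items:
            continue  # fully offboarded
        findings.append({
            "user": t["user"],
            "open": open_items,
            "days_open": (as_of - t["terminated"]).days,
            "used_after_termination": acct["last_login"] > t["terminated"],
        })
    return findings


if __name__ == "__main__":
    for finding in offboarding_findings(HR_TERMINATIONS, ACCOUNTS, AS_OF):
        print(finding)
```

Run on a schedule, the same check also serves as the "call me before firing anyone" control: any user on the HR list with open items and a recent login is an account to lock immediately, not at the next routine visit.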
