One of the greatest threats to your company’s productivity comes from poor IT network performance. Yet it can be tough to maintain a healthy network in the face of cost constraints, changes to your business, and constantly evolving technologies.

Which can put you between a rock and a hard place, because when it comes to your organization’s IT network, what you need — regardless of whether you’ve undertaken virtualization or cloud computing or unified communications — is a stable framework for delivering communication, applications, and services that provide a consistent, reliable experience under normal conditions.

More...

For quite some time, small and midsized businesses dared to feel safe from most malicious attacks — thanks to their relative smallness. Over the last couple of years, that’s been changing, because larger firms are tightening defenses and, as I’ve said before, the bad guys exploit opportunity.

Which is why shoddy IT security is a wide open opportunity for hackers to rip you off. 

So I’m finishing our list with two elements easily overlooked as you face the hassles of keeping up with criminal creativity.

#9 Educate your employees about security

More...

Did I mention that when it comes to IT security and defense in depth, the more layers the better?

One of the weakest points in many organizations is #7 on our list:

#7 Authenticate

You need to think in terms of both user authentication and information authentication. When it comes to user authentication, before allowing users access to your data, apps, systems, or networks authenticate them with at least two factors (something they know, something they are, something they have). Also …

• Make sure passwords are unique. The same password should not be shared among users nor used on different systems.
• CHANGE DEFAULT CREDENTIALS!  When your system/network admins deploy a new system or service, change the password.
• Consider using an identity/access management system with single sign-on capability to reduce the complexity, risk, and cost of managing employee authentication and access.

More...

It’s appropriate, I suppose, to think of Quest’s list of 10 ways to boost security as layers: Strategy and guiding principles first, then infrastructure basics you may not have considered much. And now a couple of layers that address some of what are sure to rank among 2012’s imminent threats …

#5 Deploy computer security incident response capabilities to better address advanced persistent threats. 

Too often, attacks and breaches take weeks, months, and even years to be uncovered.  According to Verizon’s 2011 Data Breach Investigations Report (which includes information from the U.S. Secret Service and the Dutch National High Tech Crime Unit as well as Verizon’s information), 38% of data breaches aren’t discovered for weeks, and 36% aren’t discovered for months.

More...

Now that you’re paying attention to defense in depth and those security control design/deployment principles, you’re ready to think about infrastructure. So here are #3 and #4 on Quest’s boosting security list:

#3 Build security into your virtualization efforts

• Secure your hypervisors
• Treat virtual servers like another access layer to your network
• Monitor and manage your virtual switches 
• Implement VM trust zones based on workload-aware security policies
• Deploy your VMs with a secure virtualization framework/architecture that …
  • Inspects ingress and egress traffic with a purpose-built physical intrusion prevention system (IPS)
  • Implements in-line inspection and automated threat blocking to protect hypervisors from targeted attacks
  • Utilizes vulnerability shielding for zero-day protection of both hypervisors and hosted workloads
  • Enables consistent IPS polices, segmentation, and trust zones across both physical and virtual data center environments

More...

Anyone who visits here to check out my ramblings knows I tend to talk lists. This time I’m beginning a list of 10 ways a business can boost its IT security.

#1 Never forget: Your security is only as good as its weakest link, so build your defenses in-depth and ensure someone is watching your security devices and processes.

Given enough time and resources, an attacker can breach any defense. But attackers’ time and resources are limited — hence they choose easy targets over tough ones.

Your goal is to always be a tough target. Since any single defense has its limits, you want to layer your security and never forget the first rule of defense-in-depth: There is no such thing as total, complete security against threats. Layered security serves to hinder a threat’s progress until either it ceases to threaten or additional resources can be brought to bear. 

More...

Cyber-attacks tend to take the path of least resistance. So what are some of those paths? What vulnerabilities do hackers look for first? 

According to a survey conducted at the Def Con 18 hackers’ convention, poorly configured networks tops hackers’ lists. They like to exploit inadequate security audits and IT staffers who don’t know what to look for when they’re monitoring and testing networks.

Hackers also prefer threats that change too fast to be properly addressed. And they look for insiders who can be persuaded — or forced — to aid their attack.

More...

The thing to remember concerning what you hear about data breaches is that you’re hearing only about what gets reported — and plenty of data breaches never get reported.

Even so, the numbers we do have are plenty scary. A study on data breaches — 2010 Annual Study: U.S. Cost of a Data Breach, published last March — conducted for Symantec by the Ponemon Institute tells us that in 2010 (the most recent info we have), the average data breach cost $7.2 million, up from $6.6 million in 2009. 

More...