In this series of blog posts, I'm looking at an often overlooked and extremely simplistic approach to security as outlined by the PCI Council. We've all seen the 12 requirements for PCI-DSS compliance and some have even had to adhere to those, but what I'm examining applies to a broader audience, basically anyone and everyone that has anything at all to secure. It's a simple 3-step process:
The above 3 steps may seem obvious and elementary, but they're often steps that are overlooked in day-to-day security activities. In this blog series, I am examining how each of these steps can apply to you, your organization and your firewalls. Firewalls are a primary gateway into your company and therefore are a great place to start. In this blog, we'll dig into step 2:
The PCI Council describes this step as the following:
"Remediation is the process of fixing vulnerabilities – including technical flaws in software code or unsafe practices in how an organization processes or stores cardholder data."
The first thing to note about the above statement is that you can't fix what you don't know is broken. That's what makes step one, Assess, so important. Once you have assessed your network and your firewalls specifically though, it's time to start remediating the problems that were found.
In a prior life I worked for a vulnerability assessment company. We would scan your network and your firewalls and report where you had problems or potential problems. It was great technology, especially for the time, but there are a few key inherent problems with this approach. First, there are many situations where a vulnerability isn't actually a vulnerability until you add other ingredients to the mix. Second, on the flip side, there are tons of reported vulnerabilities that aren't actually vulnerabilities in your specific environment.
The above scenarios are exactly what drew me to the firewall policy management space, and specifically AlgoSec. We might tell you that you're allowing a certain type of traffic into your network that's risky, but that traffic being allowed is a combination of three rules added together. Not only will we tell you which three rules are contributing to this overall vulnerability, but we'll tell you exactly where and what needs to be changed to mitigate the risk.
Now I don't mean this to be a commercial for AlgoSec, but it's a great example of how to tackle the remediation step. You need accurate and intelligent information in order to effectively secure your network, and you need to know what and where to make changes.
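To make the "three rules added together" idea concrete, here is an added example (my own code, not AlgoSec's product or any code from the original post) that walks a first-match firewall policy and reports every permit rule whose match space overlaps a flow class you consider risky, stopping at the first deny that covers the whole class. The policy, the subnets and the risky flow (any source to the DMZ on TCP/23) are constructed for illustration; rule names and the `Rule` dataclass are mine. It deliberately does not subtract partial shadowing by earlier narrower denies, so it over-reports candidates rather than missing one, which is the safe direction for a remediation to-do list.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR of allowed sources
    dst: str          # CIDR of destinations
    ports: tuple      # inclusive (low, high) TCP destination port range
    action: str       # "permit" or "deny"

def _net_overlap(a, b):
    # CIDR blocks are nested or disjoint, so the overlap is the smaller one or nothing
    na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
    if na.subnet_of(nb):
        return na
    if nb.subnet_of(na):
        return nb
    return None

def _port_overlap(a, b):
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def overlap(rule, risky):
    """Return (src_net, dst_net, ports) where rule and risky intersect, or None."""
    src = _net_overlap(rule.src, risky.src)
    dst = _net_overlap(rule.dst, risky.dst)
    ports = _port_overlap(rule.ports, risky.ports)
    if src is None or dst is None or ports is None:
        return None
    return (src, dst, ports)

def contributing_rules(policy, risky):
    """Permit rules (in match order) that let some part of the risky class through."""
    full = (ipaddress.ip_network(risky.src), ipaddress.ip_network(risky.dst), risky.ports)
    found = []
    for rule in policy:
        ov = overlap(rule, risky)
        if ov is None:
            continue
        if rule.action == "deny":
            if ov == full:      # this deny covers the whole class: later rules never match it
                break
            continue            # partial deny: later permits may still expose the rest
        found.append((rule.name, str(ov[0]), str(ov[1]), ov[2]))
    return found

# Constructed sample policy: three separate rules jointly expose telnet into the DMZ
POLICY = [
    Rule("allow-partner-telnet", "203.0.113.0/24", "10.1.0.0/24", (23, 23), "permit"),
    Rule("deny-guest", "192.168.50.0/24", "10.1.0.0/24", (1, 65535), "deny"),
    Rule("allow-mgmt-any", "0.0.0.0/0", "10.1.0.10/32", (20, 25), "permit"),
    Rule("allow-vpn-all", "10.8.0.0/16", "10.0.0.0/8", (1, 65535), "permit"),
    Rule("allow-web", "0.0.0.0/0", "10.1.0.0/24", (443, 443), "permit"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", (1, 65535), "deny"),
]
RISKY = Rule("risky-telnet-to-dmz", "0.0.0.0/0", "10.1.0.0/24", (23, 23), "permit")
```

Each tuple returned names the rule and the exact source, destination and port slice it exposes, which is the "what and where to change" the remediation step needs.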
Ask any IT or Security professional and they'll tell you tales of the fine line between security and usability. Users need access to information, applications and data, but all this access ends up turning into security risks. So how do you remediate the vulnerabilities in your network without cutting off all access? There is no golden nugget because each organization is different, but arming yourself with the proper remediation information is imperative.
So once you've assessed your network and remediated as much as possible, while still having the access you need, then what's the next step? We'll dig into this in my next blog post, but keep this in mind – you can't fix the problems that you don't know about and you can't fix the problems that you do know about without knowing how.