Wednesday 20 October 2010

As improbable as it may seem . .

Living in an electronic age which is always open to abuse, there is an expectation that user, business, and government systems, infrastructures, and applications are secure – Right!
With the ordinary home user, the level of security they deploy will vary from nothing, to a fully-fledged and secure system, installed with up-to-date Patches, Malware Protection, and some sensible level of Perimeter protection.
With Corporate and Government deployments, however, one could make the assertion that they accommodate sensible and pragmatic levels of security which will secure them, their partners, and above all their clients – and in the majority of cases, this is the mission most reputable organisations pursue to the best of their ability. Sadly, and as improbable as it may seem, the expectation of what security should look like in an operational environment is not always a reflection of reality.
One of the major flaws in the security profile of some deployments is that, whilst the Corporate Policies may say Systems, Infrastructures, and Applications MUST be maintained at an up-to-date level of patch, there can be a gross lack of adherence to the application of Patches and Security updates in real operational terms. Such shortfalls can range from isolated cases, through to environment-wide failures to apply the required level of security to assure the environment is safe from the known vulnerabilities.
As an example, consider the hypothetical case of a Global Business with a strong brand reputation running its business on an out-of-service e-mail system – would, or should, this be a serious issue? Well, first of all, if it is out of service, then it has most likely also fallen off the Security Patch and Update lifecycle. Secondly, it will potentially be hosting old, well-established Security Vulnerabilities and Exposures. Last but not least, in such a circumstance, the e-mail application may be a little flaky with current technologies, so, all-in-all, it would not be a sound basis upon which to run our hypothetical business.
But what would this mean in real-time security terms? Well, first of all, given this is an e-mail system, it potentially affects the majority of Business Line operational assets at both the mail client (Local) and the Server (Remote) where such a potentially flawed application is providing the operational service – so it may also be exposing the organisation to wide exploitation. Secondly, as the mail client and application are out of date, they may attract more interest from hackers and criminals, as these will most likely be aware from the mail headers (Footprinting) that the version is out of date, and so the potential for vulnerabilities and exploitation is much increased.
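The footprinting point above is one a defender can check for themselves: mail headers such as Received, X-Mailer and X-MimeOLE often carry a product name and version, so an organisation can audit a sample of its own outbound messages and compare what they advertise against its own support baseline. The script below is an added illustration, not code from the original post; the message, product names and versions in it are constructed, and the minimum-version table is an assumed input that a real audit would populate from the organisation's own patch policy.

```python
import re
from email.parser import HeaderParser

# Headers that commonly carry a software name and version string.
DISCLOSING_HEADERS = ("Received", "X-Mailer", "User-Agent", "X-MimeOLE")

# Matches "<product> <version>" where the version is dotted digits,
# optionally prefixed by "v"/"V" (e.g. "ExampleMTA 2.8.4", "ExampleMailServer V5.0.1").
VERSION_RE = re.compile(r"([A-Za-z][\w-]*)\s+[vV]?(\d+(?:\.\d+)+)\b")

# Constructed sample message; hosts, products and versions are invented.
SAMPLE_MESSAGE = """Received: from mail.example.test (mail.example.test [192.0.2.10])
    by mx.example.test with ESMTP (ExampleMTA 2.8.4) id ABC123;
    Wed, 20 Oct 2010 09:00:00 +0100
X-Mailer: ExampleMailClient 4.2.1
X-MimeOLE: Produced By ExampleMailServer V5.0.1
Message-ID: <20101020090000.ABC123@mail.example.test>
From: sender@example.test
To: recipient@example.test
Subject: Quarterly report

Body text omitted.
"""


def find_version_disclosures(raw_message):
    """Return (header, product, version) for every version string found in
    the headers listed in DISCLOSING_HEADERS. The body is not inspected."""
    headers = HeaderParser().parsestr(raw_message, headersonly=True)
    found = []
    for name in DISCLOSING_HEADERS:
        for value in headers.get_all(name, []):
            flat = " ".join(str(value).split())  # unfold continuation lines
            for product, version in VERSION_RE.findall(flat):
                found.append((name, product, version))
    return found


def _version_tuple(version):
    """'4.2.1' -> (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def below_minimum(disclosures, minimum_supported):
    """Given the disclosures and a dict {product: lowest supported version}
    (assumed to come from the organisation's own patch baseline), return the
    disclosures whose advertised version is older than that floor."""
    stale = []
    for header, product, version in disclosures:
        floor = minimum_supported.get(product)
        if floor is not None and _version_tuple(version) < _version_tuple(floor):
            stale.append((header, product, version, floor))
    return stale


if __name__ == "__main__":
    # Assumed baseline: anything older than these versions is out of support.
    baseline = {"ExampleMailClient": "5.0", "ExampleMTA": "2.8.4"}
    disclosures = find_version_disclosures(SAMPLE_MESSAGE)
    for header, product, version in disclosures:
        print(f"{header}: {product} {version}")
    for header, product, version, floor in below_minimum(disclosures, baseline):
        print(f"STALE {header}: {product} {version} is below baseline {floor}")
```

Run against a handful of messages pulled from an outbound queue or a test mailbox, the first function tells you what your estate is advertising to the outside world, and the second turns that into a list of components that have fallen behind the baseline; the list is only as good as the baseline table you feed it, so keep that table alongside the patch policy rather than in the script.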
The real worry here is, if such slack practices were in place within a real-world business, does this leave systems, infrastructure, and applications open to abuse – and does it expose Partners and Clients to higher levels of risk?
Last of all, one should consider the position of organisations with ISO27001 Certification, or those who are required to comply with the expectations of PCI-DSS – here they are presented with a challenge, with very few mitigations or countermeasures, and as such the assumption of governance would tend to suggest that such an insecure profile is out of step with the requirements of security.
In a world of acknowledged Cyber Vulnerabilities, Threats, and regular hacking attempts, should it not be an expectation that businesses strive to service their perimeters and assets to the best of their advantage? Is it not the case that failing to do so in the face of such significant threats and adversity could be considered culpable of an offence? Above all, is it not the expectation of every user who logs into an organisation, or has their personal data stored and/or processed within its Corporate Systems, that the level of security is maintained at its optimum – I believe this is, and should always be, the case.