You may have heard about Independent Security Evaluators (ISE), the company that broke the iPhone by discovering a vulnerability capable of delivering files from the user's iPhone to a remote attacker. Geoff Gentry, regional director for ISE, delivered "Hackers, Attack Anatomy, and Security Trends," an informative session on how to improve security systems. "When you lack systems with checks and balances, then disaster happens," warned Gentry. "You have to operate on the premise that the bad guys are already in your network." Traditional defenses continue to decline as attackers become more sophisticated and their methods continue to evolve.
Gentry advised companies not to focus on security per se but to focus on where the company's assets are and how those assets are protected. Digital assets are valuable and need to be secured individually. By securing the most important asset with its own security system, you are going a step further to avoid a security breach — secure assets, not just perimeters.
Gentry explained a couple of test options for a company's defense systems:
- Black-box Penetration Test: This is a test where the company hires another company to try to break through their security system without having prior knowledge of the target security system.
- White-box Vulnerability Assessment: This assessment is where the company hires another company to assess the weaknesses within their security systems. The tester would have a deep level of understanding of the systems that are being tested.
Of the two, the White-box Vulnerability Assessment delivers the best results. Those results included time spent, issues discovered, confidence gained and results. With this assessment you receive mitigation strategies to solve the issues. "You don't want to know if someone can break into your [system] because the answer is yes," said Gentry. Instead of knowing that it's possible, know how to resolve the issues.
"If you don't have access to something, you can't discover it. If you can't discover it, then you can't fix it." Start with security as a priority at your company. By doing this you will save money, knowing that the correct security systems and preventative measures are in place to protect your assets, your company and your customers.