Something that I've noticed over the years is that lots and lots of companies secure their environments in silos. Each team, division, LOB or whatever is responsible for securing its own equipment and does so at its leisure and discretion. Not only that, but within these silos there are other silos. Whoever is responsible for a particular device (server, router, switch, firewall, etc.) secures it as they please, or not at all.
Traditionally, most people who are not security professionals and who get tasked with managing a device only secure the obvious. I've seen servers that have no admin password and only basic folder-level security. They were deemed to be secure. I've seen routers, switches and firewalls that were managed via telnet with weak passwords and no password on the console. Then there is the whole "one password fits all" mentality that many companies have. I call this "Security Silos". It's security done in bits and pieces with no consideration for what is going on in other parts of the company with regard to security. It's the "my device is secure and I don't care about your device" syndrome.
What this misses is two very important points.
- A device is only as secure as the weakest link in the network it sits on.
- Security for the sake of security alone is no security at all.
You can lock a server (or any device) down to where it's next to impossible to get into it. Yet if the router that routes traffic to it is insecure, then the bad guys will be able to get to the server and pick away at it little by little until they find the chink in the armor. Or they will sit there and watch all traffic into and out of the server until they find something that is of use to them and use it against you.
If you secure a device just because it needs to be secure, then you are missing out on the big picture. You don't secure a device just because it needs it. You need to understand the purpose of the device in the overall picture of what it is that the business is trying to accomplish. You then secure that device in ways that enable the business to work optimally while remaining secure. This cannot be done effectively in silos. Go back to point 1.
Companies often lack the vision and understanding of an overall security program. This is basically a company-wide umbrella that covers all aspects of security. It needs to include information security and physical security (or at least the ability to control physical access to information resources). To truly create this type of program, senior management needs to understand the need for it and must support it. The company as a whole needs to be informed about the need for it, and they need to understand its purpose. IT needs to understand that living in silos will never allow them to truly succeed in their jobs. IT management and personnel need to be on board with developing a program that will bridge the gap between infrastructure, network, servers, and applications.
If all of these groups don't work together, then you are just spinning your wheels. I'm amazed when I hear apps say that they don't need to worry about security because either the network is secure, the server they reside on is secure or doesn't sit on the internet, or the app itself is secure because it requires a user name and password to access it. There is a lack of understanding of overall security principles between different IT groups. Server teams know and understand server security, but they don't understand network or application security, and the same goes for the other two.
This is where an overall security plan and program add real value to an organization. It requires leadership and support in order to happen. This is where many programs fail. They get leadership, yet management never buys in completely, and therefore the program stumbles along. I know that some of you would argue that if the leader was really effective then he would be able to get the necessary support. I agree to a point, but I've seen some good leaders who were up against a wall and couldn't get the support. Yet at other companies they were able to get the support and create good programs. Likewise, a company can't just decide that it needs a security program and never bring in leadership to create it. You can't will it to happen; it has to be led.
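The misconfigurations described above (telnet management, weak or missing passwords, no console password, one password shared across devices) are exactly the kind of thing that only shows up when someone looks across the silos at once. As an added example, not code from the original post, the script below audits a constructed device inventory spanning server, network and firewall teams and reports each segment's weakest device rather than an average, since the weakest link is what an attacker works on. The `Device` fields, the weak-password list and the inventory entries are all assumptions made up for the illustration.

```python
"""Cross-silo device audit (added example, not part of the original post).

Every record in INVENTORY is constructed sample data. The checks mirror the
post's observations: cleartext management, missing or weak admin passwords,
no console password on network gear, and one password reused across devices.
A segment is scored by its weakest device, not by the average.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed, constructed list of passwords treated as weak for this example.
WEAK_PASSWORDS = {"", "password", "admin", "cisco", "123456"}
CLEARTEXT_MGMT = {"telnet", "http"}
NETWORK_GEAR = {"router", "switch", "firewall"}


@dataclass
class Device:
    name: str
    kind: str                                  # server, router, switch, firewall
    segment: str                               # network segment the device sits on
    mgmt_protocol: str                         # ssh, https, telnet, http
    admin_password: str                        # "" means no admin password set
    console_password: Optional[str] = None     # None means no console password
    owner_team: str = ""                       # the silo that manages it


def reused_passwords(devices: List[Device]) -> Set[str]:
    """Return admin passwords that appear on more than one device."""
    counts = Counter(d.admin_password for d in devices if d.admin_password)
    return {pw for pw, n in counts.items() if n > 1}


def device_findings(dev: Device, reused: Set[str]) -> List[str]:
    """List the weaknesses of a single device, given the fleet-wide reuse set."""
    findings = []
    if dev.mgmt_protocol in CLEARTEXT_MGMT:
        findings.append(f"management over cleartext {dev.mgmt_protocol}")
    if dev.admin_password == "":
        findings.append("no admin password")
    elif dev.admin_password in WEAK_PASSWORDS:
        findings.append("weak admin password")
    if dev.kind in NETWORK_GEAR and not dev.console_password:
        findings.append("no console password")
    if dev.admin_password and dev.admin_password in reused:
        findings.append("admin password shared with other devices")
    return findings


def audit(devices: List[Device]) -> Dict[str, dict]:
    """Group findings by segment and record the weakest device in each.

    Password reuse is only visible when all silos are audited together,
    which is why it is computed over the whole inventory first.
    """
    reused = reused_passwords(devices)
    report: Dict[str, dict] = {}
    for dev in devices:
        findings = device_findings(dev, reused)
        seg = report.setdefault(dev.segment, {"devices": {}, "weakest": None})
        seg["devices"][dev.name] = findings
        current = seg["weakest"]
        if current is None or len(findings) > len(seg["devices"][current]):
            seg["weakest"] = dev.name
    return report


# Constructed sample inventory: a well-secured server that shares a segment
# with a router managed the way the post describes, plus core gear that
# reuses one password across two teams' devices.
INVENTORY = [
    Device("app-srv-01", "server", "dmz", "ssh", "Xq7#longRandomPass!", owner_team="server"),
    Device("edge-rtr-01", "router", "dmz", "telnet", "cisco", None, owner_team="network"),
    Device("core-sw-01", "switch", "core", "ssh", "S3cureSw!tch", "c0ns0le", owner_team="network"),
    Device("fw-01", "firewall", "core", "https", "S3cureSw!tch", "c0ns0le", owner_team="firewall"),
]


if __name__ == "__main__":
    for segment, data in audit(INVENTORY).items():
        print(f"segment {segment}: weakest link is {data['weakest']}")
        for name, findings in data["devices"].items():
            print(f"  {name}: {findings or ['no findings']}")
```

Run as-is it reports the DMZ's weakest link as the router, not the hardened server next to it, and flags the shared password on the switch and firewall that neither owning team would notice auditing only its own gear.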