Trident Blog

An informative blog, where Trident Computer Services staff write about the technology that excites them, innovative solutions they have come across, and the ways they are helping people innovate!

Rethinking IT Security

Nathan Burgess - Sunday, July 17, 2016

For many years companies have been focused on the security required to protect their IT investment and their data. Companies have installed firewalls and anti-virus solutions, and many would be quite confident that they have a good level of security in place. Unfortunately, today’s threat landscape has changed so rapidly and is now so broad that just having a firewall is no longer enough.

Rajitha Udayanga, Security Engineer

To gain a better insight into IT security and the threats posed to a company today, I spoke to Rajitha Udayanga, Security Engineer within the Trident Computer Services group. Rajitha is a Certified Information Systems Security Professional with over 13 years of experience in IT, Network and Data Security. He specialises in a wide range of IT security areas, such as Data Network Security Implementation, Data Network Design and Implementation, Information Security Audits, Information Security Management, Risk Management, Cyber Security Incident Management and Response, and IT Forensics.

Rajitha said, “It is extremely difficult to achieve 100% security; you can get close, but you need layered security to achieve anything close to it.

Many organisations forget that people will always be a factor. IT Security professionals have a saying, ‘There is no security, without U’, and it’s very true. Technical controls are only one aspect of your security; most organisations forget that human resource security is just as important.

“True IT Security is a collective effort between people and technology, that way we can reduce risk. But understand, it is extremely difficult to remove risk completely. You can certainly reduce it to acceptable levels, but you cannot remove it completely. Take, for example, the recent successful hacking of the FBI and NASA. They have multi-layered security controls yet were still able to be compromised.”

"There is no security, without U"

Why have things changed so much?

When asked why things have changed so much, Rajitha told me, “People think that hackers are the only people who will pose a risk to their organisation, but the Threat Landscape is so different now that hackers are such a small part. With the prevalence of state-supported groups, cyber terrorists, insider attacks, and now ransomware, external hacking is only a small part of the risk.

Across all industries, we are now seeing attacks from within an organisation being more prevalent than ones from outside. Recent statistics show that the internal security risk is more prevalent, not because of malicious intent, but because companies now allow staff to bring their own device to work (BYOD). While BYOD can reduce device cost, and empower employees to choose a device that suits the way they work, these devices are more difficult to secure and open up an organisation to internal threats. It’s hard to say to an employee that ‘just because we trust you, doesn’t mean we trust your device,’ but it’s never been more true! Any infection their BYOD has creates the potential to compromise your organisation’s IT security.”

"Just because we trust you, doesn’t mean we trust your device"

We're not in finance, so what do we have of value?

Having worked in the education and corporate sectors for many years, I’ve heard many colleagues say that as their School or Company is small, or that since they aren’t dealing in finance etc., that they won’t be a target, but Rajitha’s perspective on that was quite different. “While banks and financial institutions have a lot to lose financially, people tend to forget how much Personal Identifiable Information (PII) smaller organisations hold and just how valuable that is! Think of all the PII a school holds on its staff, present and past students, parents and community!

We are seeing examples in the United States where health care providers are being hit with ransomware and crypto-lockers, and if you look at who suffers the consequences of a breach like this, it’s not just the organisation, but potentially everyone connected to that organisation. Recent incidents highlight that security leaks can happen and can damage the reputation and security of an organisation. Security breaches aren’t necessarily about breaking a system or bringing down a network these days, it’s more about gaining information or opening a door to your information as it is the most valuable asset you have!”

Words of Wisdom!

When asked to give me his most important ‘words of wisdom’ about IT Security, Raj told me he had two:

“You have to remember that the security professionals are playing catch-up, always working on the new holes as they arise. Hackers are on their own timelines, exploring new potentials – they have plenty of time to come up with new threats, and many hackers caught by the law are under 20. They are students!”

And

“Every organisation needs a Security Audit or Vulnerability Assessment and Penetration Test to evaluate their risk. While it may show you holes you didn’t know about, or highlight things you have missed, that information is vital to improving your security controls. If you are never tested, how are you to actually know?”


Details on Rajitha Udayanga

Rajitha has recently joined the Trident Computer Services group, bringing over 13 years of experience in IT, Network and Data Security to the organisation. Rajitha has a strong technical background in Network, Systems Integration and Network Security and is constantly working to improve performance and outcomes for his clients.
He has worked across various industry sectors (e.g., banking, financial services, service providing, telecommunication and education) with large organisations designing, implementing and reviewing security solutions as well as security and risk management frameworks.
Rajitha specialises in:

  • Data Network Security Implementation
  • Data Network Design and Implementation
  • Information Security Audits
  • Business Continuity Planning and Audits
  • Information Security Management
  • Risk Management
  • Compliance
  • Cyber Security Incident Management and Response
  • IT Forensics

He holds certifications in:

  • CISSP (ID # 317851)
  • C|EH (ID # ECC48949222183)
  • ISO 22301:2012 Lead Auditor (ID #BSI9912901)
  • ISO 27001:2013 Lead Implementer (ID # BSI9912912)

Nathan Burgess

Lead Marketing Innovator
Trident Computer Services
e: nburgess@trident.com.au
