Security Assessment From the Outside-In

Posted on by David Wallace

Outside-In security starts with realizing that your company or organization doesn't have all the answers. The Internet is a big place, and the World Wide Web is just one part of it. Connected mobile devices and appliances are expanding their reach every day, and with it, the complexity of a security assessment.

Importance of Security Assessments

Your people rely on personal devices and professional networks, which complicates any effort to protect your company or customers. And the trails of browser histories and email or message exchanges tell you that access controls and passwords only solve a limited set of problems.

Consumer credit and account thefts at Target Corp. in the winter of 2013 displayed Outside-In weaknesses and provided a good reason for companies to dive more deeply into deterring innovative data thieves. It is now a good time to go back to basics and ask some questions about protecting your good name and critical data. Looking at your security assessment process from an outsider's perspective is a fresh way to spot potential gaps.

The Three W's

First, have a look at "What" your content looks like from the Internet's side. Start by looking at search tools you don't normally use (say, a blog search engine, or duckduckgo.com for fresh results from a site that doesn't track users). Go deep—look at page 8, 9, or beyond of the search results to find obscure hits.

Automated online "spiders" are always crawling public websites to check for updates. You should do the same kind of checkup as part of a security assessment. Is your content appearing on unauthorized sites? Stolen comments, photos, and other details can be used to boost search results for OTHER sites. And they can misuse your name or hurt your company reputation if they don't accurately reflect the way the words, pictures, or videos were originally intended. Another way to check your trail is to use a new computer, or one with a freshly wiped hard drive and browser. You might find unusual cookies that track your history.

"Where" can be a powerful form of identification. Cloudlock, of Waltham, MA, is using geofencing—identifying IP addresses or locations where clients have no business—and blocking access from those sites. Even cloud-based data in Google Apps or Salesforce can be protected from intruders who try logging in from the wrong places.

"When" is another test: is a person's access limited to the times you would expect? Servers track how often a user logs in and how long sessions last, and those records can be tested for suspicious activity.
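The "Where" and "When" tests above, as an added example that is not part of the original post: it reads constructed JSON login records, flags logins from countries outside an allowed list, logins outside business hours, unusually long sessions, and an unusually high daily login count per user. The allowed countries, business hours and thresholds are assumed policy values, and the country field is assumed to have been resolved from the IP address upstream.

```python
import json
from datetime import datetime, timezone

# Policy values below are assumptions for this example, not from the original post.
ALLOWED_COUNTRIES = {"US", "CA"}   # "Where": countries where clients have business
BUSINESS_HOURS = range(7, 20)      # "When": 07:00-19:59 UTC is expected
MAX_SESSION_SECONDS = 8 * 3600     # a session longer than a workday is odd
MAX_LOGINS_PER_DAY = 10            # more daily logins than this looks automated

# Constructed sample log lines; "country" is assumed to be resolved upstream by geo-IP.
SAMPLE_EVENTS = [
    '{"user":"alice","ts":"2013-12-16T14:05:00Z","country":"US","session_seconds":1800}',
    '{"user":"alice","ts":"2013-12-16T03:12:00Z","country":"RU","session_seconds":600}',
    '{"user":"bob","ts":"2013-12-16T09:00:00Z","country":"CA","session_seconds":40000}',
] + ['{"user":"carol","ts":"2013-12-16T10:%02d:00Z","country":"US","session_seconds":5}' % m
     for m in range(12)]


def check_event(event):
    """Apply the "Where" and "When" tests to one login event; return the reasons it looks off."""
    reasons = []
    hour = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).astimezone(timezone.utc).hour
    if event["country"] not in ALLOWED_COUNTRIES:
        reasons.append("where: login from %s" % event["country"])
    if hour not in BUSINESS_HOURS:
        reasons.append("when: login at %02d:00 UTC" % hour)
    if event["session_seconds"] > MAX_SESSION_SECONDS:
        reasons.append("when: session lasted %ds" % event["session_seconds"])
    return reasons


def review_logins(lines):
    """Run check_event over JSON log lines, then add a per-user daily login-count test.
    Returns {user: [reason, ...]} for every user with at least one finding."""
    findings, per_day = {}, {}
    for line in lines:
        event = json.loads(line)
        user, day = event["user"], event["ts"][:10]
        for reason in check_event(event):
            findings.setdefault(user, []).append(reason)
        per_day[(user, day)] = per_day.get((user, day), 0) + 1
    for (user, day), count in per_day.items():
        if count > MAX_LOGINS_PER_DAY:
            findings.setdefault(user, []).append("when: %d logins on %s" % (count, day))
    return findings
```

Calling `review_logins(SAMPLE_EVENTS)` reports alice's night-time login from an unexpected country, bob's day-long session, and carol's twelve logins in one day, while the ordinary daytime login passes silently.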

Customers live outside a corporate firewall but are doing increasing amounts of self-service, so it's important to view your security from their point-of-view. Mobile devices, multiple user profiles and social data streams only complicate things.

JP Rangaswami, chief scientist at, talked about moving IT decisions to where customers and partners engage during a CXOTalk in December 2013. "People now live in the (data) feed, and that's how the customer of today wants to engage with information," he says. He also predicted that within five years, memorized passwords will be obsolete.

What Can Organizations Do?

Mark Orlando of Foreground Security in Washington, DC, has worked with federal agencies and private companies. He recently shared an example of real-time assessment at RSA Conference

Tradeoffs are constantly being made as people decide between access, security, bandwidth, and the convenience of their mobile-first—or social network-driven—connections. The corporate IT department has to put itself in the place of those remote users during a security assessment. Hits from remote sites, at peculiar times, or from suspicious users can be a tip-off to what comes next.

These days, you can monitor your home's security in real-time using Web-based cameras and sensors. Why not take a real-time view of network and data security?
