Whether you require a software vendor to validate the inputs to the programs you purchase, or require any vendor to deliver a product or service as agreed, if it is something you must have, especially for security, put it in a binding contract.
Carry liability insurance in case the vendor does not deliver. Require the vendor to carry insurance in case they fail to do what they say they will. Ensure the contract stipulates that the vendor must test that they did what they said they would.
"In the case of the software inputs, there's testing called fuzzing that is very inexpensive," says Cohen. Use an independent testing lab for the testing. Require the lab to certify the test. Make sure the testing company has insurance.
#5. Architecting security is cheaper than designing, implementing, or coding it
Many enterprises have flat networks. "They have firewalls, but inside the firewall they have a bunch of compute and that's it," says Cohen; "it's a hard shell with a gooey center." Hackers use phishing and other attacks to get beyond the firewall and into the gooey center.
"If you architect your network, partitioning it into zones and micro zones, you can differentiate how you protect servers from how you protect workstations," says Cohen. You can have a network that will operate properly even though parts of it are failing due to attack. Then even an attack that is successful is only partially successful.
#6. Defend using deception
"Deception technologies change the leverage between the attacker and the defender so that it is easy for the defender and hard for the attacker," says Cohen; "deception is relatively easy to do."
Hackers search for vulnerabilities across your protocol space, address space, and services. With deception, an IP address where you don't run a web server instead presents a decoy that looks like a web server to hackers.
They hit that decoy and try to break into it. After the same user has tried that 50 or so times, a network device that is watching ensures that user gets a deception every time from then on. There are other types of deception as well.
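A minimal model of the deception policy described above, as an added example that is not from the article or any vendor product: addresses and ports with no real service answer as decoys, and a source that keeps probing decoys is pinned so that all of its later traffic, even to real servers, lands on a decoy. The real-service table, the 10.0.x.x addresses and the 50-hit threshold are assumed for illustration.

```python
"""Model of a watching network device that pins persistent probers to decoys.
Added example; the service map and addresses below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed real services on (ip, port); anything else in the monitored
# range is a decoy that answers like a web server.
REAL_SERVICES = {("10.0.1.10", 443), ("10.0.1.11", 22)}
PIN_THRESHOLD = 50  # "after the first 50 or so times" a source hits decoys


@dataclass
class DeceptionRouter:
    decoy_hits: dict = field(default_factory=lambda: defaultdict(int))
    pinned: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def route(self, src: str, dst_ip: str, dst_port: int) -> str:
        """Decide where one connection attempt goes: 'real' or 'decoy'."""
        if src in self.pinned:
            return "decoy"  # pinned sources never reach real assets again
        if (dst_ip, dst_port) in REAL_SERVICES:
            return "real"  # legitimate destination, no decoy hit recorded
        self.decoy_hits[src] += 1  # probe of an address/port nobody serves
        if self.decoy_hits[src] >= PIN_THRESHOLD:
            self.pinned.add(src)
            self.alerts.append(
                f"{src} pinned to deception after {PIN_THRESHOLD} decoy hits")
        return "decoy"


def replay(router: DeceptionRouter, attempts) -> list:
    """Feed (src, dst_ip, dst_port) tuples in order; return each decision."""
    return [router.route(*a) for a in attempts]


def demo():
    """Constructed sample: one legitimate client, one source sweeping the /24."""
    router = DeceptionRouter()
    legit = [("10.0.5.7", "10.0.1.10", 443)] * 3
    sweep = [("10.0.9.99", f"10.0.1.{h}", 80) for h in range(1, 61)]
    after = [("10.0.9.99", "10.0.1.10", 443)]  # now tries the real server
    return router, replay(router, legit + sweep + after)


if __name__ == "__main__":
    r, decisions = demo()
    print(decisions[:3], decisions[-1], r.alerts)
```

In a real deployment the pin would expire or be reviewed rather than lasting forever, and the alert list is what an analyst would see.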
#7. Don't use security that turns users against you
This is about the workload placed on the user, sometimes called security load. Security keeps increasing the demands on users to interact with security measures, and the user has to make increasingly complicated decisions. "The security load causes the users to make bad decisions," says Cohen.
Pop-ups are a good example. "It says, 'you're doing something that might be dangerous, do you want to proceed?'" The user doesn't know which choice is more secure. They do know that if they say "no" they can't proceed, and so they can't get their work done. Security that puts these kinds of decisions in the hands of the user does more harm than good.