Cybersecurity Responsibilities for SMBs

Cybersecurity is a topic that many small and most medium-sized businesses care about due to all of the news stories about data breaches, identity theft, and ransomware that have appeared in the last several years.  Some small and medium-sized businesses have realized that having a strong cybersecurity program can be a strategic asset for their particular market niche.  It can be a way of attracting additional customers or a powerful way to distinguish the company from its competitors.

Unfortunately, few small and medium-sized businesses take that attitude toward cybersecurity.  Too many companies still view cybersecurity as a distraction that diverts resources from other important priorities, and they do only the minimum that regulators, or their customers, demand.

Many small and medium-sized businesses with an Internet presence must comply with not only state and federal laws and regulations, but also European Union laws and regulations, or even other national laws.

The most common cybersecurity responsibilities of small and medium-sized businesses include:

  • Protecting customers’ personally identifiable information in accordance with state and national laws
  • Protecting customers’ credit card information in conformance with the Payment Card Industry Data Security Standard (PCI-DSS) as well as state and national laws
  • Protecting customers’ protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act
  • Conformance with the European Union’s General Data Protection Regulation (GDPR)
  • Conformance with any industry-specific laws and regulations

Treating compliance as a check box rather than as a culture or a strategic asset rarely results in a good cybersecurity program, as Sony demonstrated in 2015.

There are a number of security frameworks that companies can use to help them meet their responsibilities.  PCI-DSS is very prescriptive in some areas, while most regulations and laws place more responsibility on each company to decide for itself how to maintain a secure environment.

Whichever path to cybersecurity a business takes, there are some common areas that should be addressed.  These include:

  • Day-to-day IT operational practices, including applying security updates, managing systems, managing network traffic, encrypting sensitive data, logging, monitoring, and ensuring technical IT controls are in place and up to date
  • Risk management, to ensure that the company is prioritizing risk remediation and tracking the risks over time
  • Compliance and due diligence, which includes ensuring that relevant laws and regulations are being followed, providing information to customers that are performing due diligence, and performing due diligence to ensure the company’s vendors and suppliers are meeting their security obligations
  • Security awareness training for all employees

How these tasks are organized, and who in a company is responsible for each task, can vary widely.  For example, in some companies all of these areas may fall under Information Technology.  In other organizations they may be split between IT and Finance.  In still others the responsibilities may be split between Finance, Legal, and IT.  Some organizations have a dedicated Chief Security Officer and a separate Chief Information Officer.  In organizations dealing with protected health records, it is not uncommon to see separate Security Officers and Privacy Officers.  And of course, in very small businesses a single person may be wearing all of the hats, which makes segregation of duties a very difficult goal to achieve.

In the most secure organizations, cybersecurity is part of the culture. Every executive, manager, and supervisor understands its importance, is engaged in securing the environment, and understands the risk that an insecure environment poses to the future of the company.

Cybersecurity by Segregation

With recent news of Singapore disconnecting its government networks from internet access, and now requiring civil servants to use separate computers, I was asked to comment on the security issues this cybersecurity segregation will cause.

Deciding to disconnect from the Internet is clearly a difficult decision and more than likely a reaction to a painful situation.  Nobody makes that kind of decision expecting to be applauded for it.  It is not without precedent, however.  In North Korea, all websites are under government control.  In Cuba, the only access points to the Internet are at government-controlled facilities.  China blocks sites and actively filters content.  If you haven’t looked into this, you are likely to be shocked by how common it actually is; the Wikipedia page on the topic, https://en.wikipedia.org/wiki/Internet_censorship, gives a survey.  The approaches in use include IP address blocking, domain name redirection, and the modification or removal of content and search results.

As draconian as all of this may seem, it is not uncommon to restrict access, it’s usually just a question of degree. For example, many companies deploy technologies that block access to certain sites from within the corporate network environment. Some ISPs, whether you are aware of this or not, block access to well-known malware sites to reduce the amount of time they have to spend helping their customers recover from infections.

Short of not connecting to the Internet at all, there is no way to be completely safe from the viruses, Trojan horses and other malware it carries.  Everybody knows this, which is why the companies that provide the software you use to traverse the Internet, such as the major browsers, build in functionality to help you do so as safely as possible.

A future ‘hot target’ for attackers: How construction companies can improve cybersecurity

by Kim Slowey, Construction DIVE, August 11, 2016

Construction companies are infamous for their reluctance to adopt the latest technologies. Most of the largest companies have made the leap, but for small and mid-sized firms, the process continues inch by inch.

However, as contractors join the digital age and begin to reap the benefits of becoming more connected with fellow employees and the outside world via computers, laptops, tablets and smartphones, they also risk opening their systems up to cyber attacks.

“It’s a tradeoff for connectivity,” said attorney Michelle Schaap of Chiesa Shahinian & Giantomasi in New Jersey. It’s the good and the bad sides, she said, of the belief that people need to be connected on demand.

These assaults on a company’s computer systems and network happen for a variety of reasons — industrial espionage, access to client or employee information or just plain theft. So why are so many construction companies behind the curve when it comes to implementation of policies and procedures that would eliminate, or at least greatly reduce, the chances of a security breach? And what can they do to reduce their chances of suffering an attack in the future?

Why cyber attackers’ focus on construction will ‘increase significantly’

As it turns out, contractors aren’t the only ones lacking in this arena. “It is endemic to a number of industries,” Schaap said. With the exception of the financial and healthcare sectors, “many industries still have their heads in the sand,” she said.

Those orchestrating attacks know this fact as well. They’re also aware that construction can be a lucrative, high-cash-flow business, which makes it all the more appealing to criminals, according to Percipient Networks CTO Todd O’Boyle. Small and mid-sized businesses tend to be prime targets “because many don’t believe it will happen to them,” he said.

Also, according to Jonathan Gossels, president and CEO of SystemExperts, construction companies aren’t typically focused on cybersecurity. They tend to be more focused on the task at hand, which is completing their construction projects within budget and on schedule, he said. Even the smallest companies are a target, though, according to CyberArk CMO John Worrall. “Everybody is a target for attacks because everyone has something of value,” he said.

Why a focus on employees is the key to stronger security

The key to all of this, of course, is getting the message to employees that they have to follow the rules regarding personal use of connected company devices. Even though many people are familiar with how to avoid potentially dangerous emails, there are still those who don’t realize the damage they can cause by clicking on just one link. Education is incredibly effective at reducing the chances of a successful cyber attack. “Make it part of standard safety training,” O’Boyle said.

Of course, Gossels said, contractors should have a clear policy about acceptable employee use, which would include a prohibition on visiting “shady sites.” Nothing good ever comes from visiting gambling or pornography sites, particularly on a company device, he said. Even the best laid plans, however, aren’t completely foolproof.

To read the full article on how construction companies can improve cybersecurity, click here.

IoT Hidden Security Risks

While the security of IoT devices is a growing area of concern for the enterprise, the biggest IoT risk for businesses is reacting to IoT issues rather than planning and preparing for them. Everybody knows that the earlier in a cycle you deal with a problem, the less expensive it is. The IoT at its core is about sharing data. Some of that data may be benign, but in all likelihood some of it will be sensitive, private or confidential, and if that data is exposed in unintended ways you may find yourself squarely in the middle of an intellectual property loss or compromise.

When WiFi first started making its way into the marketplace, many organizations were ill prepared to understand the risks associated with laptops that literally travel around the world and communicate with networks you have no control over. All of a sudden, you had to think about all of the “What if?” scenarios of where those systems, and the data on them, might be.

The question of which devices may cause the biggest problems depends on the industry you’re talking about. The data you care to protect is different for healthcare, manufacturing, automotive, travel, agriculture, warehousing or telecommunications.

Regardless of the industry, however, there are common issues that will create potential problems, and some of the important ones are as follows:

  • Ensuring that data collected and transmitted by IoT devices is secure in transit and at rest
  • More IoT devices means more opportunities for breaches and hacking
  • Many IoT devices are likely to be very small and portable, making them more difficult to trace, monitor or even find

The Brave New World Of Cloud Application Security

by Teresa Meek, Workday Contributor, Forbes, August 3, 2016

As businesses continue their flight to the cloud, their concerns about security are changing. The cloud can offer companies better security than their own data centers — but only if they understand how to manage the responsibilities that come with it.

What Smaller Businesses Can’t Do

For years, security concerns kept companies from migrating their data to the cloud, said Seth Robinson, director of technology analysis at CompTIA, the IT association. But that’s changing as businesses learn that cloud application security isn’t inferior to on-site firewalls — it’s just different.

When it comes to the physical environment, for small and mid-sized businesses, the cloud often provides better security than an on-premise data center, said Paul Hill, a senior security consultant with SystemExperts, an IT compliance and security firm.

Cloud-provider data centers have elaborate physical security systems that few small businesses can match. Security guards monitor everyone who enters, checking IDs and allowing only one person through the door at a time. They monitor the data center with closed-circuit TV and have backup generators, uninterruptible power supplies, and redundant heating and air conditioning.

“A very large company like JPMorgan Chase can afford to build data centers that meet these requirements on their own. But for a small to mid-sized business, implementing these controls would be extremely expensive,” Hill said. Even large companies often turn to cloud providers to avoid the headaches of managing an elaborately secured data center.

Risk Management In The Cloud

As company data moves out of the office and onto myriad devices, companies need to think about secure access in new ways. Everything and everyone — employees, servers, APIs, applications and data — must be given an identity and access level, which must be carefully managed.

Security concerns extend beyond the walls of the data center to the data itself — and that’s where companies sometimes get confused, both Robinson and Hill said. The company remains responsible for the data and how it’s used. The vendor is responsible for managing the security around that data and the overall application.

Though providers aren’t required to perform security audits, many do them to satisfy their customers and ensure transparency. Companies can also do penetration testing and vulnerability scanning of the cloud provider, or have a third party do it for them.

Also — critical in an age of sophisticated hackers — companies should monitor logging activity for their web applications. Cloud providers often offer this as a function of their applications, but not all customers realize its importance, or even that it’s available. It is important to understand what type of monitoring is available and ensure that it is running. “I’ve gone to companies who were paying for it but were never told to turn it on,” Hill said.

Companies should also ask their cloud provider about data loss prevention, Robinson said. This important feature classifies and tags data so that it can be monitored for suspicious activity as it moves across the enterprise and externally to third parties.

Different types of information require different levels of scrutiny. Information about a company and its services doesn’t require the same protection that customer identity or financial data does. The cloud application should be able to easily adjust to the level of protection customers require.

“You can scan emails for character strings that look like Social Security numbers or credit card numbers, and flag it if it’s about to leave,” Robinson said. If a transmission looks inappropriate, it can be identified and addressed before the data is compromised.

Making Your Apps Modular

An additional layer of cloud security is provided by application developers who are building their products with stronger architecture elements than they did in the past, Robinson said.

“If you have a single monolithic application, any attack on that piece of code can take the whole thing down. Modern technology makes the app more modular, sectioning off different pieces and treating each one with security so that if one piece goes down, the whole system doesn’t have to go down.”

The Cloud’s Better, But Preparation Is Critical

Even with today’s sophisticated technology, data breaches remain the No. 1 threat to cloud security, according to the Cloud Security Alliance. They’re often the result of poor authentication standards or weak passwords, which in many cases are the responsibility of the company, rather than the cloud provider.

Companies using the cloud should have a cloud security policy and train employees in best practices to avoid phishing and other attacks. It may seem like an obvious move, but too many businesses are missing the boat — and putting their data at risk. According to a Cloud Security Alliance report, 25.5 percent of respondents said they didn’t have a cloud security policy. Another 6.4 percent didn’t know whether they had one or not.

Cloud applications can offer security equal to or better than an on-site data center. But to achieve it, companies must take responsibility for their own data. That means working closely with the cloud vendor to ensure that adequate protections are in place for company data and any applications that can interact with it.

Reducing the Risks of Shadow IT

I was recently asked to comment on what businesses can do to reduce the security risks of Shadow IT. To read the full article, click here; if you just want to read my comments, see below.

Plain talk: shadow IT exists when corporate IT is failing in a fundamental way.

We’ve seen currency traders set up their own development shops because corporate development was perceived to be too slow or bureaucratic.

We’ve seen Wall Street traders set up their own wireless access points so they could keep an eye on things when they were at the pub across the street for lunch.

No department or line of business wants to set up its own IT infrastructure and bear that budget burden; they only do so because they feel that they have no choice if they are to be successful in the tasks they are measured and compensated on.

It is like finding mouse droppings. If you see shadow IT, it is a clear indication that there is an unmet business need. Organizations need to investigate those unmet requirements and provide the appropriate IT services in a timely, secure, and policy compliant manner.

6 ways to reduce Shadow IT security risks

by Joe Stangarone, writer, MRC’s Cup of Joe Blog, July 19, 2016

Summary: A rapidly growing trend, “Shadow IT” is the use of unapproved IT systems and solutions within organizations. End users are increasingly bypassing IT in favor of third party solutions and services. In this article, we explore the security risks of Shadow IT, and a few ways to reduce these risks.

Like it or not, Shadow IT is probably alive and well in your organization. It exists in most companies, but the majority of CIOs and IT leaders underestimate its reach.

How bad is it? According to one report, the use of Shadow IT is 15-20 times higher than CIOs predict.

Why is this such a problem? If uncontrolled, Shadow IT will open your business up to a number of security risks, such as:

  • Data privacy risks: When employees purchase and use third-party software without IT’s knowledge, they could put sensitive data at risk. How can IT secure the data if they don’t know it exists? How can IT ensure that the employee’s software is secure if they don’t know what it is? They can’t.
  • Compliance risks: For many companies, regulatory compliance is critical. The problem is, Shadow IT can lead directly to compliance violations. Without knowledge of user’s activity, the IT department can’t ensure compliance. For regulated businesses, this can lead to data loss, fines, and significant vulnerabilities.
  • Enterprise security risks: Users have notoriously bad password habits. Chances are, if an attacker gains an employee’s login credentials for one site, they can use the same information to gain access to another. If the employee uses the same password for enterprise application access, they’ve just given an attacker the keys to your business data.

The question is, how can you protect your business from these risks? Today, let’s explore that topic. Here are 6 ways to reduce Shadow IT security risks.

1. Discover where Shadow IT is hiding

The first step to reducing the risks of Shadow IT: Understand the extent of the problem. You can do this in a couple of different ways.

First, survey your employees. Ask them what software and services they use regularly. You’d be surprised how many unauthorized tools you’ll uncover, simply because the employees don’t realize they’re practicing Shadow IT.

Second, track network traffic. As explained below, the use of scanning techniques will help you identify unauthorized software and systems that are using your network.
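One way to do the second kind of discovery, as an added example that is not part of the original article: summarize web proxy logs by destination host, drop the hosts you have sanctioned, and rank what is left by how many distinct users touch it. The log lines below are constructed in a simple space-separated layout of my own (timestamp, user, method, URL, status, bytes); a real proxy’s log format will differ and the parser would need adjusting. The sanctioned-service list is also assumed.

```python
"""Find unsanctioned cloud services in web proxy logs.

Added example, not part of the original article. The log layout
(timestamp, user, method, URL, status, bytes) and the sanctioned list are
assumptions made for this illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not from any real proxy).
SAMPLE_LOG = """\
2016-07-19T09:01:12Z alice CONNECT https://mail.corp.example:443/ 200 48213
2016-07-19T09:02:40Z alice POST https://files.sharebox.example/upload 200 9120044
2016-07-19T09:03:05Z bob CONNECT https://files.sharebox.example:443/ 200 221000
2016-07-19T09:04:51Z carol GET https://www.example.org/news 200 34000
2016-07-19T09:06:17Z dave POST https://api.quicknotes.example/v1/sync 200 5120
2016-07-19T09:07:44Z bob GET https://crm.corp.example/ 200 8000
2016-07-19T09:08:02Z erin POST https://files.sharebox.example/upload 200 40411120
"""

# Constructed: services IT has approved and already secures.
SANCTIONED = {"mail.corp.example", "crm.corp.example"}


def parse_line(line):
    """Split one log line into a record, or return None if it is malformed."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, user, method, url, status, nbytes = fields
    host = urlsplit(url).hostname  # strips scheme, port and path
    if not host:
        return None
    return {"ts": ts, "user": user, "method": method, "host": host,
            "status": int(status), "bytes": int(nbytes)}


def summarize_unsanctioned(log_text, sanctioned, min_users=1):
    """Aggregate traffic to hosts outside the sanctioned set.

    Returns (host, distinct_users, bytes, requests) tuples, ranked by how
    many different people use the service, then by volume.
    """
    stats = defaultdict(lambda: {"users": set(), "bytes": 0, "requests": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] in sanctioned:
            continue
        entry = stats[rec["host"]]
        entry["users"].add(rec["user"])
        entry["bytes"] += rec["bytes"]
        entry["requests"] += 1
    rows = [(host, len(s["users"]), s["bytes"], s["requests"])
            for host, s in stats.items() if len(s["users"]) >= min_users]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


if __name__ == "__main__":
    for host, users, nbytes, reqs in summarize_unsanctioned(SAMPLE_LOG, SANCTIONED):
        print(f"{host:28} users={users} requests={reqs} bytes={nbytes}")
```

Ranking by distinct users rather than by request count separates a service a whole team has quietly adopted from one person’s browsing; the byte column shows where company data is actually going. Run against the constructed log, the file-sharing host comes out on top with three users and roughly 50 MB uploaded, while the two single-user hosts trail it.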

2. Identify the unmet need

Once you’ve identified unauthorized software and systems, you must punish those who are using them…right?

No.

Let me explain. Shadow IT is not the problem. It’s a symptom of a larger problem: Employees aren’t getting the solutions they need from the business. If you try to eliminate Shadow IT without addressing this problem, you’ll only perpetuate the issue. If you want to reduce Shadow IT security risks, you must address the real problem head on.

“Shadow IT exists when corporate IT is failing in a fundamental way,” says Jonathan Gossels, President, SystemExperts Corporation. “We’ve seen currency traders set up their own development shops because corporate development was perceived to be too slow or bureaucratic. We’ve seen Wall Street traders set up their own wireless access points so they could keep an eye on things when they were at the pub across the street for lunch.

No department or line of business wants to set up its own IT infrastructure and bear that budget burden – they only do so because they feel that they have no choice if they are to be successful in the tasks they are measured and compensated on.

It is like finding mouse droppings. If you see shadow IT, it is a clear indication that there is an unmet business need. Organizations need to investigate those unmet requirements and provide the appropriate IT services in a timely, secure, and policy compliant manner.”

3. Change the culture

Sadly, in many companies, IT has developed a “culture of no.” End users feel like IT only gets in the way. It seems like IT looks for reasons to deny requests rather than try to find solutions.

This “technology gatekeeper” mentality may have worked when IT was the only option, but that’s not the case anymore. Now, if IT is viewed as a barrier, end users find their own ways to accomplish their goals.

As explained below, changing this culture is a huge step towards controlling Shadow IT.

4. Give the users the tools they need

The best way to reduce security risks: Make Shadow IT completely unnecessary. As explained above, Shadow IT largely occurs because the business users aren’t getting the solutions they need from IT. If you successfully deliver these solutions, you eliminate the driving force behind the problem.

5. Educate the users

In most cases, employees aren’t practicing Shadow IT maliciously. They’re trying to solve a problem. Most don’t realize the security risks of their actions.

The problem is, many companies take a heavy-handed approach to Shadow IT. They create policies and restrictions, without telling the employees why it’s important. They take an “us-vs-them” mentality.

If you truly want to reduce security risks, educate your users. Make sure your employees understand the risks involved, and why unauthorized tools and software must be avoided. Then, show them how to solve their problems securely, using approved tools and methods.

To read the full article click here.

 

DNS: How it Works and Best Practices to Defend Against DNS-based Threats

The Domain Name System (DNS) is a central element in the addressing and routing of all communication over the Internet. Many enterprise IT security professionals do not know how DNS works, or how attackers might use it to compromise their data. Following is a discussion of recent attacks and exploits that use DNS and some best practices for defending against DNS-based threats.

The Domain Name System is known to be insecure. For many years the IETF has worked to address this, and it has published DNSSEC (RFCs 4033, 4034, and 4035). DNSSEC provides DNS clients (resolvers) with origin authentication of DNS data, authenticated denial of existence, and data integrity. It does not address availability or confidentiality. Unfortunately, DNSSEC is still not widely deployed.

In the meantime, new vulnerabilities and exploits of various DNS implementations continue to be discovered. A quick search of the National Vulnerability Database (NVD) on the term DNS returns 434 matching records. So far in 2016, 17 new DNS-related vulnerabilities have been published in the NVD, with CVSS scores ranging from a low of 4.3 to a high of 9.8.

Some of the most recently published vulnerabilities apply to a narrow range of products, such as “CloudBees Jenkins prior to version 2.3”, while others apply to a broad range of products.

In February 2016, a flaw was disclosed in the GNU C Library (glibc), whose DNS resolver is used on nearly all Linux machines, including many embedded devices that run Linux. The bug is a stack-based buffer overflow in the getaddrinfo() function and was published in the NVD as CVE-2015-7547. It also affected products such as Oracle’s Exalogic and a variety of products from Blue Coat (https://bto.bluecoat.com/security-advisory/sa114), as well as many others. The vulnerability can lead to either denial of service or remote execution of arbitrary code.

Different DNS vulnerabilities have different mitigations. For example, the mitigations recommended for CVE-2015-7547 include:

  • A firewall that drops UDP DNS packets > 512 bytes.
  • A local resolver (that drops non-compliant responses).
  • Avoid dual A and AAAA queries (avoids buffer management error) e.g. Do not use AF_UNSPEC.
  • No use of `options edns0` in /etc/resolv.conf since EDNS0 allows responses larger than 512 bytes and can lead to valid DNS responses that overflow.
  • No use of `RES_USE_EDNS0` or `RES_USE_DNSSEC` since they can both lead to valid large EDNS0-based DNS responses that can overflow.

However, some other recommendations that were effective against other DNS vulnerabilities were not effective for CVE-2015-7547, for example:

  • Setting `options single-request` does not change buffer management and does not prevent the exploit.
  • Setting `options single-request-reopen` does not change buffer management and does not prevent the exploit.
  • Disabling IPv6 does not disable AAAA queries. The use of AF_UNSPEC unconditionally enables the dual query.
  • The use of `sysctl -w net.ipv6.conf.all.disable_ipv6=1` will not protect your system from the exploit.
  • Blocking IPv6 at a local or intermediate resolver does not work to prevent the exploit. The exploit payload can be delivered in A or AAAA results, it is the parallel query that triggers the buffer management flaw.
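To make the two lists above checkable, here is a small audit script. It is an added example, not code from the original article or from the glibc project: it parses a constructed /etc/resolv.conf, flags `options edns0` as risky for CVE-2015-7547, reports `single-request` and `single-request-reopen` as present but ineffective, and implements the length test behind the “drop UDP DNS packets > 512 bytes” firewall rule against a constructed, well-formed A-record response. The resolv.conf text and the response are invented for illustration; RES_USE_EDNS0 and RES_USE_DNSSEC are set by applications in code and are not visible in the file, and none of this replaces applying the glibc update.

```python
"""Check resolver settings against the CVE-2015-7547 mitigation list above.

Added example, not code from the original article or from the glibc project.
The resolv.conf text and the DNS response are constructed for illustration.
"""
import struct

# Constructed sample /etc/resolv.conf (not taken from any real host).
SAMPLE_RESOLV_CONF = """\
# Generated by a hypothetical network manager
search corp.example
nameserver 10.0.0.53
nameserver 10.0.0.54
options edns0 single-request timeout:2
"""

# Options from the mitigation list and what they mean for this bug.
RISKY_OPTIONS = {
    "edns0": "permits responses larger than 512 bytes, which can overflow the buffer",
}
INEFFECTIVE_OPTIONS = {
    "single-request": "does not change buffer management; not a mitigation",
    "single-request-reopen": "does not change buffer management; not a mitigation",
}


def parse_resolv_options(text):
    """Return the option names from every 'options' line, values stripped."""
    options = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if not fields or fields[0] != "options":
            continue
        for token in fields[1:]:
            options.add(token.split(":", 1)[0])  # 'timeout:2' -> 'timeout'
    return options


def audit_resolv_conf(text):
    """Sort options into risky, ineffective (against this CVE) and other."""
    findings = {"risky": [], "ineffective": [], "other": []}
    for opt in sorted(parse_resolv_options(text)):
        if opt in RISKY_OPTIONS:
            findings["risky"].append((opt, RISKY_OPTIONS[opt]))
        elif opt in INEFFECTIVE_OPTIONS:
            findings["ineffective"].append((opt, INEFFECTIVE_OPTIONS[opt]))
        else:
            findings["other"].append(opt)
    return findings


def udp_response_exceeds_512(payload):
    """The condition behind 'drop UDP DNS packets > 512 bytes'.

    Only the length matters: the overflow is reached by large but otherwise
    valid responses, so a content filter alone would not catch it.
    """
    return len(payload) > 512


def encode_name(name):
    """Encode a dotted host name as DNS wire-format labels."""
    out = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return out + b"\x00"


def build_sample_response(answer_count, qname="www.example.com"):
    """Build a constructed, well-formed A-record response with answer_count RRs.

    Header 12 bytes, question 21 bytes for this name, 16 bytes per answer,
    so 30 answers give 513 bytes: just over the classic UDP limit.
    """
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, answer_count, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for i in range(answer_count):
        # Name is a pointer to offset 12 (the question name); type A, class IN,
        # TTL 300, RDLENGTH 4, then an address from the 192.0.2.0/24 documentation range.
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
        answers += bytes([192, 0, 2, (i % 254) + 1])
    return header + question + answers


if __name__ == "__main__":
    result = audit_resolv_conf(SAMPLE_RESOLV_CONF)
    for kind, items in result.items():
        print(kind, items)
    for n in (29, 30):
        pkt = build_sample_response(n)
        print(n, "answers ->", len(pkt), "bytes, drop:", udp_response_exceeds_512(pkt))
```

Run against the constructed file it lists edns0 under risky and single-request under ineffective, and shows that 29 answers fit in 497 bytes while 30 push the response to 513 bytes and over the limit. Because the overflow is triggered by large but valid responses, the size check is the point; inspecting content would not help.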

The primary defenses that companies must manage well are:

  1. Subscribe to services that will inform the IT staff when a security vulnerability for the company’s systems has been disclosed and when a new security update is available
  2. Apply security updates from your vendors in a timely manner
  3. When your vendors publish recommended mitigations to address a known vulnerability, test the recommendations and deploy them if possible

The recommendations above are not unique to DNS vulnerabilities.

The Dangers of Wireless Technology on the Road

How to Protect Your Data in Airports, Coffee Houses, and Hotels

In a recent interview, I was asked a series of questions about the dangers of wireless technology on the road. I’d like to share my responses here as to ways that travelers can protect their data when hooking up to “free” wireless technology in airports, coffee houses and hotels.

1) What is a sniffer?

A sniffer is most analogous to a phone wiretap.  However, a wiretap only listens to the phone line it is connected to, whereas a packet sniffer can listen to all communications on the network segment it is attached to.

2) Are sniffers ever used for legitimate network functions?

Yes.  Packet sniffers are commonly used to diagnose network problems, analyze traffic patterns, and even detect if a user is sending inappropriate data on the network.

3) Why are sniffers so difficult to detect?

Sniffers are designed to be “listen only” devices and are specifically built not to tamper with data as it traverses the network.  However, placing a sniffer on a wired network may require special hardware or device settings on the network switch.

4) Why is unsecured Wi-Fi — such as that found in coffee shops, airports and hotels — the least secure and vulnerable to sniffers?

On a wireless network, unlike a wired network, all local network traffic shares the same channel.  A rogue packet sniffer requires no special hardware and no changed settings on the wireless access point, and can capture all the data that is sent wirelessly.

5) How does this happen — in plain English?

The wireless network card in your laptop, tablet or phone will connect to a selected open wireless access point (WAP) based on four pieces of information supplied by the wireless access point: the Service Set Identifier (SSID), the Media Access Control (MAC) address, a wireless channel, and the transmission power.  It is trivial for an attacker to set their wireless network card to look the same as the coffee shop’s wireless access point.  If the attacker sets a transmit power slightly higher than the WAP’s, users will connect to the rogue device instead.  The attacker may then use a second wireless card to connect to the legitimate WAP in order to capture unsuspecting users’ data as it passes through their computer and out to the Internet.

6) Why does it happen?

The primary goal is identity theft or corporate espionage.  By capturing data as it goes across the network any attacker can passively look for unencrypted or under-encrypted data.  Even with an encrypted connection to a website an attacker who has forced all of your network traffic to go through their computer may be able to strip off or reduce the encryption without the user being aware.
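The attack in answers 5 and 6 leaves traces a traveler can look for in a Wi-Fi scan before connecting. The following is an added example, not part of the original interview: the scan rows are constructed, the field names (ssid, bssid, channel, signal_dbm) are my own rather than any tool’s output format, and the list of the venue’s legitimate BSSIDs is assumed. It shows which beacon a client would pick (the loudest one, which here is the clone) and flags two indicators: a known SSID from an unlisted BSSID, and one BSSID beaconing on two channels at once, which a single radio cannot do.

```python
"""Detect the rogue access point pattern described above in a Wi-Fi scan.

Added example, not part of the original interview. Scan rows, field names
and the venue's list of legitimate BSSIDs are all constructed assumptions.
"""
from collections import defaultdict

# Constructed scan of what a laptop might see in a coffee shop.
SAMPLE_SCAN = [
    {"ssid": "CoffeeShop-Free", "bssid": "a4:2b:8c:00:11:22", "channel": 6,  "signal_dbm": -61},
    # Same SSID and same MAC as the real AP, on a different channel and much louder.
    {"ssid": "CoffeeShop-Free", "bssid": "a4:2b:8c:00:11:22", "channel": 11, "signal_dbm": -38},
    # Same SSID from a MAC the venue never told us about.
    {"ssid": "CoffeeShop-Free", "bssid": "02:00:00:de:ad:01", "channel": 1,  "signal_dbm": -45},
    {"ssid": "Airport-WiFi",    "bssid": "10:20:30:40:50:60", "channel": 1,  "signal_dbm": -70},
]

# Constructed: BSSIDs the venue's staff confirmed as theirs.
KNOWN_BSSIDS = {"CoffeeShop-Free": {"a4:2b:8c:00:11:22"}}


def strongest_for_ssid(scan, ssid):
    """The entry a client picks: the loudest beacon carrying that SSID."""
    candidates = [row for row in scan if row["ssid"] == ssid]
    return max(candidates, key=lambda row: row["signal_dbm"]) if candidates else None


def find_evil_twins(scan, known_bssids):
    """Return (reason, ssid, bssid, channel) tuples for suspicious beacons.

    Indicator 1: a known SSID advertised by a BSSID not on the venue's list.
    Indicator 2: one BSSID beaconing on more than one channel at once; a
    single radio cannot do that, so a second device is cloning it.
    """
    findings = []
    channels_by_bssid = defaultdict(set)
    for row in scan:
        channels_by_bssid[row["bssid"]].add(row["channel"])
        legit = known_bssids.get(row["ssid"])
        if legit is not None and row["bssid"] not in legit:
            findings.append(("unknown BSSID for known SSID",
                             row["ssid"], row["bssid"], row["channel"]))
    for row in scan:
        if len(channels_by_bssid[row["bssid"]]) > 1:
            findings.append(("same BSSID on multiple channels",
                             row["ssid"], row["bssid"], row["channel"]))
    return findings


if __name__ == "__main__":
    pick = strongest_for_ssid(SAMPLE_SCAN, "CoffeeShop-Free")
    print("client would associate with:", pick)
    for finding in find_evil_twins(SAMPLE_SCAN, KNOWN_BSSIDS):
        print(*finding)
```

A venue with several access points will legitimately show one SSID from several BSSIDs, which is why the first check needs the venue’s list; the second check stands on its own. An attacker who matches the channel as well as the MAC shows up only as an unexpectedly strong signal, so none of this replaces the VPN advice in answer 7.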

7) How can travelers prevent their data from being unlocked and free for the picking?

I recommend that travelers use a paid VPN service that creates an encrypted tunnel between the laptop or phone and the exit site of the VPN service.

Alternatively, travelers should consider altogether avoiding dangerous free wireless networks and using their cell phone as a mobile hotspot device to connect to the Internet while traveling.

8) Is the threat of data or identity thieves widespread?

It is a universal truth that criminals will capitalize on every vulnerability they find whether it resides in the physical or virtual realm.

Cyber Warfare Exercise: part two

There are only two certainties in a company’s life: Taxes and your network will be hacked.

I recently returned from the 15-day cyber warfare exercise hosted by the Massachusetts Army National Guard.  Attendees included soldiers and airmen from Vermont, New Hampshire, Maine, Massachusetts, Connecticut, and Rhode Island as well as personnel from private organizations such as Mitre and ManTech.

An important change in this year’s event was that actual representatives from the Massachusetts Governor’s IT office, Massachusetts Water Resources Authority (MWRA), and the Massachusetts Department of Transportation (DoT) were active participants.  They were able to give an accurate portrayal of their interests and identify network resources that are critical to them.  This was all vital information to our “Blue Team” defenders.

I was acting as a “Red Team” aggressor and by the luck of the draw I was selected to attack the team of defenders I have been working with for the past few years.  I provided them with denial-of-service attacks, phishing campaigns, website defacements, and other “cyber effects” to detect, react to, and report on.  In several areas my team performed well, but I was most impressed with the cooperation and information sharing between my military coworkers and their civilian counterparts.

I have had some time to reflect on the lessons learned and the direction I want to take my team in the train-up leading to next year’s exercise.

  1. Baseline your infrastructure.

As a system owner, just knowing what accounts are privileged and what servers you have on your network is no longer enough. System owners need to know what kind of traffic is normal within their network, what services and processes should be running on each device, and which devices need to talk to each other.  When equipped with this knowledge, a network defender is far more effective at detecting ill-intentioned actors on your network.
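A baseline is only useful if you compare against it. The following is an added example, not part of the original post: a recorded baseline of what each host normally listens on, runs and talks to is diffed against a later snapshot. Both are constructed dictionaries with invented host and service names; on a real network you would fill them from listening-socket listings, process lists and flow records.

```python
"""Diff a recorded baseline of 'normal' against a fresh snapshot of a network.

Added example, not part of the original post. Baseline, snapshot, host and
service names are constructed for illustration.
"""

# Constructed baseline: what each host normally does.
BASELINE = {
    "web01": {
        "listening": {("tcp", 22), ("tcp", 443)},
        "processes": {"sshd", "nginx", "rsyslogd"},
        "peers": {("db01", 5432), ("log01", 514)},
    },
    "db01": {
        "listening": {("tcp", 22), ("tcp", 5432)},
        "processes": {"sshd", "postgres", "rsyslogd"},
        "peers": {("log01", 514)},
    },
}

# Constructed snapshot taken later: web01 has grown a listener and a new
# outbound peer, db01 has lost its log forwarder, and an unbaselined host
# has appeared and is talking to the database.
SNAPSHOT = {
    "web01": {
        "listening": {("tcp", 22), ("tcp", 443), ("tcp", 4444)},
        "processes": {"sshd", "nginx", "rsyslogd", "nc"},
        "peers": {("db01", 5432), ("log01", 514), ("203.0.113.7", 4444)},
    },
    "db01": {
        "listening": {("tcp", 22), ("tcp", 5432)},
        "processes": {"sshd", "postgres"},
        "peers": set(),
    },
    "kiosk07": {
        "listening": {("tcp", 445)},
        "processes": {"smbd"},
        "peers": {("db01", 5432)},
    },
}

FIELDS = ("listening", "processes", "peers")


def diff_host(base, now):
    """Set differences per field. Additions are the obvious signal, but a
    vanished log forwarder matters too, so removals are reported as well."""
    out = {}
    for field in FIELDS:
        added = sorted(now.get(field, set()) - base.get(field, set()))
        removed = sorted(base.get(field, set()) - now.get(field, set()))
        if added:
            out["new_" + field] = added
        if removed:
            out["missing_" + field] = removed
    return out


def diff_baseline(baseline, snapshot):
    """Return {host: changes} for hosts that changed, plus hosts that were
    never baselined ('unknown_hosts') and hosts that went silent
    ('missing_hosts'). An unchanged network yields an empty dict."""
    report = {}
    for host, now in snapshot.items():
        if host not in baseline:
            report.setdefault("unknown_hosts", []).append(host)
            continue
        changes = diff_host(baseline[host], now)
        if changes:
            report[host] = changes
    if "unknown_hosts" in report:
        report["unknown_hosts"].sort()
    missing = sorted(set(baseline) - set(snapshot))
    if missing:
        report["missing_hosts"] = missing
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(diff_baseline(BASELINE, SNAPSHOT), indent=2, default=list))
```

For the constructed data the report shows a new tcp/4444 listener and an nc process on web01 with a new outbound peer, rsyslogd and its log destination missing from db01, and kiosk07 as a host nobody baselined. Removals deserve as much attention as additions: a log forwarder that stops running is exactly what you would expect to see before other evidence disappears.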

  2. Know what is most critical.

In previous exercises military personnel played the part of industry representatives and identified key infrastructure as being the domain controllers or DNS servers.  Having actual industry representatives at this year’s exercise radically changed the defenders’ ideas of what is most critical.  For example, representatives of the Governor’s office identified the Governor’s external website as critical because it is the “face” of the government in Massachusetts.  It is important to identify those critical systems before an attack, so that network defense focuses on what is most important to the organization instead of on what the attackers see as most important to them.

  3. Be able to detect wrongdoing.

There are only two certainties in a company’s life: Taxes and your network will be hacked.

Every organization should have a secure and centralized logging server along with sensors, distributed throughout the infrastructure, capable of full packet capture.  Having this in place provides not just data but contextual information about what is going on in your environment.  There seems to be a trend for organizations to spend considerable resources on IPS/HIPS systems, but once an attacker compromises their system they lack actionable information and throw up their hands in defeat. These defensive measures are admirable, but we should operate on the motto: “Prevention is ideal.  Detection is a must.”