Must is such a charged word. So when someone tells you that you must do something, it needs to be something worthy of the grand imperative.
If you’re a large company, especially a publicly held one, and you provide remote access for internal users (email, VPN, anything really) without a secondary form of incident detection, you are (in our opinion, which is not legal advice) a negligent fool, putting the entire company at risk of catastrophic loss. There’s a list of things you *should* be doing.
That’s pretty strong language. Put another way, if you’re not operating (and testing, and verifying) a detection system for evil access attempts, you’re an idiot. And if it comes out in some sort of court case, you’re going to get slaughtered. Unless opposing counsel is equally dim (we’re available for consult in such situations).
This detection stuff is IN ADDITION to any sort of strong or secondary authentication scheme. Strong authentication only gets you so far. It knocks off the low-end evil-doers. It does nothing to stop the more sinister, serious bad guys.
What makes it truly damning as a failure to execute by management is that detection is such a simple addition. It’s not expensive, it’s not complicated. It can be done with a tiny outdated computer, a free Linux distribution, and a couple of shell scripts. Which is why, if you’re not doing it, you deserve to be hung by the thumbs at the shareholders’ leisure. Or your customers’. Whoever will be most angry that hackers broke into your company and stole your precious data.
It’s not even hacking, really, since a monkey could be trained to do it. Still criminal, though.
Without detection apparatus, you are so far off base as to be playing a different game. Tiddlywinks, maybe. Ball and jacks. The disdain that should be leveled at such companies in the here-and-now is extreme. You may as well just resign in disgrace now, and save us all the trouble of a court case down the road. This is negligence. Gross negligence, in the disgusting sense, not the legal sense; that’s for a jury to decide. [update] Here’s an excellent current legal example of negligence in action and the legal implications. If you fail to do something so obvious that an average person would think it should have been done, you are negligent. Ask a lawyer to explain negligence law, we’re just geeks.
And if you’re not a large company, take a second look at the part above where we describe how easy it is to set up monitoring. Do it. You don’t need $100,000 custom supercomputers with lots of shiny blinking lights. They have some neat bells and whistles, but the fundamentals are available for less than $1000. So do it.
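To make "a couple of shell scripts" concrete, here is an added example of the kind of secondary detection the two paragraphs above have in mind. It is not code from the original post: a POSIX shell function that reads sshd-style auth log lines, counts failed logins per source address, and flags any source at or above a threshold, which is the sort of thing a cron job on a cast-off box can run every few minutes and email out. The log lines are constructed sample data, and the log format and the threshold are assumptions; adapt the pattern to whatever your VPN or mail gateway actually writes.

```shell
#!/bin/sh
# Added example, not from the original post: minimal failed-login detection
# over auth log lines, the "tiny box plus shell script" approach.

# Constructed sample log lines (not real data) in the usual sshd format.
SAMPLE_LOG='Jan 10 03:12:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 03:12:03 gw sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 10 03:12:05 gw sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Jan 10 03:12:09 gw sshd[1207]: Accepted password for alice from 198.51.100.22 port 40022 ssh2
Jan 10 03:13:11 gw sshd[1209]: Failed password for bob from 198.51.100.22 port 40030 ssh2
Jan 10 03:14:44 gw sshd[1211]: Failed password for invalid user oracle from 203.0.113.7 port 51300 ssh2'

# count_failures LOGTEXT THRESHOLD
# Prints "<failures> <source-ip>" for every source address with at least
# THRESHOLD failed logins, highest count first. Successful logins are ignored.
count_failures() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        /Failed password/ {
            # The source address is the token right after "from".
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END {
            for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip
        }' | sort -rn
}

# flagged_count LOGTEXT THRESHOLD
# Number of source addresses that crossed the threshold (0 when quiet).
flagged_count() {
    count_failures "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone demo against the constructed sample with a threshold of 3.
# In practice a cron job would feed the real log instead, for example:
#   count_failures "$(cat /var/log/auth.log)" 5
count_failures "$SAMPLE_LOG" 3
```

Anything this prints is worth a human looking at, which is the whole point: the script is not the defence, it is the tripwire that tells you the defence is being probed. Raise the threshold to cut noise from typo-prone users, and keep a copy of the flagged lines off the monitored host so the record survives if the host does not.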
If you’re a tiny company, you shouldn’t be providing that sort of remote access. Use gotomypc.
ftp, smtp, http, https, smb, rdp, etc…: we still see these things far too often, publicly accessible, with no secondary level of security. Shame on you. 3rd graders can break into your company undetected using smart phones. It’s 2012, and it’s high time we started holding people accountable for lax security.