Security through obscurity doesn’t work
I been writing articles around security architecture to defend and protect a company, but, these articles take allot of effort and brain power to decipher and most Business Directors and CxO just hire a CSSO and think they have met their MBO to secure the company. Hopefully, this observation will change your mind..
The reality around most if not all company network security, is that its probably secure due to absolute broken, cobbled networks put together.. To give you a example, I worked for one of the largest Managed Service providers that had the biggest banks and governments as customers. It would take 6 months of effort to get the required security clearance up to Protected level. It then used to take about 4 weeks for a System Administrator to be able to figure out how to login into the customer environment and find their way to the system that they were administering.. There were so many gateways and logins, it would take around 6 months for these engineers to be self reliant to go on call without disturbing seniors engineers.
Allot these systems are probably windows 2003 and don’t have virus protection and the only reason they haven’t been hacked, is due to pure dumb luck and Secure by naivety.
If you are responsible for the network security of a company, you need to come to terms and advise the CEO that the reality is that the companies systems are vulnerable and protecting and updating these systems will take a life time.. You are most likely getting hack as you read this, but due to the dumb luck, the software isn’t smart enough yet to get out.. The only solution you have is to introduce SANs Critical Security Controls and Defend the Kill Chain and singing up to a Managed Security Service. Good luck. ha