Common wisdom says that we humans use less than 10% of our brains’ capacity in a lifetime. I assert that the same is true for enterprise networking hardware and software.
As referenced by Paul in his recent post, we very frequently run into organizations that have an overwhelming urge to add something to their systems to make them more secure. In reality, some of the deepest changes that will have the biggest impact on security are all around you in the environment you already have.
For example, all Cisco switches support VLANs, but a full half of the organizations we have dealt with have not seriously explored using that functionality to help separate network devices from each other. Where VLANs are implemented, at least 75% of those organizations don’t properly use a firewall or layer 3 access lists to prevent traffic from flowing between the network segments. Back down to layer 2, all Cisco switches support some form of MAC filtering or limitation of MAC addresses per port, but even those basic controls are almost never enabled in deployments we’ve seen. These are defenses for some of the most basic network attacks and can be enabled safely in some combination for 98% of all deployments.
The examples could go on endlessly, but the important thing to illustrate is that almost all of your network is only delivering 10% of its potential from a security standpoint at any given time. Unlike the brain, accessing the remaining 90% is as simple as testing the functionality, configuring it, and deploying it to current installations.
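An added example (not from the original post): a small Python audit that reads an IOS-style configuration and flags the three gaps named above, using access ports left in the default VLAN as a simple proxy for unused VLAN separation, plus ports without port security and routed VLAN interfaces with no inbound access list. The sample configuration, the ACL name `USERS-IN` and the function names are constructed for illustration.

```python
import re

# Constructed sample of an IOS-style running-config (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security maximum 2
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group USERS-IN in
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
"""

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
    return blocks

def audit(config):
    """Return sorted (interface, finding) pairs for the three controls."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" in cmds:
            vlans = [c.split()[-1] for c in cmds if c.startswith("switchport access vlan ")]
            if not vlans or vlans[0] == "1":
                findings.append((name, "access port left in default VLAN 1"))
            # Only the bare command enables the feature; "maximum N" alone does not.
            if "switchport port-security" not in cmds:
                findings.append((name, "port security not enabled"))
        elif re.fullmatch(r"Vlan\d+", name) and any(c.startswith("ip address ") for c in cmds):
            if not any(re.fullmatch(r"ip access-group \S+ in", c) for c in cmds):
                findings.append((name, "no inbound ACL on routed VLAN interface"))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(f"{n}: {f}" for n, f in audit(SAMPLE_CONFIG)))
```

On the sample, GigabitEthernet0/2 is flagged twice: it sets a MAC maximum but never enables port security, which is an easy gap to miss when reading a configuration by eye.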
To make the point directly, your organization has likely been purchasing all the hardware and software you need to be secure for years. The missing piece is the knowledge and experience required to put the pieces together in a way that makes them work effectively and securely together. That’s where we come in.

How Much Gets Reported
It’s a pretty well-known fact that far more crime occurs than gets reported to authorities, and far more gets reported to the authorities than gets reported on by any form of media. Cybersecurity attacks are no different.
Because we assist in the investigation and incident response of many of these cases, we’re constantly on the lookout for reporting of those incidents by independent sources. By our own research, 1 attack gets reported in the media for at least 73 that happen without any mention to the public. Of those, we see scant few actually make it to what most would consider “mainstream media”.
Stuxnet is the most recent example of a named malware attack that made the prime time news, and it joins the ranks of Code Red, Nimda, and (to a lesser degree) Zeus in the public lexicon of big attacks. However, the ones that never make it to the front page show both an increasing technical sophistication and a more focused set of attack goals.