[BreachExchange] Your “Top Ten” Cybersecurity Vulnerabilities

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 29 16:52:06 EST 2017


https://www.natlawreview.com/article/your-top-ten-cybersecurity-vulnerabilities

Cybersecurity has never been more important, or challenging, to address.
For many employers, even figuring out where to start may seem like an
overwhelming challenge. The first step, and one that should be repeated at
least annually, is to assess the adequacy of whatever cybersecurity
planning processes your organization has in place. To jump-start your year-end
cybersecurity planning, here are our “top ten” vulnerabilities to put on
your list.

Vulnerability No. 1. No, or inadequate, security program in place. It is
essential that your organization have a written, formalized cybersecurity
program that assigns and enforces individual job responsibilities. The
absence of a written plan documenting your cybersecurity program is a
significant gap that leaves you more vulnerable to a cyberattack. If your
organization has already adopted a written security plan, review it
periodically (no less than annually), update it where necessary, and verify
that the organization actually follows it in protecting its systems and
staff. Cybersecurity is everyone's responsibility.

Vulnerability No. 2. No recently conducted vulnerability and risk
assessments. A comprehensive, well-documented vulnerability assessment will
identify gaps in your workforce management and information technology
security policies, procedures, and technical controls. A formalized risk
assessment will address the risks of cyberthreats exploiting the gaps
revealed by the vulnerability assessment. Vulnerability and risk
assessments, which may be conducted with the assistance of cybersecurity
counsel under the protection of the attorney-client privilege, are
fundamental building blocks for reducing cybersecurity vulnerabilities.

Vulnerability No. 3. No evaluation of weaknesses or gaps in your controls in
light of statutory requirements and potential common law claims. This
highlights your compliance gap and legal exposure arising from poor
technical and administrative controls (e.g., inadequate or nonexistent
policies), particularly in financial services, health care, or where your
location and business lines subject you to requirements of state data
privacy and breach laws. The absence of particular controls may constitute
statutory violations or be cited in litigation as evidence of red flags.

Vulnerability No. 4. No formalized patching process or inadequate
enforcement of the current process to ensure its systematic implementation.
Failure to expeditiously address known vulnerabilities carries potential
liability. A formalized, well-documented and enforced patching process may
avoid gaps in failing to timely patch a known vulnerability and help reduce
exposure.

Vulnerability No. 5. No insider threat program. A large share of data
breaches involve insiders, whether employees or trusted third parties (or
their employees). Not having an insider threat program in place, including
an insider threat vulnerability assessment, increases your exposure to
insider threats.

Vulnerability No. 6. Lack of connection to the cybersecurity community. Did
you know that the leading wireless (WiFi) encryption protocol, WPA2, was
recently shown to be vulnerable to a key reinstallation attack, known as
"KRACK" (short for Key Reinstallation AttaCK)? The attack forces nonce reuse
in the WPA2 four-way handshake so that an attacker within radio range can
decrypt, replay or in some cases forge traffic; it is fixed by patching
clients and access points, not by replacing WPA2. Did you know that the
National Institute of Standards and Technology ("NIST") recently published
significantly revised guidance on password administration (SP 800-63B)? The
new guidelines favor usability: they call for screening candidate passwords
against a list of commonly used or compromised passwords, drop mandatory
composition rules and periodic forced changes, and require that passwords of
at least 64 characters be accepted so that pass phrases can be used. These
are just examples of the ever-changing cybersecurity landscape. Your
organization should establish contact with the cybersecurity community,
including cybersecurity counsel, to facilitate training and education within
your organization and to stay current on best practices and technologies.
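As an added illustration of the NIST guidance mentioned above (this is example code written for this page, not from the article and not from NIST), the following Python check accepts or rejects a candidate password along the lines SP 800-63B describes: a minimum of 8 characters, at least 64 characters accepted, no composition rules, Unicode normalisation before counting and hashing, and screening against a list of common passwords, context-specific words, repetitive or sequential strings, and a breach corpus looked up by SHA-1 prefix. The block list, the breach corpus and the 256-character cap are constructed assumptions.

```python
import hashlib
import unicodedata

MIN_LEN = 8     # SP 800-63B: memorized secrets must be at least 8 characters
MAX_LEN = 256   # SP 800-63B: at least 64 must be accepted; 256 is an assumed site cap

# Constructed block list standing in for a real list of commonly used passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "password1", "iloveyou", "welcome"}

# Constructed breach corpus. The verifier keeps only upper-case SHA-1 hex digests,
# indexed by their first five hex characters, which mirrors the range-query layout
# of compromised-password services (the client sends a 5-char prefix, receives all
# suffixes under it, and matches locally, so the candidate never leaves the client).
_BREACHED_PLAINTEXTS = ("Summer2017!", "Tr0ub4dor&3", "Monkey123")
RANGE_TABLE = {}
for _p in _BREACHED_PLAINTEXTS:
    _d = hashlib.sha1(_p.encode("utf-8")).hexdigest().upper()
    RANGE_TABLE.setdefault(_d[:5], set()).add(_d[5:])


def is_breached(password):
    """Prefix lookup: only digest[:5] would be sent to a remote service; the
    35-character suffix is compared locally against the returned range."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in RANGE_TABLE.get(digest[:5], set())


def has_trivial_run(s, n=4):
    """True if s contains n identical or consecutive code points in a row, e.g.
    'aaaa', 'abcd', '4321' (SP 800-63B lists repetitive and sequential strings
    among the values a verifier should reject)."""
    codes = [ord(c) for c in s]
    for i in range(len(codes) - n + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + n - 1)}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(password, username="", context_words=()):
    """Return the list of reasons to reject `password`; an empty list means accept.
    No composition rules (digits, symbols) are enforced: 800-63B advises against them."""
    pw = unicodedata.normalize("NFKC", password)  # normalise before counting or hashing
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("too_short")
    if len(pw) > MAX_LEN:
        reasons.append("too_long")
    folded = pw.casefold()
    if folded in BLOCKLIST:
        reasons.append("common_password")
    if any(w and w.casefold() in folded for w in (username, *context_words)):
        reasons.append("contains_context_word")
    if has_trivial_run(pw):
        reasons.append("repetitive_or_sequential")
    if is_breached(pw):
        reasons.append("breached")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "password", "Summer2017!",
                      "alice-rocks-2017", "abcd1234xyz!", "x" * 300):
        verdict = check_password(candidate, username="alice") or "accepted"
        print(f"{candidate[:32]!r:36} -> {verdict}")
```

Note that a 28-character passphrase with spaces is accepted while an 8-character "password" is not: under this guidance length and absence from known-bad lists do the work that composition rules used to do. In a real deployment the block list should be large and the breach lookup should go to a maintained corpus rather than the three constructed entries here.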

Vulnerability No. 7. Lack of stringent configuration management. If your
organization does not apply a baseline of secure configurations to each of
its information and communications systems and related hardware before it
goes live and before any change is implemented, then you are vulnerable.
Allowing a system to go live with its default configuration (for example,
default passwords left in place) is an ever-present and frequently
overlooked weakness that requires rigorous oversight.
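Defaults slip into production in two ways: a setting is never written down and so takes the vendor's default, or it is written down but a quirk of the software makes the line inert. As an added example (written for this page, not from the article), here is a Python baseline check for an OpenSSH server configuration: it parses the global section of an sshd_config, fills in the defaults sshd applies to absent keywords, and reports every deviation from an assumed hardening baseline. The baseline values and both sample configurations are constructed for this example.

```python
import re

# Values sshd applies when a keyword is absent, per sshd_config(5).
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "logingracetime": "120",
}

# Assumed hardening baseline: keyword -> (comparison, required value).
BASELINE = {
    "permitrootlogin": ("eq", "no"),
    "passwordauthentication": ("eq", "no"),
    "permitemptypasswords": ("eq", "no"),
    "pubkeyauthentication": ("eq", "yes"),
    "x11forwarding": ("eq", "no"),
    "maxauthtries": ("le", "4"),
    "logingracetime": ("le", "30"),
}


def parse_sshd_config(text):
    """Return {keyword.lower(): value} for the global section of an sshd_config.
    sshd uses the FIRST value it sees for each keyword, so a later duplicate does
    not override an earlier one. Match blocks are not evaluated here: their
    settings apply conditionally and need a separate check."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def _satisfies(have, op, want):
    if op == "eq":
        return have.lower() == want.lower()
    if op == "le":
        try:
            return int(have) <= int(want)
        except ValueError:
            return False
    raise ValueError(f"unknown comparison {op!r}")


def check_baseline(effective, baseline=BASELINE, defaults=SSHD_DEFAULTS):
    """Compare parsed settings (plus implied defaults) with the baseline.
    Returns one finding string per deviation; an empty list means compliant."""
    findings = []
    for key, (op, want) in baseline.items():
        if key in effective:
            have, source = effective[key], "explicit"
        else:
            have, source = defaults.get(key, ""), "implied default"
        if not _satisfies(have, op, want):
            findings.append(f"{key}: is {have!r} ({source}), baseline requires {op} {want!r}")
    return findings


# Constructed sample of a config that went live with vendor defaults and one
# well-meant but ineffective later override.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# Added during a later "hardening" pass; sshd keeps the first value, so this is inert:
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 10
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 20
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        findings = check_baseline(parse_sshd_config(cfg))
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The sample configuration produces five findings, two of which an eyeball review would miss: the second PasswordAuthentication line never takes effect, and LoginGraceTime is out of baseline purely because it was never set. Reporting the source of each value ("explicit" versus "implied default") is what turns a diff into something an administrator can act on.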

Vulnerability No. 8. Lack of stringent remote access management. If your
organization permits remote access by its personnel, your potential attack
surface is expanded. Granting remote access requires a combination of
stringent best practices, such as rigorous human resources and technical
controls (including monitoring remote access usage).
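As an added example of the "monitoring remote access usage" point (example code written for this page, not from the article), the Python below runs three simple detections over sshd authentication log lines: a successful login preceded by a burst of failures from the same address, a successful login outside business hours, and a login from a network not on an allowlist. The thresholds, the allowlisted network, the year assumed for the syslog timestamps and the log lines themselves are all constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
YEAR = 2017  # syslog timestamps carry no year; assumed for the constructed sample

# Assumed policy inputs.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # e.g. the corporate VPN egress
FAIL_THRESHOLD = 3                  # failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window, before a success
BUSINESS_HOURS = range(6, 22)       # logins expected between 06:00 and 21:59 local


def parse(line):
    """Turn one sshd syslog line into an event dict, or None for lines we ignore."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def analyse(lines):
    """Return (rule, user, ip) alerts for successful logins that look suspicious:
    a success preceded by a burst of failures from the same address, a success
    outside business hours, and a success from an address outside KNOWN_NETWORKS."""
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        window = failures[ev["ip"]]
        while window and ev["ts"] - window[0] > FAIL_WINDOW:
            window.popleft()  # drop failures older than FAIL_WINDOW
        if ev["result"] == "Failed":
            window.append(ev["ts"])
            continue
        if len(window) >= FAIL_THRESHOLD:
            alerts.append(("brute_force_then_success", ev["user"], ev["ip"]))
            window.clear()
        if ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_login", ev["user"], ev["ip"]))
        if not any(ipaddress.ip_address(ev["ip"]) in net for net in KNOWN_NETWORKS):
            alerts.append(("unknown_source_network", ev["user"], ev["ip"]))
    return alerts


# Constructed sample log: a password-guessing run that eventually succeeds,
# followed by two key-based logins from the expected network.
SAMPLE_LOG = """\
Dec 29 02:14:01 vpn-gw sshd[4123]: Failed password for jsmith from 203.0.113.45 port 51234 ssh2
Dec 29 02:14:04 vpn-gw sshd[4123]: Failed password for jsmith from 203.0.113.45 port 51234 ssh2
Dec 29 02:14:09 vpn-gw sshd[4123]: Failed password for jsmith from 203.0.113.45 port 51234 ssh2
Dec 29 02:14:15 vpn-gw sshd[4124]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Dec 29 02:14:20 vpn-gw sshd[4125]: Accepted password for jsmith from 203.0.113.45 port 51240 ssh2
Dec 29 09:30:11 vpn-gw sshd[4201]: Accepted publickey for ajones from 198.51.100.7 port 40022 ssh2
Dec 29 23:45:02 vpn-gw sshd[4388]: Accepted publickey for ajones from 198.51.100.7 port 40100 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The first successful login trips all three rules at once, which is the pattern worth paging someone for; the late-evening key-based login from the known network trips only the off-hours rule and is a candidate for a lower-priority review. Each rule depends on a policy input (who is allowed in from where, and when), which is why the article pairs monitoring with human resources controls: the detections are only as good as the allowlist and schedule behind them.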

Vulnerability No. 9. Failing to consider available cybersecurity data. If
you are not looking at the available cybersecurity data for your particular
industry, you are likely not making the most informed decisions. Don’t fly
blind—there is data out there for all industries that you can use to inform
your vulnerability analysis.

Vulnerability No. 10. No incident response plan in place. No matter the
level of stringent controls you put in place, you have to be prepared for
the eventuality of a data incident or breach. Being reactive because you do
not have a plan in place tested through training, including table-top
training exercises, leaves you vulnerable.

The foregoing list is non-exhaustive. Your list may be different.
Hopefully, our recommendations get you thinking about your cyber
protections for the coming year.