[BreachExchange] Stay Out of the Headlines: Maintain a Healthy Security Posture

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 4 19:40:46 EDT 2018


http://www.datacenterjournal.com/stay-out-of-the-headlines-maintain-a-healthy-security-posture/


Constant attack attempts, newly discovered vulnerabilities and growing
methods for gaining unauthorized access: this is the world we live in.
Massive breaches and compromised data have become common among news
headlines as cybercriminals become more clever and brazen.

We’re clearly operating in a heavily risk-laden environment. Accurately
evaluating security posture is intimidating for any organization given this
ever-shifting threatscape, but the good news is that there are definitive
ways to ensure your organization is prepared, starting with knowing how and
why you may be a target.

Reasons Why You Could Be Compromised

Let’s start with the burning question of any business that has suffered a
breach: “Why us?” There are many reasons behind attacks. Here are the types
we see most commonly:

- Opportunistic attacks. Large numbers of actors continuously scan the
Internet for exploitable weaknesses, harvesting data or serving as the
middleman in a larger scheme. They are not looking for you specifically;
they are looking for whatever is exposed. For some malicious actors hacking
is akin to a sport or an achievement in the "because we can" bucket, earning
them Internet street cred.
- Targeted attacks. Motivations vary, but sometimes an attack is the result
of a deliberate effort to target a specific organization. Again, the lure
might be simply to gain notoriety, or it could be to obtain valuable
personal data. It sometimes aligns with an organization’s activism, or
conversely, the cyber attacker’s leanings. But it’s not just large,
well-known enterprises that are at risk—no organization is immune to
targeted attacks. Have you ever had a disgruntled employee? Or do you think
your competitors are above playing dirty? Targeted attacks occur more often
than you think.
- Absent controls. Controls, or safeguards, are necessary to prevent and
detect an attack, as well as to minimize damage. Security is built in
layers; you can’t just have one single control. Organizations leave
themselves open to a breach if one or more controls fail, or if they’re
insufficient. Controls are why it’s important to have a strong team, either
on the payroll or on retainer, working closely to maintain security
practices across your organization and thereby protect the confidentiality,
integrity and availability of your information.
- Bad luck. Sometimes an attack is the result of zero-day vulnerabilities:
“bad luck,” for lack of a better term. Of course, no one can predict when
these types of incidents will occur. You can, however, take steps to
minimize the damage of these attacks and restore operations quickly.

Keeping Your Security Posture Healthy

Understanding the reasons why your organization might be at risk is
important. But security isn’t about a tool, a person or a product. None of
these things will solve the problem or reduce worry without an in-depth,
internal conversation. Security is about educating and performing due
diligence. Only then can you defend, protect, respond and investigate.

Maintaining a healthy security posture means being active from both a human
and technology standpoint—it’s not one or the other. The technologies to
protect critical IT assets are constantly evolving, but so are the threats.
Achieving a healthy security posture requires a dual effort shared by both
people and technology.

Six People Controls: What Your Organization Can Do

To provide greater assurance and protection against data loss, both from
inside and outside sources, companies must invest in people as well as
technologies and processes.

- Understand your risk profile. Knowing your risk profile is critical. You
must understand the risks specific to your industry, business and assets.
To start, you can begin a simple information-gathering process on the
Internet. Look up your company name and see what kind of information is
available. If possible, engage with a provider that performs penetration
testing. Also, be aware of your unique exposure and visibility. For
example, if it’s obvious on your website that you service credit-card
companies, you have higher risk.
- Know your assets. You can’t protect what you don’t know you have. The
cornerstone of a healthy security posture is knowing your assets and
exactly what you’re trying to protect. This knowledge allows you to ensure
all the right controls are in place, so you should have a complete
inventory. Next comes protecting against the threats that accompany your
specific assets. If you have old firewalls or a vulnerable application,
select the right tools for proper protection.
- Have a solid risk-management program. Do you have a risk-management
program? By default, you should be carrying out annual risk-management
reviews, complete with scoring and a repeatable process. Doing so assists
leadership in determining overall risk and potential costs to the business
in the event of compromise or breach, thereby enabling appropriate
allocation of funds to reduce or mitigate business-specific risks.
- Keep your information-security program up to date. As you make your way
through the above steps, you will likely find that it’s time to update your
information-security program once again, including your
information-security policies. Maintaining one primary information-security
program and updating it every six months to one year as a formal, recurring
process is recommended. This way, you can match your procedures and
standards with the program, allowing you to train your company through
awareness.
- Make sure leadership is involved. Leadership must be involved in decision
making. Without deliberate planning, security often happens in silos, which
hurts your company’s culture. If you fail to promote awareness and bring
leadership into the conversation, increasing the budget or communicating
risk to users can be difficult.
- Put together a security board. Create a board of security ambassadors.
Each department should have a security ambassador working as the liaison
between the security team and other departments and business units,
allowing for healthy two-way communication.

Five Technical and Logical Controls to Increase Your Defense

We’ve covered human controls, but what about controls that are technical
and logical? These are the measures to configure in your systems, and to
apply and rely on to collectively reduce risk. Ultimately, you want to
ensure that you mitigate vulnerabilities quickly to lessen your
organization’s threat profile.

It’s worth noting that although the risk landscape is much greater today
than five years ago, we’re in a much better position with regard to
automation tooling and capabilities, whether for deployment, maintenance or
monitoring of controls. In the past, assessment of technical controls was a
more stressful, point-in-time exercise that was out of date as soon as it
was finished.

Today, we have the ability to monitor and more easily observe how controls
are performing, as well as where there may be room to improve.

- Patching. Patching is an essential security control. Patching your
operating system is important, but don’t neglect other areas of your
environment that run code. They include infrastructure devices (and their
firmware), the applications that run on top of your operating systems, and
the third-party libraries those applications bundle, which do not get fixed
by an operating-system update.
- Life-cycle management. Keep pace with life-cycle management related to
all layers of your stacks: physical devices, infrastructure devices,
operating systems, applications, database services and systems. They all
require a strategy to manage their life cycle, including a plan for what
happens when a component stops receiving security updates.
- Robust firewalls. Avoid overly permissive firewall rules (any source, any
port): deny by default and allow only the services that must be reachable,
from only the sources that need them. Consider placing a web-application
firewall in front of public web applications. In addition, regular
firewall-rule reviews are critical: rules accumulate over time, and a stale
"temporary" allow rule is a common way for an internal service to end up
exposed to the Internet.
- Best practices for passwords. Make sure everyone in your organization
uses strong, unique passwords as well as multifactor authentication. Favor
length and uniqueness over composition rules, screen new passwords against
lists of known-compromised passwords, and require multifactor
authentication especially for remote access and administrative accounts.
- Network-access controls. Restrict which devices and users can connect to
which network segments, and ensure your IT teams monitor for unusual
network activity so that a failed or bypassed control is noticed.
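A firewall-rule review of the kind recommended above can be partly automated. The following is an added example (not code from the original article or from any vendor) that reads rules in the format emitted by `iptables-save` and flags the usual offenders: a default ACCEPT policy on INPUT or FORWARD, ACCEPT rules that match traffic from any source with no port restriction, and rules that expose administrative or database ports to any source. The sample ruleset is constructed for illustration, and the list of "sensitive" ports is an assumption you would tune to your own environment.

```python
"""Flag overly permissive iptables rules (added example, not from the article).

Input is text in `iptables-save` format. The sample ruleset below is
constructed for illustration; SENSITIVE_PORTS is an assumed list of
admin/database ports and should be adjusted per environment.
"""
import shlex
from typing import Dict, List, Tuple

# Assumed set of ports that should never be reachable from any source.
SENSITIVE_PORTS = {"22", "23", "3306", "5432", "3389", "6379", "27017"}

# Constructed sample ruleset (not a real host's configuration).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
"""


def parse_rule(line: str) -> Dict[str, object]:
    """Extract the fields we care about from one `-A ...` rule line."""
    rule: Dict[str, object] = {"chain": None, "target": None, "source": None,
                               "ports": [], "in_iface": None, "ctstate": None,
                               "negated_source": False}
    tokens = shlex.split(line)
    negate = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                      # negation applies to the next match
            negate = True
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-A":
            rule["chain"] = nxt
        elif tok == "-j":
            rule["target"] = nxt
        elif tok in ("-s", "--source"):
            rule["source"] = nxt
            rule["negated_source"] = negate  # "! -s 10/8" matches everything else
        elif tok in ("--dport", "--dports"):
            rule["ports"] = (nxt or "").split(",")
        elif tok in ("-i", "--in-interface"):
            rule["in_iface"] = nxt
        elif tok == "--ctstate":
            rule["ctstate"] = nxt
        else:                               # option we do not evaluate; skip it
            negate = False
            i += 1
            continue
        negate = False
        i += 2
    return rule


def source_unrestricted(rule: Dict[str, object]) -> bool:
    """True when the rule matches traffic from anywhere."""
    return rule["source"] in (None, "0.0.0.0/0", "::/0") or bool(rule["negated_source"])


def review_rules(text: str) -> List[Tuple[str, str]]:
    """Return (rule line, reason) for each permissive entry found."""
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("*", "#")) or line == "COMMIT":
            continue
        if line.startswith(":"):            # chain policy line, e.g. ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            if chain in ("INPUT", "FORWARD") and policy == "ACCEPT":
                findings.append((line, f"default policy of {chain} is ACCEPT; "
                                       "set it to DROP and allow explicitly"))
            continue
        rule = parse_rule(line)
        if rule["chain"] != "INPUT" or rule["target"] != "ACCEPT":
            continue
        if rule["in_iface"] == "lo":        # loopback traffic is expected
            continue
        ctstate = rule["ctstate"]
        if ctstate and "NEW" not in str(ctstate).split(","):
            continue                        # only replies to established flows
        if source_unrestricted(rule):
            ports = set(rule["ports"])      # type: ignore[arg-type]
            if not ports:
                findings.append((line, "accepts all traffic from any source"))
            elif ports & SENSITIVE_PORTS:
                findings.append((line, "exposes admin/database port(s) "
                                       f"{sorted(ports & SENSITIVE_PORTS)} to any source"))
    return findings


if __name__ == "__main__":
    for rule_line, reason in review_rules(SAMPLE_RULES):
        print(f"{reason}\n    {rule_line}")
```

Run it against `iptables-save` output from a real host (`iptables-save | python3 review.py` after swapping `SAMPLE_RULES` for `sys.stdin.read()`) as part of the periodic review, and treat every finding as a question for the rule's owner rather than an automatic deletion; the script cannot know that the MySQL rule was meant only for a lab host.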

Businesses are highly concerned—and even panicking—given the threats they
face. Thankfully, there are proven approaches for minimizing the fear and
risk. In many cases, the universal struggle is cost versus security.
Businesses often can’t foot the full cost of maintaining security in house.
In other cases, knowing where to start is a challenge.

Only you know the type of data your company handles and the associated
security risks. If you lack a robust, proven security team that covers
every aspect of your security posture, consider a professional services
team or even a partnership with a provider that offers robust security
controls and expertise. Remember to ask comprehensive questions regarding
the security controls they provide, and confirm that they support auditing
and compliance, regardless of whether your intention is to self-manage or
outsource. Either way, you should consider all of the human and technical
controls mentioned above if you want to ensure your organization isn’t the
next big headline.