People, Process, Technology in Cybersecurity or: How I Learned to Stop Worrying and Love the Process!

People, Process, and Technology is the cornerstone of ITIL, but can it also be used to ensure a proper cybersecurity foundation? The answer may surprise you!


Let’s just get this out of the way. You are not secure. There I said it.

Let me qualify that statement: when I say you are not secure what I mean is that regardless of the money, talent, resources, or luck your organization possesses, your organization (or any other) cannot consider itself completely impervious to outside aggressors. Just like a Major in boot camp, let me tear your assumptions down for a moment so I can build them back up.

According to Gemalto, 82 records were compromised every second in 2017. It is widely accepted that the nation-state failure rate is as near to nothing as makes no difference. There are spear phishing kits available that allow anyone, even your mom, to launch a targeted attack against you. You have to be right every time; a hacker only has to be right once. A bird in the hand . . . . . I could go on, but I think you get the point.

“But,” you say “I just bought something with ‘NEXT-GEN’ in the product description. That’s got to make me secure!” No, it won’t. Nothing short of throwing all copies of your secure data into a volcano will make your data completely secure.


What we must strive for, what we must get up every morning and make it our mission to accomplish, is the process. A far too common mistake is that once we place security controls around our data we believe the job is done. Once we buy and install that tool, outsource that task, or hire that consultant firm we are not done. Let’s look at the tried and true foundation of People, Process, Technology and see how that fits into your cybersecurity plan – we are going to switch it up and discuss process last.

According to ITIL News, using People, Process, and Technology for a successful implementation is not only good old-fashioned common sense but also like a 3-legged stool. The stool analogy is used because any leg that is too short or too long will cause an imbalance.

People, Process, Technology

People

Here’s one thing everyone in security knows: people like clicking on all the links! Hackers know this; even that rich Prince from Nigeria knows this! In Jim Collins’ book, Good to Great, he discusses how the leader of your organization is like a bus driver and the employees are the bus riders.

You are a bus driver. The bus, your company, is at a standstill, and it’s your job to get it going. You have to decide where you’re going, how you’re going to get there, and who’s going with you.

Most people assume that great bus drivers (read: business leaders) immediately start the journey by announcing to the people on the bus where they’re going—by setting a new direction or by articulating a fresh corporate vision.

In fact, leaders of companies that go from good to great start not with “where” but with “who.” They start by getting the right people on the bus, the wrong people off the bus, and the right people in the right seats. And they stick with that discipline—first the people, then the direction—no matter how dire the circumstances.

While this may seem like a stretch in the cybersecurity world, the analogy holds true in the sense that everyone on board the bus must be on the same mission. We don’t want to let anyone (cybercriminals) on the bus or let any corporate secret fly out the bus windows.

Train your people and make sure policies are understood from the top down.

Technology

If that “next-gen” tool were able to keep you secure without your ability to understand and effectively use it, why isn’t everyone buying it and not the others? Because no tool by itself can effectively secure your data. You must be knowledgeable of what the tool is telling you, how to effectively deploy it, and how to customize it to your environment. If you don’t take the time to do these things you might as well have dug a hole and thrown the money in, it’s the same thing. Too many times I have seen a very expensive product simply create heat. The security product was implemented, but time was not dedicated to truly use the product. Now it’s ignored.

On the other hand, you could outsource the task of doing all that…

Great! You’ve contracted an MSSP to watch your security for you. Job’s a good’n. Nope. I’ve trained many, many MSSPs, probably near fifty plus. I’ve been instrumental in starting two successful MSSPs. This experience has taught me several things of which one is critically important to this conversation.

It can be summed up by a question: How do you know they provide value?

Nifty charts? Awesome. Whizbang product suite? Sweet! Suites that cost more than your first car? Shiny. However, all of that is for naught if you have not educated yourself in the mechanics of what they provide. Most people outsource what they are not good at; wouldn’t a better idea be to outsource what you are good at? The more you know about the topic, the less you must worry about whether that vendor is doing a good job. If you don’t stay current, educate yourself on cybersecurity, and constantly engage your vendor, what value do they really bring?

Process

It is said that wisdom is the appropriate application of knowledge. You may have learned many things about cybersecurity, but if you can’t effectively use that knowledge in everyday life, what use is it? This is where everything we’ve discussed above fits into “the framework”. I’ve described what a framework is and how to pick one in other blogs.

With a framework, we can take each new product; align it with our goals, test the product, and verify our management of the product is appropriate. With each outsourced task, we can quickly and easily see if the value exists by the iterative processes inherent in frameworks. With each consultant, we can direct and manage the work and relationship using the process of satisfying the framework.

Cybersecurity is a process. It is not a rush to prepare for a single point-in-time audit and then relaxing until the next one. By embracing the idea that iterative steps and incremental progress are the proper way to secure your environment, you inherently become secure.

Well, at least until George clicks on that link again.

Why You Must Perform A Security Assessment

Recently, we discussed why it is important to have a SIEM (Security Information and Event Management) system, and why it is crucial for skilled Administrators to actively use and monitor it. For a quick refresher, here is the article in Wired that sums up the presentation by Rob Joyce, Chief of NSA’s Tailored Access Operations, that inspired this series. This week’s post will cover why your organization needs to perform a Security Assessment to analyze your organization’s operational risks.

One of the biggest issues facing organizations today is that security is an invisible attribute. IT administrators will set up devices or services, configure the security parameters, and rarely, if ever, consider the security settings again. Organizations routinely write policies for user access and infrastructure and never update them. Systems are tested and vulnerabilities are discovered but left unresolved. This is the “Set it and Forget it” Syndrome, and almost every organization suffers from it. As Rob Joyce points out, Nation-State Hackers and Advanced Persistent Threats (APTs) rely on these issues, and unfortunately, we are making their jobs easy by not assessing our systems and processes regularly.

Everyone has blind spots which cause them to overlook important issues. Infrastructures constantly change, which introduces new vulnerabilities, while new methods of attack are discovered or invented daily. What was secure yesterday is often not secure today. Periodic assessments can help your organization identify these blind spots so your teams can design an effective security program. Assessments can help determine the best methods to prevent a breach, as well as protect assets and corporate reputations.

Related: Why You Must Have a SIEM

Why perform a periodic Security Assessment?

Organizations are increasingly bound by governmental regulations which dictate what security measures must be in place and how they are to be audited.  PCI, FISMA, Sarbanes-Oxley, HIPAA, NERC, and GSA among others all dictate how to secure different types of data and the systems that manage them.  These regulations also require regular security posture assessments.

While regulations are often the driving factor, they aren’t the only reason why an organization should perform (or better yet, have a third party perform) periodic assessments of their infrastructure.  A Security Assessment is the equivalent of an organization’s State of the Union.  It is a report that looks at every aspect of security and details the severity and potential impact of risks to the company.  Furthermore, it produces the fundamental information required to create a roadmap to a successfully secure business.  To navigate to any destination you must first know where you are.

What should be assessed?

To begin, most organizations only focus on IT data systems or penetration tests during Security Assessments, and this is where things go wrong very quickly. Yes, the firewall must block bad guys and workstations must be kept secure, but what about phone systems or printers? Will your users recognize and report a phishing email attempt? What is the process for when an employee exits your organization? Did anyone remember to disable their key card to the building? A thorough Security Assessment will go beyond the typical IT systems assessment. Here is a list of security domains that should be considered during a Security Assessment:

  • Access Control
  • Information Governance and Risk Management
  • Infrastructure Architecture and Design
  • Cryptography
  • Operations Security
  • Network and Telecommunications Security
  • Disaster Recovery and Business Continuity plans
  • Governmental Regulations
  • Incident Management Policies and Procedures
  • Physical Security
  • IT Security Training Programs
  • Network Boundaries

What about after the Security Assessment?

It is shocking to think that most companies will pay for a third party to audit their systems, processes, facilities, and personnel; then, do nothing to resolve the discovered issues.  This is exactly what Rob Joyce points out in his video.  A high percentage of companies will fail to close gaps discovered during security audits.  A vulnerability of any size is important no matter where it exists.  All an APT needs is a toehold.  Once one is presented no matter how small, attackers will use it to gain access to your company’s data.

Once you have received your assessment results, it is imperative to either fix the discovered issues or create compensating controls to prevent these issues from being leveraged. As Rob Joyce points out in his video, most companies and organizations fail to act even after issues have been discovered, documented, and reported. Joyce also says not to assume any crack in your defenses is too small or insignificant to be exploited. These toeholds are exactly what Advanced Persistent Threats are looking for in your environment.

Companies put a lot of effort into securing revenue streams, banking information, and payroll information by default. These areas, they feel, are important to protect. Most companies have a provision in the employee handbook that instructs employees not to discuss salary information with fellow employees. We don’t often find this level of care and communication when it comes to IT security. Accountants frequently audit banks and companies for fraudulent activity. It’s time that companies added IT security to this list of very important, very well-understood activities. Yearly assessments should be the norm, and the findings should be well communicated within the company. IT security cannot be the sole responsibility of a few guys in the back of the building. Every employee has to be involved because every employee is a target.

The journey to a secure organization begins with the first step. Your first step should be a Security Assessment to know where to place your foot, and how to find the path ahead. Start here: https://www.cybriant.com/security-analysis/

by Byron DeLoach

Types of Network Security Threats and How to Combat Them

If you’re interested in the types of network security threats and how to combat them, you’re in the right spot. We’ll discuss a tried and true method to create a solid foundation for your network security. 


What’s keeping you up at night? Is it hackers, insider threats, malware, or phishing? Maybe there are a few new types of network security threats that you haven’t heard of yet? You never know!

Even the most secure organization may have pitfalls that allow something to slip through the cracks. Consider Equifax and THE most talked-about breach of 2017, which could have been prevented so easily with a proper patching policy.

The fact of the matter is that the bad guys are constantly trying to catch us. You can train your employees all you want, but there’s still a chance that an employee may not be able to identify an extremely sophisticated phishing email. Phishing email creators are getting GOOD! These guys take anything from celebrity news, worldwide sporting events like the Olympics or the World Cup, or something as personal as W-2 information around tax time to make sure you will click on their email. Even the CEO of KnowBe4 recently received a phishing attack that seemed to be from his accountant.

Related: The Financial Industry’s Biggest Threat

Types of Network Security Threats

There are typically four types of network security threats, and any particular threat may be a combination of the following:

Unstructured Threats

Unstructured threats often involve unfocused assaults on one or more network systems, often by individuals with limited or developing skills. The systems being attacked and infected are probably unknown to the perpetrator. These attacks are often the result of people with limited integrity and too much time on their hands. Malicious intent might or might not exist, but there is always indifference to the resulting damage caused to others.

Structured Threats

Structured threats are more focused and come from one or more individuals with higher-level skills actively working to compromise a system. The targeted system could have been detected through some random search process, or it might have been selected specifically. The attackers are typically knowledgeable about network designs, security, access procedures, and hacking tools, and they can create scripts or applications to further their objectives. Structured attacks are more likely to be motivated by greed, politics, international terrorism, and government sponsorship.

Internal Threats

Internal threats originate from individuals who have or have had authorized access to the network. This could be a disgruntled employee, an opportunistic employee, or an unhappy past employee whose access is still active. In the case of a past network employee, even if their account is gone, they could be using a compromised account or one they set up before leaving for just this purpose. Many surveys and studies show that internal attacks can be significant in both the number and the size of any losses.

External Threats

External threats are threats from individuals outside the organization with no authorized access to the systems. In trying to categorize a specific threat, the result could be a combination of two or more threats. The attack might be structured from an external source, but a serious crime might have one or more compromised employees on the inside actively furthering the endeavor.
(Source)

There are many different examples of each type of network security threat. According to computerweekly.com, the top 5 corporate network security threats include:

  1. Viruses
  2. Virus Back Doors
  3. Application-specific hacks
  4. Phishing
  5. Blended Attacks

You have to be prepared at all times, for anything. Trust no one, don’t click on any emails. If you want your data to be completely secure, just toss it in a volcano. Don’t forget that you are also building a successful business while protecting your network security. There MIGHT be a better way…

Calculate Your Network Security Threat Risk

Is your company secure? How can you tell? It isn’t easy, but there is a way – you just need something to compare yourself to.

Back in 1901, the US Government gave us something called NIST, the National Institute of Standards and Technology.

NIST focuses on recommending standards for various industries and other government agencies in a wide variety of areas. It is a non-regulatory agency of the United States Department of Commerce. From cybersecurity to mammograms and advanced manufacturing, innumerable technologies, services, and products rely upon NIST expertise, measurement, and standards. https://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology

More recently, NIST introduced the NIST Cybersecurity Framework. This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk.  The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.

According to the NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, the Cybersecurity Framework is designed to reduce risk by improving the management of cybersecurity risk to organizational objectives. Ideally, organizations using the Framework will be able to measure and assign values to their risk along with the cost and benefits of steps taken to reduce risk to acceptable levels. The better an organization can measure its risk, costs, and benefits of cybersecurity strategies and steps, the more rational, effective, and valuable its cybersecurity approach and investments will be.

This is awesome news! But, this is also a lot of information and a lot to understand. Never fear, we have security consulting experts that can easily walk you through the process (as well as PCI, HIPAA, or any other necessary framework). For the sake of this article, and to understand where to begin, let’s start at the beginning according to NIST:

To manage cybersecurity risks, a clear understanding of the organization’s business drivers and security considerations specific to its use of technology is required. Because each organization’s risks, priorities, and systems are unique, the tools and methods used to achieve the outcomes described by the Framework will vary.

The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, and Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories – which are discrete outcomes – for each Function and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory.

Related: The CEO’s Guide to Penetration Testing

Start from the Beginning: IDENTIFY

Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

The activities in the Identify Function are foundational for the effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enable an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

Identify

  • Asset Management: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
  • Business Environment: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
  • Governance: The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
  • Risk Assessment: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
  • Risk Management Strategy: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
  • Supply Chain Risk Management: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.

Know Where You Are

We can help you begin at the beginning. We have two services that could potentially help with most of the items on the list. Our real-time vulnerability management service will help you identify all the assets on your network. Many companies do not know all the devices on their networks; this is very common! Our risk assessment service can help you assess where you are, identify any gaps, and even help you with ongoing compliance requirements.

Ready to get started? Let’s go! Schedule time with us today to discuss your specific needs.

NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) created the Cybersecurity Framework (CSF) in response to Executive Order 13636, which called for the development of a risk-based cyber security framework “to reduce cyber risks to critical infrastructure.”

The CSF provides a set of voluntary guidelines for organizations to use to assess and improve their cyber security posture. The cyber security services framework is designed to be flexible and adaptable, allowing organizations to tailor their approach based on their unique needs and capabilities.

NIST CSF technologies can be used by organizations of all sizes and across all industries. Organizations adopting the NIST CSF can improve their cyber security posture and better protect themselves against cyber threats.

What is NIST Cybersecurity Framework?

The National Institute of Standards and Technology (NIST) cybersecurity framework is an important cybersecurity risk management system that was developed to help organizations reduce cybersecurity risks. It provides a platform for organizations to create a cybersecurity program tailored to their specific needs by creating a set of actions to be taken in order to manage cybersecurity. The NIST cybersecurity framework helps provide guidance on how organizations can secure their systems and assets and protect any data stored on them from cyber threats. It also outlines possible indicators of potential vulnerabilities as well as best practices for managing cybersecurity risk within an organization. All these measures ensure the safety and security of any sensitive organizational data.

NIST Vulnerability Assessment

NIST Vulnerability Assessment is one of the main components of the framework. It provides a structured approach to assessing any existing cybersecurity risks and identifying potential vulnerabilities in an organization’s systems and networks. The NIST Vulnerability Assessment also helps organizations understand their own security posture, such as uncovering any weak or missing points of defense that may be present in their information systems. Furthermore, the NIST Vulnerability Assessment provides guidance on how to reduce existing threats by implementing and maintaining effective mitigation measures.

NIST Vulnerability Management

NIST Vulnerability Management is an integral part of the NIST cybersecurity framework. It includes the assessment and management of security vulnerabilities to ensure that threats are identified, managed, and mitigated in a timely manner. This helps organizations identify any potential risks before they become actual breaches or attacks on their systems. Furthermore, it helps create situational awareness about current threats and their sources, as well as provides guidance on how to respond to them.

Overall, the NIST Cybersecurity Framework provides organizations with a comprehensive approach to risk management and cybersecurity. It helps organizations identify existing risks, create plans for preventing potential breaches, and ensure that any vulnerabilities are detected and mitigated quickly.

NIST Data Loss Prevention

Data Loss Prevention (DLP) is one example of NIST CSF technology. DLP helps organizations protect their sensitive data from unauthorized access and use by ensuring that only authorized individuals can view or access the data. Additionally, it provides organizations with real-time notifications when data is transmitted outside of their networks, allowing them to take immediate action if necessary.

Framework for cybersecurity

The NIST CSF provides organizations with a comprehensive framework for implementing and maintaining cybersecurity procedures. The framework is composed of five core functions: Identify, Protect, Detect, Respond, and Recover. Each function consists of different categories and subcategories that help organizations address specific cybersecurity threats.

NIST Cybersecurity Self-Assessment Tool

Organizations can use the NIST CSF to assess their current cyber security posture and determine areas where additional measures may be needed. The NIST Cybersecurity Self-Assessment Tool (CSAT) is a web-based questionnaire that helps organizations identify potential vulnerabilities, gaps in their cybersecurity processes, and opportunities for improvement.

NIST CSF Technologies

NIST CSF technologies include a range of tools and services designed to help organizations improve their cyber security posture. These technologies include:

* Access control systems

* Intrusion detection and prevention systems

* Encryption and tokenization systems

* Security information and event management (SIEM) solutions

* Firewall configurations

* Endpoint protection solutions

* Network segmentation solutions

* Software and hardware asset management systems

* Identity and access management (IAM) solutions

* Mobile device management (MDM) solutions

* Data loss prevention (DLP) solutions

* Backup, replication, and disaster recovery services.

NIST Cybersecurity Checklist

Organizations can use the NIST CSF to create a tailored cybersecurity checklist specific to their organization. This checklist should include steps such as creating security policies and procedures, establishing user access control measures, regularly patching systems and applications, monitoring networks for malicious activity, implementing antivirus solutions, and performing regular security audits.

NIST CSF Implementation

Organizations should ensure that their NIST CSF implementation is comprehensive and up-to-date. This includes regularly reviewing the framework, updating policies and procedures to reflect changes in technology or threats, training staff on cyber security best practices, and conducting regular vulnerability assessments. Additionally, organizations need to continuously monitor their systems for potential vulnerabilities and malicious activity and take swift action whenever needed.

NIST CSF Compliance

Organizations should ensure they are up to date with their NIST CSF compliance requirements. This includes completing the self-assessment questionnaire, implementing all necessary security controls, documenting security processes and procedures, regularly testing for vulnerabilities, and reporting any incidents to the appropriate authorities. Additionally, organizations should create a cyber security incident response plan and regularly review and update it to ensure that they can respond quickly and effectively to any potential threats or incidents.

By following the NIST CSF framework and implementing the necessary technologies, organizations can protect their networks from cyber security threats while also meeting their compliance requirements. The NIST CSF is an essential resource for any organization looking to improve its cyber security posture.

NIST Cybersecurity Checklist

Organizations should use the NIST CSF to create a tailored cybersecurity checklist. This checklist should include steps such as:

* Developing and enforcing security policies and procedures

* Establishing user access control measures

* Regularly patching systems and applications

* Monitoring networks for malicious activity

* Implementing antivirus solutions

* Performing regular security audits

* Ensuring that all systems, applications, and services are up to date with the latest security patches

* Encrypting data both at rest and in transit

* Backing up data regularly to ensure business continuity.

Organizations should also create a cyber security incident response plan and regularly review and update it to ensure they can respond quickly and effectively in case of a security incident.

By following the steps outlined in the NIST CSF and implementing the needed technologies, organizations can improve their cyber security posture while meeting their compliance requirements. The NIST CSF is an invaluable resource for any organization looking to safeguard their networks from potential cyber security threats.

Improving Critical Infrastructure Cybersecurity with NIST

Critical infrastructure refers to the systems and assets essential for the functioning of a society or enterprise. This includes everything from energy and transportation to communication and healthcare. In recent years, there has been an increased focus on protecting critical infrastructure from cyberattacks. The National Institute of Standards and Technology (NIST) is a federal agency that develops standards and guidelines for information security management.

NIST 800-53 is a publication that provides guidance on security controls for information systems. This publication can be used by organizations to assess and manage cybersecurity risk. Organizations can improve their cybersecurity posture by implementing the recommended security controls and better protecting their critical infrastructure.

Organizations of all sizes need a solid security framework based on standards and best practices – a foundation to help you manage your cybersecurity-related risk.  These standards should address interoperability, usability, and privacy based on the needs of your business.

To help address current and future computer and information security challenges, Cybriant highly recommends that our customers adopt the NIST Cybersecurity Framework. NIST’s cybersecurity programs seek to enable greater development and application of practical, innovative security technologies and methodologies.


Watch Your Back: Why You Must Perform A Security Assessment

Part 2 of the Watch Your Back series: Why You Must Perform A Security Assessment

Last week we discussed why it is important to have a SIEM (Security Incident and Event Management) system, and why it is crucial for skilled Administrators to actively use and monitor it.  For a quick refresher, here is the article in Wired that sums up the presentation by Rob Joyce, Chief of NSA’s Tailored Access Operations, that inspired this series.  This week’s post will cover why your organization needs to perform a Security Assessment to analyze your organization’s operational risks.

One of the biggest issues facing organizations today is that security is an invisible attribute.  IT administrators will set up devices or services, configure the security parameters, and rarely, if ever, consider those security settings again.  Organizations routinely write policies for user access and infrastructure and never update them.  Systems are tested and vulnerabilities are discovered but left unresolved.  This is the “Set it and Forget it” Syndrome, and almost every organization suffers from it.  As Rob Joyce points out, Nation-State Hackers and Advanced Persistent Threats (APTs) rely on exactly these issues, and unfortunately, we make their jobs easy by not assessing our systems and processes regularly.

Everyone has blind spots that cause them to overlook important issues.  Infrastructures constantly change, which introduces new vulnerabilities, while new methods of attack are discovered or invented daily.  What was secure yesterday is often not secure today.  Periodic assessments help your organization identify these blind spots so your teams can design an effective security program.  Assessments also help determine the best methods to prevent a breach and protect assets and corporate reputations.

Why perform a periodic Security Assessment?

Organizations are increasingly bound by governmental regulations that dictate what security measures must be in place and how they are to be audited.  PCI, FISMA, Sarbanes-Oxley, HIPAA, NERC, and GSA among others all dictate how to secure different types of data and the systems that manage them.  These regulations also require regular security posture assessments.

While regulations are often the driving factor, they aren’t the only reason why an organization should perform (or better yet, have a third party perform) periodic assessments of their infrastructure.  A Security Assessment is the equivalent of an organization’s State of the Union.  It is a report that looks at every aspect of security and details the severity and potential impact of risks to the company.  Furthermore, it produces the fundamental information required to create a roadmap to a successfully secure business.  To navigate to any destination you must first know where you are.

What should be assessed?

To begin, most organizations only focus on IT data systems or penetration tests during Security Assessments, and this is where things go wrong very quickly.  Yes, it is important that the firewall blocks bad guys and workstations are kept secure, but what about phone systems or printers?  Will your users recognize and report a phishing email attempt?  What is the process for when an employee exits your organization? Did anyone remember to disable their key card to the building?  A thorough Security Assessment will go beyond the typical IT systems assessment.  Here is a list of security domains that should be considered during a Security Assessment:

* Access Control

* Information Governance and Risk Management

* Infrastructure Architecture and Design

* Cryptography

* Operations Security

* Network and Telecommunications Security

* Disaster Recovery and Business Continuity Plans

* Governmental Regulations

* Incident Management Policies and Procedures

* Physical Security

* IT Security Training Programs

* Network Boundaries

What about after the Security Assessment?

It is shocking to think that most companies will pay for a third party to audit their systems, processes, facilities, and personnel, and then do nothing to resolve the discovered issues.  This is exactly what Rob Joyce points out in his video.  A high percentage of companies fail to close the gaps discovered during security audits.  A vulnerability of any size is important, no matter where it exists.  All an APT really needs is a toehold.  Once one is presented, no matter how small, attackers will use it to gain access to your company’s data.

Once you have received your assessment results, it is imperative to either fix the discovered issues or create compensating controls that prevent those issues from being exploited.  As Rob Joyce points out in his video, most companies and organizations fail to act even after issues have been discovered, documented, and reported.  Joyce also says not to assume any crack in your defenses is too small or insignificant to be exploited.  These toeholds are exactly what Advanced Persistent Threats are looking for in your environment.

Companies put a lot of effort into securing revenue streams, banking information, and payroll information by default. These areas, they feel, are important to protect.  Accountants frequently audit the bank and company for fraudulent activities.  It’s time that companies added IT security to this list of very important, very well-understood activities.  Yearly assessments should be the norm and the findings should be well communicated within companies.  IT security cannot be the sole responsibility of a few guys in the back of the building.

The journey to a secure organization begins with the first step.  Your first step should be a Security Assessment to know where to place your foot, and how to find the path ahead.  Contact Cybriant to begin your journey.

Top Cyber Security Testing Tools