There have been many publicized victims of breaches recently. There can often be a lot of conjecture as to what happened, how it happened, and why it happened.
Did they have security controls in place? Are they getting accurate information? Is the information they are getting actionable? Is anyone actually actioning this actionable information?
These are all questions that we, as security practitioners, should be asking ourselves on a daily basis. Each of them points to the same conclusion: security and compliance cannot just be a check-box item anymore.
For example, within my organization, my security team and I may have satisfied all the audit requirements: reporting on vulnerabilities, reporting on changes in my environment, and logging all my events of interest. However, what is happening with that information?
Are those reports just being filed away so that when the audit team rolls around they can give me my customary passing check mark, or are the findings actually being remediated?
What systems am I covering in my organization? Am I only covering the 10% of my systems that are within scope of my audit? What if an attacker leverages an out-of-scope system within my organization as a stepping stone towards my more critical assets? Do I even know what systems are on my network? Do I know what software is installed on those systems? Is that software patched and secured?
As a security practitioner in your organization, I encourage you to take a minute and answer these questions to yourself. Answering these questions is a great first step towards building a deeper understanding of the surface area of risk within your organization.
Let’s take a minute to look at this from the keyboard of an attacker. If I were to target your organization, I’m looking for the low-hanging fruit:
- What systems has this organization forgotten about?
- What vulnerabilities are on these systems?
Chances are if they have been forgotten about, there are some vulnerabilities I can exploit with great ease!
Is this organization monitoring for changes on their network? If not, I can turn off logging and create my own back doors without anyone noticing!
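The questions above boil down to two defensive checks: do we know every system on the network, and would we notice if one of them stopped sending logs? The following Python script is an added illustration, not code from the original post or from Tripwire. It reconciles a constructed asset inventory against hosts observed on the network, reports inventoried hosts that sit outside the audit scope, and flags inventoried hosts whose log feed has gone quiet. The hostnames, timestamps, scope flags and the one-hour silence threshold are all assumed sample values.

```python
from datetime import datetime, timedelta

# Constructed authoritative asset inventory (hypothetical data):
# hostname -> whether the host is inside the audit scope, and who owns it.
INVENTORY = {
    "web01": {"in_audit_scope": True, "owner": "app-team"},
    "db01": {"in_audit_scope": True, "owner": "dba"},
    "jump02": {"in_audit_scope": False, "owner": "ops"},
    "fileserver03": {"in_audit_scope": False, "owner": "unknown"},
}

# Constructed list of hosts actually observed on the network
# (e.g. from a discovery scan or DHCP lease export).
OBSERVED_HOSTS = ["web01", "db01", "jump02", "legacy-ftp"]

# Constructed collector state: hostname -> timestamp of the last event received.
# fileserver03 has never sent a single event.
LAST_LOG_EVENT = {
    "web01": "2014-08-10T09:58:00",
    "db01": "2014-08-10T09:59:10",
    "jump02": "2014-08-09T21:00:00",
}


def reconcile_inventory(inventory, observed):
    """Compare what we think we own with what is really on the wire.

    Returns (unknown, out_of_scope):
      unknown      - hosts seen on the network but absent from the inventory,
                     i.e. the 'forgotten' systems an attacker looks for first;
      out_of_scope - inventoried hosts no audit ever looks at, which are still
                     reachable stepping stones toward in-scope assets.
    """
    unknown = sorted(h for h in observed if h not in inventory)
    out_of_scope = sorted(h for h, meta in inventory.items() if not meta["in_audit_scope"])
    return unknown, out_of_scope


def silent_log_sources(inventory, last_event, now, max_gap=timedelta(hours=1)):
    """Find inventoried hosts whose log feed has stopped.

    A source that has sent nothing for longer than max_gap (or never at all) is
    exactly what a defender must alert on: logging being switched off is
    indistinguishable from a crashed agent until someone looks.
    Returns a list of (hostname, gap) where gap is None for a never-seen host.
    """
    silent = []
    for host in sorted(inventory):
        stamp = last_event.get(host)
        if stamp is None:
            silent.append((host, None))
            continue
        gap = now - datetime.fromisoformat(stamp)
        if gap > max_gap:
            silent.append((host, gap))
    return silent


def coverage_report(now):
    """Assemble the three findings into one structure for printing or asserting."""
    unknown, out_of_scope = reconcile_inventory(INVENTORY, OBSERVED_HOSTS)
    silent = silent_log_sources(INVENTORY, LAST_LOG_EVENT, now)
    return {"unknown": unknown, "out_of_scope": out_of_scope, "silent": silent}


if __name__ == "__main__":
    # Constructed 'current time' so the sample data produces stable results.
    report = coverage_report(datetime(2014, 8, 10, 10, 0, 0))
    print("Hosts on the network but not in the inventory:", report["unknown"])
    print("Inventoried hosts outside the audit scope:", report["out_of_scope"])
    for host, gap in report["silent"]:
        print(f"No logs from {host} for {'ever' if gap is None else gap}")
```

In a real deployment the three inputs would come from a CMDB export, a discovery scan and the log collector's per-source statistics; the logic stays the same, and the silence check is the one that catches an attacker who disables logging after gaining a foothold.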
What We Need to Do as Defenders:
As defenders of our organization, we need to ensure that we are establishing an appropriate secure technology culture within our organizations. As more and more breaches are being publicized, business owners are becoming more aware of the risk associated with poor security practices.
Now is a great time to leverage a framework such as the Top 20 Critical Security Controls to get the support of key executives.
For more information, check out this post on Demonstrating Enterprise Commitment to Best Practice and Using the Top 20 Critical Security Controls to get Your CFO’s Attention.
If we treat information security as more than just a checkbox, we can make this world more secure one network at a time!
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].