Strong Security - Technology Isn't Everything
By Michael Meyer, CRO and CSO, MRS BPO, LLC
How many times have you heard: buy this technology and all of our (and your) worries and problems go away? Maybe it sounded like this instead: this is the latest and greatest technology; we need it to solve every security issue. So, will any one technology completely secure a business? How can I break this gently to you? No! To completely secure a business (if that is even possible) requires multiple layers of defenses using different tools, techniques, and technologies. These layers need to be woven and interlocked together to create a true "defense in depth." The goal of defense in depth is to reduce the overall attack surface and to make sure that no single weakness an attacker discovers is enough to get in. To strengthen your security, follow the 'Ten P's of Protection.'
The best way to protect your company is to prevent attacks in the first place with a defined plan. Coordinating everything into a cohesive whole is the role of management. Management's importance to strong security is often overlooked and lost in the noise of having to buy things. Management of security is critical, yet it is rarely named as a cause, or even a contributing cause, of a breach, even when it should have been. Security is no different from other essential functions in an organization: the best way to manage it is to dedicate management and staff to it. If you cannot do that because of cost or company size, then work with an outsourcer to help mitigate this management risk. Most larger companies have already split out, or are planning to split out, dedicated senior management roles and responsibilities for security.
We all know that people are the most important assets we have. So, do you push your security staff to learn more? Do you really encourage and expect your staff to learn and know more a year from now than they do today? Do you expect them to earn a certification? Do you set the example for them? Security people are hard to find and getting harder to afford, so do you try to grow your own staff to fill vacant roles? Knowledge is available everywhere now through channels such as YouTube, iTunes, Udemy, Coursera, and many others; encourage your staff to use them. Once you encourage your security staff to grow and learn, your company will be more secure as a result.
Policy and Procedures
Policies and procedures for security are something a lot of companies don't have, or could do a lot better at. Some have a one- or two-page document for the entire company, and some ask why bother creating and updating documentation when it changes so often. These are valid points only if you have a very small company. For most of us, this lack of documentation creates a gap in our security. So, what do you really need to have documented at a minimum? Probably the most important technical pieces of security documentation are the physical and logical network maps, along with all of the controls you have in place to protect your physical offices and your data. Normally, this information runs 5 to 10 pages at a minimum. Then you need to document what happens when you suspect an attacker has gotten in (incident response) and what you will do if an actual breach is confirmed. These two documents run about another five pages at a minimum. Keep them current: a network map that no longer matches the network, or an incident response plan that names people who have left, is little better than none.
Practice and Play
Too often, the only time security staff get to actually work on equipment and configurations is during a production issue. Some companies have a test environment for developers, but few have a duplicate test environment for security, even one built from older equipment. This is a challenge worth overcoming, because the best way to learn security is through practice: playing with configurations to see what happens. The value of this cannot be overstated, because when an issue occurs in real life (and it will), the person who has practiced will usually solve it much faster than the person who has not had that hands-on experience. Said another way, increased experience translates directly into increased confidence and capability, which results in reduced downtime and lost revenue.
There are many simple process controls that can stop hackers in their tracks without spending a dollar. Some financial examples: requiring dual authorization for all international wires over a certain amount, requiring senior management approval before a new international vendor is added to the accounts payable system, and giving Finance staff explicit permission to question any email involving money or banking information that appears to come from C-level or senior management (even when it is marked urgent or emergency). Another example: most of the people reading this article can still send an email or a data file from their company's systems to any number of hostile or hacker-friendly countries without it being blocked, and most companies still allow those same countries to email their corporate users. So, is it any wonder that hackers can get into companies and get information out so easily? If your business still allows unrestricted data transfers to these countries, it is well past time to put some blocks in place. As an added measure, block every country you are not doing business with or do not need for tech support, and review the exception list as business needs change. Country blocking is one layer, not a complete answer, since attackers can route through infrastructure in allowed countries, so keep the other controls in place too. This is not rocket science, but common sense.
Penetration and Vulnerability Testing
No matter how good you think your outer (external) defenses are, you need to test them to make sure they are working and can withstand an attack. Penetration testing not only looks for holes, gaps, or weaknesses in your defenses (like an open window or door) but actually tries to go through that opening (penetrate) and see what else it can reach, just as a hacker would. It goes as far into your defenses as the agreed scope and rules of engagement allow, to show the full extent of the damage a real attacker could do, without harming anything. This test is usually run once a year because of its expense, the time it takes, and the potential impact on systems. When this kind of extensive testing is not being done because of cost or potential impact, an easier, non-intrusive test called vulnerability scanning can be used instead. Scanning is quite effective at finding surface holes, gaps, and weaknesses, though unlike a penetration test it reports what might be exploitable rather than proving that it is, so its results need review and prioritization. It should be run quarterly at a minimum, and after any significant change to the environment. It is a great low-cost, low-impact option, whereas penetration testing can be very expensive. Quarterly scanning may seem excessive to some, but hackers are getting better, so you want to find the issues before they do, so that you can fix them.
If you have any technology device, even a smartphone, you must keep it up to date with patches (updates) and current versions. Why? Software always has weaknesses, and over time even more of them will be found; a patch you have not applied is a weakness the hackers already know about.
Just in case you do join the unfortunate ranks of those who have been hacked, make sure your insurance coverage covers breaches and their associated costs. Why? Many policies do not cover breaches directly, so it is best to ask before something happens, so that you are prepared.
Even if you have everything mentioned here in place, there needs to be a quality or audit process that checks the security processes and their monitoring. Instead of a team, this monitoring could be performed by one person who is very detail-conscious. As a recent example of why this monitoring is necessary, some individuals and companies constantly search for unsecured Amazon S3 buckets. When they find one, they publish the weakness in the press for everyone to see, harming the company that has the weakness (even when the data was not breached or taken). They do this under the guise of a public service, but they are often selling security monitoring services for cloud-based data. Since your company is in their crosshairs, your defenses must be perfect and work every time, whereas these individuals, or actual hackers, only have to find a problem with your defenses once.
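The S3 example above is exactly the kind of check an audit process can run on a schedule rather than waiting for someone else to find the bucket first. The following is an added example, not code from the article, that decides whether a bucket is publicly reachable from the three settings that together control it: the bucket-level Public Access Block, the bucket ACL, and whether the bucket policy is public. The decision logic works on the dictionaries that the boto3 calls get_public_access_block, get_bucket_acl and get_bucket_policy_status return, so it runs offline on the constructed sample responses included below; only fetch_bucket_state() talks to AWS (it needs boto3 and credentials, and the owner ID and bucket names are placeholders). The account-level Public Access Block (set through s3control) is not checked here.

```python
"""Added example (not from the article): is an S3 bucket publicly exposed?

Evaluates the bucket-level Public Access Block, the bucket ACL, and the
bucket policy's public status. The logic operates on the dicts boto3 returns,
so it runs offline on the constructed samples at the bottom; only
fetch_bucket_state() calls AWS. Account-level Public Access Block is not
covered here.
"""
from __future__ import annotations

# ACL grantees that mean "anyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTHENTICATED_USERS}


def public_acl_grants(acl: dict) -> list[str]:
    """Permissions the ACL grants to a public group, e.g. ['READ']."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            found.append(grant["Permission"])
    return found


def evaluate_bucket(pab: dict | None, acl: dict, policy_status: dict | None) -> list[str]:
    """Return findings for one bucket; an empty list means no exposure found.

    pab           -- PublicAccessBlockConfiguration, or None if the bucket has none
    acl           -- the get_bucket_acl response
    policy_status -- PolicyStatus from get_bucket_policy_status, or None if no policy
    """
    findings = []
    pab = pab or {}
    # A public ACL grant is neutralised only when IgnorePublicAcls is on.
    grants = public_acl_grants(acl)
    if grants and not pab.get("IgnorePublicAcls", False):
        findings.append("ACL grants %s to a public group and IgnorePublicAcls is off" % ", ".join(grants))
    # A public bucket policy is neutralised only when RestrictPublicBuckets is on.
    if policy_status and policy_status.get("IsPublic") and not pab.get("RestrictPublicBuckets", False):
        findings.append("bucket policy is public and RestrictPublicBuckets is off")
    # Report missing guardrails even if nothing is public today, so the next
    # misconfiguration cannot silently make the bucket public.
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    missing = [k for k in keys if not pab.get(k, False)]
    if missing:
        findings.append("Public Access Block not fully enabled: missing " + ", ".join(missing))
    return findings


def fetch_bucket_state(bucket: str, s3=None):
    """Collect evaluate_bucket()'s inputs from AWS. Requires boto3 and credentials."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = s3 or boto3.client("s3")
    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None  # no bucket-level block configured at all
    acl = s3.get_bucket_acl(Bucket=bucket)
    try:
        policy_status = s3.get_bucket_policy_status(Bucket=bucket)["PolicyStatus"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy_status = None  # bucket has no policy, so it cannot be public via policy
    return pab, acl, policy_status


# Constructed sample responses (placeholder owner ID; these are not real buckets).
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef"}
OPEN_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    samples = {
        "exposed-bucket": (None, OPEN_ACL, {"IsPublic": True}),   # world-readable, no guardrails
        "blocked-bucket": (FULL_BLOCK, OPEN_ACL, {"IsPublic": True}),  # bad ACL/policy, but blocked
        "private-bucket": (FULL_BLOCK, PRIVATE_ACL, None),
    }
    for name, state in samples.items():
        print(name, evaluate_bucket(*state) or ["OK"])
```

Run against real buckets with evaluate_bucket(*fetch_bucket_state(name)) for each bucket returned by list_buckets, and treat any non-empty result as a ticket. Note that "blocked-bucket" reports nothing: a public ACL or policy is harmless while the Public Access Block is fully on, which is why the block is the setting to monitor most closely.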
Continually improving all of the above areas will help you stay ahead of the hackers, because they are always getting better. If you choose not to keep improving, then the hackers will eventually find you and make you their prey.
Welcome to the new era of cyber warfare. Get smart or get hacked…the choice is yours.