Stop focusing your information security efforts on the wrong things!
There once was a time not all that long ago when security teams could plead ignorant to IT security risks, with minimal possible consequence in terms of any significant damage coming to the company. Those days are long gone. We’ve reached an era where the "I see nothing" perspective no longer works for network security. In today’s era of advanced cyberattacks, information security is too important an element of business success to dismiss.
In fact, ignorance of information security matters is prohibitively costly, as regulators can use it to justify the imposition of fines. Take GDPR’s penalty scheme, for example. Is ignorance of digital security worth €20 million or 4 percent of an organization’s global annual revenue? That’s just one data protection standard -- others such as Australia’s Notifiable Data Breaches (NDB) scheme and the NY Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Institutions come with their own fines and penalties. Given that we’re also in the era of insufficient resources, the challenge for security teams is how to deploy limited resources to have the greatest impact. As the title of this post makes clear, the obvious answer is to stop spending time on the wrong things.
Start with the Golden Triangle of People, Process, and Technology
Organizations know they need to do something for information security. However, not all of them know exactly what to do. Part of the problem could be that they haven’t prioritized the right projects or properly aligned their security program with their business processes. These misalignments may, in turn, breed security distractions with their people, process, and technology:
- People: Without proper direction, security professionals may underestimate certain threats and overestimate others. They might also lack the necessary infosec knowledge and experience to protect the organizations against a variety of exploit vectors that threaten the business every day.
- Process: Organizations might not integrate effective IT metrics into their processes, or, out of confusion about which processes matter, they might fund so many different projects that few of them can be completed correctly. Companies might also focus on compliance rather than security. Through compliance, organizations can fulfill requirements specified by PCI, HIPAA and other regulations, but compliance alone doesn’t ensure that organizations can maintain these same levels of security over time or implement sufficient security controls based on the needs of the business.
- Technology: Not all solutions are equipped to handle today’s digital security challenges. Some are well suited to defend only against old threats or are tuned only to a specific type of attack. Such shortcomings can produce deep holes in an organization’s network visibility.
The security distractions discussed above are all indicators of a misdirected security policy. As related by the SANS Institute, the overarching point of a security policy is to identify an organization’s goal for security. This policy should be sufficiently flexible to account for new threats, with every remediation effort acting in the service of the greater security goal. It also needs to discuss auditing processes for security as well as account for the interests of employees, third-party companies, and the business goals of the organization. There is no room for tangents or side-projects. Risk assessments, employee education, and what to do in response to security violations must take center stage.
With a well-crafted security policy, organizations can focus on the right things. These priorities vary from business to business based on their goals. But certain common denominators stand out, as described below.
Insiders As the Most Common Source of Data Breaches
Reality doesn’t always match organizations' expectations about digital risk. For instance, companies are prone to think that the greatest risk comes from external attackers. That’s not true.
Netwrix found in its third annual IT risks survey that insiders are far more dangerous than hackers, with physical damage most commonly resulting from malicious internal activity or from honest mistakes, negligence, or sheer bad luck involving employees. Half of the breaches analyzed resulted from errors caused by regular business users, which matches the Netwrix finding that nearly half (44 percent) of respondents either did not know or were unsure how their employees generally interact with sensitive files. This oversight made it possible for simple mistakes committed by regular business users, IT team members, and mid-level managers to become the leading cause of data loss (50 percent), data breaches (29 percent), and property theft (22 percent). Human errors were also the second greatest cause of system disruptions.
The results of Netwrix’s survey reveal that many companies don’t know what’s going on in their IT environment, especially when it comes to how insiders are interacting with critical systems and data. It doesn’t have to be this way. Organizations can respond by monitoring employee behavior, investing in ongoing security awareness training and implementing access controls. These measures don’t just stem the tide of human errors; they also help grow the organization’s security culture with trained employees as the first line of defense.
Organizations Need To Take Information Security Basics Seriously
Business values play a significant part in shaping an organization’s information security program, meaning the framework at one company will likely differ from one at another. Despite these differences, the same security controls tend to make up the heart of any robust information security program. This means that organizations would do well to take the basics seriously if they want to mitigate their own digital risk.
There are many different fundamentals on which organizations can focus their information security efforts. Three, in particular, stand out:
- Unapproved IT Systems: Companies can’t adequately protect their assets if they don’t know they’re there. That’s why organizations need to keep an up-to-date inventory of all authorized hardware and software connected to the network. They could place themselves in an even better position by establishing a secure baseline configuration for all of these assets and monitoring for changes, both approved and unapproved.
- Patching: No organization has the ability to apply every software patch quickly. Companies should, therefore, consider developing a vulnerability management program that in part analyzes security flaws and prioritizes them based on their assessed threat level. Businesses can then use that ranking to develop a patching schedule. Before rolling a patch out, organizations should also test it and verify it won’t adversely affect the network.
- Vulnerability Management: Organizations can make their digital presence more secure by launching a bug bounty program through platforms such as HackerOne or Bugcrowd. These frameworks help companies work with the larger information security community to plug holes they otherwise might not discover on their own. Companies should also look into security-by-design and DevSecOps if they maintain applications and/or containers.
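The inventory and baseline check described under "Unapproved IT Systems" above, as an added example that is not part of the original post: it reconciles what a scan observed against the authorized asset list and a baseline of configuration hashes. All hosts, packages and hash values are constructed placeholders.

```python
"""Added example (not from the original post): reconcile an observed network
inventory against the authorized asset list and a baseline configuration.
Every host, package name and hash below is a constructed placeholder."""
from dataclasses import dataclass, field

# Constructed authorized inventory: host -> set of approved software
AUTHORIZED = {
    "web-01": {"nginx 1.24", "openssl 3.0"},
    "db-01": {"postgresql 15"},
}
# Constructed baseline: host -> {config path: expected hash (placeholder)}
BASELINE = {
    "web-01": {"/etc/nginx/nginx.conf": "hash-a"},
    "db-01": {"/etc/postgresql/postgresql.conf": "hash-b"},
}

@dataclass
class Findings:
    unauthorized_hosts: list = field(default_factory=list)   # hosts not in inventory
    unapproved_software: list = field(default_factory=list)  # (host, package)
    config_drift: list = field(default_factory=list)         # (host, path)

def reconcile(observed, authorized=AUTHORIZED, baseline=BASELINE):
    """observed: host -> {"software": set, "configs": {path: hash}} from a scan."""
    f = Findings()
    for host, data in observed.items():
        if host not in authorized:
            f.unauthorized_hosts.append(host)   # asset nobody approved
            continue
        for pkg in sorted(data["software"] - authorized[host]):
            f.unapproved_software.append((host, pkg))
        for path, expected in baseline.get(host, {}).items():
            # a missing file counts as drift too: .get() returns None
            if data["configs"].get(path) != expected:
                f.config_drift.append((host, path))
    return f

# Constructed scan result: a rogue host, one extra package, one drifted config
OBSERVED = {
    "web-01": {"software": {"nginx 1.24", "openssl 3.0", "telnetd"},
               "configs": {"/etc/nginx/nginx.conf": "hash-a"}},
    "db-01": {"software": {"postgresql 15"},
              "configs": {"/etc/postgresql/postgresql.conf": "hash-changed"}},
    "unknown-box": {"software": set(), "configs": {}},
}

if __name__ == "__main__":
    print(reconcile(OBSERVED))
```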
Even with those security measures, organizations can still suffer a security incident. Companies, therefore, need to make sure they protect themselves against advanced threats with AI-powered network security technology. These solutions provide high fidelity insights into the entire breach chain and thereby help security teams prioritize their incident response efforts.
Companies can go a long way towards improving security effectiveness by having a clear security policy in place, aligning people, process, and technology to that policy and minimizing distractions, knowing what’s connected to the network, taking care of the basics, and adopting emerging technology designed to detect today’s ever-changing advanced threats.
Jeff Michael is a seasoned security professional with nearly 20 years in penetration testing, security assessments, malware reverse-engineering, and forensics investigations. Jeff is considered a Subject Matter Expert in computer forensics and investigations, is a regular presenter at security conferences, and has developed security training courseware including "Hacking Exposed" and "Forensic Analysis 101." As a subject matter expert he has assisted in numerous international and criminal investigations. He is currently working as a Senior Solutions Architect for Lastline. Prior to joining Lastline he was a Senior System Engineer at Hexis Cyber Solutions and has been a consultant for FireEye, NetWitness, NetForensics, Verisign, ISS, and other security firms. Mr. Michael graduated from Purdue University with a bachelor's degree in Electrical Engineering. He holds the following certifications: CISSP, CCSI, CCSE+, CCSE, CCSA, NSA, NCSE, NCSA, ICE.