Part 2 of the Watch Your Back series: Why you Must Perform A Security Assessment
Last week we discussed why it is important to have a SIEM (Security Information and Event Management) system, and why it is crucial for skilled administrators to actively use and monitor it. For a quick refresher, here is the article in Wired that sums up the presentation by Rob Joyce, Chief of NSA’s Tailored Access Operations, that inspired this series. This week’s post covers why it is important for your organization to perform a Security Assessment to analyze its operational risks.
One of the biggest issues facing organizations today is that security is an invisible attribute. IT administrators set up devices or services, configure the security parameters, and rarely, if ever, revisit those settings again. Organizations routinely write policies for user access and infrastructure and never update them. Systems are tested and vulnerabilities discovered but left unresolved. This is the “Set it and Forget it” Syndrome, and almost every organization suffers from it. As Rob Joyce points out, nation-state hackers and Advanced Persistent Threats (APTs) rely on these issues, and unfortunately we make their jobs easy by not assessing our systems and processes regularly.
Everyone has blind spots that cause them to overlook important issues. Infrastructures constantly change, which introduces new vulnerabilities, while new methods of attack are discovered or invented daily. What was secure yesterday is often not secure today. Periodic assessments help your organization identify these blind spots so your teams can design an effective security program. Assessments can help determine the best methods to prevent a breach, as well as to protect assets and corporate reputations.
Why perform a periodic Security Assessment?
Organizations are increasingly bound by governmental regulations that dictate what security measures must be in place and how they are to be audited. PCI, FISMA, Sarbanes-Oxley, HIPAA, NERC and GSA, among others, all dictate how to secure different types of data and the systems that manage them. These regulations also require regular assessments of an organization’s security posture.
While regulations are often the driving factor, they aren’t the only reason an organization should perform (or better yet, have a third party perform) periodic assessments of its infrastructure. A Security Assessment is the equivalent of an organization’s State of the Union. It is a report that looks at every aspect of security and details the severity and potential impact of each risk to the company. Furthermore, it produces the fundamental information required to create a roadmap to a secure business. To navigate to any destination you must first know where you are.
What should be assessed?
To begin, most organizations focus only on IT data systems or penetration tests during Security Assessments, and this is where things go wrong very quickly. Yes, it is important that the firewall blocks bad guys and that workstations are kept secure, but what about phone systems or printers? Will your users recognize and report a phishing attempt? What is the process for when an employee leaves your organization? Did anyone remember to disable their key card to the building? A thorough Security Assessment goes beyond the typical IT systems assessment. Here is a list of security domains that should be considered during a Security Assessment:
Information Governance and Risk Management
Infrastructure Architecture and Design
Network and Telecommunications Security
Disaster Recovery and Business Continuity plans
Incident Management Policies and Procedures
IT Security Training Programs
What about after the Security Assessment?
It is shocking to think that most companies will pay a third party to audit their systems, processes, facilities, and personnel, and then do nothing to resolve the discovered issues. This is exactly what Rob Joyce points out in his video: a high percentage of companies fail to close gaps discovered during security audits. A vulnerability of any size is important no matter where it exists. All an APT really needs is a toehold. Once one is presented, no matter how small, attackers will use it to gain access to your company’s data.
Once you have received your assessment results, it is imperative to either fix the discovered issues or put compensating controls in place to prevent them from being exploited. As Rob Joyce points out in his video, most companies and organizations fail to act even after issues have been discovered, documented, and reported. Joyce also says not to assume that any crack in your defenses is too small or insignificant to be exploited. These toeholds are exactly what Advanced Persistent Threats are looking for in your environment.
Companies put a lot of effort into securing revenue streams, banking information, and payroll information by default. These areas, they feel, are important to protect. Most companies have a provision in their employee handbooks instructing employees not to discuss salary information with fellow employees. We don’t often find this level of care and communication when it comes to IT security. Accountants frequently audit the bank and the company for fraudulent activity. It’s time companies added IT security to this list of very important, very well understood activities. Yearly assessments should be the norm, and the findings should be well communicated within the company. IT security cannot be the sole responsibility of a few guys in the back of the building. Every employee has to be involved, because every employee is a target.
The journey to a secure organization begins with the first step. Your first step should be a Security Assessment to know where to place your foot, and how to find the path ahead.