Another company is in the news. Citibank has had a major breach of customer data. 

Articles are pouring in from armchair-quarterback security professionals pointing out the company's mistakes and cybersecurity failures. 

Personal Experience

In Minnesota, one of our largest companies had a major breach back in 2013. They were in the news, they were being talked about in all the magazines, on Wall Street, and even at our security association meetings. Heck, they even had to speak to the U.S. Senate!


During the time the company was going through the breach, I remember networking with other professionals at one of these security association chapter meetings. I was trying to meet folks I hadn’t known before. During this networking time, someone started spouting about this major breach and how ‘stupid’ they were. What a ‘dumb’ mistake it was. I felt really uncomfortable but didn’t say anything. Once he was done spouting about all the things he would have done differently, a gentleman from our networking circle stepped forward and introduced himself as the new CISO of that company. He was calm, collected, and didn’t take offense. 

That impacted me. That was the kind of person I wanted to be, and that was the company I wanted to work for. 

Opportunity

One of the greatest catalysts of opportunity you can take is going to work for a company that has recently had a cybersecurity breach. 


After working for that company for a couple of years, I learned how they made monumental improvements. I was able to participate in a culture of rapid change in both culture and technology, and a changing of the guard from the old way of doing security to the new way. The biggest change I witnessed during my time there was:

They continually discussed threats at every level of the risk chain. 

Standards Are Not Enough

Growing up in security, I found my rhythm was to build a security standard for technology and then vulnerability scan it. There was a time when I believed this one-two punch was all I needed to do to secure the data, the application, and the business. 

It sounds easy, but even applying that security methodology consistently in a one or two-person shop was time-consuming and difficult to manage. The biggest challenge was tuning a security standard, like CIS, to be as secure as it could be without disrupting production. Working with the technology director, who was willing to partner with security, we agreed on a systematic approach that slowly cranked up the security standard a couple of notches year over year. We tried to impact existing technology lightly, and hold a high security standard on new technology where we were confident we could defend the ‘why’. 

Mature Security

One of the biggest differences of a ‘mature’ security program that I witnessed was the caliber of professionals, the distributed niche security abilities, and the collaboration and sharing that happened across the teams. 

This is in addition to the obvious ‘security spend’ that was invested in people and technology. 

What differentiates a ‘mature’ program from a ‘basic’ program is the focus on the data risk instead of a focus on securing the technology.


A risk approach that follows the data from where it is ‘born’ and inspects it every place it visits until it is ‘destroyed’ or ‘dies’ is the single greatest security practice there can be. 

Only when you first understand where the data is, how it gets there, what processes it, what hands it off, where it’s stored, who edits it, and what internal and external partners get it will you have a full inventory of the systems and technology stack that need to be reviewed for security. 

My old way of doing ‘security’, hardening the operating system, was only a single step in what could have been a very wide exposure of data. 

Table Top Threats

One way you can move towards this ‘mature’ security methodology is by creating a security culture that collaborates to brainstorm and generate ideas and threats that could potentially take place. This is called a ‘tabletop’ exercise. 

Bring people together from security and the business. Someone who uses the system and knows what kinds of access, data, processes, and communications happen is critically important. 


Pick applications that have a higher risk in your asset databases. 

Kick it off by discussing the application at a high level, what systems and servers it resides on and then whiteboarding everything else you know about it. 

Have some security tools available to pull up ACLs, IP addresses, and existing firewall rules. Scan what ports are open, and see what other applications or data exist on the resources. 

Pull up threat databases, and vulnerabilities databases and search for the application name and version. 

Work with vendor contacts to check for known best practices, or historical incidents or breaches that others have had. 

Spend a couple of one-hour sessions reviewing the system and collecting a mess of information. Assign someone at the end to organize the data into a document. 

Determine if additional protection and security capabilities need to be addressed. 

Decide the next scheduled time to meet to review the information and check for changes to the system. Oftentimes this is six months for ‘high’ risk systems or a year for ‘medium’. 
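To make the ‘follow the data’ inventory and the tabletop review cadence concrete, here is a small added example (my own illustration, not the author's tooling). It walks a constructed data flow from the system where a record is ‘born’ to where it is ‘destroyed’, lists every system the data touches, flags the ones no tabletop session has covered yet, and computes the next review date from the six-month/one-year cadence above. All system names and dates are constructed samples.

```python
"""Follow-the-data inventory for a tabletop exercise (added example)."""
from datetime import date, timedelta

# Constructed data flow: each entry lists the systems a record moves to next.
FLOW = {
    "web-checkout": ["order-api"],            # where the record is 'born'
    "order-api": ["orders-db", "fraud-vendor"],
    "orders-db": ["reporting-etl", "backup-vault"],
    "reporting-etl": ["bi-warehouse"],
    "fraud-vendor": [],                       # external partner copy
    "backup-vault": ["shred-job"],
    "bi-warehouse": [],
    "shred-job": [],                          # where the record is 'destroyed'
}

# Review cadence from the post: six months for 'high', a year for 'medium'.
REVIEW_INTERVAL_DAYS = {"high": 182, "medium": 365}


def systems_touching_data(flow, origin):
    """Walk the flow from the origin and return every system the data visits."""
    seen, stack = [], [origin]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.append(node)
        stack.extend(flow.get(node, []))
    return seen


def unreviewed_systems(flow, origin, reviewed):
    """Systems on the data's path that no tabletop session has covered yet."""
    return [s for s in systems_touching_data(flow, origin) if s not in reviewed]


def next_review(last_review, risk):
    """Next scheduled tabletop date for a system in the given risk tier."""
    return last_review + timedelta(days=REVIEW_INTERVAL_DAYS[risk])


if __name__ == "__main__":
    # Only the hosts whose operating systems were hardened, the 'old way'.
    covered = {"web-checkout", "orders-db"}
    print("Data touches:", systems_touching_data(FLOW, "web-checkout"))
    print("Not yet reviewed:", unreviewed_systems(FLOW, "web-checkout", covered))
    print("Next high-risk review:", next_review(date(2024, 1, 15), "high"))
```

The gap between the two lists is the point of the section: hardening two servers left six other places the same data lives untouched.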

Summary

It’s really hard to think of every single threat that can happen against the data you’re trying to secure. You’ve heard it before, ‘good guys have to think of everything and the bad guys only have to think of one thing’. 

One way to help you consider everything and build a mature cybersecurity program is by building a professional group of security professionals that are willing to work collaboratively and spend time table-topping security threats. 

These exercises pay dividends and will give you the confidence that you’ve covered absolutely everything you can think of at every layer in the technology stack while working with the security team, the business team, and the system vendors. 
