Tuesday, May 31, 2022

Trust but Verify

The landscape of technology has changed drastically over the past two decades. Companies trying to do it all themselves is a thing of the past. SaaS, PaaS and IaaS are all the rage and organizations are adopting solutions to run many aspects of their businesses. With this evolution comes risk. Even as companies look to lessen their burden of onsite data and regulatory obligations by pushing them off to third party vendors, security remains a major concern. 

Today, organizations must enter into relationships with trust, but not trust alone. Contracts are a must and verification of security practices is too. All too often, companies look past the security concerns assuming that if the software they are going to use is out in the marketplace, that it must be secure. 

Unfortunately, there are many software companies that go to market without a clear security plan, and without the proper controls in place. It is imperative that organizations take the time to ask about security practices and obtain attestation letters stating the solution has been penetration tested appropriately. Also important is to receive concrete assurances that security protocols are being followed, delivering upon the regulatory needs of the company, and aligning to the risk appetite of the organization. 

Be sure to look at new third party vendors and ask security questions ahead of signing the contract. Before a signature, the vendor is more likely to share information quickly as it is holding up the contract from being executed. Additionally, you can make decisions about moving forward without the legal trouble of undoing a contract if this information is requested early enough in the process.

If you decide to move forward despite security gaps, track the risk and follow up with the company periodically to see if the risks have been remediated. And if your third-party software vendor doesn't have penetration test results, feel free to send them our way.

Thursday, March 31, 2022

Human Firewalls Need Updates Too

Many organizations have rolled out multi-factor authentication (a must) and other controls to protect their networks. Email threat detection is deployed and URL rewriting in place. Investments are made in antivirus, EDR, and threat detection solutions; vulnerability scanners are used to scan for known risks. Even with all the layers, technologies cannot protect your organization fully. Your Human Firewall is critically important.

Your Human Firewall = your users. Education of users is usually considered, even implemented to a point. Once is not enough though! Even annually does not cut it anymore. Ongoing security education within emails, newsletters, team presentations, training, phishing simulations, and individual follow-ups are all part of a comprehensive program. Reinforcing the tools available for data protection, detailing social engineering scenarios and things to look for, and reiterating acceptable use policies should all be included.

Let's be honest, your users are busy. They are looking at emails quickly on cell phones and are not paying as close attention to security threats as you would like. Security is not always top-of-mind and needs to be reinforced as a regular part of everyone's role - NOT just annually when completing compliance training.

There are certainly lots of tools available for security awareness and phishing if you have the budget. If you don't, maybe consider allocating budget next year. But keep in mind that education can happen via tools you already own - emails, newsletters, PowerPoint slides, hand-outs, team meetings, etc. However you do it, just make sure you do it. You will be glad you did.

Monday, February 28, 2022

The Vulnerabilities Will Keep Coming

Recently there have been vulnerabilities out in the wild that have had security teams racing to patch systems and gather an inventory of their assets. We believe in being proactive. As with working out, it is easier to stay in shape and form good habits to keep you there than to get in shape. The same can be said for the health and hygiene of your network. Keeping the inventory up-to-date, and running ongoing vulnerability scans proactively, will save you time and stress when a new time-sensitive vulnerability pops up.

What are the steps you need to follow to make running after vulnerabilities less stress-inducing? Here are a few things to consider: 

1) Catalogue your inventory, including what applications are exposed externally and what services your assets are running. 

2) Understand what vulnerabilities exist in your network by running ongoing vulnerability scans or hiring a company to do it. 

3) Know what domains and assets are managed by your company or by a third party and how to get in touch with the owners if needed.

4) Investigate what security controls are in place or can easily be put in place to protect your network while updating configurations or patching systems.
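As an added example (not code from the original post), here is how the four steps above fit together in practice: a small asset inventory that records external exposure, owners and controls, and a triage function that, when a new advisory arrives, lists the affected assets with the most exposed ones first. All hostnames, contacts, the product name "exampled" and its version numbers are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    hostname: str
    owner: str                # contact for the asset (step 3)
    managed_by: str           # "internal" or the third party (step 3)
    external: bool            # reachable from the internet? (step 1)
    services: dict = field(default_factory=dict)   # product -> version
    controls: list = field(default_factory=list)   # e.g. "waf" (step 4)

def version_tuple(v):
    """'3.2.10' -> (3, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def affected(version, fixed_in):
    """True when the installed version predates the advisory's fixed version."""
    return version_tuple(version) < version_tuple(fixed_in)

def triage(inventory, product, fixed_in, mitigating_control=None):
    """Return (priority, hostname, owner, managed_by, mitigated) for every
    affected asset, most urgent first: internet-exposed assets lacking the
    mitigating control, then exposed-but-mitigated, then internal ones."""
    hits = []
    for a in inventory:
        ver = a.services.get(product)
        if ver is None or not affected(ver, fixed_in):
            continue
        mitigated = mitigating_control in a.controls
        priority = (0 if a.external else 2) + (1 if mitigated else 0)
        hits.append((priority, a.hostname, a.owner, a.managed_by, mitigated))
    return sorted(hits)

# Constructed sample inventory; "exampled" is a placeholder product name.
INVENTORY = [
    Asset("web-1", "webteam@example.com", "internal", True, {"exampled": "3.2.0"}, ["waf"]),
    Asset("web-2", "webteam@example.com", "internal", True, {"exampled": "3.1.0"}),
    Asset("intranet", "it@example.com", "internal", False, {"exampled": "3.0.5"}),
    Asset("portal", "soc@vendor.example", "Vendor X", True, {"exampled": "3.2.1"}),
    Asset("db-1", "dba@example.com", "internal", False, {"otherdb": "13.4"}),
]

if __name__ == "__main__":
    # Constructed advisory: "exampled" before 3.2.1 is affected; a WAF mitigates.
    for row in triage(INVENTORY, "exampled", "3.2.1", "waf"):
        print(row)
```

With a real inventory the same function tells you, within seconds of an advisory, who to call first and which systems can wait behind an existing control.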

When a new vulnerability that promises to bypass your controls and infiltrate your network comes again (and they will come again!) you'll have a plan and can take steps forward in a logical and orderly way.

Monday, January 10, 2022

Map your Moves

Our troops do not go into battle without the proper training, knowledge, or practice under their belts. They learn their roles. They practice as a unit. They learn about their opponents. They perform test runs. They plan for all feasible scenarios.

The landscape of security today requires a similar tactic. Not only do security teams need to know their specific roles daily and how to perform during an actual event, but they also need to understand the threats they face, plan for them and perform test simulations. Running through this process during a tabletop exercise helps to avoid delays, gaps, and confusion in the event of an actual incident. Tabletop exercises are not new, but they offer organizations a way to play out a situation and identify any areas missing coverage before an incident occurs.

Here are six tips to get you started with your next Tabletop Exercise: 

1. Make it a game with a time limit. Brainstorm, be creative, don't expect to be perfect but box it in. 90-120 minutes is likely long enough.
2. Come up with plausible scenarios. There are no points on the board for coming up with a farfetched, unlikely scenario. Start with the realistic threats and go from there.
3. Get it on the calendar - today! Don't get stuck in the 'we should do it' stage. Schedule it or it won't happen.
4. Get the right people in the room. In small organizations it may be all leaders in the organization. In large organizations it may need to be groups focused into several smaller teams/meetings.
5. Divide and conquer. In a real scenario, tasks would be split up, and small groups would work to tackle the incident from various angles. Allow members of the exercise to split up and brainstorm for part of the exercise.
6. Create an after-action plan. What worked? What didn't? What gaps did you identify that you need to work to fill? Write it down and communicate it to the team.

If you need support, we are here to help!