Last year was filled with security wake-up calls. This year is a good opportunity to get started on the right foot. For organizations who may have been doing the bare minimum, getting started means setting priorities for security efforts and budget. So where to begin?
Of course security priorities are individual to each company, enterprise, or organization, so each must be evaluated on its own merits. But 2015 definitely left us all with some food for thought on what is important, and where security teams should be putting their efforts.
Here’s a non-exhaustive list of priorities, in no particular order, that can help your team set its focus for the year.
The time of shared passwords on a sticky note is long over. If your org is not using two-factor authentication, password management, and a single sign-on solution for critical systems like Github, AWS, and AD, it’s time to start. Long past time.
This is a complex project in its own right, but given its importance, paired with the rapid adoption of cloud services and the spread of mobile devices in the workplace, it belongs at the top of the list.
Yes, it’s here. Connected devices are going to continue their march onto corporate networks for the next decade and beyond. It’s time to have a plan for it: mainly, being able to detect when such devices are present on the network, and applying enforcement against the ones that are vulnerable.
Last year brought copious examples of what can go wrong with Internet enabled devices. And IoT dominated the spotlight at CES in January. FTC Chairwoman Edith Ramirez said in an interview at the event that she has started using an analog pedometer to replace connected fitness devices like Fitbit over data privacy concerns. “How that data is being used or shared, and the potential for unintended uses, is a concern,” she said. “The industry needs to address these concerns and be more transparent about how they handle personal data.”
In other words, the “industry” has not addressed it. Security is often an afterthought for companies that make connected devices, because they need to be as cheap as possible to compete, and security is hard.
Security and network teams will need to find ways to monitor for these devices and assess whether they are safe to have around the office.
Phishing and Extortion Game Plan
This is the new bread and butter for hackers. Online criminals (it would be insulting to call them hackers, as it no longer takes talent of any kind) are consistently gaining entry through phishing or an exploit kit, then applying ransomware or some sort of as-a-service crimeware. The unfortunate truth is attacks of this nature are lucrative enough to make them worthwhile, and are cheaper and easier than ever to execute.
For enterprises, the key will be having a game plan in place. For phishing, the company workforce itself—through education—can be one of the best defenses. It may therefore be time to implement training for employees on phishing, how it works, and how to spot it. This has been on the to-do list since at least 2012, so it’s time to make it a reality.
Fighting ransomware is another matter altogether. Preventing ransomware is possible, but with its rapidly changing methodology and the widely varying strains in circulation, prevention will never be surefire. In terms of remediation, there are a great many solutions and claims of solutions, but any tip list will include reliable backups as one of the most important steps. Rather than paying a ransom to restore files, IT can instead wipe infected machines and restore the files from a backup.
Boards and Budget
The executive board is becoming more involved in security decisions and measuring risk, which is making it increasingly important that everyone come to consensus on the risks facing the enterprise, how to address them, where the money will be spent, and who owns security in the company. Last year Blackhat conducted a survey among its attendees to find out where the industry’s priorities were, and found — among other things — that priorities and spending are not in line.
In an interview with Network World, Charlie Benway, executive director of the Advanced Cyber Security Center (ACSC), put the scope of the issue into frame. “Executive management and boards of directors are now recognizing that cybersecurity is not just a tech problem, it’s a business problem,” he said. “We’re starting to see more executive-level emphasis on cybersecurity, more resources coming into cybersecurity, across all industry sectors. That has definitely increased the demand for cybersecurity folks.”
Third-Party Risks and Patching
The largest breaches in recent years, namely Target and OPM, were initiated through vulnerabilities in third-party vendors. More and more IT and security operations are being outsourced, as handling them in-house is just not feasible. But the convenience also comes with more risk. And it’s not going away any time soon. Companies should plan accordingly.
Have a plan. No security measure can prevent negligence on the part of a third-party consultant, but the relationship is two-sided, and the company controls the initial level of access and the ability to restrict that access if necessary. PwC has a program with suggestions for managing third-party risk. While its intended audience is financial firms, the same principles apply just as well to any company that has relationships with third parties.
It’s important also to keep aware of the news and alerts about vulnerabilities and keep systems patched. Last year saw quite a few vulnerability disclosures from the very companies who are supposed to protect us, illustrating the need to keep on top of updates.
Dev environments and tools should be regularly audited for access rights and security flaws, as they are “ripe” for attack. The majority of organizations with an engineering team use Github, and an estimated 70 percent are using or evaluating Docker. This makes these tools high-value targets for attackers, and they should be given special attention to make sure they are secure.
Bug Bounty Programs
If your company obtains and stores customer data, financial data, or personally identifiable information (PII), it’s time to seriously consider running a bug bounty program. The most talented engineering team in the world cannot compete with the crowdsourced firepower that a bug bounty program can provide, and companies like HackerOne and BugCrowd make it incredibly easy.
While on the subject of bug bounties, if a program is not feasible or company leadership is not comfortable offering one, it’s still important to establish an open-door policy with researchers. Fielding bug reports can take a great deal of time, compounded by false positives and duplicate reports, but not doing so can have harmful or even embarrassing results. Many companies — eBay just recently — have been in the news in the last couple of years, not for having a bug in their sites or code, but because of the way they handled responding to disclosures.