Friday, March 11, 2016

Is your organization addicted to insecurity?

Many organizations today are addicted to insecurity and feel trapped, dare I say helpless to break away from their insecure practices.  At Rendition Infosec, we see this often and have put together a helpful 12 step program to help organizations break away from their addiction to insecure practices.

12 Step program for recovering from information insecurity addiction
  1. Admit that information security is a cost center for the organization, not a profit center.  Understand that in order for information security initiatives to gain traction, we will need to engineer secure practices that align with business operations.
  2. Come to believe that you can and must have endpoint visibility to succeed in network defense.  Recognize that asset management software does not offer true endpoint visibility for security threats.  Understand that capital investment will be needed to detect today’s threats on our endpoints.
  3. Make a decision to turn over all of our logs to a central repository (SIEM) for aggregation and analysis. Because we can’t analyze what we don’t log, we will enable detailed process tracking on Windows and process accounting on Linux for we know this frustrates attackers.
  4. Create and maintain inventories for all physical network devices and the software loaded on them.  We cannot protect and scan that which we do not know about.  Admit to our executives that mistakes were made in architecting the network as it exists today.
  5. Commit to architecting our networks in a way that provides for segmentation. Where possible, we will use layer 3 access control lists, port security, and private VLANs to minimize lateral movement.
  6. Admit that continuing to do things “because that’s the way they’ve always been done” is harming the organization.  We must limit privileged group memberships, remove local administrator rights, set account lockout thresholds, and require a minimum password length greater than 8 characters.
  7. Humbly ask users to report information security failures without fear of reprisal.  Similarly, we will ask our systems administrators to tell us where the proverbial bodies are buried so we may begin to undo the many sins of the past.  Our system administrators shall not fear reprisal for their old insecure ways, for they did not know better and acted at a time when our organization was in the grips of an information insecurity addiction.
  8. Make a list of systems and processes that are fundamentally insecure as they exist today (audit your network and perform continuous vulnerability assessment). Prioritize this list for remediation using a risk based assessment methodology.  Agree with the executives on a timeline for remediation and ensure that budget and manpower are allocated. 
  9. Continue to find new risks and insert these into the risk based remediation model created earlier.  Recognize that without a change management process, we will have limited visibility into network changes and will always be reactive rather than proactive in our activities.
  10. Accept that we will fail in some of our information security activities.  We will always have some risk in our organization.  Recognize that for our executives to understand the risk we must communicate in a language they understand, not techno jargon (which might as well be Klingon).
  11. Seek through a comprehensive patch management process to ensure that all commercial/FOSS software is patched against known vulnerabilities.  For that software which we have developed in house, we will aggressively test to ensure that trivial vulnerabilities do not exist as they would be horribly damaging to our business.
  12. Having had a spiritual awakening, hunt aggressively through the network for attackers that have already penetrated our defenses so that we may share with them the good news of our incident response process.  We know that we cannot rely on third party notification and cannot afford the brand damage and lost productivity of a failed attack remediation.
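Steps 3 and 6 name concrete Windows settings: process tracking must be audited, accounts must lock out after repeated failures, and passwords must be longer than 8 characters. The checker below is an added example, not Rendition's tooling or anything from the original post. It parses the INI-style file produced by `secedit /export /cfg <file>` (the `[System Access]` and `[Event Audit]` sections are real; the sample export, its values and the function names are constructed for this example) and reports which of those three requirements a host fails.

```python
"""Check a secedit-style security policy export against steps 3 and 6.

Hypothetical checker (not Rendition's tooling): it parses the INI-like
output of `secedit /export /cfg <file>` and reports settings that fall
short of the post's requirements. SAMPLE_EXPORT is constructed and
models a host that has not yet started recovery.
"""
import configparser
import io

# Constructed sample: no process tracking, no lockout, 7-character passwords.
# A real export is UTF-16 on disk; decode it before handing it to parse_policy.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 7
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
AuditProcessTracking = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_policy(text):
    """Parse an exported policy; keys are matched case-insensitively."""
    policy = configparser.ConfigParser(interpolation=None)
    policy.read_file(io.StringIO(text))
    return policy


def audit_policy(policy):
    """Return a list of findings (empty when the host meets steps 3 and 6)."""
    findings = []

    # Step 3: detailed process tracking. Legacy audit categories are a
    # bitmask: 0 = none, 1 = success, 2 = failure, 3 = both. Process creation
    # is a success event, so bit 1 must be set for those events to be logged.
    tracking = policy.getint("Event Audit", "AuditProcessTracking", fallback=0)
    if not tracking & 1:
        findings.append("Step 3: AuditProcessTracking does not audit success; "
                        "process creation events will not reach the SIEM")

    # Step 6: account lockout threshold. 0 means accounts never lock out.
    lockout = policy.getint("System Access", "LockoutBadCount", fallback=0)
    if lockout == 0:
        findings.append("Step 6: LockoutBadCount is 0; no account lockout threshold")

    # Step 6: minimum password length must exceed 8 characters.
    min_len = policy.getint("System Access", "MinimumPasswordLength", fallback=0)
    if min_len <= 8:
        findings.append("Step 6: MinimumPasswordLength is %d; must be greater than 8"
                        % min_len)

    return findings


if __name__ == "__main__":
    for finding in audit_policy(parse_policy(SAMPLE_EXPORT)):
        print(finding)
```

Run it against the export from each host in the step 4 inventory and the output is the per-host backlog for steps 3 and 6; a missing section or key is treated as "not configured", which is the conservative reading for a policy check.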
You may note that these were closely written to model the 12 step programs for breaking other addictions.  This is not a coincidence, nor is it designed to make light of those programs.  Based on my experiences, I sincerely believe that many organizations are truly addicted to insecurity.  Just like many addicts want to break their addiction, so do members of these organizations.  However, for varying reasons, they find they cannot.  Sometimes this is because they lack organizational support.  Sometimes it is just a matter of getting executive engagement.  In every case, transitioning from insecure practices to their secure counterparts requires a plan.  Hopefully this provides you that plan, or at the very least a good starting discussion point.
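Steps 8 and 9 call for a risk based remediation model that is prioritized, tied to an agreed timeline, and able to absorb newly found risks. The queue below is an added example of one such model; it is not Rendition's methodology or part of the original post. The scoring formula, the remediation windows in `SLA_DAYS`, and every finding in `SAMPLE_FINDINGS` are assumptions constructed for the example.

```python
"""Risk based remediation queue for steps 8 and 9.

Hypothetical model (not Rendition's methodology): each finding is scored
from its severity, the criticality of the asset (from the step 4
inventory) and its exposure, mapped to a remediation window agreed with
the executives, and re-ranked whenever a new risk is inserted (step 9).
All findings and thresholds below are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    severity: float       # 0-10, e.g. a CVSS base score
    criticality: int      # 1 (lab box) .. 5 (crown jewels), from the inventory
    internet_facing: bool


def risk_score(finding):
    """Score 0-100: likelihood (severity, doubled when exposed) times impact."""
    likelihood = min(1.0, (finding.severity / 10.0)
                     * (2.0 if finding.internet_facing else 1.0))
    impact = finding.criticality / 5.0
    return round(likelihood * impact * 100, 1)


# Remediation windows agreed with the executives (assumed values):
# score >= 80 within 7 days, >= 50 within 30, >= 20 within 90, else 180.
SLA_DAYS = ((80, 7), (50, 30), (20, 90))


def sla_for(score):
    """Map a risk score to the agreed remediation window in days."""
    for threshold, days in SLA_DAYS:
        if score >= threshold:
            return days
    return 180


class RemediationQueue:
    """Step 8 list that step 9 keeps feeding; always ranked by risk."""

    def __init__(self):
        self._findings = []

    def add(self, finding):
        self._findings.append(finding)

    def prioritized(self):
        # Highest risk first; ties broken by host name for a stable report.
        return sorted(self._findings,
                      key=lambda f: (-risk_score(f), f.host))

    def report(self):
        # (host, issue, score, days) rows suitable for the executive timeline.
        return [(f.host, f.issue, risk_score(f), sla_for(risk_score(f)))
                for f in self.prioritized()]


# Constructed sample findings from an initial audit (step 8).
SAMPLE_FINDINGS = [
    Finding("dc01", "unpatched SMB service", 9.8, 5, False),
    Finding("www01", "outdated TLS library", 7.5, 3, True),
    Finding("kiosk01", "users hold local admin rights", 5.0, 1, False),
]


def build_queue(findings=SAMPLE_FINDINGS):
    queue = RemediationQueue()
    for finding in findings:
        queue.add(finding)
    return queue


if __name__ == "__main__":
    queue = build_queue()
    for host, issue, score, days in queue.report():
        print("%-8s %-32s score=%5.1f  fix within %d days" % (host, issue, score, days))
```

The cap on likelihood keeps the score on a 0-100 scale, so the windows in `SLA_DAYS` stay meaningful no matter how many multipliers the model grows; that is the number to negotiate with the executives, not the formula.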
