As we look back on a great 2018 here at Lark Security, I have been getting questions from many of our clients and our network of contacts. The most asked question of the last several weeks has been: “What should we be doing about security in 2019?” As a leader in information security, I feel that many folks are looking to us for a silver bullet, the one magic thing that will make them more secure than everyone else. Unfortunately, there isn’t such a solution, and my answer has been to recite many of the basics. The advantage of being consultants is that we get to see many organizations and how they approach security.
Occasionally we find something new and innovative being done, other times we see organizations struggling to get the funding or resources to handle the basics. Most organizations have great teams doing amazing things with little budget and outdated resources. Many of the leaders I talk with are looking for ways to do more with what they have, and in that effort they are often looking at a market of new tools and vendors waiting to help. My advice has been simple to start with. Let’s talk about the basics.
- Know your environment – This sounds simple and straightforward, but I cannot tell you how many times I have been asked to assist in some sort of crisis, and my first question is “Can you provide me an asset list for everything in your environment?” More often than not, the answer is NO, followed by an explanation of how unique the environment is and why that is a tough question. In today’s world this task is definitely getting more challenging, but to keep it simple, try this approach: Document all physical devices: network devices, servers, appliances and external connections. Next, document all cloud providers and the instances you have with each. Lastly, account for all applications, SaaS providers, and anything hosted externally that you use for business. Then go and validate your results; prove that you have a complete list.
- Understand what data you have, and where it is – Again, this seems simple in nature, but it can be a little more challenging for some organizations. What data do you have (payment card data, ePHI, CUI, business IP)? In what form is it stored (is it encrypted)? Who has access? How long do you keep it? Do you have backups?
- Now that you know all the places your data exists and all the systems in your environment, PATCH THEM! If you don’t have a regular cadence for deploying patches and security updates in your environment, no new tool or dashboard you heard about at a conference is going to make your environment more secure.
- Verify that what you are doing is successful – Vulnerability scanning is an excellent way to ensure that all your efforts are truly making your environment more secure. Do you have telnet open on the internet? You would be surprised how many times we find things in scans that organizations swear could not be in their environment. In the same vein, test your network and applications with penetration tests. Ensure that your applications and web services are only doing what they are intended to do, and nothing else. Check for the basics; the OWASP Top 10 is a good place to start.
- Accurately measure risk – Developing and honing a risk management program in an organization is the gateway to a mature security posture and a culture of security. If done well, it should highlight the actual risks your organization faces. You may not be the target of large nation-states or organized crime, so focus your efforts on mitigating your highest-priority risks first. It can be an invaluable tool for IT/Security leaders to present a case for more budget or resources. It is also a great instrument for engaging senior leadership and securing executive buy-in for the initiatives in your 2019 strategy.
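The “validate your results” step under Know your environment and the scan check under Verify that what you are doing is successful come down to the same exercise: compare what you documented with what a scan actually sees. The script below is an added illustration, not Lark Security’s own tooling; the inventory, the scan results and the list of risky ports are constructed sample data.

```python
"""Reconcile a documented asset inventory against a network scan.

Added illustration, not Lark Security's own tooling. The inventory and scan
results below are constructed sample data; a real run would load your asset
list and parse your scanner's output instead.
"""
from dataclasses import dataclass, field

# Services that should not face the internet; port 23 (telnet) is the
# example the post calls out. Constructed list, extend to taste.
RISKY_PORTS = {23: "telnet", 21: "ftp", 445: "smb", 3389: "rdp"}


@dataclass
class Findings:
    unknown_hosts: list = field(default_factory=list)    # in scan, not in inventory
    missing_hosts: list = field(default_factory=list)    # in inventory, not in scan
    risky_exposures: list = field(default_factory=list)  # (host, port, service)


def reconcile(inventory, scan):
    """inventory: {ip: description}; scan: {ip: set of open ports}."""
    found = Findings()
    found.unknown_hosts = sorted(set(scan) - set(inventory))
    found.missing_hosts = sorted(set(inventory) - set(scan))
    for host, ports in sorted(scan.items()):
        for port in sorted(ports):
            if port in RISKY_PORTS:
                found.risky_exposures.append((host, port, RISKY_PORTS[port]))
    return found


# Constructed sample data (documentation-only IP range).
SAMPLE_INVENTORY = {
    "203.0.113.10": "web server",
    "203.0.113.11": "mail relay",
    "203.0.113.12": "VPN appliance (decommissioned?)",
}
SAMPLE_SCAN = {
    "203.0.113.10": {80, 443},
    "203.0.113.11": {25, 587},
    "203.0.113.20": {23, 80},  # nobody documented this host, and telnet is open
}

if __name__ == "__main__":
    result = reconcile(SAMPLE_INVENTORY, SAMPLE_SCAN)
    print("Seen in scan but not in inventory:", result.unknown_hosts)
    print("In inventory but not seen in scan:", result.missing_hosts)
    print("Risky exposures (host, port, service):", result.risky_exposures)
```

Each finding maps back to a question in the list above: an unknown host means the inventory is incomplete, a missing host means a documented system is gone or unreachable, and a risky exposure is the kind of thing organizations swear is not there.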
If you feel that you have all of the above well in hand and are looking for the next level of things to work on, here are a few more:
- Documentation – Go beyond the basics of network diagrams, data flow diagrams, inventories and the like. Create or update policies and procedures to reflect your organization as it is today. Define guidelines for secure code development, code release processes, system life cycles and similar areas. Develop and test business continuity and disaster recovery plans.
- Automation – This can be a great way to manage patching, configurations, and critical functions like user provisioning and de-provisioning. Even if you are a small shop you can benefit greatly from some simple automation; if you are a mid-sized to large shop it’s even more important. Most of the tools are low cost or free and can have a big impact on stability as well as your security posture.
- Build your security culture – An early mentor of mine always said, “Security is everyone’s responsibility.” Make this a part of your organization’s way of doing things. It can start simply with the mantra “If you see something, say something,” and then give people a path to do so. Security awareness training needs to be more than a brief talk during the on-boarding process. Human error is always near the top of the list in the annual major breach reports, and I tend to believe that a lack of security culture and training is what makes it more likely. I have seen people at all levels of an organization proud and excited once they see their efforts in security pay off by stopping the bad guys, even in the smallest ways.
- Develop and implement a Vendor Management program – Create, implement, monitor, measure and manage a thorough vendor management program. Document all vendors within your organization, and specifically call out all vendors with access to your data. Each vendor with access to your data should be assessed from a risk management perspective, with the risks scored and addressed.
Hopefully this gives some helpful guidance to many of you. As always, Lark Security is here to assist with any and all of these efforts. We are always happy to sit down, discuss where you are, and help you with a plan for 2019 and beyond.