Do you use any data loss prevention products as part of your compliance/security program?

The Driver Behind This

Regulated and sensitive information can leave your environment faster than you realize. Data loss prevention (DLP) systems can stop this information from leaving your control through unauthorized channels. Whether it is an employee copying the information so they can work from home or an adversary who has managed to infiltrate and embed in your environment, we are talking about the insider threat. The ability to identify this information leaving your environment is crucial. This is driven by a variety of regulatory and contractual requirements, and you are on the hook to ensure the information you have been entrusted with is protected. It does not matter whether you are talking about information provided by your customers, shared by your business partners, or your own intellectual property: you must protect it. Being able to detect and respond plays a major role in supporting your claims of conformance with the relevant regulatory drivers. It is equally important in the midst of responding to an incident, when you must establish ground truth on exactly which data you are accountable for has left your organization.


What are you doing regarding threat intelligence?

Another Question to Consider: How do you get your actionable cyber threat intelligence?

The Driver Behind This

Understanding the threats you face is the first step (identification) of a risk management program and ultimately shapes how the organization manages risk. The organization's ability to collect, process and analyze cyber threat information goes a long way toward protecting the organization and reducing its risk.


What are you doing regarding Identity and Access Management?

Another Question to Consider: What is the central authority that governs your active directory domains?

The Driver Behind This

Identity (and by extension access) is at the center of not only security but compliance as well. The way your organization manages users is critical, now more than ever. The way your organization protects authorized identities, ensures policy compliance, and provisions access to sensitive/regulated data all drives the overall organizational risk posture.


Are you doing Full-Packet Captures or collecting and analyzing NetFlow data?

The Driver Behind This

Full Packet Captures (FPCs) and NetFlow are probably the most important data you will need during an incident. FPCs contain all of the data; think of them like a DVR that records every communication over the network. FPCs allow you to reconstruct network activity between systems, letting you "re-play the conversation between two systems", which you will need (note need, not want) when an incident occurs.


How do you define and manage your perimeter?

The Driver Behind This

Just as the first step in avoiding a trap is knowing of its existence, the first step in protecting against something is knowing it is there. Knowing the variety of ways in and out of your organization's network environment is equally important. Those points of entry and exit NEED TO BE MANAGED AND PROTECTED TOO. While your firewall is normally the first line of defense in a Defense in Depth model, it should not be your only line of defense. Your perimeter includes not only the perimeter firewall but also applications that allow data exchanges (including APIs), X-as-a-Service providers, wireless access points, mobile devices, and Shadow IT (e.g., Grammarly, OneDrive, Dropbox). When networks are poorly designed and architected, they degrade other security capabilities. Make sure the perimeter is documented (inventoried, if you will) and that it is centrally managed. Ensure you know what data is flowing where, how it is being exchanged, what its classification is (e.g., public, private, secret), when it is being shared, and how it gets from point A to point B.


How do you manage remote access?

The Driver Behind This

Single-factor authentication is like locking a screen door. Sure, you will keep out the small pests, but the neighbor's German shepherd is going to get in. When an adversary gets into a network (or obtains credentials from any number of data dumps), they will capture credentials via any number of relatively easy methods (passive monitoring is second only to reviewing freely accessible anonymous file shares). This gives the adversary the ability to move, largely undetected, throughout the network. If an organization is using single-factor authentication on its VPN or email, it is not difficult to find weak passwords through password spraying. When done properly, you will never see it coming. Once the adversary has those credentials, they are now the insider: same permissions, levels of access, read/write on shares, databases, etc., because compromised credentials look like, well, valid credentials.


How do you manage network traffic to and from your network?

Another question to consider: Do you allow anything in your network to talk directly to the Internet?

The Driver Behind This

Systems that can communicate directly with the Internet in 2020 are just asking for problems. Those systems bypass all the safeguards and countermeasures (you know, the controls management has invested in to prevent attacks?) that would otherwise provide and enforce proper monitoring, along with the ability to effectively identify and respond should a system be compromised. It also exposes the organization to additional liability if it fails to screen out harassing content. So, in addition to the added liability, what else? Well, as it turns out, adversaries LOVE this type of setup. It is like finding that $100 bill in your winter coat that you forgot about, or discovering that the scratch-off ticket you thought was worth $100 was really worth $10K. Why do they like it, you ask? Well, remember when we said, "those systems bypass all the safeguards and countermeasures"? We will wait for you to finish processing that thought, because while you are thinking about all those systems that may be able to connect directly to the Internet, keep in mind that the adversary does not have to deal with any of those pesky defenses.


How will your organization respond when sensitive or regulated data is lost/stolen/ransomed?

Another question to consider: Is there a clear plan for response, including incident and crisis communication?

The Driver Behind This

Incidents are going to happen; it is not a matter of if but when. Whether it is the result of being placed in the crosshairs of a sophisticated adversary or of an employee having a laptop containing personal information stolen from their locker at the gym, the organization's leadership must be engaged. Understand that this is not an IT function; it is a joint effort and means having the appropriate authoritative representatives available and ready. Ensure general counsel is engaged to address any regulatory or privacy implications, the corporate communications lead is communicating effectively with the media, and identified staff are sufficiently trained to answer questions from concerned customers. Engage the appropriate team members from IT Operations and Information & Cybersecurity to understand what happened from the technical side, as well as internal audit teams to understand which control weakness allowed the incident to occur in the first place. Depending on the type of breach, you may have to notify third parties such as Attorneys General, specific payment card brands (e.g., Visa, MasterCard) or a federal agency (e.g., the Department of Health and Human Services).


Who has access to our systems?

Other questions to consider: How do we identify who has access? After third parties have access, how quickly can we sever access to our systems and data?

The Driver Behind This

This expands on the question from the previous post, adding granularity to the matter. Specifically, which third parties have access to the regulated/sensitive data your organization has been entrusted with? This includes everything from cloud applications to service providers (e.g., HRIS, ERP, CRM systems). It does not matter whether the system is onsite but managed by a third party (e.g., an HVAC system) or hosted offsite (e.g., Amazon Web Services); you need to know who has access to your data, and why. Accept that an adversary will consider all available attack vectors, including your providers, business partners and vendors. These are common vectors used to gain access to systems as adversaries advance on their objectives.
