strong md

YOUR SECURITY SOBRIETY TEST: FIND OUT IF YOU PASS IN 5 QUESTIONS



Cyber security is not just an I.T. problem. It’s every executive’s problem. Hackers work every day to identify your vulnerabilities. They target your employees, infrastructure and even vendors. It only takes one mistake to compromise your entire ecosystem. Everyone must be vigilant and it’s your job to help them. Get involved in planning and enforcing security policies.

Security can be an intimidating topic. The jargon can easily overwhelm anyone who is not a technologist. We set out to make the topic more approachable. By asking these 5 questions, you will:

1) Get a clear understanding of your team’s security readiness.

2) Learn how to improve security from a people, process & accountability perspective.


WHEN WAS YOUR LAST PENETRATION TEST?

A penetration test is designed to answer the question:

What is the real-world effectiveness of my existing security controls against an active, human, skilled attacker?

Undergoing these tests is painful and expensive, but they do more than identify critical weaknesses. They signal that management has a degree of humility and intellectual honesty. Any team who embraces penetration tests is willing to admit its weaknesses and actively work to improve them.

Pose the question to your team and any vendors with access to your critical systems. If the answer is more than a year ago, you have a problem. Insist that they schedule a penetration test and share the results.

Keep in mind not all penetration tests are created equal. Review and select the type that is appropriate to your business. The more sensitive data you store, the more rigorous the penetration test should be.

Types of pen tests

Black-box assessment: No background information is shared with the testing analyst.

White-box assessment: The analyst is given most, if not all, of the information pertaining to the environments, which means more time is dedicated to testing and exploitation.

Gray-box testing: The analyst is given some information to aid in their research. This is a spectrum in between the two extremes.

BEST PRACTICES

• Conduct unannounced penetration tests 1x per year

• Carry out smaller quarterly assessments and when major upgrades are made to your system

• Don’t just rely on off-the-shelf or automated tools, scanners and methodologies. While these are great starting points, a penetration tester is going to have to adapt to what is found and, when the tools don’t work, be able to manually test.

SOURCES

1. http://blog.securitymetrics.com/2016/12/types-of-penetration-testing-what-why-how.html


HOW OFTEN DO YOU CONDUCT SECURITY TRAINING?

Low security awareness among employees is regularly cited as one of the biggest obstacles preventing companies from adequately defending themselves against cyber threats. In 2015, 19% of data breaches were caused by employee negligence.

Data security is not a static state of affairs. Hackers are working every day to learn new tactics. Your staff (and your vendors’) need to adapt to keep up. Effective training and increasing user awareness has been shown to reduce security-related risks by 45%.

“The biggest mistake I see most companies make is thinking that good cyber defenses can be accomplished through technology alone. Organizations need to make a serious investment into their human assets if they truly want to be secure.”

– Joshua Crumbaugh

BEST PRACTICES

• Quarterly training sessions that last no more than an hour. Attention spans don’t last forever.

• Provide real-world examples to illustrate how a small mistake can quickly spiral into a serious problem

• Conduct random tests throughout the year and publicize the results of your team. A little friendly peer pressure can be a powerful motivator to get it right the next time.

SOURCES

1. http://www-03.ibm.com/security/data-breach/
2. https://www.wombatsecurity.com/press-releases/research-confirms-security-awareness-and-training-reduces-cyber-security-risk
3. https://blog.dashlane.com/cybersecurity-awareness-training-for-employees/


HOW MANY STAFF SHARE PASSWORDS?

Your company handbook probably prohibits this sort of behavior (and if it doesn’t, fix that now). But theory is very far from practice. 81% of hacking-related breaches leveraged either stolen and/or weak passwords.

Why is that? Because 25 percent of employees admit to sharing passwords, according to the 2016 LastPass Sharing Survey. Unless you can prove otherwise, assume that at least a few members of your team are breaking the rules.

It’s your job to design access controls that prevent that possibility, and to generate an audit trail to prove when and where anyone accessed data. In technical terms, that means enforcing access controls that validate every employee and their device.

Asking who performed a task does not mean much when 15 administrators have the same password & level of access.

BEST PRACTICES

• Use a password vault to securely store and share passwords

• Provide real-world examples which illustrate how a small mistake can quickly spiral into a serious problem

• Use a single sign-on provider to ensure credentials are revoked when an employee leaves the company

SOURCES

1. Verizon 2017 Data Breach Investigations Report
2. https://www.sans.org/reading-room/whitepapers/analyst/privileged-password-sharing-root-evil-35195


WHO ACCESSED CUSTOMER DATA IN THE PAST 24 HOURS?

You can’t protect your data if you don’t know who has access to it.

If your team can’t answer this question in a timely fashion, you do not have sufficient monitoring in place to detect and identify the source of a breach before the damage is already done.

Keep in mind that your employees are probably not the only ones accessing your customer data. The average company’s network is accessed by 89 different vendors every week.

But only 35% of companies are confident they know the exact number of vendors accessing their systems and only 56% have a system in place to track what outsiders are doing with that access.

If vendors access your critical systems or documents, remember that their staff won’t stay forever. Insist that vendors carefully monitor their staff’s access to your data and establish SLAs to define deadlines to revoke access for any of their staff who leave your account (or their firm).

BEST PRACTICES

• Make the offboarding process as convenient as possible by centralizing permissions into a single sign-on provider

• Insist that your vendors maintain logs that include every time permissions were granted, revoked, or changed

• Conduct quarterly reviews of all credentials & permissions

• Continuously monitor which applications and users are accessing your databases

89% of employees still have access to at least one account after leaving a company, and 49% actually logged into those accounts
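As an added illustration of the monitoring this question calls for (example code written for this page, not from the brochure or any vendor), the script below reads constructed access-gateway audit records, answers “who touched customer data in the last 24 hours, broken down by employer”, and flags any event by a principal whose revocation deadline (the SLA the text recommends) had already passed. The log format, the roster and the timestamps are all assumptions made up for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit events (not from any real system): one JSON record per
# access to a data store, as a central access gateway or database audit log might emit.
SAMPLE_LOG = """
{"ts": "2017-09-14T08:05:00Z", "user": "alice", "org": "acme", "resource": "customers", "action": "SELECT"}
{"ts": "2017-09-14T09:30:00Z", "user": "bob", "org": "acme", "resource": "billing", "action": "SELECT"}
{"ts": "2017-09-14T11:12:00Z", "user": "carol", "org": "vendor-one", "resource": "customers", "action": "SELECT"}
{"ts": "2017-09-13T07:00:00Z", "user": "dave", "org": "vendor-two", "resource": "customers", "action": "SELECT"}
{"ts": "2017-09-14T12:45:00Z", "user": "erin", "org": "acme", "resource": "customers", "action": "UPDATE"}
"""

# Constructed offboarding roster: principals who have left, mapped to the date by which
# their access was due to be revoked (the SLA deadline agreed with the team or vendor).
REVOKE_BY = {"erin": "2017-09-01T00:00:00Z", "carol": "2017-09-20T00:00:00Z"}

NOW = datetime(2017, 9, 14, 13, 0, tzinfo=timezone.utc)  # constructed "current time"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def customer_data_access(log_text, now, revoke_by, hours=24, resource="customers"):
    """Return (accessors, violations).

    accessors: {org: sorted users} that touched `resource` within the last `hours`.
    violations: (user, org, ts) events by principals whose revocation deadline had
    already passed when the event happened, i.e. the stale-access problem above.
    """
    window_start = now - timedelta(hours=hours)
    accessors, violations = {}, []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        if ev["resource"] != resource or not (window_start <= ts <= now):
            continue  # other data, or outside the reporting window
        accessors.setdefault(ev["org"], set()).add(ev["user"])
        deadline = revoke_by.get(ev["user"])
        if deadline and ts > parse_ts(deadline):
            violations.append((ev["user"], ev["org"], ev["ts"]))
    return {org: sorted(u) for org, u in accessors.items()}, violations


if __name__ == "__main__":
    who, stale = customer_data_access(SAMPLE_LOG, NOW, REVOKE_BY)
    for org, users in who.items():
        print(f"{org}: {', '.join(users)}")
    for user, org, ts in stale:
        print(f"STALE ACCESS: {user} ({org}) at {ts}")
```

On the sample data the report lists alice and erin for the company and carol for vendor-one, and flags erin, whose access should have been revoked two weeks earlier.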

SOURCES

1. https://www.csoonline.com/article/3055012/techology-business/only-a-third-of-companies-know-how-many-vendors-access-their-systems.html
2. https://www.csoonline.com/article/2930712/access-control/do-departed-employees-haunt-your-networks.html


WHICH COMPLIANCE CERTIFICATIONS DO YOU HAVE?

While compliance is not the same thing as security, it does signal that a team invested significantly to standardize security practices and imposes a level of rigor that reduces the risk of a breach. Compliance-driven organizations have the lowest average number of vulnerabilities (12 per website) and the highest remediation rate (86%).

Compliance regimens like SOC2 or ISO27001 mandate that you define and enforce access controls to company data. By formalizing these processes, you reduce the risk that your team overlooks a known vulnerability.

BEST PRACTICES

• Insist both your team and your vendors complete SOC2 or ISO27001 compliance.

• If vendors fail to live up to your standards, insist they remediate the issues by a defined deadline

• Be practical when defining access control requirements to balance business disruption against the need to protect your data and systems.

“There is no security without audits. People who run businesses don’t want to think about the cost of information audits, but if they just imagined that every packet of information was a hundred dollar bill, all of a sudden they would start to think about who touches that money and should they be touching that money? They would want to set up the system properly—so you only give people enough access to do their jobs and no more.” – Shiu-Kai Chin

SOURCES

1. https://info.whitehatsec.com/rs/whitehatsecurity/images/2015-Stats-Report.pdf
2. https://www.wired.com/story/how-to-stop-breaches-equifax/
3. https://www.intermedia.net/assets/pdf/Do_Ex-Employees_Still_Have_Access_to_Your_Corporate_Data.pdf


ASK YOUR TEAM

1. When was your last penetration test?

2. How often do you conduct security training?

3. How many staff share passwords?

4. Who accessed customer data in the past 24 hours?

5. Which compliance certifications do you have?