When most people think of a security breach they think of some pimply faced teenaged genius sitting in a dark basement furiously hacking away at their infrastructure trying to gain access. Often, they will turn to a security vendor to test for this very scenario, this test is known as a penetration test.
I cannot tell you how many professionals consider this as the de facto (and sometimes only) test of their security. Unfortunately, when taken alone they’re testing the wrong thing. In the recent Cyber Security Intelligence Index, IBM found that 60% of breaches occur from insider threats. That means that 60% of the time your data isn’t stolen by someone breaking into your network, you gave them the keys.
Don’t get me wrong, a penetration test absolutely has its place in a holistic security program but a security program it is not. The insider threats statistic mentioned earlier doesn’t necessarily mean your organization is full of individuals waiting for the right time to sell your intellectual property to your biggest competitor; it means that the breaches that occurred were a result of insider action. The difference is fairly nuanced so let me give you a few examples:
- A system administrator’s phone downloaded malicious software that allowed access to the organization’s databases
- An accounting clerk receives an email that appears to be from the CFO requesting a wire transfer to an overseas bank account
- The CEO clicks on a link from his daughter containing malicious software
- The HR director uses his personally owned computer, which is infected with remote control software, to connect to sensitive HR documents over the organization’s VPN.
These scenarios happen far more than you think. How many of the above examples would be identified via a penetration test? Nada. Unfortunately, the biggest threat to corporate security is corporate employees – whether malicious or not. To counteract this threat, you need a comprehensive security program.
What is a comprehensive security program?
I’m glad you asked. A security program is a set of actions and documents which outline what and how the organization is securing sensitive information. The end goal of a security program is to establish clear and concise metrics and goals which will allow the ever-changing organization to adapt to new threats and identify weaknesses.
The first step of a security program is to define the program itself in what is called a security plan. The security plan is simply the identification of what is going to be secured, responsibilities, and direction. We’re going to be speaking with stakeholders (leadership, data owners, users, etc.) to identify what sensitive information exists and where.
When speaking of responsibilities, we’re not speaking of who is responsible for securing what data but, rather who is responsible to establish, test, and maintain the program. There needs to be leadership buy-in for the security program to be successful as the inevitable change that will occur is rarely comfortable. The ship is doomed to failure is there is not an end goal in mind. “Total security by December” is not an end goal. Direction is more the ‘how’ than the ‘what’. How is your plan going to be tested, implemented, designed? What are you going to compare your security against? What are the goals of implementing the security program? These are questions that should be answered by the security plan.
Next, we have the documentation that defines how we take the security plan from a concept to action. This step includes items such as: policies, which define what should be done; procedures, which define how what should be done is done; and checklists, which ensure that what should be done is done correctly. This will honestly take the most time as it will require a change in corporate, user, and system behavior.
Finally, we establish metrics to test that what we have in place is effective in its effort to secure the environment. This is where a penetration test comes into play. However, a penetration test by itself isn’t giving you the whole story as we saw above. What should be implemented before a penetration test, and quite frankly before the entire process is started, is the security assessment.
This process will provide feedback on how effective your training program is, what holes you have in your administration processes, how enacted policies may not cover potential use cases and many more areas for improvement. Taken together with a comprehensive suite of assessments a penetration test will provide a complementary data set informing you of how well you are securing your organization’s data.
Cybriant is a holistic cybersecurity service provider which enables small and mid-size companies to deploy and afford the same cyber defense strategies and tactics as the Fortune 500. We design, build, manage, and monitor cybersecurity programs. Follow Cybriant @cybriantmssp and cybriant.com.
About the author
Jason Hill – Director of Strategic Services, Cybriant
Jason has 16 years of experience in the areas of IT Security, Infrastructure and Managed Services. As Cybriant’s Director of Strategic Services he is responsible for overseeing the delivery of its consulting and educational services.
As relates to his role at Cybriant, Jason is an accomplished security consultant and security trainer. He has personally completed over 30 risk assessments utilizing the NIST-CSF and ISO 27001 frameworks. He is a leading certified instructor for AlienVault having delivered over 50 classes to end-users and MSSPS around the globe and across all industry verticals. And as a certified AlienVault engineer, he has also personally performed over 100 professional service engagements assisting companies in the implementation of AlienVault technology.
Prior to Cybriant, Jason held a succession of IT administrative, engineering, training, and consulting roles. He has a top-secret security clearance with the federal government and his personal certifications include PCI QSA, CISA and CISSP.