Many organizations think that they have a solid picture of their overall information security posture, yet there are a variety of factors that are often overlooked, and these factors can have a substantial impact on a company's true security posture. For instance, it's not uncommon for companies to overlook the human element in information security, such as the possibility that employees may leak data (either intentionally or unintentionally), causing a major data breach.
Other factors that are often overlooked include the time and resources it can take to recover from a data breach, the potential loss of uptime, the sensitive data that can be accessed via employees' email accounts, and more. In some cases, companies overlook process-oriented factors, such as how to manage and respond to alerts.
To uncover some of the most common and significant oversights of internal security audits, we asked a panel of information security professionals to answer the following question:
"What are the most overlooked factors in evaluating a company's overall information security posture?"
Meet Our Panel of Information Security Professionals:
Mike Meikle
Mike Meikle is a Partner at SecureHIM, a security consulting and education company. SecureHIM provides cyber security training for clients on topics such as data privacy and how to minimize the risk of data breaches. Meikle has worked within the Information Technology and Security fields for over fifteen years. He speaks nationally on Risk Management, Governance, and Security topics. Meikle has presented for Intel, McAfee, Financial Times, HIMSS and for other Fortune 500 companies. He is also a published writer with articles that have appeared in American Medical News, CNBC, CIO Magazine, Los Angeles Times, and Chicago Tribune. He holds Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP), and Six Sigma Green Belt certifications.
"There are quite a few areas that are generally overlooked in the overall enterprise information security posture, including..."
1. Physical security. Are there access controls (locks, guards, monitors, etc.) for your server room, network closets, and sensitive areas? The most egregious issue I have seen is a research department with dozens of external hard drives scattered around. Each contained valuable data, but none were locked up in the evening, fully accessible to the cleaning crew.
2. Printer and copier configuration. Modern printer/copier devices have internal hard drives that store data for print jobs. If not configured correctly, these devices can be hacked easily due to default credentials being known. Sensitive data could then be accessed on these internal drives over a compromised network connection.
3. Fax machines. Companies and especially government entities still use these once ubiquitous devices. Sensitive information can be faxed and then left unattended for days. This is a target for casual data theft.
4. DVD burners on laptops and desktops. If a company does not have a basic device protection or data protection solution in place, employees and malicious actors can transfer vast amounts of data to a DVD and carry it offsite without a trace. Alternatively, unknowing users can send sensitive data in the mail via a DVD that can be lost or purposely stolen.
5. Security education. In the enterprise, cybersecurity education is either overlooked or given maybe once a year via a short webinar that users can rapidly click through. Effective end user security education can dramatically reduce social engineering and phishing attempts on an enterprise.
6. Consumer cloud solutions. Employees can easily spin up consumer cloud platforms (Dropbox, Box, Google Drive, Gmail, etc.) and store sensitive information there. The consumer versions of this software were never intended to store PHI or IP data securely.
7. Mobile devices. Smartphones and tablets still elude information security in the enterprise. These computing platforms pack all the capability of a laptop and more. With mobile internet connectivity, sensitive information can be stored and shared without much difficulty unless the enterprise has a role in controlling data and device access.
8. Paper records. The enterprise still uses paper and sensitive data still gets printed for a variety of reasons. Ensure sensitive data is not left lying around in conference rooms or on desks. Effectively shred documents or have locked shredding bins.
Michael Zweiback
Michael Zweiback is a partner in Arent Fox LLP’s Complex Litigation, White Collar & Investigations groups and co-practice group leader of the Cybersecurity and Data Protection group. His broad range of experience includes defense (across California and federal courts throughout the United States, including the Southern and Eastern Districts of New York, the District of Columbia and the District of Massachusetts) of government investigations on behalf of individuals and corporations in areas which include but are not limited to health care (providers and hospitals), financial services, antitrust, environmental, and anti-corruption, including the Foreign Corrupt Practices Act; and defense of enforcement actions brought by governmental agencies such as the Securities and Exchange Commission, Health and Human Services, the Federal Trade Commission, the Federal Communications Commission, and State Attorneys General for violations of various provisions of federal and state data security laws.
"Here are eight of the most overlooked factors in evaluating a company's overall information security posture..."
1. Data Inventory: Inventory the type of data that is collected, how it is used, for how long it is stored, and with whom it is shared. Your company should highlight any collected data that is more sensitive and highly regulated. This type of information is the highest-risk form of stored data and can lead to liability to regulators and consumers.
2. Governance: Companies must create and scrutinize rules of access based upon the type of data stored. If it is sensitive data you must ask who can access it and why access is needed. This needs to evolve and change over time as your workforce shifts. Failure to examine access rules can be the death knell of security if all of your employees have rights to most of the information in the system.
3. Network security: Are you maintaining proper network control? What logging is done and why? How is your firewall configured? Is the information stored and transmitted in an encrypted environment? If an event were to occur, could you find digital fingerprints and tracks to determine what happened and who potentially was the culprit?
4. Contracts: All contracts should ensure that vendors and third parties have adequate responsibility for data that they receive, including compliance with any applicable privacy policy. Requiring vendors to take reasonable precautions with data is also a legal requirement.
5. Privacy Audits/Vulnerability Testing: Businesses should periodically audit all data collection portals and systems to determine where there are weaknesses in a data security program. Vendors are available to assist with "stress testing" virtual security systems and with providing systems for remote erasure of laptops and mobile devices.
6. Breach Plan: Companies should develop a plan for data breaches. The plan should include a step-by-step guide detailing who (role/position vs. named individual) is responsible for what steps and should detail the steps to be taken in the event of the unauthorized access to or release of personal information or other information deemed confidential within the company.
7. Retention Policies: Consumer information should be maintained only for as long as it is needed for the purpose for which it was collected and no longer than indicated to the consumer. You need a timeline for maintaining such data and for adequately destroying it.
8. Develop Policies: Train your employees. All individuals within your organization should be aware of the policies and procedures. You must consider what technologies — including mobile, desktop, cloud, and other technologies — are in use within your company and ensure the internal policy and public-facing notice address these platforms.
Jennifer Gill
Jennifer Gill is the Director of Global Product Marketing at Zerto, a company that provides enterprise-class disaster recovery and business continuity software specifically for virtualized data centers and cloud environments.
"One of the biggest factors that gets overlooked when evaluating a company's cybersecurity strategy is..."
When organizations are evaluating their cybersecurity strategies, they often focus on avoiding attacks, blocking hackers from gaining access and working to minimize damage when a hacker does indeed get in. Often, however, they give less consideration to how to recover their IT systems after an attack. Depending on the severity of the breach, systems may be knocked offline or critical applications could be altered or deleted completely. An entire datacenter site could remain compromised or inoperable, even after the attack is over. Any one of these scenarios puts important workloads (meaning applications and their associated data) at significant risk, which could have a direct impact on employees and customers.
The most critical and often overlooked element is the time and effort required to restore systems and resume operations with minimal impact on the business. As with any data loss or disaster, recovering from a cybersecurity attack requires two considerations: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO refers to the acceptable length of time for getting critical systems operational to avoid a break in business continuity. RPO is the period of time in which data might be lost following a loss, disaster or cyberattack. Disaster recovery strategies with aggressively short RTOs and RPOs (think minutes and seconds) will help bring systems and even secondary sites back online and minimize data loss and disruption to workloads.
Another layer of security that can be offered as part of a strong disaster recovery plan is continuous data protection. Many disaster recovery tools only store the last point for recovery. A disaster recovery solution offers the option to store the changes of the application over time. This enables an application to be "rolled back" after an attack. For example, if the Cryptolocker virus were to strike at 2:00 pm, continuous data protection could reset the application to 1:59:55 pm to "undo" the virus attack. It is imperative to have the ability to reset the application to various points in time. To minimize lost productivity, these points in time should be seconds apart.
Additionally, a comprehensive disaster recovery protocol can take place even as the IT team and security personnel work to determine the cause of an attack and the damage it created. By working concurrently with other cybersecurity processes, the disaster recovery strategy will help ensure that an investigation won't hamper business operations and hopefully, will not further impact those who rely on the IT infrastructure.
When a cyberattack occurs, the natural inclination of a security team is to determine how it happened and what information was compromised. The team must not forget, however, to have a plan in place for continuing operations afterwards. In our experience, the most effective disaster recovery and prevention plans are those that are developed, reviewed and implemented prior to an attack of any kind.
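The RTO/RPO trade-off and the journal rollback described above, as an added example that is not part of the original post or of Zerto's software: a toy change journal with constructed writes and a constructed 2:00 pm encryption event, comparing a last-point-only nightly backup against recovery points five seconds apart. Timestamps, file names and contents are assumed sample values.

```python
"""Added example: continuous data protection (CDP) rollback versus a last-point-only backup.
The journal, writes and attack time are constructed sample data, not output from any product."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Change:
    at: datetime        # when the write was journaled
    path: str           # file or record written
    content: str        # new content; the ransomware writes ciphertext here


def replay(journal: list[Change], until: datetime) -> dict[str, str]:
    """Rebuild application state as it stood at 'until' by replaying every journaled change up to that instant."""
    state: dict[str, str] = {}
    for change in sorted(journal, key=lambda c: c.at):
        if change.at > until:
            break
        state[change.path] = change.content
    return state


def recovery_points(start: datetime, end: datetime, step: timedelta) -> list[datetime]:
    """Instants the protection scheme can roll back to: one per 'step' (seconds for CDP, a day for nightly backup)."""
    points, t = [], start
    while t <= end:
        points.append(t)
        t += step
    return points


def best_point_before(points: list[datetime], attack_at: datetime) -> Optional[datetime]:
    """Latest recovery point strictly before the moment of compromise (the 1:59:55 pm in the text)."""
    earlier = [p for p in points if p < attack_at]
    return max(earlier) if earlier else None


def lost_writes(journal: list[Change], restored_to: datetime, attack_at: datetime) -> list[Change]:
    """Legitimate writes made after the chosen point but before the attack: the realised RPO cost of the rollback."""
    return [c for c in journal if restored_to < c.at < attack_at]


def rollback(journal: list[Change], points: list[datetime], attack_at: datetime) -> dict:
    """Pick the best point, restore state there, and report what is lost plus the effective RPO in seconds."""
    point = best_point_before(points, attack_at)
    if point is None:
        return {"point": None, "state": {}, "lost": [c for c in journal if c.at < attack_at], "rpo_seconds": None}
    return {
        "point": point,
        "state": replay(journal, point),
        "lost": lost_writes(journal, point, attack_at),
        "rpo_seconds": (attack_at - point).total_seconds(),
    }


def at(hour: int, minute: int, second: int = 0) -> datetime:
    # Constructed sample day; only the time of day matters for the scenario.
    return datetime(2015, 11, 6, hour, minute, second)


# Constructed journal: three legitimate writes, then every file overwritten with ciphertext at 2:00:00 pm.
ATTACK_AT = at(14, 0, 0)
JOURNAL = [
    Change(at(13, 0), "ledger.db", "v1"),
    Change(at(13, 30), "ledger.db", "v2"),
    Change(at(13, 59, 58), "notes.txt", "draft"),
    Change(ATTACK_AT, "ledger.db", "<encrypted>"),
    Change(ATTACK_AT, "notes.txt", "<encrypted>"),
]


def compare(journal: list[Change] = JOURNAL, attack_at: datetime = ATTACK_AT) -> dict[str, dict]:
    """Nightly last-point backup (taken at 02:00) versus CDP checkpoints five seconds apart."""
    nightly = recovery_points(at(2, 0), attack_at, timedelta(days=1))
    cdp = recovery_points(at(2, 0), attack_at, timedelta(seconds=5))
    return {"nightly": rollback(journal, nightly, attack_at), "cdp": rollback(journal, cdp, attack_at)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, "restore to", result["point"], "RPO", result["rpo_seconds"], "s",
              "lost", [c.path for c in result["lost"]], "state", result["state"])
```

The CDP path restores to 1:59:55 pm with a 5-second RPO and loses only the 1:59:58 write, while the nightly backup restores to 02:00 and loses the whole day's work.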
Greg Edwards
Greg Edwards is the CEO of WatchPoint Data, driven to build a superior, global cybersecurity firm to defend businesses from the cybercriminals lurking in the shadows of the Internet.
"The most overlooked factor in evaluating a company's overall information security posture is..."
How to manage and respond to alerts. There are some really great tools available now to collect and alert to security anomalies, but they can generate a huge amount of false positives along with valid alerts. The infosec team has to be able to dial in the alerting system for their environment and properly respond to threats in real-time. Threats need to be contained within a matter of seconds before they do damage.
Tim Erlin
Tim Erlin is Director of IT Security and Risk Strategy at Tripwire and has over 10 years' experience in addressing cybersecurity issues in organizations of all types. Tim is a member of the Information Systems Security Association (ISSA) and frequently advises corporations and government agencies on cloud security management.
"One factor companies frequently overlook in evaluating their overall security posture is..."
Every organization has exceptions to their basic security practices. There's always that printer that can't be upgraded or that legacy application that can't be scanned. While an organization may believe it's implemented the security basics, these exceptions can grow and increase risk to the organization. It's not enough to implement configuration monitoring, security policies, vulnerability scanning and patching; organizations have to measure the outliers and exceptions as well.
Paul Turner
Paul Turner, Principal of SkyView Consulting, has spent over 20 years in Corporate Performance Management, Business Intelligence and ERP, and over 10 years at cloud computing industry leaders. Paul has a BSc in Computer Science from Lancaster University, England.
"The biggest overlooked item in evaluating a company's overall security posture is..."
Cloud applications that have been self-deployed within departments, without any knowledge by the IT team. For example, collaboration apps, file sharing apps, and marketing tools can all contain sensitive information, whether it is customer information, sensitive documents, etc. The thing is that while most of these applications can be integrated into a company's centralized user management infrastructure, they often aren't – so for example, they may have weaker password controls, or if the employee leaves, they may still retain their account. Because cloud enables departments to self-deploy, it's incredibly important for organizations to have an application deployment policy around cloud apps, mandatory controls, and integration with company security, as well as having minimum security requirements for cloud providers.
Shlomi Avivi
Shlomi Avivi is the CISO of WalkMe.
"There are three factors I believe are most often overlooked in evaluating a company's overall information security posture. At WalkMe we make sure all of the following factors are sealed shut..."
1. The Enemy Within: Administrative Access - Most companies focus on ensuring the customer facing security level is of the highest standard and that they are secured properly. This can cause the back office administrative access to take a back seat, and as a consequence it is less secured. Also, in order to provide agility for the R&D department, controls are not put in place. For example, it's very clear that every end user has his/her own account, but sometimes the entire R&D team uses the same shared account that everyone has access to, which should be avoided. To solve this problem, it is important to include back office and R&D department processes when planning the risk mitigation.
2. The Friendly Enemy: Third Party vendors - It is very common for companies to use third party service providers, such as hosting providers, niche service providers, etc., so that they have more time to focus on developing their products. In many of these cases, the third parties are not included in the risk assessment of the company. They aren’t checked properly, or aren't required to fulfill any basic security standards. To solve this problem, you should be very focused on your security standards in their entire scope and not leave out what may seem to be minor details that are in fact critical.
3. Change - Security threats creep up on you. It's important to execute periodic reviews on your entire security configuration, especially with employee access rights to ensure that there are no redundant or obsolete access permissions. For example, it’s critical to keep track of former employees that no longer work at the company, but still maintain access permissions to the office and networks, so that those permissions are immediately revoked.
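Self-deployed cloud apps that sit outside central user management (Paul Turner's point above) and former employees who still hold access (Shlomi Avivi's third point) can be surfaced by the same reconciliation. The following is an added example, not code from WalkMe, SkyView or the original post: it reads a constructed HR roster and per-app account lists and flags departed users, accounts with no HR owner, local (non-SSO) credentials and dormant access. App names, addresses, dates and the 90-day dormancy threshold are assumed sample values.

```python
"""Added example: reconcile self-deployed cloud app accounts against the HR roster.
Roster, app names and accounts are constructed sample data, not an export from any real system."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_AFTER_DAYS = 90               # assumed review threshold
SEVERITY = {"terminated-user": 0, "unknown-owner": 1, "local-credential": 2, "dormant": 3}


@dataclass(frozen=True)
class Employee:
    email: str
    status: str                        # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class AppAccount:
    app: str
    email: str
    sso_managed: bool                  # True if the app defers login to the central identity provider
    last_login: date


@dataclass(frozen=True)
class Finding:
    kind: str
    app: str
    email: str
    detail: str


def reconcile(roster: list[Employee], accounts: list[AppAccount], today: date) -> list[Finding]:
    """Flag every app account that offboarding or central user management would not have caught."""
    by_email = {e.email.lower(): e for e in roster}
    findings: list[Finding] = []
    for acct in accounts:
        emp = by_email.get(acct.email.lower())
        if emp is None:
            # Shared team logins and generic mailboxes show up here: nobody in HR owns them.
            findings.append(Finding("unknown-owner", acct.app, acct.email,
                                    "no matching HR record; shared, generic or orphaned account"))
        elif emp.status == "terminated" and emp.terminated_on is not None:
            detail = f"still provisioned {(today - emp.terminated_on).days} days after departure"
            if acct.last_login > emp.terminated_on:
                detail += f"; logged in after departure on {acct.last_login.isoformat()}"
            findings.append(Finding("terminated-user", acct.app, acct.email, detail))
        elif not acct.sso_managed:
            # Local password: the corporate password policy and deprovisioning flow never reach it.
            findings.append(Finding("local-credential", acct.app, acct.email,
                                    "not integrated with central user management"))
        elif (today - acct.last_login).days > DORMANT_AFTER_DAYS:
            findings.append(Finding("dormant", acct.app, acct.email,
                                    f"no login for {(today - acct.last_login).days} days"))
    return sorted(findings, key=lambda f: (SEVERITY[f.kind], f.app, f.email))


# Constructed sample inputs (an HR export and per-app user lists) as of a constructed review date.
REVIEW_DATE = date(2015, 11, 6)
ROSTER = [
    Employee("alice@example.com", "active"),
    Employee("bob@example.com", "terminated", date(2015, 10, 1)),
    Employee("carol@example.com", "active"),
]
ACCOUNTS = [
    AppAccount("FileShareApp", "alice@example.com", True, date(2015, 11, 2)),
    AppAccount("FileShareApp", "bob@example.com", False, date(2015, 10, 20)),
    AppAccount("BoardApp", "carol@example.com", False, date(2015, 11, 4)),
    AppAccount("BoardApp", "rnd-team@example.com", False, date(2015, 11, 5)),
    AppAccount("MarketingApp", "alice@example.com", True, date(2015, 6, 1)),
]


def audit(roster: list[Employee] = ROSTER, accounts: list[AppAccount] = ACCOUNTS,
          today: date = REVIEW_DATE) -> list[Finding]:
    """Run the reconciliation over the constructed data, most severe findings first."""
    return reconcile(roster, accounts, today)


if __name__ == "__main__":
    for f in audit():
        print(f"{f.kind:17} {f.app:14} {f.email:24} {f.detail}")
```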
Lee Aber
Lee Aber serves as Vice President of Security and Risk Management at ID.me, a digital identity verification network near Washington, D.C. A security executive with 20 years of experience, Lee has established, maintained, and led global-reaching information security and risk management programs. At ID.me, Lee provides leadership for every aspect of the company’s security initiatives, including overseeing all security governance issues, data privacy concerns, risk and vulnerability management, and incident response planning.
"The most overlooked factors in evaluating a company's overall security posture are..."
History has taught us that one of the most overlooked factors in evaluating your security posture is the risk posed by trusted third parties — your contractors, vendors and partners. These third parties typically have some level of access to your infrastructure (be it network or data) and tend to fly under the security radar during security evaluations. So what you have is a group of individuals, with some possibly in a different country than your company, with access and credentials to your assets, yet who typically are not monitored or audited as closely as your employees or customers. This is why third parties are the second leading cause of breaches as per the Identity Theft Resource Center (ITRC) 2014 report — with hacking incidents being the primary. Remember Target's breach? It was traced to stolen vendor credentials.
Paul Kubler
Paul Kubler, CISSP, CCNA, Sec+, ACE, EnCE, is a Cyber Security and Digital Forensics Examiner at LIFARS LLC, an international cybersecurity and digital forensics firm. He's a former employee at Boeing, in the Global Network Architecture division, the nation's largest private cyberattack target. He previously worked at the Flushing Bank, in Network and Systems Infrastructure, protecting valuable financial data at various levels within the network and system. Paul has also performed forensic investigations into mobile devices aiding in the prosecution of criminals.
With several years of experience in cybersecurity and digital forensics, he conducted a wide range of investigations, including data breached through computer intrusions, theft of intellectual property, and computer hacking. He has worked on hardening the systems and deploying protection over an international organization. He has also created business networks with a defense in depth strategy and implemented firewalls on these networks.
He holds a B.A. Summa cum Laude in Computer Science, with minors in Networking and Cybersecurity, from St. John's University in New York. He belongs to several industry groups, including the High Technology Crime Investigation Association (HTCIA) and the Long Island Association of Information Technology Professionals (LI-AITP). He is a Certified Information Systems Security Professional, Certified Cisco Network Associate (CCNA), AccessData Certified Examiner (ACE) and a Kaspersky Labs Certified Sales Engineer. He also holds a Security+ certification from CompTIA.
"From my experience, the most overlooked factor in evaluating a company's overall security posture is..."
The internal vulnerabilities. I've often tested networks externally and the client thinks I am done, but this is only stage one. This sort of attack against a firewall is only something a typical attacker will try.
A more advanced threat, or one that was allowed inside, is also a concern. This sort of attack relies on an employee accidentally or maliciously opening up a hole from the inside or launching an attack themselves.
The reason this is overlooked is that most people fear the hackers in non-extradition countries but not in their own ranks. Plus, doing an internal scan can reveal not only security problems but also configuration ones, which can reduce problems in workflow.
I do believe that the human factor, culture, and mindset often get overlooked. Ideally, it should also be empirically tested and assessed - it would give the company an insight into where it's heading in the near future. (A simple 20-page questionnaire to stakeholders or all employees could do the trick.)
Evan Blair
Evan Blair is Co-Founder and Chief Business Officer at ZeroFOX. Prior to ZeroFOX, Evan was a member of the Accuvant leadership team where he led the multi-million-dollar Partner Solutions practice. In 2008, Evan joined Foster at Baltimore-based cyber start-up Ciphent, where he was responsible for executing the marketing and sales strategy for the organization. He began his career as a financial analyst with Dresdner Kleinwort in Manhattan, NY and holds a BA in Economics from Wake Forest University.
"The most overlooked factor in evaluating a company's overall security posture is..."
The global use of social media and the risks it introduces to the enterprise is the most overlooked factor in any information security team’s overall security posture. It’s understandable why it’s overlooked: security teams lack visibility and control over social. However, that doesn’t mean it isn’t exposing their business, employees and customers to major cyber risk. Every single social media account associated with your employees – the average working-age American boasts on average three different accounts – is a vulnerability of the most dangerous kind. Good luck finding a patch to fix it. This is the new soft underbelly of the organization; this is the new most critical attack surface. Including social media risk exposure when evaluating their security posture is a necessity in this ever-connected era.
Organizations invest immense resources into social media, which is quickly becoming the primary communication method for both individuals and businesses. But intertwined in the snaps, pins and tweets are a multitude of information security and business risks, spanning targeted phishing, social engineering, account takeover, piracy, fraud and more. As social media continues to dominate business communications, security teams must understand and address the risks posed by social media. It needs to become a fundamental consideration in any team’s security posture. After all, it is the largest unsecured IT network on earth.
Maksym Shapoval
Maksym Shapoval, ITIL and Microsoft certified Security Expert, is a member of ISACA and Information Security Manager at Ciklum.
"When it comes to the most frequently overlooked factors in evaluating a company's overall security posture..."
Imagine that your manager brought an infected hard drive to the office to show photos of his cat to colleagues, your secretary sent a confidential email to the wrong person, or HR copied confidential information about salaries onto a USB drive and lost it. Oops! What does it all prove? It proves that most companies invest a lot to avoid external (cyber) threats and neglect such obvious internal threats as people, security audits, and internal breaches.
1. People or human factor - It is not enough to teach your employees about important security ethics. Implement a control system to monitor how your staff follows security policies and procedures.
2. Security audits - If a breach is not found, it doesn't mean it never happened! As the company infrastructure is changing constantly, you have to reorganize the security requirements and change security settings with the help of recurrent audits. To investigate an incident, find the perpetrators and take measures against them, use a strong log analysis system with every possible tool, including surveillance cameras and access history tracking. To react to breaches in a timely manner, you have to track and detect any anomalies and immediately notify your security managers about a possible breach or incident.
3. Even with external cyber threat protection (good firewall, etc.) you are still at risk of falling victim to an internal security breach. Unintended, but still dangerous threats include lost hard drives with confidential information, wrongly sent emails, etc. Intentional inside breaches are too obvious to mention here. Therefore, give your employees limited rights (tech security measures are a must) sufficient for work. And again see point #1 – teach and monitor how your employees follow the security rules.
Greg Scott
Greg Scott is a veteran of the tumultuous IT industry. Currently, he is a Senior Technical Account Manager for a software company named Red Hat. Prior to joining Red Hat, he worked as an independent IT consultant with a specialty in security. His book, Bullseye Breach, is an educational book, but disguised as an international thriller about an ad-hoc team that comes up with a way to fight back against a group of Russian criminals who steal 40 million credit card numbers from a Minneapolis retailer named Bullseye Stores. It's the only book I know of where a bank fraud analyst is a hero of the story. It's a story with realistic characters dealing with a realistic scenario.
"The most overlooked factor in evaluating a company's overall security posture is..."
Attitude at the top. Much of what we read about is the latest sensational breaches, followed by vendor pitches for more sophisticated and expensive tools. Top execs look at the price tag and go into sticker shock, which leads to a downward spiral in attitudes about security and IT in general. So IT is looked on as a necessary evil and an expense, not an asset to be protected.
I would love to see a survey of Boards of Directors and CEOs about how much importance they put on IT and IT security. How much status does the CIO and CISO have in the organization versus, say, the Chief Marketing Officer or Chief Financial Officer? And what are the backgrounds of the top IT and top security people? Were they promoted from Marketing or Finance to oversee the techies, or did they come up through the IT ranks delivering valuable service to the business? What's the attitude at the top?
Until we change attitudes at the top, the scourge of sensational data breaches and CEOs who tell us they care about our privacy will continue.
Kevin Lancaster
As chief executive officer, Kevin Lancaster leads Winvale's corporate growth strategies in both the commercial and government markets. He develops and drives solutions to meet Winvale's business goals while enabling an operating model to help staff identify and respond to emerging trends that affect both Winvale and their clients.
"We feel that the most overlooked factor in evaluating a company's overall information security posture is..."
Obtaining access to sensitive data through employees' personal email accounts.
From CIA Director John Brennan to Hillary Clinton, using personal email accounts is nothing new; however, malicious actors are starting to better understand the value of obtaining credentials to these accounts. If you review the contents of your personal emails, you will probably find your social security number, taxes and financial data, health information and other sensitive data. Through doxing and other social engineering techniques, hackers can quickly assume your identity and exploit it for personal gain.
Most cyber criminals understand that it's difficult to hack into a corporate network as organizations are spending a lot of money on the latest technology and the best cyber monitoring services available. The walls to their castles are high and seemingly well-fortified. However, it's becoming more obvious that the keys to those castles are held by individual employees. Today more than ever, organizations need to take steps to protect the personal identities of their employees to prevent their confidential data from being exposed.
Through our work monitoring the Dark Web, we've obtained the top 10 personal email providers that have been compromised. The top three alone cumulatively accounted for more than 160 million breaches. Do you see your email domain? I do.
PERSONAL EMAIL ACCOUNTS
| Rank | Email Domain | Compromised Accounts |
|------|--------------|----------------------|
| 1 | @hotmail.com | 68,149,508 |
| 2 | @gmail.com | 60,573,512 |
| 3 | @yahoo.com | 47,496,633 |
| 4 | @aol.com | 10,126,340 |
| 5 | @live.com | 3,527,338 |
| 6 | @msn.com | 2,873,670 |
| 7 | @comcast.net | 2,001,597 |
| 8 | @sbcglobal.net | 1,180,597 |
| 9 | @ymail.com | 1,146,381 |
| 10 | @outlook.com | 839,876 |
*As of November 6, 2015
This number of breached accounts will only continue to increase as cybercriminals break into more websites and steal personal and account information. Hackers don't just need to target C-Level management to make a major impact. While most news stories focus on only high value targets like CEOs, many employees within an organization have access to proprietary information. To boot, simple searches through Google and LinkedIn have made finding these people even easier.
What type of information does your Human Resources department or Administrative staff have access to? Do they know when their personal email account has been hacked? Do you? Since email is a high usage form of communication in this day and age, having the right identity protection program is vital to any organization's operations.
You need to be able to receive real-time alerts when your employee is hacked and proactively mitigate those risks. It will also help correct user behavior both on- and off-network, enforce corporate policy and help you better understand your organization's potential vulnerabilities to third-party data breaches. Without identity protection for all employees, this costly blind spot can have devastating consequences.
Robert Munnelly
Robert Munnelly is a shareholder at Davis, Malm & D'Agostine, P.C. in the firm's Regulatory & Administrative Law Practice. He has extensive experience with legal, regulatory, and local taxation issues faced by energy, cable television, and telecommunications companies in New England and nationally. His data security and information privacy practice focuses on advising and working with companies to develop written plans, improve security-related policies, support compliance training, and respond to potential security breaches. Rob also has substantial experience working with companies in other regulated industries and in appellate practice in state and federal courts.
"The most overlooked factor in evaluating a company's overall information security posture is..."
Vendor Management. Companies remain responsible when third party vendors holding their sensitive personal information suffer security breaches involving the companies' information, and failures to select, train and/or manage third party vendors are cited in a large number of state or federal data security enforcement decisions. Due to the potential importance of vendors as a security soft spot, the Massachusetts data security rules (201 CMR 17.00) required that the extent of security protections be codified by contract in each company's business arrangements with a vendor. Nevertheless, disappointingly few companies maintain a robust program for (i) undertaking vendor due diligence either before or during the contract term or (ii) incorporating appropriate contractual security protections to mitigate risks associated with use of a particular vendor. We recommend that such a program be adopted as soon as practicable, with questionnaires and follow-up calls to pin down the extent to which the vendor maintains sound written security plans and policies, has implemented appropriate technology protections such as email and laptop encryption, has experienced security breaches, or makes use of sub-vendors who should also be reviewed. Appropriate contract provisions (including requiring certain security upgrades, key reporting obligations, adoption of minimum cyber or general liability insurance coverages and breach indemnification clauses) should be added to address foreseeable risks for key vendors.
Lina Danilchik
Lina Danilchik has been working in the sphere of information security for three years. She is the head of the PR department for Falcongaze Company, an information security and work processes optimization software vendor.
"When evaluating an overall information security posture, companies sometimes miss one important point..."
When developing a strong strategy to resist external threats, some organizations forget that they can be stabbed in the back when they do not expect it. The most pervasive threats today are insider threats. When all the necessary measures to provide corporate information security seem to have been taken (firewalls are installed, there is access rights differentiation and two-step authentication), it is time to think about how to protect your information resources from inadvertent or deliberate actions of your employees. Insiders can cause much more serious harm than external attacks because they have many more opportunities to gain unauthorized access to sensitive data. Moreover, sometimes employees who are privileged to access valuable corporate information abuse the trust placed in them. According to the annual Verizon 2015 Data Breach Investigations Report, the reason for 55% of incidents was so-called privilege abuse. To avoid the loss of confidential data with a chain of painful consequences including economic losses, reputation damage, and loss of customer confidence, businesses should keep their eyes open and estimate not only external but also internal threats.
Larry Zulch
Larry Zulch, president, oversees sales, marketing, and product development functions at Savvius. His industry experience includes chief strategy and development officer at SQLstream, a big data streaming analytics company, vice president and officer at EMC Corporation, and co-founder and CEO of Dantz Development Corporation, acquired by EMC. Married and a father of three girls, Larry received a BA in Economics from the University of California, Davis.
"The most overlooked factor when it comes to evaluating an organization's overall information security posture is..."
Companies tend to focus so much of their attention on preventing and detecting attacks that they neglect to prepare for undetected breaches that come to light weeks or months after an intrusion takes place. Yet it is these undetected breaches that cause the most havoc; almost by definition, the malware has had time to compromise confidential information. Expecting the unexpected isn’t an oxymoron: a small amount of preparation can dramatically reduce the time it takes to go from the chaos of intrusion discovery to the assurance that the incident is contained and understood.
In order to prepare for an unexpected breach, companies need security analytics tools that can conduct effective investigations, processing server and router metadata and, importantly, network traffic. The original malware is less likely to be obscured when examining network traffic than it would be when it is installed on the host system. All of this log and network information must be collected at the time of the breach and stored until needed for an investigation, which may be months later. Collecting months of metadata is relatively straightforward, but collecting months of network traffic without knowing if it will be useful requires either storing everything, which is expensive, or reducing network traffic to what is most likely to be useful. That reduction may include filtering by type or address, manually determining likely future value, or, the most advanced approach, integrating with IDS/IPS detection systems to store network traffic (packet data) associated with hundreds of alerts per day. In evaluating a company’s security posture, it is important to consider how prepared it is to intelligently and selectively identify and store network traffic for future forensic investigation.
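The alert-driven retention described above can be sketched as a small simulation. The following is an added example written for this page, not code from Savvius or from the author: it keeps a short rolling buffer of packet records, applies a static filter by traffic type, and when a (constructed) IDS alert names a host it promotes that host's packets from a window before and after the alert into long-term storage. The packet records, alert, window sizes and protocol filter are all assumed sample values.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since capture start
    src: str
    dst: str
    proto: str
    length: int    # bytes on the wire


@dataclass(frozen=True)
class Alert:
    ts: float
    host: str      # internal address the IDS flagged
    signature: str


class SelectiveCapture:
    """Rolling short-term buffer; only packets around an IDS alert that involve
    the flagged host are copied to the long-term store."""

    def __init__(self, pre_window, post_window, exclude_protos=()):
        self.pre_window = pre_window
        self.post_window = post_window
        self.exclude_protos = set(exclude_protos)
        self.buffer = deque()      # recent packets, newest on the right
        self.retained = {}         # alert key -> packets kept for that alert
        self.active = []           # (alert key, host, capture-until timestamp)
        self.seen_packets = 0
        self.seen_bytes = 0

    @staticmethod
    def involves(pkt, host):
        return host in (pkt.src, pkt.dst)

    def ingest(self, pkt):
        # Static reduction first: drop traffic types judged unlikely to matter.
        if pkt.proto in self.exclude_protos:
            return
        self.seen_packets += 1
        self.seen_bytes += pkt.length
        self.buffer.append(pkt)
        # Evict anything older than the pre-alert window.
        while self.buffer and self.buffer[0].ts < pkt.ts - self.pre_window:
            self.buffer.popleft()
        # Post-alert capture: keep packets for hosts with an open window.
        still_open = []
        for key, host, until in self.active:
            if pkt.ts <= until:
                if self.involves(pkt, host):
                    self.retained[key].append(pkt)
                still_open.append((key, host, until))
        self.active = still_open

    def on_alert(self, alert):
        key = f"{alert.ts:.3f}:{alert.host}:{alert.signature}"
        # Pre-alert capture: pull the flagged host's recent packets out of the buffer.
        self.retained[key] = [p for p in self.buffer
                              if p.ts >= alert.ts - self.pre_window
                              and self.involves(p, alert.host)]
        self.active.append((key, alert.host, alert.ts + self.post_window))
        return key

    def summary(self):
        kept = [p for pkts in self.retained.values() for p in pkts]
        return {"seen_packets": self.seen_packets, "seen_bytes": self.seen_bytes,
                "kept_packets": len(kept), "kept_bytes": sum(p.length for p in kept)}


def replay(packets, alerts, pre_window=3.0, post_window=2.0, exclude_protos=("dns",)):
    """Feed packets and alerts in timestamp order (an alert sorts after a packet
    with the same timestamp) and return the capture object for inspection."""
    cap = SelectiveCapture(pre_window, post_window, exclude_protos)
    events = sorted([(p.ts, 0, p) for p in packets] + [(a.ts, 1, a) for a in alerts],
                    key=lambda e: (e[0], e[1]))
    for _, kind, ev in events:
        cap.ingest(ev) if kind == 0 else cap.on_alert(ev)
    return cap


# Constructed sample traffic: 10.0.0.5 talks to an external address before and
# after the alert; 10.0.0.7 is unrelated background traffic; one DNS packet is filtered.
PACKETS = [
    Packet(1.0, "10.0.0.5", "93.184.216.34", "tcp", 1500),
    Packet(2.0, "10.0.0.7", "10.0.0.9", "tcp", 200),
    Packet(3.0, "10.0.0.5", "10.0.0.53", "dns", 80),
    Packet(4.0, "198.51.100.10", "10.0.0.5", "tcp", 900),
    Packet(5.0, "10.0.0.5", "198.51.100.10", "tcp", 1200),
    Packet(6.0, "10.0.0.5", "198.51.100.10", "tcp", 1400),
    Packet(7.0, "10.0.0.7", "10.0.0.9", "tcp", 300),
    Packet(8.0, "198.51.100.10", "10.0.0.5", "tcp", 600),
    Packet(9.0, "10.0.0.5", "198.51.100.10", "tcp", 100),
]
ALERTS = [Alert(5.5, "10.0.0.5", "constructed-beacon-signature")]  # constructed alert

if __name__ == "__main__":
    print(replay(PACKETS, ALERTS).summary())
```

With the sample data only three of the eight filtered packets (3,500 of 6,200 bytes) are kept, all tied to the flagged host; in a real deployment the buffer would hold seconds to minutes of traffic and the retained packets would be written out as pcap files indexed by alert.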
Brian Smith
Brian is the VP of Advisory Services and Information Security Officer for InfoSight, Inc. Brian brings more than thirty years of information technology experience, with his last thirteen years focused on information security and advisory services. Brian has successfully managed the implementation of security programs, risk management and audit programs, policies and procedures, and security awareness programs in the financial and healthcare industries. Brian has provided Information Security Officer Management services to numerous financial institutions, and holds numerous industry certifications including CRISC, CISA, CISM.
"Information security postures have been evolving over the years and have taken a positive step in the right direction due to all the recent news related to cybersecurity. In the past, many organizations had concerns with security, but it ended up as a secondary thought to business. There are three most overlooked factors..."
Ongoing employee education, risk assessments, and executive management and board level support. Many organizations perform information security education as a need, rather than a business requirement. Employees are one of the biggest risks to the information security posture of any organization. Without ongoing and evolving education at all levels of the organization including executive management and the board of directors, the information security posture of the organization will be weak because the employees won't be kept up to date with the latest security trends and risks.
Outside of the heavily regulated space such as financial services and healthcare, the risk assessment approaches in the other industries and small to medium size businesses are either weak or missing. Many organizations don't perform risk assessments to understand the potential risks and what needs to be done to protect the organization from these risks.
Executive Management and Board level support is not always there. In many organizations, executive management and the Board look at the costs to implement a strong security posture as a cost that doesn't help the overall objectives of the business. They fail to remember or think about the costs associated with downtime and reputation loss.
Chris Camejo
Chris Camejo, director of threat and vulnerability for NTT Com Security (formerly Integralis), comes from a technical assessment background, having personally coordinated and conducted numerous large-scale, multi-discipline penetration tests spanning multiple countries for global clients. As part of NTT Com Security’s threat intelligence capabilities, he follows the latest tactics and techniques of attackers and has conducted presentations on this topic at Computerworld Security Summit and with the United States Secret Service San Francisco Electronic Crimes Task Force; he has also assisted in research for a presentation at Black Hat Briefings. Chris has been working with NTT Com Security since 2001.
"Companies spend lots of time worrying about how to keep attackers out of their networks, but frequently overlook..."
How to detect and stop them once they get in. This is an enormous blind spot because it is essentially impossible to keep a determined attacker out of a network. Sooner or later some user will fall for a phishing email and give out their password, or a piece of malware will exploit a new vulnerability that nobody knows about yet. There should be much more focus on what happens after an attacker gets his foot in the door.
The obvious focus area for companies is network monitoring. Every server, workstation, security device, and piece of network infrastructure generates logs and alerts that can be useful for identifying attackers, except that in most cases no one is paying attention. Security event management tools can make the job of collecting logs and alerts easier, but these tools still require constant tuning and somebody to actually investigate the alerts they generate. We saw this with the Target breach where their FireEye solution reportedly detected the malware, but the alert was ignored as a false positive by the team responsible for reacting to it.
The less obvious focus area is on the design of the network itself. Many companies have what we call a "flat network" where almost all of the security infrastructure is deployed at the network’s perimeter to protect from attacks coming in from the Internet. If an attacker breaches this perimeter, for example by phishing an employee with malware or exploiting a VPN connection to another partner company, there is nothing to prevent him from moving around inside the network and attacking other systems at will. The compromise of an old, forgotten, and unimportant system in such a network can rapidly escalate to a compromise of the company’s most important systems and data. Segmenting networks so that sensitive data is firewalled off and protected from other unrelated systems within the same company can slow an attacker down and provide more opportunity to detect and respond to an attack. Many companies spend so much time worrying about how to protect the network that they already have that they don’t stop to think about how they can change the network to make it easier to protect.
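The "flat network" point above can be made concrete by measuring how far a single compromised host can reach under different firewall policies. The following is an added example written for this page, not code from NTT Com Security or from the author. It models an inventory of hosts in zones and a policy as the set of zone-to-zone flows the firewalls allow, then walks the graph from an assumed compromised legacy server, treating every reachable host as a possible pivot; the hosts, zones and policies are constructed sample values.

```python
from collections import deque

# Constructed inventory: host -> network zone. "restricted" holds the crown jewels.
HOSTS = {
    "legacy-fileserver": "user-lan",   # the old, forgotten system
    "ws-accounting": "user-lan",
    "vpn-partner-gw": "partner",
    "web-frontend": "dmz",
    "db-customers": "restricted",
    "erp-app": "restricted",
}
CROWN_JEWELS = {"db-customers", "erp-app"}

# A policy is the list of (source zone, destination zone) pairs the firewalls
# permit; "*" matches any zone. A flat network is a single allow-all rule.
FLAT_POLICY = [("*", "*")]
SEGMENTED_POLICY = [
    ("user-lan", "user-lan"),   # workstations and file servers talk freely
    ("user-lan", "dmz"),        # users reach the web tier
    ("partner", "dmz"),         # partner VPN only reaches the web tier
    ("dmz", "restricted"),      # web tier talks to the database tier
]


def allowed(policy, src_zone, dst_zone):
    """True if some rule permits traffic from src_zone to dst_zone."""
    return any(s in ("*", src_zone) and d in ("*", dst_zone) for s, d in policy)


def blast_radius(hosts, policy, start):
    """Breadth-first walk: every host reachable from `start`, assuming each
    reached host can be compromised and used as the next pivot.
    Returns host -> the path of pivots used to get there."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for host, zone in hosts.items():
            if host not in paths and allowed(policy, hosts[cur], zone):
                paths[host] = paths[cur] + [host]
                queue.append(host)
    del paths[start]
    return paths


def report(hosts, policy, start):
    """Summarise reach, which crown jewels are exposed, and the last pivot
    before each jewel (the natural place to add monitoring or tighten rules)."""
    reached = blast_radius(hosts, policy, start)
    jewels = sorted(h for h in reached if h in CROWN_JEWELS)
    chokepoints = sorted({path[-2] for h, path in reached.items() if h in CROWN_JEWELS})
    return {"reached": sorted(reached), "crown_jewels": jewels, "chokepoints": chokepoints}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, report(HOSTS, FLAT_POLICY if name == "flat" else policy, "legacy-fileserver"))
```

Under the flat policy the legacy server reaches every other host directly, so the only "chokepoint" is the compromised host itself. Under the segmented policy the partner gateway is unreachable and the database tier is reachable only by first pivoting through the web frontend, which is exactly where detection effort and a tighter rule (for example, limiting the dmz-to-restricted flow to the one database port the frontend needs) would pay off.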
Joan Pepin
A recognized expert in security policy, lifecycle management and compliance, Joan is the inventor of SecureWorks’ Anomaly Detection Engine and Event Linking technologies. She brings over 17 years of experience to her role at Sumo Logic from a wide variety of industries such as healthcare, manufacturing, defense, ISPs and MSSPs. Prior to Sumo Logic, Joan spent nine years with the Guardent/ Verisign/ Secureworks organization where she helped establish key initiatives around policy management, security metrics and incident response. She holds a patent for developing methodology to assess whether a communication contains an attack. She holds an undergraduate degree from the University of Massachusetts, Amherst.
"One of the most overlooked factors – and the first line of defense to keeping a company safe – is..."
User engagement in the security process. Employees must be first and foremost invested in the company’s security by proactively monitoring and flagging suspicious activity. To make this work culturally, employees must be happy with their work. Having engaged employees who are watching out for the company’s best interests and those who know, for example, what to do if they get a strange phone call, will make all the difference.
Second, frontline responders need the right tools and authority to analyze and address any incoming threats. This requires that each responder has authority to ask questions, shut things off, lock people out, or pull people away from their desks if it means stopping the threat.
Lastly, in evaluating the information security posture, organizations must clearly understand how security is seen within the company, and if it is treated as a serious issue. It’s critical to have a dedicated security team that has the right budget, authority and political capital within the organization to be taken seriously enough to prevent threats from becoming attacks. With today’s resource shortage (more than 300,000 open info security positions within the U.S.), companies cannot afford to lose good talent, and this is a number one key to retention. In fact, one of the main reasons security professionals leave their jobs right now is because they are serious about what they do and so many others in the company don’t feel responsible for taking part in preventing a breach to their organization.
Justin Farmer
Justin Farmer is the creator of ‘Neo’, the affordable and automatic plug-and-play ethical hacking device that tells you where your security weaknesses are every day through the eyes of a hacker so you can fix the security issues before they’re used against you.
"Everyone is so concerned with who may be attacking them from the outside since we hear about China, N. Korea, etc. doing it every day. Rightfully so, but what most don’t give a second thought about is..."
What’s happening on the inside of the network? Because of this lack of focus, insider threats are usually lost in the shuffle, yet these types of attacks are among the most prevalent and successful attacks that we don’t hear about often. Recent history is peppered with hacking taking place on the inside of the network since security is usually an afterthought. Simple questions to answer and create safeguards for should be along the lines of: Should this person have access to this? Do they need to be able to modify that? Is this internal system vulnerable to an attack from the inside? Time and time again, these questions get answered when the employee is let go and decides to go ‘postal’ on the things they have access to that they shouldn’t have had access to in the first place. Sadly, most network administrators don’t keep a close enough eye on the traffic traversing their network internally since it’s assumed the person is allowed to be there. Maybe it’s the server holding critical customer information or the unpatched HRM system with all employees' identifiable information, in which case the essentials are there for an attack from the inside. The security landscape changes hourly. The best course of action is to know exactly where the weaknesses are every day before they’re used against you, either from the inside or outside.
Asaf Cidon
Asaf Cidon is CEO and co-founder of Sookasa, a cloud security and encryption company that enables safe adoption of popular cloud services such as Dropbox and Google Drive to store sensitive information.
"While companies are making strides to improve their security posture in light of recent data breaches, one of the things businesses continue to overlook is..."
Security on mobile devices. More and more work is being stored in the cloud and subsequently synced to devices, which allows employees to be more productive, work from anywhere, and collaborate with ease. Here's the problem: Most cloud providers, like Dropbox and Google Drive, provide fine encryption and protection on their servers and in transit, but this protection is lost once a file is synced to a mobile device, because it's not protecting the data itself. Therefore, if a smartphone or tablet gets lost or stolen – which happens all the time – any sensitive corporate or client data stored on that device are an open book for malicious actors. Such data breaches are preventable, but the first step to stopping them is understanding how information gets exposed – especially on the increasingly popular cloud – and how it can be stopped. There's no need to stop using mobile devices or disable sync – which many businesses think are the answers – but adding a layer of encryption that protects the files themselves before they reach the cloud is key. That way, the files will stay encrypted wherever they're synced, allowing businesses to relax, stay safe, and continue allowing their employees to use the cloud and mobile devices to boost the bottom line.
Jen Martinson
Jen Martinson is an internet security expert working on behalf of Secure Thoughts, a website devoted to bringing internet security information to the masses. She also loves to travel and takes great interest in new technology.
"Above all else, one factor that is consistently overlooked in evaluating a company's overall information security posture is..."
Company procedures involving employee training and employee access to information are overlooked when considering a company’s information security posture. Human error has been shown to be responsible for the vast majority of breaches in cybersecurity over the years, and businesses are only beginning to pay attention. What good are the best passwords and encryption keys when an inattentive employee leaves them out in the open to intercept or steal with the most simple of programs? Companies need to realize that their least secure employee is their largest weak spot.
On a closely related note, how often companies review their security policies and practices is an important factor as well when determining the cybersecurity level of a particular company. There are new threats constantly on the rise, and the attention given to the IT security specialist (which every large company should have at this point) is a good indicator. There should be a review or meeting at least every couple of months to address these issues, and a company unaware is a company that is vulnerable. Management should attend, as well as any relevant employees. Materials and guides should always be made available for review.
This relates to the culture of the company regarding internet security. It can be confusing, and employees need to know that they can ask questions at any time without risk to their reputation or their pride. A single mistake can ruin a company, so those mistakes must be prevented from every possible angle. A company should have someone on staff to consult on these matters, and they should be great at communicating the basics of using technology safely and efficiently.
Another important factor is how a company embraces technology in its corporate culture. Does it view it as a necessary evil or a conduit for innovation and efficiency? Companies that embrace and accept technology will be open to new methods of security and will naturally be more aware of new dangers and defenses on the horizon. Looking to the future is the best thing a company can do when considering its IT security options.
Torsten George
Torsten George is Vice President of Global Marketing and Products at pro-active cyber risk management software vendor RiskSense. Torsten has more than 20 years of global information security experience. He is a frequent speaker on cyber security and risk management strategies worldwide and regularly provides commentary and byline articles for media outlets, covering topics such as data breaches, incident response best practices, and cyber security strategies. Torsten has held executive level positions with RiskVision (formerly Agiliance), ActivIdentity (now part of HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (now part of Dell). He holds a Doctorate in Economics and a Diplom-Kaufmann degree, which is comparable to an MBA.
"The most overlooked factors in evaluating a company's information security posture include..."
Information security executives change jobs every two years on average, giving rise to the ongoing need for these executives to perform fresh evaluations of a company’s information security posture. There’s a lot to consider here, given an organization’s physical and digital footprint, its specific business assets and processes and the vast array of servers, workstations and mobile assets under management. On average, businesses tend to be 4 or 5 years behind in implementing industry best practices.
As such, the most overlooked factors in an organization’s security posture tend to be embedded systems, such as multifunction printers and VOIP phone systems, which include very functional computing platforms and significant vulnerabilities. Security professionals will often seek to exclude these from assessments in order to reduce the scope and cost, resulting in huge risk to the organization. Web applications are also still under-assessed, often because of a lack of understanding or will to budget. Yet apps represent 40-80% of the major breaches and are one of the more complex areas to secure because they involve custom code and a true long-term lifecycle approach.
Andrew von Ramin Mapp
Andrew von Ramin Mapp is the CEO of Data Analyzers. Data Analyzers is a data recovery and computer forensics firm.
"One of the most overlooked factors in evaluating a company's information security posture is..."
Employee security. Many times, an employee is at the root of a data loss or data breach incident. Also, the increased use of BYOD policies at organizations opens up more opportunities for data to be lost or stolen. Personally, I would not advise BYOD policies as human error is too great. Also, when employees leave a company or are fired they may try to retaliate and leak data to the wrong people. Recently, the social media editor of the LA Times leaked login information to hackers. A company should have a policy in place for when an employee leaves the company. Monitor who leaves the company and remain alert for any suspicious activity on company networks and websites after an employee departure. Also, always change the login passwords.
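The departure policy described above (monitor who leaves, watch for activity afterwards, make sure credentials are changed) lends itself to a simple automated check. The following is an added example written for this page, not code from Data Analyzers or from the author. It cross-references an HR roster of last working days with a directory export of enabled accounts and with authentication log lines; the roster, directory, log format and log lines are all constructed for the example.

```python
import re
from datetime import date, datetime

# Constructed HR roster: username -> last working day (None = still employed).
ROSTER = {
    "jdoe": date(2015, 5, 29),
    "asmith": None,
    "bwong": date(2015, 6, 2),
}

# Constructed directory export: username -> account still enabled?
DIRECTORY = {"jdoe": True, "asmith": True, "bwong": False}

# Constructed authentication log in a simple key=value format, one attempt per line.
AUTH_LOG = """\
2015-05-28T17:02:11 user=jdoe src=10.0.0.12 service=vpn result=success
2015-05-31T23:41:07 user=jdoe src=203.0.113.9 service=vpn result=success
2015-06-01T08:15:42 user=asmith src=10.0.0.40 service=ssh result=success
2015-06-03T02:10:00 user=bwong src=198.51.100.77 service=webmail result=failure
2015-06-04T11:05:19 user=jdoe src=203.0.113.9 service=webmail result=success
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"service=(?P<service>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def still_enabled(roster, directory, as_of):
    """Departed users whose accounts are still enabled as of `as_of`."""
    return sorted(user for user, last_day in roster.items()
                  if last_day is not None and last_day < as_of
                  and directory.get(user, False))


def post_departure_activity(roster, events):
    """Every authentication attempt (success or failure) by a user after their
    last working day. Failures matter too: they show the account is being tried."""
    hits = []
    for event in events:
        last_day = roster.get(event["user"])
        if last_day is not None and event["ts"].date() > last_day:
            hits.append(event)
    return hits


def offboarding_report(roster, directory, log_text, as_of):
    events = parse_log(log_text)
    hits = post_departure_activity(roster, events)
    return {
        "accounts_to_disable": still_enabled(roster, directory, as_of),
        "post_departure_attempts": len(hits),
        "post_departure_successes": sum(1 for h in hits if h["result"] == "success"),
        "users_with_activity": sorted({h["user"] for h in hits}),
    }


if __name__ == "__main__":
    print(offboarding_report(ROSTER, DIRECTORY, AUTH_LOG, date(2015, 6, 5)))
```

Run daily, the first list is the work queue for the directory team (accounts that should already be disabled) and the second is the alert feed for the security team; a successful login from a departed user's account is worth treating as an incident whether or not it turns out to be a shared password someone forgot to rotate.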
Ronnie Deaver
Ronnie is the Marketing Manager for ICT Asset Recovery. He loves swing dancing, wine, responsible recycling and adventuring around the world. A recent transplant from Texas, he's been soaking in the Boston scene and diligently working with ICT to promote the message of responsible e-waste recycling.
"One of the most over-looked security factors, by all but the largest firms, is..."
Data on retired IT assets: equipment that's either old and replaced or no longer necessary. Many companies fail to have proper security procedures in place to protect the extremely vulnerable data on the unwanted equipment and typically store it in storerooms or warehouses with minimal to no security. However, the risk doesn't stop there. Few firms realize the danger of a breach from retired assets and rarely are willing to pay for proper IT asset disposal, oftentimes opting to use cheap and non-certified local recyclers that may or may not properly destroy data. These recyclers then go on to sell the unwanted equipment on eBay, oftentimes with residual data still on it. A study by MIT showed that of 158 hard drives purchased on eBay, only 12 were properly sanitized. They found over 5,000 credit card numbers, detailed medical records, private pictures/emails, and loads of business financial records. Ironically, it's doubtful these companies had any idea how much they put themselves at risk by having little to no security policy on retired assets and by using non-certified/free recycling options.
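A disposal program needs a way to verify, before a drive leaves the building, that sanitization actually happened rather than trusting the recycler's word. The following is an added example written for this page, not code from ICT Asset Recovery or from the MIT study it cites. It spot-checks a raw disk image for the kinds of residue the study describes (Luhn-valid card numbers, sensitive keywords) and reports how much of the image is zeroed; the image bytes are constructed in the block, and the keyword list is an assumed starting point, not a standard.

```python
import re


def luhn_ok(digits):
    """Luhn checksum, used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


# 13 to 16 digit runs not embedded in a longer number.
PAN_RE = re.compile(rb"(?<!\d)\d{13,16}(?!\d)")
# Assumed keyword list; a real program would extend it per data classification.
KEYWORDS = [b"password", b"patient", b"account", b"ssn", b"confidential"]


def scan_image(image):
    """Scan raw bytes for residual sensitive data. An empty finding list is a
    spot check passing, not proof of sanitization; the zero fraction helps
    distinguish an untouched drive from one that was overwritten."""
    lowered = image.lower()
    pans = [m.group().decode("ascii") for m in PAN_RE.finditer(image)
            if luhn_ok(m.group().decode("ascii"))]
    keyword_hits = {k.decode("ascii"): lowered.count(k)
                    for k in KEYWORDS if lowered.count(k)}
    zero_fraction = image.count(0) / len(image) if image else 1.0
    return {
        "card_numbers": pans,
        "keyword_hits": keyword_hits,
        "zero_fraction": round(zero_fraction, 3),
        "findings": len(pans) + sum(keyword_hits.values()),
    }


def scan_file(path, chunk=1 << 20):
    """Read a real image file; chunks overlap by 32 bytes so a number that
    straddles a chunk boundary is still seen."""
    found = {"card_numbers": [], "keyword_hits": {}, "findings": 0}
    with open(path, "rb") as f:
        tail = b""
        while True:
            data = f.read(chunk)
            if not data:
                break
            result = scan_image(tail + data)
            found["card_numbers"].extend(result["card_numbers"])
            for k, v in result["keyword_hits"].items():
                found["keyword_hits"][k] = found["keyword_hits"].get(k, 0) + v
            found["findings"] += result["findings"]
            tail = data[-32:]
    return found


# Constructed sample images: one with leftover customer and medical text, one wiped.
UNSANITIZED_IMAGE = (
    bytes(512)
    + b"Customer: J. Doe card 4111111111111111 exp 12/16\n"   # Luhn-valid test number
    + b"Order ref 1234567890123456\n"                         # 16 digits, fails Luhn
    + b"PATIENT notes: follow-up in 6 weeks\n"
    + bytes(512)
)
WIPED_IMAGE = bytes(4096)

if __name__ == "__main__":
    print("unsanitized:", scan_image(UNSANITIZED_IMAGE))
    print("wiped:", scan_image(WIPED_IMAGE))
```

The order reference is ignored because it fails the Luhn check, which keeps the false-positive rate tolerable on images full of timestamps and serial numbers; a drive that passed a multi-pass random overwrite would show no findings but a low zero fraction, which is the expected signature of a deliberate wipe rather than of an untouched drive.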
Václav Muchna
Y Soft provides enterprise office solutions that help build a smarter business by improving office productivity and enabling employees to be more productive and creative.
Václav Muchna co-founded Y Soft in 2000 in Brno, Czech Republic, with the vision of creating a global organization that operates without borders. In his mid-teens, Václav started the path toward his professional career by exploring software development, network administration and learning the value of a customer-centric approach to business. During his early professional years, Václav and a small group of partners embarked on many projects ultimately finding success with what is today YSoft SafeQ. Václav has led Y Soft's international growth by establishing subsidiaries in Japan, Singapore, USA, Israel, Emirates and many more. Václav has also established Y Soft Ventures, the venture arm of Y Soft, providing promising startups in Central Europe the capital, resources and expertise needed to accelerate their path to global markets. While focused on growing the business and exceeding customer's needs, Václav also invests in technology, people and cultivating an active company culture.
"With hacking and exposure of credit cards or other personal information in the news, it is natural and necessary for companies to bolster security around customers' personal information and company information. However, companies often neglect..."
The security of digital and printed information within their own walls.
Companies scan, copy, and print (yes, they still print a lot) with no audit trail of who is doing so and what documents are being used. Further, many employees print sensitive information which is then left in the printer tray where anyone – other employees, cleaning staff, guests – may have access to it before they get around to picking it up. In short, companies are protecting themselves from external attacks but neglect to protect themselves from... well, themselves.
Improving security within your own walls is achieved through a print management solution. Print management solutions provide an audit trail of who is using multifunction devices and what is being copied, scanned, or printed. They do this by requiring users to log in to the printer in order to receive a print job, to scan or make copies, and by storing document metadata and a copy of the document itself for analysis should an audit be required in the case of a security breach.
In litigation cases where an employer accuses a former employee of taking confidential material to a competitor, most companies do not have proof to substantiate claims. Print management provides that protection and proof.
Print management offers a host of other benefits; document security is increasingly becoming a top reason for implementing a print management solution.
Sarah McMullin
Sarah McMullin is a graduate of the University of Houston Law Center and currently works as the business development executive for Camino Information Services, a HIPAA compliant IT services and software development company in Houston, TX.
"In the business of evaluating HIPAA compliance in medical offices, I see a lot of systems that are not as secure as they think. Easily the most overlooked factor in security is..."
Employee compliance with protocols. Telling an employee you must log off when you walk away from your station is great, but if the employee does not actually log off the protocol is useless. An auditor may see properly trained information security officers, a well written protocol, properly maintained licenses, etc., and a perfectly compliant business on paper, but employee compliance can undo all of the best planning in one instance of surfing unapproved websites on a work computer. Individual personal compliance is the most overlooked because it is the hardest to track and the hardest to correct.
Terry Kurzynski
Terry Kurzynski, CISSP, CISA, QSA, ISO 27001 Auditor, is Founder & Sr. Partner of HALOCK Security Labs. Terry founded HALOCK Security Labs in 1996. With over 20 years of experience in InfoSec consulting, Terry specializes in risk management, network security, application development, audit, project management, and consulting.
"Too many times, organizations are conducting gap assessments or controls reviews but what they're overlooking is..."
The organization's maturity with security management and risk management. For example, ISO 27001 certification does not certify that an organization is secure, but rather that the organization has the right kind of management structure in place. Having a solid risk management structure in place should assure continuous management of risk and security.
J. Colin Petersen
J. Colin Petersen is President and CEO of J - I.T. Outsource, a managed service provider for business networks. He has been in the computer industry for 20 years, serving tens of thousands of clients before realigning his business to serve small to medium business networks.
"The most overlooked factor in evaluating a company's information security posture is..."
It's the human trust factor. Most companies I evaluate, especially those who focus on culture or family as a core value, place little value on proper controls. I'm talking about companies that have the same login and password for every user and no real organizational units controlling user access. They don't know who logged in where or what they accessed, because there's no audit trail. It creates a situation tantamount to leaving your windows and doors unlocked all the time. When that's happening with HR information and payroll, you have a serious problem.
Michael Fimin
Michael Fimin is an accomplished expert in information security, CEO and co-founder of Netwrix, the IT auditing company providing software that maximizes visibility of IT infrastructure changes and data access. Netwrix is based in Irvine, CA.
"The most overlooked factors in evaluating a company's information security posture include..."
Not surprisingly, understanding IT security risks is vital, and if a company has decided to proceed with an overall security assessment, it will have to invest quite a bit in IT security mechanisms and implement some efforts to improve its IT security policies. When conducting a security assessment, we take it as a part of risk management that can't be limited to specific IT areas and by its definition requires us to check every corner and shake every tree. The results, as always, depend on the experience and diligence of the executors, but there is one factor which could negate all the efforts: human nature. Even if you have implemented advanced technologies and processes, developed a well-documented security policy, and conducted trainings for employees in an attempt to improve behaviors, there will be a rotten apple that won't even notice your claims and pleas. Tell users not to click on every link in every email and not to write a password on a sticky note, and they do that anyway because they believe that IT security is not their concern. When building a really strong security posture, imagine that your users are more like the kids in the kitchen, rather than mature professionals. If you don't want bad things to happen, better hide all the knives and always keep an eye on what they are doing.