10 Questions for Your CISO

10 Questions for Your CISO

Cyber security threats are increasing as quickly as businesses can implement measures against them. Because of the constant onslaught of both new and old security threats, safeguarding data assets can be overwhelming for many security teams. Simultaneously, CEOs are concerned with finding cost-effective ways to manage resources to ensure security throughout their organization and in all locations. Organizations need to not only understand current trends in security threats, but also be able to identify inherent vulnerabilities within existing systems.

Trustwave's SpiderLabs offers an analysis of compromise investigations and the top vulnerabilities that potentially expose companies to security threats in the 2010 Global Security Report. To help executives identify an information security strategy, Trustwave developed 10 questions CEOs can ask their CISOs and security teams based on the results of the 2010 report.

1. Are you documenting your relationships with third-party vendors and are third party vendors being required to incorporate security controls?
 In 81% of cases in 2009, third-party vendors and their products introduced vulnerabilities, mostly as a result of default, vendor-supplied credentials and insecure remote access implementations. Choosing a platform and vendor with a solid security history is important, but monitoring those vendors to ensure they are following the same security practices as the hiring organization is equally important. Organizations should also ensure contracts with third party vendors include security control requirements. If a vendor will not agree to security requirements, seek out a new vendor who will be responsive to the security needs of the organization.

2. Do we have an in-depth, comprehensive and relevant policies and procedures documentation to encourage company-wide buy in, support and increased awareness?
 Consistency is the key to enforcing security because one weak link can "break the chain." Many times well-meaning employees can do things that jeopardize security - they don't realize they're doing it. By clearly articulating to staff strong policies for the organization and the procedures necessary to fulfill those policies, organizations can better ensure full understanding and adherence to those policies and procedures.

3. Should a security incident occur, do we have a team in place to assist at all levels?
 Part of the difficulty in responding to a security event is the lack of a clearly defined and readily available procedure. Understanding how most incidents occur and where the breakdowns typically happen can play a role in developing a process flow and associated documentation. Equally important is forming an incident response team of trusted individuals from various operational groups within your organization, including staff from the IT department, human resources, legal and public relations, among others. These individuals can be responsible for initial triage, establishing target goals, staffing, communications and goal accomplishment. Over the past few years, the incident response industry has been flooded with inaccurate information regarding the best practices of first responders (the first people on the scene - the location of the network where the attack took place). The common theory has been to simply unplug the system, and hand it over to the forensic team. Doing this loses all of the volatile data, which is absolutely critical in incident response.

4. What security training is or should be offered for all employees?
 Insider threat is growing and not just limited to employees with malicious intent. Unsuspecting employees may break security policy or expose sensitive information. Without the appropriate security training, they can pose one of the biggest threats to an organization. Security awareness training for employees can mean earlier notification and detection of a potential incident; even an entry-level employee may notice something if trained to be security aware. Whether to meet compliance requirements or as part of a defense-in-depth strategy, organizations should look to implement a security awareness training program and make it mandatory for each and every employee, regardless of function. Repeat this training on an annual basis and make it part of new hire orientation. By educating employees, as well as suppliers, partners and customers, the chances that an organization will become a victim of data security threats is reduced, and ensures that all staff can properly handle an incident should one occur.

5. How are you protecting our organization from threats to our systems and facilities?
 One of the best (and least expensive) ways to protect an organization is through multifactor authentication. Currently single factor authentication is in widespread use; there are likely 10,000 applications that use single-factor authentication for every one using multifactor. Unfortunately, when given the choice, humans often create poor (weak) passwords. Even employees within the security industry-those that should know better-often choose weak passwords to protect their systems for one simple reason: strong passwords are harder to remember. Multifactor authentication does not work everywhere, but should be strongly considered where it is possible. The cost of implementing a multifactor solution is far less than the impact of a major breach of the corporate network and loss of critical data Other initiatives organizations should undertake are the encryption of data, investigation of all anomalies and controlling user access and privileges to control software downloads.

6. Is there a risk management group that gathers regularly to discuss physical and local security issues?
 An internal risk management group can lead the charge when it comes to assessing the organization for risk on the whole or by specific areas. A risk management team has the ability to follow best practices by establishing benchmarks for risk acceptance levels and proper procedure for identifying and managing risks. It may be appropriate for this team to also manage security awareness training, follow and implement legal and regulatory compliance requirements, and work to identify new risks as the organization changes.

7. Is there an inventory of all IT assets? Is there a schedule for the decommissioning of old systems?
 Keeping an updated list of IT assets should be a priority; this will aid in the tracking and decommissioning of older systems. In its work with clients, SpiderLabs often finds major vulnerabilities associated with older systems, but clients seem unconcerned about the vulnerabilities as these legacy systems have a planned decommission date. Coincidently, many of these same clients use SpiderLabs to re-test their environments in subsequent years. About 75% of SpiderLabs test results that included client responses of "system will be decommissioned" still have those same systems in production a year later. At a minimum, the list should include: name of device, DNS names, type of device, operating system, IP address(es), MAC Address(es), date of installation, and owner. Once an asset list is established, all adds, deletes and changes should be logged so an up-to-date list can be obtained at any time. For decommissioning, establish an internal team with cross-competency work and tackle this problem.

8. Is security built into our IT and application development lifecycles?
 Members of the SpiderLabs team often train developers on how to code their applications securely or debrief them on the results of an application penetration test. Through an analysis of this work, SpiderLabs found that the majority of organizations spend a great deal of time in the planning and implementation phases, but not a lot of time in the analysis, design and maintenance phases. Organizations quickly go from idea to code to production. This means that a single individual makes both tactical and strategic decisions on their code, without input or oversight from others internal or external to the organization. When not properly implemented, a simple module like "reset my password" could result in major consequences to the security of an application and, potentially, to the entire organization. Implementing a comprehensive development lifecycle process which, from the start includes security planning, review and testing, is crucial to successfully developing secure applications. Organizations should review their current development methodology, and make the necessary modifications to ensure that security is not simply addressed as an afterthought, but rather as an integral and indispensable part of their IT and application development process.

9. How is our wireless network structured?
 Wireless is everywhere. Early adopters of this technology placed the access points inside their network so that employees could access resources without having to be tethered to a physical network jack. Even with the latest wireless security applied to the implementation, increased ways to crack or circumvent the security controls being used are being discovered by attackers. We recommend organizations never place wireless access points within their corporate core network; instead, they should treat them as any other remote access medium. Users are able to use a wireless access point at a caf� or hotel and securely connect back to corporate resources, so they should use the exact same process when they are in the office. The wireless access points should be placed outside the network and any security controls in place should keep unwanted visitors from using a company's Wi-Fi as an open access point.

10. What security investments should we consider? Are we an early adopter or is this a widespread practice?
 Before undertaking an expensive product implementation that may not even resolve outstanding security issues, organizations should review their infrastructure and identify any underlying security issues, ultimately resolving those issues. Technology can go a long way towards fixing security issues if implemented correctly. A good, professional assessment can help identify security holes and suggest controls or technology to fix them. An assessment will also help prioritize security projects in respect to budget and the level of risk.

Conclusion
 Cybercriminals will never stop trying to obtain valuable or proprietary data. By reviewing the information security infrastructure with the CISO or security team, paying particular attention to existing vulnerabilities, the assignment of security responsibilities to specific individuals or groups, and how data flows within the organization, CEOs and other business leaders can reduce the threat and impact of a security incident. A comprehensive, defense-in-depth strategy for information security can help reduce risk, protect sensitive information and ultimately safeguard a company's reputation.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.