Article written by:
Jerod Brennen, CISSP
GBQ IT Services analyzed the recent surge of publicly disclosed security breaches. The recent announcements from big-brand firms such as Deloitte, Equifax, Accenture and others contributed to a record-setting year for cybersecurity failures.
We have identified the following as common issues with these events:
- Most of the firms that recently announced breaches were operating in compliance with the security and privacy regulations they were obligated to follow, and were meeting customer expectations for their information security programs. Equifax, for instance, was subject to routine audits by both regulators and customers as well as internal testing, yet was still compromised because of a failure to perform a routine patching activity: the attackers exploited a known vulnerability in an internet-facing web application framework for which a fix had been available for months.
- Being compliant does not equate to being secure.
- Testing to meet compliance requirements may not be adequate for security purposes.
- Most of the firms that recently announced breaches were well staffed in both the IT and InfoSec functions; they have deep pockets and access to top talent in these markets. The failures have been characterized as employee performance failures, but we believe the publicly available evidence points to management, audit and governance failures.
- A management culture must be in place that promotes a customer- and employee-friendly security culture in which protecting information is non-negotiable.
- In many cases, and particularly with Equifax, firms were slow to respond to the breach, and when they did respond they did so in a way that made the situation worse. Equifax, for instance, deployed its help site for affected consumers on a separate, newly registered domain, which made it hard for the public to distinguish from a phishing site. Equifax will also suffer for the stock sales by senior executives in the days before the announcement; at best those sales present bad optics, and at worst they are insider trading.
- Security events are inevitable.
- Investments must be made to develop company resiliency in the event of a successful attack. It is no longer good enough to focus on "keeping them out"; we must now also focus on returning to operations quickly and with as little loss as possible.
Given our findings, we recommend that as you conduct end-of-year tests or budget for testing in 2018, you consider three things:
- Measure program maturity and excellence, not just technology and compliance. Assess governance effectiveness, management competence and security program excellence by augmenting technical testing with an assessment of program maturity. A maturity assessment answers the question, "Is security excellence routine?"
- Conduct routine, aggressive adversarial penetration testing. Testing for compliance alone is far less aggressive than the effort a real attacker will expend. We recommend adversarial simulation penetration tests in which the test mimics a targeted attack: attackers have an objective and will work to reach that goal or complete the scenario regardless of the path they take, whereas compliance-only penetration testing generally does not cover all potential attack vectors.
- Test incident response capabilities often. The cost of the recent breaches has been magnified by failures in the response that could have been discovered easily and cheaply by testing the company's incident response plan. If you don't have a plan, develop one. Once you have a plan, conduct two kinds of tests: a tabletop exercise to test the business and technical management functions in the event of a breach, and an incident response test that launches attacks against your own environment and measures whether the investments in detection and response technologies work as expected.