As a Cybersecurity Consultant, I am often asked to describe what type of cybersecurity threats companies are facing, and what my top security concerns are today. I get the luxury of working with many different cybersecurity stances as I visit companies in the Los Angeles and Orange County regions. With that premise in mind, below are my top three cybersecurity concerns for 2019.
My first and largest concern is Incident Response. This is the topic I am asked about most often in the field, and it certainly should be. For some time now we have known that attackers are lurking out there, constantly probing our perimeter, looking for holes, testing the waters, and waiting for an opportunity to break through the perimeter firewall and get a better understanding of what lies behind it. In the cybersecurity world, we must remain constantly aware of the ongoing threat of a breach.
In addition, because I have noticed a sharp increase in the number of concerns raised about this very topic, I am often asked whether we have an incident response policy a customer can use or a program we can recommend. Obviously, there are steps to take when building your incident response program. These steps entail the following:
- You should have a written policy that communicates how your program operates. This is an excellent tool that will serve your corporate team and other professionals, such as auditors, management, and consultants, and will lay out the foundation of expectations for all parties involved.
- Develop a flowchart. Yes – take out that old version of Microsoft Visio and dust that bad boy off! I build diagrams to define where the helpdesk's job ends and where the CIO's job begins. Likewise, I like to flowchart when the CIO should escalate an incident to management and begin the discussion of a breach.
- Lastly, you need to test it all. Tabletop testing is one of the most useful ways you can spend time with the IT team and executives. That being said, everyone taking part needs to be on the same page about when an incident turns into a breach. Helping executives understand their roles and what they can expect during a crisis is of the greatest importance to your success.
We must now shift our attention to the next 2019 cybersecurity concern, Penetration Testing. This is an old reliable topic, but one I get asked about often. Every year there are more companies using a penetration test as a checkbox on a Partner/Customer Cybersecurity Questionnaire.
Question: Do you perform penetration tests? Answer: YES!
In many cases I see a lack of maturity in testing; for example, I was recently asked to run a scan to see if I could get past a firewall. If I could not, the customer would have informed their management team that everything was fine. I bring this example to your attention because passing a firewall scan is not an example of proper security testing methodology. More steps must be taken to execute a complete security plan.
In another example, a company asked me to scan five systems. They would then take the results for those five systems, fix them, and then move on to the next five. This is another prime example of not fully understanding your risk landscape. My advice on penetration testing is that you should be moving up in maturity each year. Here is how I try to help companies grow their maturity levels each year:
- Level 1 – Perform an external and internal penetration test and let the pen-tester run free. Do not tell him/her to only work on X subnet or on Y devices. The idea here is to let them go and get a clear understanding of the risk that exists in the environment. Once you understand that the pen-tester was able to get access to confidential data, compromise systems, and gain access to domain credentials, you will be able to articulate to management that more needs to be done in cybersecurity. It is wise to run these tests for a couple of years as a yearly exercise, but after that, move up in maturity.
- Level 2 – After you have completed Level 1 above, you can go to the next level of maturity. In this phase, include phishing and physical security alongside your internal/external penetration tests. This will give you the full scope of penetration testing. Now you have identified your cybersecurity, physical, and social engineering risk at your company. After a couple of years of this testing, it is time to move up in the stages of maturity.
- Level 3 – Perform all the steps of Level 2, but it is important not to tell anyone during this process; keep IT and all your vendors in the dark. They do not need to know that you are testing, for one incredibly important reason: so that you can closely observe how well they respond to incidents. Testing vendors will help everyone stay on their toes and give you a real indicator of how well your team manages risk. Likewise, we see more and more that vendors have a real role to play in an incident. Some vendors manage the incident, and others do nothing during it. By moving to this maturity step, you find out which vendors will and will not help during a real incident.
- Level 4 – Perform all the steps of Level 3, but keep everyone out of the loop. Only management needs to know the test is being performed, and at this level you should add new options:
  - The penetration test engagement should be done “sometime” in the year at the discretion of the pen-testing company.
  - Allow the pen testers to establish some level of command and control by violating physical access controls; meaning the pen-testing company hand delivers an Intel Next Unit of Computing (NUC) onsite and keeps that access over time for as long as the device goes undiscovered.
  - The pen-test company gains access at their discretion and usually in a “low and slow” method. This means your team will never see a big scan event happen. No bandwidth observations will clue in the IT team that something abnormal is happening.
  - The pen-test company gains access to other systems by social engineering as secondary access in case the onsite tool is discovered.
  - The end result is that either the pen-testing company gets access to data or, ideally, the IT team prevents a breach.
Exercising these four levels of maturity will allow you to constantly move forward in your training. Many companies believe a pen-test is merely a verification that patching is being done well – this is incorrect. Let the company know it is not just about patching; it also tests incident response, physical access control, network segmentation, phishing control, and many other security objectives.
Finally, I am fielding a lot of conversations about cybersecurity questionnaires. These are the questionnaires we receive from our vendors, customers, and audit companies attempting to discover how well your company is performing in cybersecurity. Some say they want to “audit” your security, and others say they want you to put a specific device on your network. Other questionnaires will ask you 100 questions and simply file the document in their vendor management folder.
These questionnaires are time-consuming and unnerving as you attempt to answer them carefully and honestly. Personally, I tend to advise my clients to take the last 10 surveys they have received and write a “Security Statement” document to hand out in place of answering the 100 questions. Write a document outlining your security best practices that answers the most common questions. You will look more mature because you have a quick answer to the common issues presented. If the security statement is done effectively, it will fulfill the needs of the customer, vendor, and/or auditor. I write these often for my customers, and they are successful.
As a Cybersecurity Consultant, I hope this information about Incident Response, Penetration Testing, and Cybersecurity Questionnaires benefits you in the future and, in turn, increases your success rate out in the field.
Senior Security Consultant & CISO