If IBM X-Force were running the IT department
IBM’s X-Force research team recently released their “2012 Trend and Risk Report”. The report is a great look back at last year and is full of metrics and analysis on the kinds of information security threats and risks seen across different verticals. It also has some excellent advice on how to institute and operate a successful information security and risk management program. If you are interested in security (and who isn’t?) you should definitely download it and give it a read.
One section I wanted to highlight and expand on, though, was the “If IBM X-Force were running the IT department” section. Here is the X-Force’s top 10 list to make you more secure. This is especially relevant for mid-market companies who may not have the budget or resources to do everything they might like around risk and threats. If you could check each of these ten off, you would have the foundation of a solid strategy.
1. Perform regular third party external and internal security audits – Many organizations are reluctant to bring in an outside party to conduct security audits. I am not sure if it is a case of not wanting to share dirty laundry with outsiders or a case of “ignorance is bliss”, but either way it is a mistake. Having a security expert come in on a regular basis to give you a “hacker’s eye view” is one of the best ways to see how your security plan really holds up. My recommendation is a full internal and external audit annually, with external-only audits quarterly if possible.
2. Control your endpoints – This used to be a whole lot easier. The advent of BYOD has made control of your endpoints more like being the sheriff in the Wild West. Of course it is probably futile to try and prohibit BYOD devices from accessing your network, data and applications. A more realistic goal may be to at least have a mobile device management solution in place. The first step is to have policies defining what is acceptable in terms of endpoints, what configurations are required, what applications can be accessed and what security should be installed on them. Regular security scanning, including vulnerability and configuration testing should be mandatory across the board! Of course traditional company owned devices are a lot easier to manage and control.
3. Segment sensitive systems and information – You need to treat your high value assets as high value. That means giving them an extra level of protection. This starts with segmenting them off from the rest of the network. Too many mid-size organizations run flat networks where once you have access to the network, you can see and access everything on it. This is obviously a mistake. Access to these segmented networks, and even visibility of them, should be on a “need to know” basis. This can be accomplished using VLANs, firewalls and identity and access control.
4. Protect your network via basics (firewalls, anti-virus, intrusion prevention devices, etc.) – Too many of us are always lusting after and chasing the latest and greatest shiny new technology widgets. A perfect example of this is the latest infatuation with some of the newest threat detection technologies that run incoming packets in sandboxes before allowing them into the network. While new technologies can be exciting and effective, they should not be instituted at the expense of the “meat and potatoes” of your security program. They may not be sexy, but firewalls, AV and IPS are still front line tools for the defense. A recent report by 451 Research about the “Real Cost of Security” by Wendy Nather showed that most CISOs would still pick AV and firewall among their top choices in building out a security program. You should too!
5. Audit your web applications – Web application security is perhaps the hottest area of security today. An increasing percentage of attacks are targeting web applications. SQL injection, cross-site scripting and drive-by attacks have all become all too common in the news. There are different aspects to securing web applications. It starts with secure code development. Building security into the development process is a great way to start with a strong foundation. Just as having a 3rd party audit is a must, an audit of your web applications, including not only the code but the implementation as well, should be performed before an app is deployed and after every change to code and infrastructure. There are any number of firms that can perform this type of test for you.
6. Train end users about phishing and spearphishing – This sounds like a no-brainer, but you would be surprised how many companies don’t take the time for security awareness training. It is even more important today when so many of the most sophisticated attacks actually start with a targeted spearphish aimed at a key person in your organization. Recognizing phishing attempts, and not clicking on links in email, social media or anywhere else unless you are sure of who sent them and where they go, is a must if you hope to keep your organization out of the next headlines.
7. Search for bad passwords – This can be automated and strong password requirements can be built into many applications today. Passwords still represent one of the weakest links in our security technology. At some point hopefully 2-factor authentication, biometrics and other technologies may make passwords obsolete. But until then we are stuck with them. Passwords like 123456 and password are just not acceptable and should not be allowed. Password managers offer lots of choices so that users don’t have to remember strong passwords. Also requirements to change passwords regularly should be instituted and enforced.
8. Integrate security into every project plan – Microsoft did this years ago with their Trustworthy Computing initiative and it forever changed Windows. Security is too important to be an afterthought bolted on after the fact. Everything you do or plan to do has to be seen through the prism of security. Failing to do so could wind up putting your organization at dire risk.
9. Examine the policies of business partners – We live in an interconnected world; no one exists in a vacuum. Our partners often have to have access to our data and systems in order to work with us. However, they can also represent a vector into our systems for hackers and criminals. You must institute a policy on what 3rd parties have to show, and how, before they are given access to your network. This should also be regularly audited and re-examined.
10. Have a solid incident response plan – It is not a question of if, but when something is going to happen. Do not let your pride and ego get in the way of putting in place a plan for what to do when you have an incident. While you are at it, you should have a worst case scenario as part of your planning. Today’s threat and risk landscape means you should assume that you will have security incidents. How you respond to these incidents as a mid-market company could mean the difference between survival or not of the organization. Well thought out incident response plans make all of the difference in the world in the fluid, fast moving situations that follow discovery of a security incident.
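Item 7 notes that the search for bad passwords can be automated. The sketch below is an added example, not code from the X-Force report or from this post: it audits a constructed credential store for passwords that are trivial variants of a denylist entry. The PBKDF2 storage scheme, the iteration count, the denylist and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed denylist; a real audit would load a large list of common passwords.
DENYLIST = ["123456", "password", "qwerty", "letmein"]
ITERATIONS = 10_000  # assumed PBKDF2 work factor, kept low so the example runs fast


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier the way the hypothetical application does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def variants(word: str):
    """Yield a denylist word plus trivial variations users add to pass rules."""
    for base in sorted({word, word.capitalize(), word.upper()}):
        yield base
        for suffix in ("1", "!", "123"):
            yield base + suffix


def matches_denylist(salt: bytes, stored: bytes):
    """Return the denylist entry the stored hash corresponds to, or None."""
    for word in DENYLIST:
        for guess in variants(word):
            if hmac.compare_digest(hash_password(guess, salt), stored):
                return word
    return None


def audit(records: dict) -> dict:
    """Map each account with a denylisted password to the entry it matched."""
    hits = {user: matches_denylist(salt, stored) for user, (salt, stored) in records.items()}
    return {user: word for user, word in hits.items() if word is not None}


def build_sample_records() -> dict:
    """Constructed credential store: username -> (salt, PBKDF2 hash)."""
    sample = {"alice": "123456", "bob": "Password1", "carol": "v9#Lq2!xTf@wZ8rk"}
    records = {}
    for user, password in sample.items():
        salt = os.urandom(16)
        records[user] = (salt, hash_password(password, salt))
    return records


if __name__ == "__main__":
    for user, word in audit(build_sample_records()).items():
        print(f"{user}: password is a variant of denylisted entry {word!r}")
```
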
There is a whole lot more in this great report from the IBM X-Force team. Go download it and read it at least twice!
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.