Historically, aside from enabling tools (such as mobile VPN access), security spending has essentially been insurance with no visible return. This is starting to change as more businesses insure against breach and loss. While many of the costs of a breach are not directly financial, there are plenty of references available that attribute financial loss to breaches, and there is more data available with which to make a better risk assessment of potential loss.
In December 2015, the EU reached agreement on the GDPR, which proposed a maximum fine of up to 4% of annual worldwide turnover. As more companies look at insuring against loss, there is a direct and immediate link between the insurance premium, the maximum indemnity and the security posture of an organisation.
Hardware.com adopts a ‘top down approach’ to network security to help demonstrate that an improved security posture can deliver a return on investment.
From The Top
Ultimately, the CEO is responsible for network security, and the information security posture of a company sits on the risk register alongside all the other high level considerations such as physical theft, service availability and staffing. Given the standard metrics of likelihood vs impact, Hardware.com increase the accuracy of the assessment by providing improved visibility of threats and a better understanding of the potential costs of a breach. When dealing with the likelihood of a breach, Hardware.com encourages customers to consider:
- What are the threats facing the business?
- How comprehensive is the security strategy in dealing with and preventing these risks?
The immediate technical / physical impact of a breach can easily be determined as hard fact, but the knowledge that customer data has been exfiltrated has greater implications. In terms of the wider business impact, there is more information available today on possible fines, and daily operational turnover should be simple to calculate. The eventual cost of reputational damage and customer shift is far more subjective, but the certain pain of those factors should be clear enough to ask:
- What are the potential immediate financial costs of a breach?
- What are the long term financial costs from information and reputation losses?
The responses to these questions only provide a summary answer to what is a more detailed assessment of an organisation’s security posture. They should, however, be sufficient to justify the expense and effort of a comprehensive security plan designed to mitigate the risks to an appropriate level. In reality, there are far too many individual threats and vulnerabilities to list on the global risk register; these need to be investigated as part of the security plan.
The Security Risk Management Framework
There are several options for companies looking to adopt a formal risk management approach and many organisations use the ISO/IEC 27001:2013 standard both as a framework for risk management and a formal accreditation.
Hardware.com assists with the key requirements to investigate and fully understand the ‘Big 3’. What are the:
- Key assets?
- Vulnerabilities?
- Threats?
Once we have answered those questions, we can begin to define a security strategy making the best use of the resources to hand.
1. Key Asset Evaluation
Each asset can be mapped against the relevant vulnerabilities to determine the likelihood of a successful breach and the resulting technical / physical impact. Common assets and their respective threats might include, but are not limited to, the following:
- Intellectual property – stolen design plans, software, music
- Customer Data – personal details, financial or medical records
- Computer power and internet connection – for use in staging botnet attacks
- Cash – taken from duped transfer scams, unauthorised payments
- Physical property – taken from transfer scam, fraudulent transactions
- Service availability – website taken offline from DDOS attack
- System availability and data – ransomware locking machines for ransom
2. Vulnerabilities Evaluation
Vulnerabilities are harder to quantify, since at any time there can be many unknown issues which later surface as zero-day exploits in common software. Initially we need to look at the attack surface – the interfaces at which an attacker can launch an attack. This includes both machine and human elements, such as web servers exposed to the internet and staff that receive inbound phone calls. The term vulnerability in this sense does not imply a poor security posture; it identifies any element on the attack surface where a valued asset might be subject to a threat that requires risk mitigation.
Some examples include:
- Unpatched server and user systems – Common Vulnerabilities and Exposures – CVE-2010-333
- Poor exploitable website code – CSRF, Injection
- Weak password policies – easy to guess or brute force
- Open external access allowing reconnaissance and probing
- Open internal access allowing network traversal
- Loose firewall policies allowing non-essential outbound traffic
- Evasive traffic bypassing legacy security infrastructure
- Ineffective URL filtering allowing access to malware infected sites
- Ineffective blocking of phishing email
- Poor user awareness of malware, scams, social engineering and MITM
- Physical breach and direct access to systems
- In band access to critical infrastructure
- Loose device management – old SSH keys, shared login, high privileges
- Inability to cope with DDOS, session count or low bandwidth starvation
- Open access to hidden website pages
- Open access to public folders on cloud storage – open box.com shares
- Loose change management – admin staff able to create backdoor access
- Infrastructure sprawl – servers provisioned outside security design
- Poor user behaviour – password noting and sharing accounts
- Poor process and policy which fails to protect users from mistakes or scams
- Ineffective logging and visibility of systems and network activity
- Poor third party external device separation
3. Threat Evaluation
The threats to an organisation are the factors, human or otherwise, that can inflict a negative impact on its resources. These would include power outages and other physical risks, but for the purpose of the security risk assessment they would normally include some of the following:
- Opportunist hacker looking for open systems on the internet
- Hacker scanning public servers with specific version for known issues
- Hacker looking to exploit poor code on public server
- DDOS attacker from botnet designed to take a site offline
- Advanced persistent threat determined to attack an enterprise
- Phishing emails targeting known users
- Advanced social engineers looking to exploit staff for access
- Physical threats to access systems from intruders
- Knowledgeable insider misusing systems
- Malicious insider with systems access
- Malicious outsider with personal grudge (fired employee)
- Advanced scams designed to dupe users into theft or systems access
At this point you may have a relatively comprehensive list of your valued assets, the actors that would impact those assets, and a good idea of the targets that may get hit. This forms the basis of an in-depth analysis of the impact / likelihood risk assessment, where all known threats to each vulnerability are considered. With an honest appraisal of an organisation’s staff and systems, some elements may turn out to be relatively secure.
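The following is an added illustration of the impact / likelihood register described above, not Hardware.com's own tooling or method: it enumerates every asset / vulnerability / threat triple, scores each as likelihood x impact, and then ranks candidate controls by the expected annual loss they remove against their cost, which is the arithmetic behind the return-on-investment argument. The 1 to 5 scales, the likelihood-to-probability table, the sample assets, vulnerabilities, threats, loss figures and control costs are all constructed assumptions.

```python
"""Worked risk register for the 'Big 3' assessment: assets x vulnerabilities x threats.

Added illustration only: the scoring scales, the likelihood-to-probability table and all
figures are constructed assumptions, not Hardware.com's method or a client's data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


# Ordinal 1..5 scales (assumed): 1 = rare / negligible, 5 = almost certain / severe.
@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int                 # likelihood that this actor makes an attempt


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exploitability: int             # likelihood that an attempt succeeds
    threats: Tuple[Threat, ...]     # actors able to exercise this weakness


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int                     # business impact if compromised
    loss_gbp: int                   # constructed estimate of direct loss per compromise
    vulnerabilities: Tuple[Vulnerability, ...]


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    vulnerability: str
    threat: str
    likelihood: int                 # combined 1..5
    score: int                      # likelihood x impact, the register's ranking key
    expected_loss_gbp: int          # annualised expectation, for the cost/benefit view


# Assumed mapping from the ordinal likelihood to an annual probability (percent).
LIKELIHOOD_PCT = {1: 5, 2: 15, 3: 35, 4: 60, 5: 90}


def combined_likelihood(threat: Threat, vuln: Vulnerability) -> int:
    """Attempt likelihood x exploitability (1..25) rescaled to 1..5 (assumed rule)."""
    return max(1, min(5, round(threat.likelihood * vuln.exploitability / 5)))


def build_register(assets: List[Asset]) -> List[RiskEntry]:
    """Enumerate every asset/vulnerability/threat triple and rank by likelihood x impact."""
    entries = []
    for asset in assets:
        for vuln in asset.vulnerabilities:
            for threat in vuln.threats:
                lk = combined_likelihood(threat, vuln)
                entries.append(RiskEntry(
                    asset.name, vuln.name, threat.name, lk,
                    score=lk * asset.impact,
                    # integer arithmetic keeps the figures exact
                    expected_loss_gbp=LIKELIHOOD_PCT[lk] * asset.loss_gbp // 100,
                ))
    return sorted(entries, key=lambda e: (e.score, e.expected_loss_gbp), reverse=True)


def loss_avoided(register: List[RiskEntry], vulnerability: str) -> int:
    """Expected annual loss removed if a vulnerability is fully mitigated."""
    return sum(e.expected_loss_gbp for e in register if e.vulnerability == vulnerability)


def prioritise_controls(register: List[RiskEntry],
                        control_cost_gbp: Dict[str, int]) -> List[Tuple[str, int, int, int]]:
    """Rank candidate controls by net annual benefit: (vulnerability, avoided, cost, net)."""
    rows = [(v, loss_avoided(register, v), c, loss_avoided(register, v) - c)
            for v, c in control_cost_gbp.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)


def gdpr_fine_cap_gbp(annual_worldwide_turnover_gbp: int) -> int:
    """Upper bound on a regulatory fine at 4% of turnover, the ceiling cited above."""
    return annual_worldwide_turnover_gbp * 4 // 100


# --- Constructed sample data drawn from the lists above -----------------------
OPPORTUNIST = Threat("Opportunist hacker scanning the internet", 5)
PHISHER = Threat("Phishing emails targeting known users", 4)
INSIDER = Threat("Malicious insider with systems access", 2)

UNPATCHED = Vulnerability("Unpatched internet-facing server", 4, (OPPORTUNIST,))
WEAK_PASSWORDS = Vulnerability("Weak password policy", 3, (PHISHER, INSIDER))
LOOSE_FIREWALL = Vulnerability("Loose outbound firewall policy", 2, (PHISHER,))

ASSETS = [
    Asset("Customer data", 5, 500_000, (UNPATCHED, WEAK_PASSWORDS)),
    Asset("Public website availability", 3, 20_000, (UNPATCHED,)),
    Asset("Cash (transfer scams)", 4, 80_000, (WEAK_PASSWORDS, LOOSE_FIREWALL)),
]
# Constructed annual cost of a control that closes each vulnerability.
CONTROL_COSTS = {
    UNPATCHED.name: 40_000,         # patch management programme
    WEAK_PASSWORDS.name: 15_000,    # password policy plus MFA rollout
    LOOSE_FIREWALL.name: 5_000,     # outbound policy tightening
}

if __name__ == "__main__":
    register = build_register(ASSETS)
    for e in register:
        print(f"{e.score:>2}  £{e.expected_loss_gbp:>7,}  {e.asset} / {e.vulnerability} / {e.threat}")
    for v, avoided, cost, net in prioritise_controls(register, CONTROL_COSTS):
        print(f"{v}: avoids £{avoided:,}/yr for £{cost:,} (net £{net:,})")
    print(f"GDPR fine ceiling at £10m turnover: £{gdpr_fine_cap_gbp(10_000_000):,}")
```

Two views come out of the same register: the ordinal score (what goes on the board-level risk register) and the annualised expected loss (what justifies a specific line of spend). They do not always agree; with the constructed figures the website outage scores higher than the phishing route to customer data, yet the latter carries the larger expected loss, which is why the control ranking works from the financial column rather than the score.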
The Security Strategy
Hardware.com aim to understand the customer’s security strategy. This should identify business priorities, the security posture the organisation wishes to achieve at a given point, and the way in which that should be achieved. This might include a strategic decision to outsource operations to cloud providers or to focus effort on key risk areas. It should be a periodic exercise rather than a one-time task: as the strategic direction changes, new risks may be introduced which must be identified and assessed. Moving services to the cloud removes some risks but introduces others, such as loss of visibility of access.
Hardware.com delivers a comprehensive risk assessment which should identify the overall security posture of the organisation and the greatest areas of concern. A distilled version of the report, summarising the threats and local impact, can be presented to C-level staff to determine the wider impact on the risk register for each of the major asset groups. At this point, the top down strategy can begin with direction from C-level on the budget, scope and priorities for the organisation’s security strategy.
The Security Plan
Hardware.com helps the customer to build a robust security plan. Its goal is to achieve the aims of the security strategy and to provide the most effective risk mitigation with the given resources. With as many as possible of the risks identified and prioritised, the security plan defines how each risk is mitigated. Against each asset and its relevant vulnerabilities, control measures and mitigation techniques are planned for implementation and periodic review. The security plan is not necessarily a technical document, but it should identify the steps taken to mitigate risk.
Hardware.com can address 7 out of the 10 key areas outlined by the National Cyber Security Centre.
- Risk Management Regime
- Secure Configuration✔
- Network Security✔
- Privilege Management✔
- Incident Management✔
- User Training & Awareness
- Removable Media Controls
- Home & Mobile Networking✔
- Malware Prevention✔
In order to maximise the effectiveness of the budget and resources, Hardware.com advise a ‘top down approach’ when looking at technology solutions for enterprise security. By identifying assets, vulnerabilities and threats, we can assess overall priorities and apply the appropriate level of resource to each area.
When evaluating a range of technology options, it is simpler to match the value of a particular product, feature or solution against the requirements of the security plan.
Hardware.com are strategic partners with security vendors offering solutions consistently recognised by Gartner as market leading.