10 Critical Cybersecurity Questions to Ask of Your Organization
This week I’m speaking at the ACSC conference in Canberra, Australia. As one of the event sponsors, we’re handing out Nuix-branded water bottles. While our primary goal is to help conference attendees stay hydrated, we’re also aiming to get them thinking about their cybersecurity defenses. So each bottle also has a question, and here are the answers.
Even if you’re not at the conference, these are extremely valuable questions to ask. I’ve divided them into the three phases our Advanced Threat and Countermeasures team uses to conduct real-world testing of our customers’ security environments: attack, fortify, and educate.
1. Do you test your internal and external systems using known attacker tools and methodologies?
I’ve said many times that checklists and compliance regimes will never be enough to protect your organization from cybercriminals. The only way to truly assess your ability to deflect real-world attacks is to perform testing that mimics those attacks as closely as possible.
2. Do you conduct client-side attack simulations such as spear phishing and social engineering?
Some of the most common attack vectors cybercriminals use are perpetrated against human beings. By our very nature, we are inquisitive, trusting, and often quick to be helpful. Attackers know this, and take full advantage of it in order to circumvent organizations’ security controls.
3. Do you test, test, test, and test again?
This is the new “cost of doing business.” Security tests can only ever be a point-in-time assessment. While testing in this manner may satisfy legal or governance, risk, and compliance (GRC) obligations, it does not accurately represent the dynamic threat landscape.
Most organizations are in a constant state of change. They commission and decommission systems regularly and modify content daily. This creates the logical need to perform security testing at intervals or whenever significant changes are made to the environment. Hackers are not like Santa Claus … they don’t come once a year.
4. How do you secure the perimeter: web application firewalls, intrusion detection and prevention systems, etc.?
Defenders need to protect against every potential threat vector, all the time. Attackers only need to identify a single vulnerability and exploit it. This tips the odds significantly in their favor. Nothing is “hacker proof,” and history has shown that the most we can expect from perimeter defenses is that they will slow down intruders. Assume your perimeter will be breached and implement and test your organization’s ability to detect when it happens.
5. Do you use information governance to know where your critical value data resides?
The scope of any GRC regime is limited to the sections of the network that store, process, or transmit critical value data. To that end, you can drastically limit the number of systems that fall within the scope of a data breach by using information governance to collate that data into the proper locations. This will allow you to gain a deeper understanding of your data footprint and make compliance easier and potentially less expensive.
6. Do you segregate assets that contain critical value data and enforce a concentric ring of protection?
A single product or solution alone cannot provide adequate protection from a determined attacker; it would be like trying to chain a fence closed with only a single link. Effective protections and countermeasures require a concentric ring around the critical value data; this is also frequently referred to as “defense in depth.”
By deploying multiple solutions as part of a sound defensive strategy, you add layer upon layer of protection mechanisms; multiple links now form a much stronger chain. Doing so will not make you unhackable, but it will certainly increase the time it takes an attacker to successfully carry out an attack. You can use this time to identify their attempts, and give yourself a better chance to stop them before they break through.
7. Do you monitor, monitor, monitor?
Even the most robust defenses are at risk of being compromised by a determined attacker, and let’s not forget that insider threat actors are already behind the perimeter, which renders those defenses useless against them.
If the first phase (deflect attacks) of your security posture fails, your ability to quickly detect nefarious activity can literally be the difference between “just another day at the office” and becoming the next data breach news story. It’s absolutely critical for your organization to identify suspect activity, connect the alerts to actual human activity, and take action on those events.
8. Do you train your teams so they know what an attack looks like?
Security vendors have been selling their wares for the past 15 years, boasting that each product will protect your organization better than the last. But organizations have largely ignored the fact that it is human beings who are looking at computer monitors filled with alerts. Those people need to know how to connect what they see on the screen to real-world human activity.
Realistic penetration testing and proactive incident response training will bolster your defenses to the point that you can realize the value of the financial investment you’ve made in your monitoring capability.
9. Have you developed, tested, and trained using an incident response plan?
It’s bad enough to suffer a data breach; the only thing that will make it worse is not being prepared.
Having a comprehensive incident response plan is not only a really good idea, it’s also a requirement under many GRC regimes. Additionally, as post-breach litigation has become more commonplace, your incident response plan now becomes part of your “defensible position of reasonableness.”
A well-written incident response plan will dramatically shorten the time it takes from detecting a breach to responding. It will set in motion a clear, coordinated response effort.
10. Have you established an organization-wide awareness campaign to educate all employees on common attack vectors?
One of the most common attack vectors that cybercriminals take advantage of is human beings. These are commonly referred to as “client-side” attacks; they include spear phishing, browser-based attacks, and social engineering.
In these instances, human decision-making becomes your most effective line of defense. Training your employees how to identify, take action, document, and report client-side attacks can significantly reduce your organization’s potential attack surface. This will also create a company-wide culture of security-minded employees who all realize they are not only part of the fight, but more importantly, part of the solution.