How CSC can help build your InfoSec framework

Critical Security Controls is a set of best practices devised by the Center for Internet Security, a nonprofit dedicated to improving cybersecurity in the public and private sectors.


Cyberattacks are costing businesses between $400 billion and $500 billion per year, depending on which analysts you listen to. Cybersecurity has never been a hotter topic. The market is expected to grow from $106 billion this year to more than $170 billion by 2020, according to Markets and Markets. The average cost of a data breach, by the time you factor in remediation, non-compliance fines, and brand damage, is tough to accurately calculate, but it’s high, and it’s rising.

The Heartbleed vulnerability was 2014’s catastrophic security bug, and it had a wide-reaching impact. But even as companies pour more money into security services and platforms, the vulnerability remains unpatched on many servers. As the IoT opens up new avenues of risk, the response in the enterprise is mixed, and good practices in some areas are being severely undermined by a casual approach in others.


Building a solid foundation

Just as a house built on sand is not going to last, an InfoSec strategy that lacks a solid foundation is going to fail, no matter how much money you throw at it. We hear plenty about the growth in software vulnerabilities, the rise of malware and ransomware, and the risk of ignoring threats, but what should you be doing?

A great place to start creating your InfoSec framework is with the CIS (Center for Internet Security) Critical Security Controls. This is a recommended set of best practices, put together by government and law enforcement agencies, that focuses on actionable ways to bolster your cyber defenses. You’ll find a full explanation at the SANS Institute.

Taking any of the 20 actions on the list will have a positive impact on your security status, but the smart move is to work towards fulfilling the full range.


A step in the right direction

These are simple common-sense rules, but you’d be amazed at how often they’re overlooked. We don’t have time to cover everything in this article, but if we just take a brief look at the first couple of entries on the list, you’ll get an idea of the practical advice within.

Critical Control 1 – Inventory of Authorized and Unauthorized Devices

Building a good security foundation is about asking the right questions and identifying gaps in your knowledge. This first control is absolutely fundamental to security, but many organizations will struggle to answer questions like:

  • How many servers do you have in total?
  • How many devices are connected to your network?
  • What about firewalls, switches, and routers?
  • Can you control what joins your network?

There’s no way you can have a complete map, or flag potential vulnerabilities, without knowing exactly what hardware you have. An up-to-date, comprehensive hardware inventory is essential.

Critical Control 2 – Inventory of Authorized and Unauthorized Software

You should take this together with the first control and devise a list of authorized software that covers every system and device you’re using. You’ll need to be able to monitor your software in real time to validate versions and ensure that unapproved apps are blocked or, at least, flagged.

To ensure vulnerabilities and exploits are dealt with in a timely fashion, you also need to know what operating systems and versions of software are in use, and have a system to flag necessary updates based on new threats as they emerge.
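Controls 1 and 2 both boil down to the same mechanical task: compare what you actually observe on the network against what you have authorized, and flag the differences. The script below is an added example, not code from the article, CIS or SANS. It reconciles a constructed device sweep against a constructed authorized hardware list (Control 1), then checks the packages reported on each host against an approved-software baseline with minimum versions (Control 2). All MAC addresses, hostnames, package names and version numbers are made up for illustration.

```python
"""Inventory reconciliation in the spirit of CIS Critical Controls 1 and 2.

Added example, not code from the article, CIS or SANS. Every device and
software record below is constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# --- Authorized baselines (constructed) -------------------------------------
# Control 1: the hardware you expect on the network, keyed by MAC address.
AUTHORIZED_DEVICES: Dict[str, Dict[str, str]] = {
    "02:00:00:00:00:01": {"hostname": "web01", "owner": "platform", "role": "server"},
    "02:00:00:00:00:02": {"hostname": "db01", "owner": "platform", "role": "server"},
    "02:00:00:00:00:03": {"hostname": "fw-edge", "owner": "netops", "role": "firewall"},
}

# Control 2: approved packages and the minimum version currently allowed.
APPROVED_SOFTWARE: Dict[str, str] = {
    "webserver": "1.6.0",
    "tls-lib": "1.0.1g",
    "dbengine": "9.4",
}

# --- What a network sweep / endpoint agent reported (constructed) -----------
OBSERVED_DEVICES: List[Dict[str, str]] = [
    {"mac": "02:00:00:00:00:01", "ip": "10.0.0.11", "hostname": "web01"},
    {"mac": "02:00:00:00:00:02", "ip": "10.0.0.12", "hostname": "db01"},
    {"mac": "02:00:00:00:00:77", "ip": "10.0.0.77", "hostname": "unknown-laptop"},
]

OBSERVED_SOFTWARE: List[Tuple[str, str, str]] = [
    ("web01", "webserver", "1.6.2"),
    ("web01", "tls-lib", "1.0.1f"),        # older than the approved minimum
    ("db01", "dbengine", "9.4"),
    ("db01", "remote-admin-tool", "3.1"),  # not on the approved list at all
]


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.0.1g' into ((1, ''), (0, ''), (1, 'g')) so versions with a
    trailing letter compare sensibly: 1.0.1f < 1.0.1g < 1.0.2."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"(\d*)(.*)", piece)
        number = int(match.group(1)) if match.group(1) else 0
        parts.append((number, match.group(2)))
    return tuple(parts)


def unauthorized_devices(observed: List[Dict[str, str]],
                         authorized: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Control 1: devices seen on the wire that nobody has signed off on."""
    return [device for device in observed if device["mac"] not in authorized]


def unseen_devices(observed: List[Dict[str, str]],
                   authorized: Dict[str, Dict[str, str]]) -> List[str]:
    """Control 1, the other direction: inventory entries the sweep did not
    find, which usually means the inventory is stale."""
    seen = {device["mac"] for device in observed}
    return [entry["hostname"] for mac, entry in authorized.items() if mac not in seen]


def software_findings(observed: List[Tuple[str, str, str]],
                      approved: Dict[str, str]) -> List[Dict[str, str]]:
    """Control 2: packages that are unapproved, or approved but below the
    minimum version."""
    findings = []
    for host, package, version in observed:
        if package not in approved:
            findings.append({"host": host, "package": package,
                             "version": version, "issue": "unapproved"})
        elif parse_version(version) < parse_version(approved[package]):
            findings.append({"host": host, "package": package,
                             "version": version, "issue": "outdated",
                             "minimum": approved[package]})
    return findings


def main() -> None:
    for device in unauthorized_devices(OBSERVED_DEVICES, AUTHORIZED_DEVICES):
        print(f"UNAUTHORIZED DEVICE  {device['mac']}  {device['ip']}  {device['hostname']}")
    for hostname in unseen_devices(OBSERVED_DEVICES, AUTHORIZED_DEVICES):
        print(f"NOT SEEN             {hostname} (stale inventory entry?)")
    for finding in software_findings(OBSERVED_SOFTWARE, APPROVED_SOFTWARE):
        extra = f" (minimum {finding['minimum']})" if "minimum" in finding else ""
        print(f"{finding['issue'].upper():<20} {finding['host']}  "
              f"{finding['package']} {finding['version']}{extra}")


if __name__ == "__main__":
    main()
```

In practice the observed lists would come from a discovery scan or endpoint agent rather than being typed in, and the report would feed a ticketing or blocking workflow; the comparison logic stays the same. Note that the version parser is deliberately simple and only handles dotted numbers with an optional letter suffix.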


It takes time

As you can see, simply creating an accurate inventory of your hardware and software can be a big undertaking. Rome wasn’t built in a day, and you’ll find it takes time and resources to build a good InfoSec framework, too. What’s important is to formulate a plan that takes a holistic view. Start working through the steps outlined in the Critical Security Controls, and your defense will be strengthened with every step you take.

Whether you’re training up a team, hiring a new CISO, or engaging the services of a security consultancy, this list arms you with a solid framework to measure your efforts against. It’s invaluable actionable guidance, and it has the potential, not just to improve individual security, but to boost our collective security online. Every business should consider making it a starting point for building that solid security foundation.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.


This article was recently published in Network World.

Image courtesy of Victor Cruz.

The evil that lurks inside mobile apps

The Enterprise is at risk from malware and vulnerabilities hiding within mobile apps. You have to test your mobile apps to preserve your security.


Mobile apps are ubiquitous now, and they offer a range of business benefits, but they also represent one of the most serious security risks ever to face the enterprise. The mixing of devices and software for work and leisure opens up many potential avenues for attack, but even purpose-built enterprise apps are shipping with woefully inadequate security protections.


Defects and vulnerabilities commonplace

Did you know that mobile apps typically ship with between one and ten bugs in them?

According to research by Evans Data, only 5% of developers claim to ship apps with zero defects, while 20% ship with between 11 and 50 bugs. Even when testing is conducted, it’s on a limited subset of devices and platform versions.

Many software developers simply don’t have the resources to conduct proper testing before release, especially with the pressure to reach the market faster than everyone else. It’s accepted that many defects will be discovered by customers and fixed later through updates; in fact, 80% of developers push out updates at least monthly.

The chance of security vulnerabilities slipping through is very high. But that’s for an average mobile app developer. Surely the enterprise takes security more seriously, right?

You may assume that mobile app security testing is a lot more stringent in the business world, but it’s a dangerous assumption to make. Enterprise app developers are subject to the same pressures, and they’re just as likely to forgo security in the rush to market.


Lack of security testing in the enterprise

Many organizations are still taking it on trust that the mobile apps they use are secure. We’ve looked at the importance of assessing third-party vendors before. Almost 40% of large companies, even in the Fortune 500, don’t take the necessary precautions to secure the apps they build for customers, according to research by IBM and the Ponemon Institute.

In fact, one-third of companies never test their apps at all, and 50% of the companies surveyed admitted they devote absolutely no budget to mobile security.

Consider that more than half of businesses are planning to deploy 10 or more enterprise mobile apps in the next two years alone, according to 451 Research. The potential risk here is enormous. More data breaches are inevitable. What’s worse is that many will go unnoticed for long periods of time. The impact on some businesses will be devastating, as security threats too often go ignored. To bury your head in the sand is to expose your business to potential catastrophe.


Build in security and educate

If you’re only thinking about security at the end of app development, then you’ve already left it too late. You need to build in secure features and adopt stringent testing from day one. That means consulting or hiring security experts during the design phase, and empowering them to influence developers. Focus on data encryption, user authentication, and regulatory requirements.

Monitoring and reporting should be built into your mobile apps. That way there’s an audit trail to maintain security. Reports can also produce all sorts of useful analytics that help guide future development in the right direction. It’s not just for security; it’s also an important part of ensuring ROI for mobile apps.

It’s worth noting that mobile security at a platform level is improving, but few developers are taking full advantage of the new features designed specifically to secure apps for the enterprise. There has to be some education here. Without input from InfoSec talent, and the right training for developers, there’s no doubt that insecure mobile apps will continue to flood the market.


There’s no substitute for testing

At the end of the day, you will never know if your mobile apps are truly secure unless you test them. Proper mobile security penetration testing is essential. External testers with no vested interest and the right blend of expertise are best placed to provide the insight you need to uncover dangerous vulnerabilities, and help you mitigate them.

If development continues after release, as your mobile apps are updated with new features and defect fixes, make sure that you consider the security implications and test each new release properly – it’s the only way you can really be sure that your mobile apps are secure.


This article was recently published in Network World.

Imagery credit: cutcaster