Decrypting

A quick hacking prevention cheat sheet

October 29, 2015

Security is a process. Not a product.


Background.

This cheat sheet was initially prepared as part of our participation in the International Association of Privacy Professionals’ recent event, ‘The Hacker, the Lawyer, the Client’.

We’ve decided to share the cheat sheet with anybody who is interested. It’s primarily designed as a set of questions or topics that one would ask their CIO or IT manager in a small or medium-sized enterprise to help better understand the situation you’re in.

What would a serious cyber security incident cost your company?

Is the behaviour of your staff enabling a strong security culture?

The key takeaway from this article is that the importance of security awareness at all levels needs to be demonstrated; the bullet points below suggest methods of doing so.

Getting started

Secure Deployments – How is your organisation vetting code, applications and equipment being deployed?

  • Are you peer-reviewing developer code and/or deployments?
  • Are your deployments standardised?
  • Are you verifying your data sovereignty? [Is your customer data being loaded into developer environments for testing without proper security measures?]
  • What policies and procedures are in place to authorize development or acquisition of new technologies?

A large portion of IT purchases are made outside the IT department; consider how this impacts the department’s ability to fulfil its role in ensuring your security.

Patch Management

  • A strong patch management system should be the core of your security program.
    • Operating System patches
    • Third party application patches

Data Loss Prevention

  • Leverage DLP technologies to prevent accidental data loss.
  • Do you have the ability (and the requirement) to restrict storage of customer data to specific countries or geographic regions? For example, Victoria in particular has some interesting requirements.
  • How do you implement backup and redundancies and are they regularly tested?

Vulnerability and Threat Management – What is your process for vulnerability tracking and management of risks to your particular environment?

  • Have you documented the particular risks and attack vectors unique to your business or industry and appropriate mitigations for each case with a risk analysis?
  • Are your administrators receiving feeds on relevant security risks based on your network and application stack?
  • What is your process for handling relevant, ‘critical’ vulnerabilities?
    • What assurances and system do you have that these are being remediated as soon as possible?

Credential Management and Tracking

  • Developers, helpdesk staff and others commonly have access to various things above their job description, either from a one-time necessity or given as a convenience, and it is never revoked. How are you handling and logging this?

Password Management

  • How is your organisation storing and managing passwords?
    • The answer should ideally be an enterprise password manager.
  • What is the policy of password generation and ‘uniqueness’? How is it enforced?
    • Staff should also never use a work related password for a personal account.
  • If you have client passwords and sensitive information to manage, the right encryption algorithm is key. Encryption algorithms become deprecated and must be updated or replaced where required. There is no good reason to not encrypt sensitive data.

Strong Access Control – What is the process taken when accessing private information? Are you using a single factor of authentication?

  • You should deploy two-factor authentication (2FA) support for infrastructure wherever possible. Many plugins exist to add 2FA support to most popular applications.

Network Security Controls

  • Are your firewalls configured to only allow required traffic?
    • Review firewall logs and rule sets regularly for old or unnecessary rules.
    • Configure rules to only allow the specific ports and IPs required.
    • Consider a third party audit of network security.
    • Are you deploying your external website on your internal network? Why? What protections have you taken and who verified it to be secure?
  • Email Security Controls
    • Misconfigured SPF [Sender Policy Framework] records can allow attackers to spoof internal email addresses. If you use a service such as Mandrill or MailChimp, how is your SPF record impacted?

It is known that SPF can sometimes be circumvented simply by creating a MailChimp account, for example, because your SPF record authorises the shared sending service as a whole rather than just your own account on it.

Ensure that anti-spam is filtering incoming email messages for spam and malicious content.
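As an added example (not from the original article), a small Python check that reads an SPF TXT record string and flags the problems described above: a permissive ‘all’ qualifier and includes that hand sending authority to a shared third-party service. The provider include hostnames, the sample records and the domain are constructed assumptions, and the check does not resolve DNS.

```python
import re

# Constructed sample SPF records for a hypothetical domain (not from the article).
SAMPLE_RECORDS = {
    "weak": "v=spf1 ip4:203.0.113.0/24 include:servers.mcsv.net include:spf.mandrillapp.com ?all",
    "tight": "v=spf1 ip4:203.0.113.0/24 -all",
}

# Assumption: include hosts used by shared sending services. An include of one of
# these authorises every customer of that service, not only your own account.
THIRD_PARTY_INCLUDES = ("mcsv.net", "mandrillapp.com")
# Mechanisms that count toward the RFC 7208 limit of 10 DNS lookups per record.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def check_spf(record):
    """Return a list of human-readable findings for one SPF TXT record string."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        # qualifier (+ - ~ ?), mechanism name, optional argument after : = or /
        m = re.match(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", term, re.I)
        if not m:
            findings.append(f"unparseable term {term!r}")
            continue
        qual, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if mech in LOOKUP_MECHANISMS:
            lookups += 1
        if mech == "all":
            all_qualifier = qual
        elif mech == "include" and arg and any(arg.lower().endswith(s) for s in THIRD_PARTY_INCLUDES):
            findings.append(f"include:{arg} authorises a shared sending service; "
                            "anyone with an account there may pass SPF for your domain")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders are treated as neutral")
    elif all_qualifier in ("+", "?"):
        findings.append(f"'{all_qualifier}all' lets any sender pass or be treated as neutral; use ~all or -all")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    return findings

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(name, check_spf(rec) or ["no findings"])
```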


Vendor Controls

  • Is security a major deciding factor in assessment processes for engaging with providers?

    • Are they developing and testing their products in accordance with leading industry standards?
    • Are they adhering to relevant legal, statutory and regulatory compliance obligations?
    • Have they had an independent review of security vulnerabilities? [When?]
    • What assurances are they giving of appropriate support for discovered issues?

Security Awareness – Most companies with highly sophisticated access controls and well developed security measures will still fall victim to phishing attacks. Consider a Security Awareness training program coupled with an audit of what protections are in place.

  • Do you have a system in place to monitor changes in the regulatory environment that you operate in?
  • Penetration testing and ‘ethical hacking’ can be a great way to increase security awareness in conjunction with an education program.

Cyber Insurance – If you conduct business online, you need to make sure you’re covered for both ‘cyber outages’ caused by malicious attackers and for equipment failures. You may need to expand your current level of insurance.

  • Policy coverage and limitations:
    • Be wary of policies that restrict or do not cover the use of applications developed ‘in house’.

Incident Response Teams – Prepare for an incident; your IT, HR and Legal departments should be involved at a minimum.

  • Consider finding and developing a relationship with an external Incident Response consultant in advance. Not only will this expedite a positive outcome, but the OAIC also considers preparation and implementation of a data breach policy and response plan a ‘reasonable step.’

BYOD & Mobile Tech – [Bring your own device (destruction!)] is a big challenge; how are you facing it?

  • Are staff putting their personal devices on the company network?
  • Laptops and phones get stolen. What systems are in place for:
    • Adequate boot passwords and PINs
    • Remote wiping of data and email
  • Consider a separate internet connection for guest and staff personal wireless devices.
