If you have any interest in information security, you’ll know that the last year or so has been nothing short of incredible. Following Edward Snowden’s leaks to the press, we now know that there has been systematic, broad and deep surveillance of online activity at a scale that could not have been previously imagined. Beyond simply snooping, the revelations pointed to infiltration of the hardware and software we rely on to secure our communications.
Chains picture from Shutterstock
We had the retail hack at the end of the last year with Target and Neiman Marcus admitting to the theft of customer data from their systems. Those sophisticated attacks reportedly scraped customer data from RAM at point of sale terminals during the extremely short time the data is unencrypted between when it was read from a credit card until it was securely written to central systems.
One of the overwhelming themes emerging at this year’s RSA Conference in San Francisco was the importance of threat intelligence. Given that the bad guys (and who really knows what that means? Is it your own government or criminals?) are getting far smarter in how they attack, it’s time for your business to blow the dust from its security policy and check whether it still stacks up.
When it comes to policies and strategies, it’s hard to go past the tried and tested ways of the past. We’re big fans of the good old SWOT analysis: Strengths, Weaknesses, Opportunities and Threats.
Rather than try to write a generic policy that you can adapt, we’re going to highlight a few of the things that might be worth considering as you update your policies and strategies. We’ll fit those into the four SWOT categories to give you a start.
Look within your organisation. There are bound to be some really good things happening when it comes to infosec. For example, you might have a very well-educated workforce that never open unexpected attachments. Or your IT team is very conscious of the potential threats to your business and have solid systems and processes in place to deal with them.
It’s important to acknowledge those things and recognise what you do well.
Over the last 15 years, the focus of security in enterprises has been on vulnerability tracking and making sure that your systems are protected from external attacks. While that’s still important, it should only be one facet of your total security strategy. Have you considered what happens once someone gets past your firewalls and other blocking mechanisms? Or if the attack starts from within?
Give some consideration in your strategy to dealing with attacks once they are in action. Are your people ready to react once there is a breach? Are they across the latest threats and attack vectors?
Perhaps the most often seen security weakness (in our observation) is that managing compliance with the security policy is seen as an annual project that’s executed in order to keep auditors happy.
If that’s the case in your business, look for ways to alter that culture.
Aside from using security as a way to get lots of shiny new gear into your server racks or to justify new services, getting your infosec right can be a great chance to re-engage IT with the business. Look for ways to turn the security conversation into an opportunity to change service delivery.
It’s also a great way to further the professional development of your staff.
If you have some strong skills in data analytics in the business, you might find you can give them a new challenge by engaging them in threat intelligence.
Employing red/blue team exercises regularly doesn’t just improve your security response but can be a great way to add some excitement to how you manage security.
Review existing systems and processes to find the security issues. You might find it becomes an opportunity to ditch an old legacy system that’s costing lots of time and resources to maintain.
Over the last year, it’s become apparent that the threats of last decade are really just background noise today. Sure, we need to keep our firewalls locked down and end-point protection up to date but what can you do when your hardware is compromised or a nation-state can break through your encryption?
These are real threats today. Stuxnet, back in 2010, compromised a nuclear power plant. It is believed by many that it was part of an attack by one government against another. Today, Snowden’s documents tell us that the NSA can intercept a massive array of data. And not just from enemies but from within friendly states.
So, when was the last time you reviewed your security policy? Does it take into account new security mitigation techniques? Have you adjusted the skills in your business to manage changing attack methods? Is security a once-a-year audit activity? Those are the questions you need to address.
Disclosure: Anthony Caruana visit San Francisco as a guest of RSA.