Cyber Security Plan: I know I need one, but where do I start?
Hackers, Ransomware, Regulations, and Compliance.
Executives across the US find these terms creeping into their daily reading. Question is, when will they have real impact for you and your business? You know you need to start taking cyber security seriously, but it feels like one more money pit for IT. Worst yet, none of your staff can tell you exactly what it is, what it means, how much it will cost, or how good or bad your corporate cyber security is right now.
Penetration Tests (Pen Tests)
“We need a pen test, I’ve heard that’s what you do when you get serious about security.” Yes, but not right now. A Penetration Test (or Pen Test) is just that, someone testing to see if they can penetrate your network defenses.
You haven’t studied for your test
Would you take a college final without studying? Well, you shouldn’t. Why take a test if you haven’t studied? Knowing your current cyber security stance is equivalent to studying for this test. Paying for a pen test before you have assessed your network and systems is just throwing money away and you’ll need that money for a pen test later!
A Pen test only shows one way to get in, not all of your vulnerabilities
Pen Tests are typically very focused. Break in, get Domain Admin access, take a document, success! Break in, change something on the website, success! Then the pen testers write a report on how the did it. Great. Now you know one way and a few issues. Trying to find all of your security issues via pen testing is a really great way to spend all of your cyber security budget without obtaining sufficient results.
Even if the Pen Testers don’t find a way into your network, it doesn’t mean others won’t.
By now, it sounds like I am completely against penetration testing. I’m not. I think people get pen tests done WAY too early, and then don’t utilize the results properly. Just because one group of pen testers wasn’t able to access your network in the limited 1 to 2 week engagement you gave them doesn’t mean that a dedicated hacker won’t. Hackers have nothing better to do than try time and time again until they get in. Pen Testers only have the time you have paid them for.
So, where do I start?
I am so glad you asked.
Assess where you are now
Dealing with your cyber security is a life cycle, like everything else in your business. First, you need an organized approach to go through how your corporate network is setup and compare it to a framework, like NIST 800.53 or 800.171.
Security Assessment
Perform a Security Assessment and see how your systems stack up against industry standards. This first piece is largely an interview and paperwork exercise. You need to interview your IT staff, look at your configurations, make sure your network maps are up-to-date and go through how your network and systems are set up now. This doesn’t have to be a long process, but you do need to be methodical.
You need to ask specific questions
For example:
“Do the admins share passwords or do each of you have a unique account?”
“How often do we review firewall rules to see if we still need them?”
“What is our process of removing someone’s access after they leave the company?”
It’s amazing how much you can accomplish while spending a fraction of the money you would spend on a single pen test.
Scan for vulnerabilities
A vulnerability scan connects to devices and servers across your network looking for software that is vulnerable to hackers and malware. It gives you a report of how vulnerable your systems are to known issues. Vulnerability scans are fast and yield a wealth of information. They answer questions such as, “Are we really as up-to-date on patches as we think we are?”
Monitor your network
Intrusion Detection Systems (IDS) watch every bit of traffic on your network. When set up properly, IDS are updated every day and inform you about everything from ransomware to out of date Java on company workstations. These Intrusion Detection Systems are required in some industries by their regulatory authorities. Roka Security HIGHLY recommends having an IDS and monitoring it regularly. When set up properly IDS will most likely be your first indicator that a hacker has infiltrated your network.
Already have an IDS?Roka Com has found that most in house Intrusion Detection Systems:
Roka Com has found that most in house Intrusion Detection Systems:
Are not setup and configured properly
Have not been updated since the day they were installed
Have no one checking the logs daily
Notice we haven’t gotten to pen tests yet. Well, we’re only near midterms in our college analogy.
Fix the glitch
Ok, at this point, we have our security assessment, comprised of how things are set up (or how your staff thinks they are set up), results from your scan and data from watching the traffic on the network. Your finalized Security Assessment report will help you make an action plan to fix your cyber security issues. Work with IT to prioritize and work through each issue.
Security Assessment reports are also a great budget justification tool!
Re-Assess and Re-Scan
This doesn’t have to be crazy or super formal, but go back over everything after you fix your initial issues. Run another vulnerability scan to make sure you didn’t miss anything. Once you have fixed your issues and the vulnerability scan shows no open issues it’s time to test.
Yep, now get a Penetration Test
You’ve implemented your cyber security plan, you scan for issues monthly, you’ve even locked down user workstations. Now its time to have someone try to break in! Why now? Well, you’ve studied for your test. You found all the issues you could find with the previous process and fixed them. The Pen Test is now a great option. A good Pen Test is designed to replicate a determined adversary or accidental malware that gains access and moves through your network.
If the pen testers find a way in and present you with every admin password in the network, well better they found it and not the bad guys. However, if the Pen Testers fail and can’t get in, even better. Never look at Pen Testers who couldn’t get in as wasted money.
About Patrick Stump
The CEO and founder of Roka Com, Patrick has been a key player in both offensive cyber intrusion and security operations with multiple branches and agencies of the United States Government (USG), the military, and commercial industry.
Connect with Patrick on LinkedIn 