The Forgotten Fundamentals Of Information Security
Prateek Mishra
CISO, IDBI Federal Life Insurance
IDBI Federal Life Insurance is a joint venture between IDBI Bank, Federal Bank and Ageas, a multinational insurance giant. The company has a robust network of more than 3,000 branches across India and has touched the lives of 8,00,000+ customers, with over 8.23 lakh policies.
A few days back I was reading an article published by a very popular News & Content sharing website way back in Feb’ 2001. The main theme of the article was Cyber Insurance, and it provided details about a General Insurance company’s foray into the Cyber insurance space. The article was quite skeptical about the Cyber threat scenarios and went ahead and stated that “Cyber extortion and law suits against companies for services rendered are rare. Incidents of hacking have been largely limited to pranks played by a few over-enthusiastic youngsters”! I dearly wish this statement were still true today. But, alas, security professionals are in the middle of a Cyber war now. And calling it a ‘Cyber war’ is no exaggeration.
This urgent need to protect our organization’s information and information assets from Cyber-attacks has led security professionals to venture into heterogeneous domains such as OSINT, Dark/Surface Web and Shadow-IT monitoring, UEBA, etc. But somewhere along this journey, we must make sure that the basic framework of Information Security remains intact and keeps getting enhanced continuously. In my opinion, the ‘basic framework’ must contain at least the following domains:
1. Inventory Management
Consider the case of a hospital. If the hospital authority cannot keep track of all the patients admitted to the hospital, there is a significant chance that an unattended patient may end up infecting others with a contagious disease while the authority keeps searching for the source. Now relate this to the scenario of a lateral attack from an infected system that is not listed in your inventory. As a security professional, ask whether you can really identify, with confidence, all the systems hosted by or on behalf of the organization.
2. Baseline management
Ask yourself a simple question: Is there a uniform baseline established across the organization’s systems? From the head office to a small branch office in the remotest part of the world, are the systems configured with a uniform baseline? Prepare a metric for this use case and check the compliance every month. This is a major area of risk for organizations, and the non-compliance ratio might be higher for larger organizations.
3. Patch Management
The majority of successful attacks are the result of the exploitation of a missing patch on one system or another. If you have conducted a Red team exercise, you might be aware that the Red teamers typically exploit a missing patch to initiate attacks and thus gain administrator access on the system. Patch Management is indeed a critical domain but often finds itself entangled in a tussle between the security practitioners and business owners.
Have a strict policy for periodic Patch Management and stick to it. Measure the result every month and check whether a robust process has been implemented to make all the relevant stakeholders aware of any latest advisory on vulnerabilities and its associated patches.
4. Awareness Campaigns
One of the best tools, often overlooked though extremely important. Be innovative in your awareness sessions. Employees get bored of typical certificate programs, plain security mailers, etc. Many employees attend the internal security-certification programs just because they are ‘mandatory’. We must add value to our awareness programs by making end users aware of the Cyber risks that can affect their personal digital lives. In this manner, end users can understand the importance of following safe Cyber practices, and this in turn helps the organization. Conduct simulated phishing campaigns to test the effectiveness of these awareness programs and send appreciation mails to the compliant employees. Turn your employees into Cyber soldiers.
5. Breach readiness assessment
We might end up investing millions in new-age security products and practices, but how can we ascertain that the security implementations are up to the mark? Conduct Breach readiness assessments periodically. Ask the Red teamers to initiate new-age attacks and check whether these are proactively detected by the established controls such as the Security Operations Center (SOC). This exercise will not only help you identify the blind spots in your organization, but will also enhance the existing controls.
6. Measure the effectiveness
Prepare metrics. Identify suitable metrics as per your organization’s risk posture and get them vetted by the relevant stakeholders. Stakeholder buy-in is absolutely necessary, as they are the ones who will provide the data for the metrics. And without the right data, metrics would be misleading. Assign a criticality rating to each metric and check the status every quarter to start with. Metrics will help you gain confidence and visibility about the performance of the existing security practices.
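As an added illustration of sections 1, 2, 3 and 6 (not code from the article or from IDBI Federal), the following Python script reconciles observed hosts against the inventory, checks each inventoried host against one uniform baseline (patch age, antivirus, local admin), and reports a per-site non-compliance ratio with a criticality rating. All hostnames, site names, baseline values and rating thresholds are constructed sample data.

```python
"""Monthly baseline-compliance metric over a system inventory (constructed data)."""
from collections import defaultdict

# Constructed baseline: what every managed system, head office or branch, must satisfy.
BASELINE = {"patch_age_days_max": 30, "av_enabled": True, "local_admin_disabled": True}

# Constructed inventory: what the asset register says should exist, keyed by hostname.
INVENTORY = {
    "HO-WS-001": {"site": "head-office"},
    "HO-SRV-01": {"site": "head-office"},
    "BR-LEH-01": {"site": "branch-leh"},
    "BR-LEH-02": {"site": "branch-leh"},
    "BR-PUNE-01": {"site": "branch-pune"},   # in the register but never scanned
}

# Constructed scan results: what was actually observed on the network this month.
OBSERVED = {
    "HO-WS-001": {"patch_age_days": 12, "av_enabled": True, "local_admin_disabled": True},
    "HO-SRV-01": {"patch_age_days": 45, "av_enabled": True, "local_admin_disabled": True},
    "BR-LEH-01": {"patch_age_days": 90, "av_enabled": False, "local_admin_disabled": True},
    "BR-LEH-02": {"patch_age_days": 5, "av_enabled": True, "local_admin_disabled": False},
    "UNKNOWN-PC": {"patch_age_days": 200, "av_enabled": False, "local_admin_disabled": False},
}

def check_host(obs):
    """Return the baseline controls a host fails (empty list means compliant)."""
    failures = []
    if obs["patch_age_days"] > BASELINE["patch_age_days_max"]:
        failures.append("patch_age")
    for key in ("av_enabled", "local_admin_disabled"):
        if obs[key] != BASELINE[key]:
            failures.append(key)
    return failures

def compliance_report(inventory, observed):
    """Per-site non-compliance ratio plus inventory gaps in both directions."""
    unlisted = sorted(set(observed) - set(inventory))   # seen, but not in the register
    missing = sorted(set(inventory) - set(observed))    # registered, but never seen
    per_site = defaultdict(lambda: {"total": 0, "non_compliant": 0})
    for host, meta in inventory.items():
        site = per_site[meta["site"]]
        site["total"] += 1
        obs = observed.get(host)
        # A registered host with no scan data is counted as non-compliant: unknown state.
        if obs is None or check_host(obs):
            site["non_compliant"] += 1
    ratios = {s: round(v["non_compliant"] / v["total"], 2) for s, v in per_site.items()}
    return {"non_compliance_ratio": ratios, "unlisted_hosts": unlisted, "missing_hosts": missing}

def rate(ratio):
    """Criticality rating for a site's non-compliance ratio (constructed thresholds)."""
    return "critical" if ratio >= 0.5 else "high" if ratio >= 0.25 else "acceptable"
```

Unlisted hosts feed the inventory review in section 1, the per-site ratios are the monthly baseline metric of section 2, and the ratings give the stakeholder-facing view of section 6.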
7. Become the 'CEO of Cyber Security' in your organization
The heading sounds more like wishful thinking, but I find it important to put it that way. CISOs are typically considered as someone who keeps the IT systems secure. But now they are a lot more than that. The CISO and their team members help the organization achieve its business objectives by leveraging IT and the associated technology in a secure manner. This provides confidence to external as well as internal stakeholders and helps accommodate the organization’s various digital initiatives by putting safe boundaries around them. This is indeed a herculean task, considering the constant attacks that the organization’s systems face from both internal and external threats. As CISOs, we must stay firm about our security objectives and align them with the business objectives.
This article presents some basic but often overlooked fundamentals of Information & Cyber Security and must be read in conjunction with the many other practices associated with the security domain.