It used to be that organizations’ information (either its own, or data that was entrusted to the organization) was relatively safe. In the days before computers and the popularity of the Internet, someone could physically remove information. For that part, even that could happen today. But let’s face it, in today’s information-crazed economy, data is ubiquitous and information is golden. Gaining access to it and stealing it is no longer a rare event, either. Nor is it isolated to larger companies or companies that have “sexy” data (yes, I did just use those two words in the same sentence). If you don’t believe that your organization is a target, then you must read my article “Protect Your Data”, in this month’s Smart Business Magazine
In fact, it is not a question of “If”, but rather a question of “when” your organization will be faced with a data breach. Your job, therefore, is to get that risk as low as possible and to make the impact of a data breach as low as possible when it does occur.
Fortunately, there are some fantastic strategies and pre-breach assessments for accomplishing this. Unfortunately, no usable system can be 100% risk-free. Security is a delicate balance between convenience and security. The more secure you make something, the less convenient it is to use. Take a situation that most readers are probably familiar with – passwords. You’ve heard it, read it and been harped on by IT and outside experts about how important “complex” passwords are for maintaining security. You’ve been told to not use the same passwords for multiple accounts. Your IT department makes you change them on a frequent (read “too frequent for you, not frequent enough for them”) basis and you’re up to your eyeballs with the inconvenience that all of this introduces to what was just a simple computing task. I’d argue that we’ve not yet reached the level of inconvenience that really needs to be endured to raise security to the next level, but where does it end? The more secure we make something the less convenient it is.
I know…Grim news. But there is some silver lining in it. First, at the present day the vast majority of breaches occur because there’s a lot of low-hanging fruit out there and the bad guys are focusing on those targets. Like the popular joke about getting caught in the woods with a bear and a group of your friends – you don’t need to be the fastest runner in the group, you just need to be faster than the slowest one in the group. If you can handle addressing the low-hanging fruit then move onto an additional level or two of hardening, you will have far outpaced the vast majority of organizations out there. Will this remove all of your risk? Absolutely not! But it helps to reduce it, as the bad guys will likely move on to easier targets. Of course, vigilance is the name of this game–since new vulnerabilities are discovered every single day. Further, as more organizations get their security in order, you still need to stay ahead of the curve; so constant attention to this is a must.
So, how do you get started? That is precisely where a Pre-Breach Security Assessment comes in. In any assessment, are we looking to remove 100% of the risk?bWell sure…we’re looking to, but is it realistic? Not at all. Therefore, the goal of such an assessment is to understand the lay-of-the-land, determine the risks that exist, discover the current state of the controls that are in-place and then report on the gaps between those controls and the ideal state. The results provide a roadmap that can be used to then start addressing the deficiencies and shore up your security.
What is reviewed during a pre-breach assessment? The short answer is security best practices for the various systems, environments and technologies in-place within the organization and how well your current state compares to those best practices. There is not a one-size fits all answer in this realm. The actual risks that are present as a result of the choices made surrounding technology and implementation of that technology, very much play into what is in-scope and reviewed. This differs from organization to organization, and may even differ within different divisions of the same organization or within the same organization at different times throughout the course of a year, two years or more. Technology changes, environments change; needless to say any assessment needs to adequately adapt as well.
Actual Threat Environment
Vestige refers to this scope as an organization’s Actual Threat Environment. Sounds simple, but the reality is it takes work, cooperation and vigilance on the part of the individuals performing the assessment to adequately identify and document an organization’s Actual Threat Environment (ATE).
Once the Actual Threat Environment is accurately identified and documented, critical decisions can be made about prioritization of the systems contained therein. Identification also leads to understanding the kinds of risks that are present and at work within an organization. Those risks can range from the mundane, run-of-the-mill IT risks through regulatory and compliance issues such as: HIPAA, Gramm-Leach-Bliley (GLBA), Sarbanes-Oxley (SOX), Payment Cardholder Industry (PCI), Family Educational Rights and Privacy Act (FERPA), Federal Information Security Management Act (FISMA) or any other number of alphabet-soup regulatory/compliance acts.
The Problem with Assessing to Compliance
Most audits and assessments start with a known (i.e. “our organization needs to be compliant with HIPAA”) and the assessment carried out with little consideration for things outside the scope of that known. In fact, it is often the case that organizations work, prior to the assessment, to remove as much as they can from the scope of the assessment – falsely believing that they are doing the organization a favor by lowering the amount of work that needs to be done in the assessment leading to a lower cost for the assessment or they do so to remove potentially worrisome environments so that the organization “passes” the assessment.
The issue, of course, is that just because something falls outside of the scope of the assessment (perhaps legitimately, perhaps artificially), doesn’t mean that it no longer exists in the environment. And now, the worst scenario exists – you have something in your environment that is a risk, but it’s been removed from the scope and has not been tested. So, at the conclusion of that assessment everyone walks away with a false sense of security that because the organization passed, you must be secure. You might be…but ask yourself, just how many times this scenario has played out and in the back of your mind (maybe not even consciously), you breathed a sigh of relieve when the assessment didn’t uncover that potential problem that you know is there, but just aren’t quite ready to face.
The Steps of an Assessment
Every organization’s pre-breach assessment process may differ slightly, but here is the formula we have found that works to our clients’ benefit.
- Actual Threat Environment Identification
- Risk Assessment (tied directly to the Actual Threat Environment)
- Prioritization (collaborative approach)
- Scoping (using the results of the Risk Assessment)
- Is this just a Review?
- Will this be a comprehensive Audit/Assessment?
- Presentation of Findings
- Agreement on Remediation Prioritization
- On-going Review
- Review of outstanding findings to ensure they’re being completed
- Establish that remediation hasn’t introduced new issues or exacerbated existing issues,
- Review the Actual Threat Environment to ensure that it hasn’t changed and that the results are still valid.
- Rinse & Repeat…
Type of Assessment – Review vs Audit
As it relates to these assessments, there are typically two approaches and each factors into the amount of effort required to assess—therefore price and turnaround.
Review – A review consists of assessing the controls in-place within the environment and through interviews, questionnaires and perhaps general observation, come to an understanding surrounding the policies, procedures and controls in-place with the explicit goal of assessing the validity of the controls. In essence, the primary goal of a review is to assume that the controls are in-place and working correctly, but to assess whether the controls are adequate to ensure that the organization’s Actual Threat Environment is sufficiently handled.
Audit – The audit is much more in-depth, intense and meaningful. While similar in nature to the review, from the sense of establishing whether the existing controls are meaningful and would result in a more secure environment, the audit differs in the scrutiny that the controls undergo. Instead of asking “how is the control supposed to work” and assuming that it is working accordingly, the audit asks that question, but then goes on to determine (through testing) whether that control is actually in-place and working.
The Nature of Controls
Controls can come in a variety of flavors, including automated controls, periodic controls, on-going controls, etc. In addition, controls may be preventative and controls may be detective. It is important to understand what the purpose of each control set is and through the conducting of the assessment, come to understand whether the control set is functioning as designed, is partially functioning, or is functioning in a way that is bringing excess risk to the organization (i.e. a deficiency – either in design or in performance).
Future blog entries will cover the individual topics within this outline of steps (i.e. Identifying the Actual Threat Environment, Risk Assessments, Prioritization, etc.), so make sure to check back for specific details.
The End Result
At the tail end of the day, regardless of whether you’re conducting a Review or a full-blown Audit, the purpose of the Assessment is to accurately understand what isn’t working the way that it should be. It is with this information in-hand that a prioritized game plan is put together that, when followed, will bring your organization’s security to that new level that we all need to strive for – being (significantly) better than the “low-hanging fruit” that attackers are ready to pounce on.
What’s In It for Me?
There are many reasons why a pre-breach assessment may be conducted by an organization. Sometimes it’s altruistic – the organization just wants to perform the best that it can. For most organizations, however, resources are limited and the motivation comes from external factors – perhaps it’s the cost of responding to a breach and the reputational hit that the organization will likely face, or it’s the heavy fines that may be levied against the organization for allowing their data to be reached.
Since the cost factor is typically what drives these decisions, let’s look at the advantages of being prepared versus not.
Lowering of Risk
As has been previously mentioned, 100% secure is not practical (and may not even be possible, depending on your specific needs). However, reduction in the risk to the organization necessarily reduces the average costs of doing business since that preparation might just save countless hours and thousands, tens of thousands or even millions in remediating a successful data breach.
Lowered Investigative Fees
Since the end result of an assessment is to identify and put the controls in place, one major area of controls is what happens when there is a breach. It is too late to put an effective breach response when you’ve discovered the breach. This often leads to increased time, effort and fees in responding and ensures that things aren’t missed along the way. Wouldn’t it be great, now knowing that it’s a matter of “when” (and not if), that you have a game plan in-place and ready to go the moment there’s notice of a breach. Oh, and by the way, all those wonderful controls that have been put in place since having the assessment will alert you to the breach much earlier so that the organization can take steps to stop it.