IT security spend is on the rise; however, damaging attacks and data breaches are more common than ever. Part of the reason for this is the imbalance of spend and mindshare – many organizations allocate higher budget to lower risk areas and ignore their biggest security threats. Additionally, and more importantly, organizations are always looking for a silver bullet solution (usually a costly piece of shiny technology) rather than identifying some easy-to-implement measures that yield a high MOI (mitigation on investment).
When evaluating your organization’s security posture at a high level, there are many things to consider. For this blog, I'd like to focus on four specific questions that can help you collect information that may lead to some easy and quick "wins."
- How well patched are your systems?
- Do you filter all email that originates from email servers that are less than two days old?
- What percentage of your software engineers have gone through security training?
- Is your compliance tail wagging the business dog?
Below is a modified excerpt from a chapter I wrote for the book, “Mighty Guides: Using Security Metrics to Drive Action” that explores each of these questions a bit.
How well patched are your systems?
The reason I start with this one metric is because about 80 percent of all successful attacks take advantage of known security vulnerabilities. By pursuing a rigorous patching policy that keeps software up-to-date and patched across all systems and devices, including mobile devices, you can exponentially reduce your attack profile and block 80 percent of potentially successful attacks right out of the gate. This metric is typically a combination of metrics that might break down across systems, such as percentage of all routers that are up-to-date, percentage of all Windows Server instances, percentage of all Linux servers, percentage of all iOS devices, and so on. I would determine the patch and update status of all of the systems. It’s not a trivial task, but it’s an important one.
Do you filter all email that originates from email servers that are less than two days old?
This is an important question because of the growing use of phishing and highly targeted spear phishing attacks. Even with effective employee education, including executives who are increasingly becoming targets of these attacks, people fall for them because the ploys they use are becoming so sophisticated.The vast majority of these attacks, however, originate from mail servers that have existed for two days or less. Attackers spin up a spam server in a public cloud, conduct carpet bombing attacks, then quickly take the mail server offline. Malicious websites that infect victims of these attacks may exist for much longer, but the mail servers are short lived. Filtering out all email from servers that are less than two days old will eliminate a large percentage of phishing attacks.
What percentage of your software engineers have gone through security training and received an acceptable assessment score?
The reason I focus on software security is because software is now running our world including hardware and firmware. 90% of successful attacks happen at the application not network layer. Vulnerabilities are the direct result of your development teams doing something wrong, not some black magic powder that hackers sprinkle on your applications to make them vulnerable. There are known best practices at every phase of development that if implemented correctly, can create a lot of frustration points for a hacker who will likely move on to a more vulnerable target. If we don’t create and deploy secure software, we are creating massive attack surfaces for ourselves. A relevant metric might be percentage of engineers who meet this standard.
Is your compliance tail wagging the business dog?
A challenge for many organizations is that they are not driven by a need to achieve a certain security posture, but rather, they’re driven by requirements to be compliant with certain mandated standards, such as PCI-DSS (Payment Card Industry Data Security Standard) or FISMA (Federal Information Security Modernization Act). These standards have “best practices” but most are woefully insufficient for creating a sustainable security posture. To further complicate the situation, if an organization fails a compliance audit, it is typically given 12 to 24 months to fix the problems. This is a long time to be living with and working on systems that have known security issues. Lastly, many of your compliance mandates (both industry and customer ones) require the same types of activities to be conducted. If you organize these requirements and rollout a more unified and robust security program, you can achieve compliance along the way; but it doesn’t work in reverse.
Read more from other CEO's and application security experts in the full Using Security Metrics to Drive Action ebook.