Real security insights that can mature your Cyber posture
In an era of rapid digital transformation and increasing amounts of data, cyber security is becoming an even greater priority for organisations of all sizes and industries. Effective cyber security starts with awareness at all levels and the realisation that at some point you and your organisation may be attacked. It is imperative that your organisation understands its threat landscape and identifies the key assets, vulnerabilities and threat actors that put it at risk.
In our digital, information-driven world, cyber threat management is a business and strategic imperative. Indeed, the stakes are higher than ever. Cybercrime is more than just fraud and theft. It is now the domain of vast criminal networks, foreign government-sponsored hackers and cyber terrorists. Tangible costs from cybercrime range from stolen funds and damaged systems to regulatory fines, legal damages and financial compensation for the affected parties. Intangible costs can include loss of competitive advantage due to stolen intellectual property, loss of customers' or business partners' trust and overall damage to an organisation's reputation and brand. The sheer scope of cyber-attacks now has the potential to cause mass-scale infrastructure outages and potentially affect the reliability of key systems and the wellbeing of economies.
At Deloitte Ireland we want to assist you by shedding some light on the common pitfalls organisations make when deploying their IT assets. We conduct penetration tests (Black, Grey and Crystal box), vulnerability assessments and code review, and also provide support for our Audit teams. Over the last number of years we have tracked the vulnerabilities and misconfigurations identified during our penetration tests and vulnerability assessments. By analysing the results of over 500 different security assessments and penetration tests, we were able to identify patterns across the web application, mobile, device and network security verticals. In short, Deloitte has created a cyber security team with the experience, knowledge and proven track record that is unmatched when it comes to attack mitigation.
What we know?
Over 51% of the discovered vulnerabilities are medium to high risk. This means the confidentiality, integrity and availability of critical systems and sensitive information may be at risk. We have also identified that over 65% of the discovered vulnerabilities are due to misconfigurations. These kinds of vulnerabilities are often related to default configurations, unused or unnecessary features, error handling and unprotected files.
Our testing approach combines the use of automated scanning tools and manual techniques. This assists with the identification of physical and logical security vulnerabilities, patching deficiencies and misconfigurations, in order to make mitigation recommendations. Manual techniques are needed because automated tools expect specific behaviour, and when used against complex applications or network infrastructure they can miss vulnerabilities (false negatives) and report vulnerabilities that do not exist (false positives). With a combined approach, scanning tools identify the easy-to-find vulnerabilities, which frees the tester to spend more time on manual testing.
Where to begin?
- Based on your IT reliance, establish a senior IT Risk Committee that is separate from but connected to the Audit Committee and assign it responsibility for enterprise risks including cyber security. Ensure that senior management are familiar with security and IT governance and have some level of cyber risk expertise.
- Review existing top-level policies to create a culture of vigilance and resilience.
- Require regular reports to senior management on privacy and security risks.
- Conduct annual independent reviews of security and privacy programs.
What about your IT department?
- Follow standards and good practice guidelines, but do not limit your implementations to them.
- Harden servers before going live, and implement a patch management process to ensure servers and software in general are patched in a timely manner.
- Include security in your Software Development Lifecycle (SDLC); security should be embraced, not treated as an inhibitor.
- We recommend performing regular penetration tests, as new vulnerabilities can be introduced as part of a code change or discovered in vulnerable components utilised by the application. Penetration tests should be carried out at a minimum bi-annually or after every major code change. Monthly vulnerability assessments should be carried out against the underlying infrastructure to pick up vulnerabilities newly disclosed by researchers, further strengthening the security posture of the application and its infrastructure. Remediation of high and medium risk vulnerabilities should be carried out as a matter of priority, with lower risk items addressed as part of the next major release.
- Implement, but do not solely rely on, perimeter solutions such as Web Application Firewalls (WAF), Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), Data Loss Prevention (DLP), antivirus systems and so on.
In conclusion, it is imperative that an organisation understands its current threat landscape and the threat actors, vulnerabilities and vectors that could potentially be used to affect its information assets. Deloitte's diverse experience in managing cyber risk and compliance demonstrates that clients implementing cybersecurity models that anticipate threats deal more effectively with problems when they arise.
This article was first published for ISACA Ireland