If you meet the following criteria:

  • You are involved with IT or Information Security, and;
  • have an email account

Then you are already aware that every single product and solution provider on the planet somehow got your email address, and they would very much like to sell you a <thing/service that is guaranteed to make your data/network safe>. Don’t get me wrong, there are some brilliant services and technologies that can greatly improve an organization’s security posture; however, we see a lot of companies take the bait and end up with “shelfware” products that don’t fit their needs, are impossible to manage, or just don’t work as advertised. 

I was having a conversation with one of my dear friends about this the other day, and we started talking about how good business processes often trump “get-secure-or-triple-your-money-back” technologies; this got us talking about low tech security, and we started thinking about some of the cool things that we have seen clients do that don’t involve writing a check (if you are involved in IT or InfoSec, you probably don’t spend your day trying to figure out what to do with all of your free time and unlimited budget). 

This turned into a top 17 list, which I trimmed down to the following 5 recommendations (you’re welcome!).  Here are a few suggestions that are low/no cost/low effort that you may want to add to your security utility belt: 

1. Mix it up when testing your defenses:

Depending on your tools and processes, I’m guessing your security team sees the same types of alerts come in day after day; it’s easy to fall asleep at the switch and miss a real event, or rely on one set of tools to get you all your security data. Test your response capabilities and security program by running periodic scenarios based on situations that your employees may not frequently encounter or predict. Watch the data room door while it’s propped open to see if anyone checks on it, plug a (safe!) device into the network to see if it’s identified, run a (safe!) noisy scan on a non-critical network segment, or lock yourself out of a system through a bad password to see if anyone investigates. Basically, test your systems and processes when it’s not critical if they fail, and include a “lessons learned” process to make sure you document and escalate any issues you find.

Obvious disclaimer to cowboys/cowgirls: Don’t get yourself fired here, break anything, light anything on fire, or cause more work for someone else.  It goes without saying that you should use a very healthy dose of common sense to ensure that you are not introducing any real threats to your environment - ensure key stakeholders are aware and approve of the design, execution, and expected results of these scenarios. 

2. Spot check your assets:

Go look at your IT Asset inventory. If you don’t have one, I’ll wait here while you develop one.

Okay good, you’re back. Now spot check a few systems and see if they are reflected in your asset list as well as change control records. Then determine:

  • Does the inventory include key assets and owners? 
  • Is it up to date? 
  • Can you easily determine if rogue systems are currently on your network?

If the answer to any of these questions is “not so much,” then you need to do some digging. Knowing what’s supposed to be on your network and what isn’t is one of the first steps to maintaining a secure baseline; a spot check only takes a few minutes and is a good thing to put on your calendar between comprehensive inventories.
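One way to script the spot check described above, as an added example that is not part of the original post: it compares an inventory export against a list of devices seen on the network and answers the three questions in one pass. The column names, the sample data, and the one-year staleness threshold are assumptions; feed it your own inventory export and DHCP lease or switch table data.

```python
import csv
import io
from datetime import date

# Constructed sample inventory export (hypothetical column names).
INVENTORY_CSV = """mac,hostname,owner,last_verified
00:11:22:33:44:01,fileserver01,j.doe,2024-05-10
00-11-22-33-44-02,hr-laptop-07,,2024-04-02
00:11:22:33:44:03,printer-2f,facilities,2022-01-15
"""

# Constructed sample of (MAC, IP) pairs seen on the network,
# e.g. pulled from DHCP leases or switch tables.
OBSERVED = [
    ("00:11:22:33:44:01", "10.0.0.5"),
    ("00:11:22:33:44:02", "10.0.0.23"),
    ("AA:BB:CC:DD:EE:FF", "10.0.0.77"),
]

def norm(mac):
    """Normalize MAC formatting so 00-11-.. and 00:11:.. compare equal."""
    return mac.strip().lower().replace("-", ":")

def spot_check(inventory_csv, observed, today, max_age_days=365):
    rows = {norm(r["mac"]): r for r in csv.DictReader(io.StringIO(inventory_csv))}
    seen = {norm(mac): ip for mac, ip in observed}

    def age_days(row):
        return (today - date.fromisoformat(row["last_verified"])).days

    return {
        # On the network but not in the inventory: candidates for rogue systems.
        "rogue": sorted(ip for mac, ip in seen.items() if mac not in rows),
        # Inventory entries with no named owner.
        "no_owner": sorted(r["hostname"] for r in rows.values() if not r["owner"].strip()),
        # Entries nobody has verified within the threshold: is the list up to date?
        "stale": sorted(r["hostname"] for r in rows.values() if age_days(r) > max_age_days),
        # In the inventory but not seen: retired, moved, or just powered off.
        "not_seen": sorted(r["hostname"] for m, r in rows.items() if m not in seen),
    }

if __name__ == "__main__":
    for finding, items in spot_check(INVENTORY_CSV, OBSERVED, date.today()).items():
        print(f"{finding}: {items}")
```
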

3. Put on your reading glasses:

Here’s one that’s not as boring as it sounds: block off a few hours on your calendar, grab a coffee/cup of tea/margarita, and read through your information security policy. Is it up to date or did you have to blow dust off of it? In an ideal world, you would be updating this (at least) annually or when the environment changes. Your InfoSec policy is the foundation of your security program, and should be an accurate reflection of your security philosophy and direction. If you find something that’s out of date or missing, note it, talk it over with the group, and get the appropriate team members involved to update, approve, and distribute.

4. Security news, free delivery:

If you don’t already, use RSS feeds to quickly scan relevant headlines and the latest InfoSec news; there are RSS readers built into most mail programs and browsers, or you can use a phone or desktop app. Personally, I’m a fan of Wired Magazine’s Threat Level, SecurityWeek, SecurityFocus, DarkReading, SANS Newsbites, The Register, and TechRepublic; tune your favorite feed reader to what is important to you and your industry to keep current on new threats that warrant a response (vendor feeds about the technologies you use in your environment are also very valuable). RSS feeds are free, and have made me at least 14% smarter. As a bonus, sharing the latest InfoSec news for hours on end impresses my wife, kids, and strangers in line at the grocery store (I assume).

Bonus link: I found this lovely RSS Security feed list from a guy/gal with the handle “t3kn1cs”. This should keep you busy:

5. Get the real scoop on your security issues:

Put a recurring meeting on your calendar and take some non-technical/non-security coworkers out for lunch (okay, not technically “free” unless you raid those leftovers from the breakroom fridge). Make sure they know that this is not an audit, and no one is in trouble – you are asking for their help in making your organization safer. Inquire about their security concerns, and then listen: before you finish your salad you might find out that Jane the Sales Engineer emails spreadsheets full of sensitive customer data back and forth to her home computer, Jim the Receptionist has noticed that the HR filing cabinets are always left wide open, and Steve from Accounts Receivable shares a password with his whole team. These feedback loops from the front line will almost always turn up issues that you never thought of and some easy wins.

An informal, open dialog like this is a great way to get everyone involved in the security discussion, and demonstrates that the organization cares about everyone’s participation and concerns. And even if you don’t uncover anything interesting, you still got to make new friends and expense your lunch.

The goal here is to get out of the day-to-day routine and sole reliance on tools and technologies, and to take a step back to assess your program from both a top-down and bottom-up perspective. Remember: information security can be constantly improved without huge effort and capital expenditure, and margaritas are a proven way to make policy reviews more tolerable.

Tony Fulda

Tony Fulda has over fifteen years of information technology, information system security and technology training experience, performing technical and enterprise risk assessments and consulting for clients in the higher education, hospitality, healthcare, service provider, and retail industries. As AppSec Consulting’s Managing Director of Strategic Advisory Services, Tony is responsible for driving the strategic direction of the assessment team and ensuring that AppSec Consulting’s clients receive exceptional service and maximum return on investment.

Tony has helped hundreds of clients achieve their security and compliance goals through scope reduction, process improvement, and strategic technology integration. He has led or participated in a multitude of remediation projects and has performed US-based and International Level 1 Report on Compliance audits for some of the largest organizations in the world.
