5 Thoughts to Improve Your Infosec Maturity

Posted: January 8th, 2013
Filed under: Web and Application Security


From our partners at Net-Square

The year that was 2012 has ended, and it is time to start thinking about challenges that the New Year shall bring. As defenses get stronger, so do attacks. 2013 shall be the year of hybrid attacks – targeting man and machine together. The greatest challenge for 2013 shall lie in re-designing your Information Security strategy to measure up to heightened expectations. As you make your plans, let me share with you my top 5 thoughts for improving the maturity of your InfoSec program.

1. Plan on staffing a Red Team

A Red Team is “an independent group that seeks to challenge an organization in order to improve effectiveness”. Red Teaming has its origins in the military. In an InfoSec context, Red Teams serve as an “intelligence agency” to identify gaps, vulnerabilities and shortcomings in your organization’s IT infrastructure. The sole agenda of the Red Team is to find the holes before attackers do, while continuously coming up with new threat scenarios that impact the organization’s IT function.

2. Ensure that all IT purchases require InfoSec approval

There are few tasks more thankless than having to maintain security for an IT system that is defective by design. Talking to our clients revealed that 80% of all vulnerabilities fall under the “we know it already” category. “We have inherited a mess”. “We know it is broken, but what do we do?” Do these phrases sound familiar? Well then, make it a policy decision to evaluate and test all major IT requisitions before signing the cheque.

3. Insist upon pre-tested 3rd party developed software

The majority of the vulnerabilities we find lie in 3rd-party-developed software, or in heavily customized implementations of large packaged applications. Shouldn’t the software vendor have their software tested for security vulnerabilities before selling it to your organization? It is time to insist on it during the procurement cycle, and I would add: insist on getting a white-box testing certification.

4. Publish a testing calendar for the entire year…and stick to it!

Announce all your vulnerability assessment and penetration testing schedules for the entire year at the very beginning of 2013. Schedule quarterly or half-yearly tests for all critical applications, and at least annual tests for all others. Let all your developers and vendors know of the testing schedules. Do not let the testing schedule get sidetracked by release cycles. Software production shall always be delayed. Delaying your testing shall only prolong the agony.

5. Conduct at least one surprise attack on a critical application

Hackers aren’t going to wait until after your system migration is complete. Hackers aren’t going to spare you during peak transaction hours. Hackers will target your live systems, not your UAT systems. And your IT team will always be stressed – 365 days a year. That is reality. So why conduct fairy-tale penetration testing? As a leader of your InfoSec organization, plan on conducting a surprise attack on the production servers of your critical application during peak business hours. Let me just say that this shall be the shortest path to figuring out the biggest gaps in your organization.

As always, I would like to quote “that which does not kill you makes you stronger.”

-Saumil
