Thursday, December 4, 2014

Blueprint: Building an IT Security Road Map to Avoid Cyber Attacks

by Matthew Goche
Will you be (or have you been) the subject of a headline? The victim of a damaging cyber attack or intrusion? If you’ve avoided it, count yourself lucky. But if you’ve already been victimized, you aren’t alone. It appears that such attacks and data breaches are practically inevitable today.
However, help is at hand. Organizations can build a strong IT security road map to counter – and more importantly, prevent – what was once an occasional hacking attempt to today’s constant bombardment by savvy cyber gangs.  
Consider this your Cybersecurity Roadmap and Toolkit
The first priority is to perform an initial gap analysis. This will identify weaknesses in your network and other IT infrastructure defenses. It helps you locate where the starting point is, where to spend your time and where you need to improve.
As my colleague Chris Sell advised in a recent article on information security gap analysis, you should compare your security program as it stands versus overall best security practices. This will help pinpoint vulnerabilities and risks. Also, have a clear understanding of the security threats you should be looking for or may find.
In addition, develop a security organizational chart that clearly outlines all participants’ roles and responsibilities to disarm intruders. This is vital because today’s security world has become much more complicated. There’s more hardware and software to monitor – period. Regulators also have become much more in-your-face about protecting their constituents, who likely are your customers and who you are protecting – especially if you’re in the financial services, retail and health-care sectors. Auditors, too, have higher thresholds to examine operations.
Identify your ‘Security Chieftain’
In developing that security chart, first identify the ‘security chieftain’ empowered to lead this group. If you have a chief information security officer (CISO), this is likely your leader. If you’re a smaller organization without a CISO, tap someone with authority – someone who has a seat at the executives’ table but who also doesn’t have a blatant conflict of interest.
The chief information officer (CIO) is fine, unless she or he also holds the CISO role. If an IT professional is responsible for uptime of applications, that person shouldn’t be the security chief because of an inherent conflict. Too many pressures exist in terms of uptime and innovation that can influence that individual’s mindset. In these cases, the security chief’s role usually falls to the lead infrastructure specialist. 
Be sure to build in checks and balances. If the organization chart lists the person responsible for managing a firewall device, also include the person ensuring the firewall device is managed correctly. At every stage, insert in an additional layer of control.
Consider including someone that deals with risk on a broader basis. A trend has begun that converges security roles and budgets into the same hub overseeing continuity and recovery roles, as well as budgets. An organization will likely reap real benefits by assessing the different categories of risk and judging them on their merits while measuring them together. In doing this, you can distill a clear understanding of overall risks and risk tolerance and invest, accordingly, for business continuity and data recovery.
Find a Hacker and Let Him Loose
Here’s a revolutionary suggestion – but a good one. Appoint your own internal hacker to poke holes in your IT systems, identifying vulnerabilities and seeking ways to strengthen those weak links. Initially when enterprises searched for a third-party internal hacker, they could find few candidates without criminal records.
Today, an increase in ethical training grounds has boosted the number of legit IT professionals trained to take on that role. Since most organizations don’t have an IT professional trained for such duties, it’s best to look to a third-party source.
Next, develop a clear methodology that allows for testing of the basics. Why? Because most successful attacks reflect a basic element that wasn’t followed. Also, inject methodologies that test the latest malware and other threats to outages.
Develop a plan for “application interdependence” that identifies where third-party vendors leave companies the most vulnerable to be hacked. Some of the most recent major cyber intrusions involved the attackers getting into an enterprise’s system through a vulnerable third-party security weakness. Target’s data breach late last year is an example.
Retain an external consultancy or partnership with expertise in business continuity/disaster recovery or in the regulatory/compliance sectors. This firm can review your security processes and test the resiliency and compliance of your IT infrastructure.
Consider identifying a partnership with a managed security services provider that, basically, can serve to augment your current resources. Its IT professionals can provide 24/7 eyes and ears monitoring your environment and looking for the gaps and weaknesses in your defenses.  
This managed security services provider is performing, not reviewing, operations. These providers do this for a living, so their specialists maintain constant communication with law-enforcement agencies, perhaps global in nature, that identify new types of security attacks cropping up somewhere and advising companies and organizations to watch out for them. 
While you can never be certain you’ll be completely safe from a cyber attack, you can definitely take measures that will make it more difficult for today’s sophisticated cyber thieves to crack the safe.
Plan. Prepare. Prevent. These three Ps can lead to a hopeful outcome that also begins with a fourth P: Peace. 
About the Author
Matthew Goche is director of Security Consulting at Sungard Availability Services, which helps clients keep mission-critical information and applications available, recoverable and secure.   

Got an idea for a Blueprint column?  We welcome your ideas on next gen network architecture.
See our guidelines.