20 Questions to Help Achieve Security Program Goals

There are always projects, maturity improvements, and risk mitigation endeavors on the horizon. Here’s how to keep them from drifting into the sunset.
Recently, I was at the beach and found myself gazing out toward the horizon. Of course, as we all know, if you were to travel out into the sea trying to reach the horizon, you would never get there. The horizon just keeps on moving right along with you.
Unfortunately, the same can be said about many security programs I’ve seen over the course of my career. Most often the horizon, in this case a time horizon, just keeps on moving. Organizations never seem able to achieve many of the goals they set for themselves.
There are many reasons why this is the case, but I’d like to focus on how organizations can actually achieve their objectives. I know this probably will not surprise you, but this is another great opportunity for a game of 20 questions.
Image Credit: DuMont Television/Rosen Studios. Public domain, via Wikimedia Commons.
Do we have a focused and well-defined list of risks to the business? No matter how good we are, if we start off without any focus, it will be very hard to achieve successful and timely results.
Do we derive our goals and priorities from the risks we’re most interested in mitigating? It’s hard enough to deliver results on time for things that we need to do, never mind things that don’t address any of the risks we’re most concerned about.
Do we regularly assess where we may have gaps in our security architecture? This can be another great way to identify where it makes sense to invest time and money in projects. No sense in investing in something that you’ve already addressed at the expense of something else that sorely needs addressing.
Do we follow the Pareto principle (80/20 rule)? The Pareto principle states that “for many events, roughly 80% of the effects come from 20% of the causes.” In the security world, that means that we can typically achieve 80% of the desired results with 20% of the effort. For organizations that are resource-constrained, this is something to think seriously about.
Do we have talented leaders who can shepherd and manage projects through to successful completion?
Do we have talented people who can execute our plans to bring them through to successful implementation?
Do we understand that we cannot do everything? We need to choose our battles wisely to ensure that we do not waste resources on items that may need to take a lower priority.
Do we remember to set aside budget for the most important things? Not everything can be a priority.
Do we remember to include operation and maintenance costs when budgeting? Not doing so puts all of our goals at risk, since people who were meant to be working on different goals will get dragged into O&M.
Are we properly managing the signal-to-noise ratio? Wasting time on false positives is not going to help us achieve our goals in a timely manner.
Are we working to keep shiny-object syndrome at bay? Sometimes management, executives, and the board can get caught up in all the hype and hysteria around the issue du jour. This can pull valuable resources away from long-term goals. Working from a risk register can help organizations manage the hype and hysteria.
Are we focused on what will have an impact and mitigate risk? It is all too easy to get distracted.

Are we managing a continuous dialogue with management, the board, executives, and other stakeholders? This can build confidence and demonstrate movement toward goals in a strategic and calculated manner. That, in turn, can buy fewer distractions and interruptions.
Are we reporting relative metrics, rather than absolute metrics that provide no value for management, executives, and the board? For example, reporting on progress mitigating a $5 million potential loss, rather than reporting the number of alerts that fired in a given week.
Are we showing our progress toward mitigating the risks that we’ve committed to mitigating? This means reporting progress in terms that are understood by non-security types.
Are we reinventing the wheel? Our field has lots of talented people. If someone has already done something that we can leverage, we can save a lot of time and effort.
Are we staying realistic? We can’t all be a 100,000-employee financial company, and we shouldn’t approach security as if we are.
Are we working with the right partners? Often, those who specialize in addressing certain challenges can help us achieve our goals more quickly.
Are we continually assessing our security posture and evaluating progress against our goals? It would be a shame to charge ahead 6 to 12 months in a given direction only to find out that it didn’t bring us any closer to achieving our goals.
Are we continually assessing our goals against the evolving security environment to ensure they are still the right goals? How disappointing to achieve a goal, only to find out that it wasn’t really the right goal to achieve.
Ultimately, a security program shouldn’t be like the horizon. We want to achieve our goals in a reasonable amount of time, rather than having them constantly drift away. While there is no simple answer to this all-too-common situation, our game of 20 questions can point organizations in the right direction.
Equifax: Breach Exposed Data of 143 Million Consumers

Credit reporting agency Equifax says Thursday a web application flaw exposed 143 million customer records to hackers, a startling breach from a company that ironically offers identity theft protection services.

The information exposed includes names, Social Security numbers, birth dates, addresses and in some cases, driver’s license numbers, according to a news release. Although most affected are U.S. consumers, Equifax says some “limited personal” information for U.K. and Canadian residents was affected.
Equifax also says the breach exposed credit card numbers for 209,000 U.S. consumers. The hackers also accessed what Equifax described as “dispute documents” containing personal information for 182,000 U.S. consumers.
While not the largest breach on record, it’s certainly one of the most sensitive. Equifax is one of the largest aggregators of financial data for U.S. consumers, and its records are used by a variety of other businesses to gauge a person’s creditworthiness.
CEO Apologizes
The breach was discovered on July 29. Equifax says the cybercriminals “exploited a U.S. website application vulnerability to gain access to certain files.” The exposure period ran from mid-May through July.
Equifax didn’t identify what kind of web application was illegally accessed. But it said that its consumer and commercial credit reporting databases did not show evidence of unauthorized activity.
Still, it’s a worst-case scenario for consumers. The type of information leaked is a perfect package for a fraudster looking to impersonate someone else.
In the news release, Equifax Chairman and CEO Richard F. Smith says, “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do.”
“I apologize to consumers and our business customers for the concern and frustration this causes,” Smith says. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
Although major data breaches have become nearly routine, Equifax’s lapse is “especially alarming and serious,” says Atiq Raza, CEO of the web application security company Virsec. Of particular concern is the static nature of data such as birth dates.
“Almost all the data that credit reporting companies like Equifax hold is sensitive, and much of it is used to establish identity – birth dates, addresses, drivers licenses, and other data types are routinely used to verify identity,” Raza says. “It’s one thing to ask a consumer to change a password, but how do you change your birth date?”
Questionable Notification Process
It doesn’t appear that Equifax is directly contacting consumers. Instead, the company has set up a web-based tool for people to check if their data is in the breach.
That is likely to raise eyebrows amongst security experts, particularly after Equifax attributes the breach to a web application security flaw. The tool asks consumers for their last name and the last six digits of their Social Security number.
Social Security numbers are widely available on underground cybercriminal markets, so it’s not difficult for fraudsters to procure them in large numbers. That makes Social Security numbers a very poor way to authenticate a consumer.
Virsec’s cofounder and CTO, Satya Gupta, says Equifax’s notification method is “very unusual.”
“This reinforces the conundrum of these breaches – with more information exposed, how do you now prove a person’s identity?” he says.
Equifax says that it is offering free identity theft protection and credit file monitoring for all U.S. consumers, even for those not affected by the breach.
After a last name and the last six digits of a Social Security number are entered into the tool, it returns whether the person is in the breach. If a person isn’t in the breach, it offers a date when they should return to Equifax’s website to enrol in the service, called TrustedID Premier.
Enrolment is only free for one year, after which consumers would have to pay a fee.
Web App Risks
Flaws in web applications are one of the most common vectors for hackers to access data. Since web applications by their nature face the internet, it’s crucial that companies code them correctly to prevent information those applications collect from leaking.
Most web applications have a backend database that is supposed to be configured not to respond to potentially malicious input. Hackers will often try what are known as injection attacks, where certain commands are entered into web-based forms to see if a backend database will divulge information.
According to the Open Web Application Security Project, a community dedicated to web application security, injection attacks are rated as the top risk to applications for this year.
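The injection risk described above, shown in working code as an added example that is not part of the original article and is not Equifax’s code: a constructed consumer-lookup table in an in-memory SQLite database is queried two ways, once by splicing form input into the SQL text and once with a parameterized query behind an input-format check. The table name, column names, sample rows and the malformed input are all invented for this example; the lookup resembles a last-name-plus-six-digits form only in shape.

```python
import re
import sqlite3

# Constructed sample data standing in for a consumer-lookup backend.
# Names and digit strings are invented for this example and are not real records.
SAMPLE_ROWS = [
    ("Doe", "123456"),
    ("Roe", "654321"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE consumers (last_name TEXT, ssn_last6 TEXT)")
    conn.executemany("INSERT INTO consumers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_concatenated(conn, last_name, ssn_last6):
    """Vulnerable form: form input is spliced into the SQL text.

    Because the input becomes part of the query itself, a value carrying quote
    characters and SQL keywords changes the query's structure rather than just
    its data, and the database answers a question the developer never asked.
    """
    query = (
        "SELECT last_name FROM consumers WHERE last_name = '" + last_name
        + "' AND ssn_last6 = '" + ssn_last6 + "'"
    )
    return [row[0] for row in conn.execute(query)]


def is_well_formed(last_name, ssn_last6):
    """Format check a lookup tool should apply before touching the database.

    Exactly six decimal digits and a short surname (letters, apostrophe,
    hyphen, space) are the only shapes the form is meant to accept.
    """
    return (
        re.fullmatch(r"\d{6}", ssn_last6) is not None
        and re.fullmatch(r"[A-Za-z' -]{1,64}", last_name) is not None
    )


def lookup_parameterized(conn, last_name, ssn_last6):
    """Hardened form: the format check plus a parameterized query.

    Placeholders keep the SQL text fixed; the driver hands the values to the
    engine separately, so they can only ever be compared as data.
    """
    if not is_well_formed(last_name, ssn_last6):
        return []
    rows = conn.execute(
        "SELECT last_name FROM consumers WHERE last_name = ? AND ssn_last6 = ?",
        (last_name, ssn_last6),
    )
    return [row[0] for row in rows]


def demo():
    """Run both lookups on a legitimate input and a malformed one.

    Returns (concatenated/legit, concatenated/malformed,
             parameterized/legit, parameterized/malformed).
    """
    conn = build_db()
    legit = ("Doe", "123456")
    # Constructed malformed input: not six digits, and it carries quote
    # characters that alter the structure of a concatenated query.
    malformed = ("Doe", "x' OR '1'='1")
    return (
        lookup_concatenated(conn, *legit),
        lookup_concatenated(conn, *malformed),
        lookup_parameterized(conn, *legit),
        lookup_parameterized(conn, *malformed),
    )


if __name__ == "__main__":
    labels = ["concatenated/legit", "concatenated/malformed",
              "parameterized/legit", "parameterized/malformed"]
    for label, result in zip(labels, demo()):
        print(f"{label}: {result}")
```

The concatenated lookup returns every row for the malformed input because the input rewrote the WHERE clause; the parameterized lookup returns nothing, both because the format check rejects the value outright and because, even without that check, the placeholder would have compared the whole string as data. Detection-wise, the format check is also the natural place to log and count rejected inputs, which is the signal a monitoring team would want to see from a public-facing lookup form.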