Critical Security Controls Permeate Everything We Do
I recently attended a local security session that highlighted the Target data breach and the procedural deficiencies many organizations have in their operations.
Per the speaker, Lance Hawk of Computer Forensics & IT Security, the highly publicized data breach was the result of a hack of Target’s point-of-sale (PoS) system using malware called Dexter. The PoS hardware was infected with the malware, and that led to the disclosure of cardholders’ account numbers, credit card information, expiration dates, etc. PoS systems are slow to be patched because of regulations and store managers’ fear of “killer” patches. This makes PoS systems highly vulnerable to attack.
Now consider the other Internet-aware “smart” devices in your home that are ripe for attack: the Blu-ray player that gives you Netflix; the new 60-inch smart TV that offers a bazillion video and audio feeds; the fabled refrigerator that e-mails you to pick up milk before you come home. When was the last time you updated your Blu-ray player’s software? When did you last apply the latest patches to your smart TV? Patching is fundamental to maintaining a viable security posture.
Consider also the list of Critical Security Controls from SANS. SANS is the most recognized organization for information security training and security certification in the world. It publishes the SANS – CSIS 20 Critical Security Controls, Version 4.1: http://www.sans.org/critical-security-controls/guidelines.php. This list of controls highlights processes such as inventorying authorized hardware, software and applications; ensuring continuous monitoring of vulnerabilities, malware and application security; controlling wireless access, data recovery capability and awareness of staff skills; securing network devices, ports and privileges; monitoring traffic flow and audit logs; following need-to-know, account control and data loss prevention; performing incident response and network architecture validation; and, finally, conducting penetration tests.
The very last control listed by SANS is the very first control many of our clients request. The Target breach and the security prowess of SANS further validate the importance of due diligence on processes to improve security posture. Without the first 10 measures in place, it is guaranteed that a penetration test will succeed.