
The Secret to Great Passwords

Another day, another breach.

We haven’t received details yet, but we’re sure to hear that poor passwords were at least partly to blame in this week’s massive Evernote breach. And Bank of America’s. And [insert company name here]’s.

It seems that we may never get passwords right.

There are many reasons for this.

First, passwords may be the most targeted of all security controls. They are, after all, the keys to the kingdom. If you hit something hard enough, long enough, it’s going to break. Even the toughest passwords can be cracked.

Second, passwords may be the most numerous of all security controls. I have 200 times as many passwords as I do firewalls, access control procedures or data classification policies. A typical organization may have 10,000 passwords for every other security control they possess.

Third, passwords may be one of, if not the most dynamic of security controls. Think about how often you create new passwords or change existing passwords. You don’t see this level of volatility in other areas of security.

Last, passwords are often designed, implemented and administered by the unwashed masses. Unlike other controls, they may not be reviewed by a committee, subject to monitoring or in the worst case – even required.

So what’s the secret to solving this problem?

Lowering our expectations.

Lowering our expectations? That’s the secret? Yes, don’t be alarmed. Because as sad as that sounds, expecting less of passwords (and the people who create and enforce them) should give us pause about the controls that compensate for these historically weak protections.

Remember that the goal of your security program is not to create one impenetrable wall, but rather to create a system of defenses that together are strong enough to withstand the threats that you are likely to encounter. Your passwords are just one piece of the puzzle.

Spending too much time on developing the ultimate password scheme, training your workforce on developing perfect passwords and monitoring for 100% password compliance may potentially distract you from the job at hand – protecting the crown jewels.

Good generals know it’s not about winning every battle, but winning the war.

Many organizations recognize this and are moving towards requiring or recommending multi-factor or other out-of-band authentication mechanisms to support passwords. Certificates, biometrics and other controls are becoming more popular for this reason, as well.

Take a look at what you’re doing with passwords and decide how practical and effective your efforts are. Don’t make excuses – you can’t lower your expectations so far that passwords offer no protection.

But lowering your expectations may just increase your defenses.


You’re the Next President

Sounds awesome, doesn’t it?

Unfortunately, I’m not talking about getting you elected to the highest, most powerful office in the world.

No, sadly I’m talking about the likelihood that your e-mail will get hacked and pictures of you in the shower will show up on the Interwebz.

Ask yourself when was the last time you sent an e-mail that you didn’t want anyone else to see? It may have been complaints about your boss, or sweet nothings to your girlfriend. It could have been tax or financial information, or perhaps something about a medical issue.

And you probably keep e-mail around forever, right?

I’ve seen people with thousands of e-mails still in their Inbox. They didn’t think to move them to another folder or delete them after they read them.

Receipts from online purchases. New account registrations and password changes. They just sit there like little gold nuggets, waiting for a miner.

The reality is, we all do it. Just like Ashton Kutcher, Sarah Palin and Lindsay Lohan, we normal people use e-mail for just about everything. And few truly think about or understand just how sensitive, or critical e-mail has become.

Until their undergiblets show up in a Google images search.

So take a moment today to manage that risk down a little. If your e-mail is compromised it probably exposes a whole pile of other things.

Make sure you have a good password. If your e-mail service offers multi-factor authentication (SMS, token, etc.), consider it. Delete e-mail that you don’t need anymore. Think about the things that you send through e-mail before you send them – if they ended up in the wrong hands would you be OK with it?

Because it may sound awesome, but you don’t want to be the next President.

Cyber Monday is Dead, Long Live Cyber Monday

Cyber Monday is dead.

At least that’s what NPR would have us believe, along with CNN, USA Today and countless other media outlets.

According to these sources, ubiquitous Internet availability, along with the ability to shop from smartphones and other mobile devices has closed the gap between Cyber Monday and the days on either side of it.

This is compounded by the fact that Black Friday no longer starts on Friday. Yours truly was in line at 6:30 PM Thursday night because Black Friday started at 9 PM on Thursday in my town. This has caused online retailers to follow suit – the online deals are available Thursday, too. Waiting until Monday will only get you disappointment.

The simple fact is, people are doing more shopping on days other than Cyber Monday.

Now this doesn’t mean that Cyber Monday is going away. In fact, sales for Cyber Monday are growing rapidly year over year, and 2012 is expected to trump years past by 16.8%.

The opportunities are boundless, for retailers and fraudsters.

But a dead or dying Cyber Monday could have both positive and negative effects for security awareness.

On one hand, a special day tends to generate special behaviors. I might argue that awareness is heightened on Cyber Monday because it has a name, the media promotes it, retailers advertise it, banks warn of it.

When one dies, so does the other.

But the reality is that your payment card information is just as likely to get jacked on Wacky Wednesday or Filthy Friday. Security is a process, not a moment in time.

So in the spirit of Cyber Monday, and all it may come to be, here are our Top Five Tips for safe online shopping:

  1. Only Use Secure Sites – Check for HTTPS, the lock and a valid certificate before you enter any information, and certainly before you check out.
  2. Only Use Reputable Sites – Just because #1 is true doesn’t make it safe, don’t give your money to a stranger just because they handle it properly.
  3. Only Use a Credit Card – Don’t use a debit card, it does not offer the same protections as a credit card, and if the number is stolen it’s one step closer to your bank account.
  4. Check Out as a Guest – Don’t create an account with online retailers unless you have to, this may help you avoid storing your payment card information online.
  5. Check Your Statements – As silly as this sounds, this is one of the easiest ways to tell if you’ve been compromised.

We all shop online. It’s convenient, easy and usually saves you some coin.

And if you’re careful, Cyber Monday doesn’t have to be as black as your Friday.

Bullets, Pirates and Risk Management

Piracy off the coast of Somalia has dropped off dramatically in 2012. Successful hijackings of American and other ships have decreased from 31 in 2011 (and 49 in 2010) to only four so far in 2012.

Unsuccessful attacks have also decreased, falling from 199 reported attacks in the first nine months of 2011 to 70 attacks over the same span in 2012 — a 65 percent drop.

However, diminished activity has not resulted in a decrease in the cost of sailing around the Horn of Africa.

Pressure continues to mount on International trade partners to increase the security of their vessels passing through these once heavily pirated trade routes. The risks of shipping goods through these waters increased to a point where excessive defensive means were necessary, both politically and militarily.

But risk avoidance has come at a high cost.

Many factors have contributed to the decrease in pirate hijackings in 2012. One factor is that shipping companies have begun equipping their ships with countermeasures, namely armed guards.

Anyone in the defense contracting business knows that these services are expensive. Water cannons may be cheaper, but they just don’t have the same effect.

And so we see several examples of Risk Management at work here, on both sides of the proverbial coin:

  1. International shippers made the decision to spend X on armed guards, along with their required equipment, firearms and ammunition. In addition, the countries involved have begun increasing their naval presence, coordination and response plans to counter these activities, all at increased costs. This all to protect a bounty worth Y. We expect that if and when X exceeds Y that these practices will be suspended, and the shippers will go back to taking their chances.
  2. Somali (and other) pirates on the other hand, could at one time hijack a ship with four men, a couple of Kalashnikovs and a ladder, at a cost of X. To be successful today, they require far greater coordination, communications, firepower and manpower. Their costs have increased dramatically, while the bounty remains at Y. Factor in the recent increase in likelihood of death by armed paramilitary, and the decision becomes even clearer. The costs have outweighed the benefit.

Any organization today can apply the same methodology to make decisions about the procurement and implementation of security controls, even though they may not be shipping food, fuel and jewelry through International waters.
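The X-versus-Y reasoning above is an expected-value calculation, and it works the same way for the defender choosing a control and for the attacker choosing a target. The following is an added example, not code from the original post: it compares a control’s cost against the expected loss it removes, and an attack’s cost against its expected payoff. Every figure in it (the cargo value, the probabilities, the guard and attack costs) is constructed for illustration.

```python
"""Expected-value check behind the shipper-versus-pirate reasoning above.
Added example, not from the original post; every number below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlDecision:
    """One side of the coin: the defender deciding whether to pay X to protect Y."""
    bounty: float           # Y: value of what is being protected
    p_loss_without: float   # chance of losing it in a period with no control
    p_loss_with: float      # chance of losing it with the control in place
    control_cost: float     # X: cost of the control over the same period


@dataclass(frozen=True)
class AttackDecision:
    """The other side: the attacker deciding whether the bounty is worth the cost."""
    bounty: float           # Y: what a successful attack yields
    p_success: float        # chance the attack succeeds
    attack_cost: float      # X: cost of mounting it (gear, people, risk of loss)


def expected_loss(bounty: float, p_loss: float) -> float:
    """Annualised-loss style figure: value at risk times probability of losing it."""
    return bounty * p_loss


def risk_reduction(d: ControlDecision) -> float:
    """How much expected loss the control removes; the most it is worth paying for it."""
    return expected_loss(d.bounty, d.p_loss_without) - expected_loss(d.bounty, d.p_loss_with)


def control_is_worthwhile(d: ControlDecision) -> bool:
    """The post's rule of thumb: keep the control only while X stays below the
    loss it prevents; once X exceeds that figure, go back to taking your chances."""
    return d.control_cost < risk_reduction(d)


def attack_expected_payoff(a: AttackDecision) -> float:
    """Attacker's view: expected gain minus the cost of trying."""
    return a.bounty * a.p_success - a.attack_cost


def attack_is_rational(a: AttackDecision) -> bool:
    """The attack keeps happening only while the expected payoff is positive."""
    return attack_expected_payoff(a) > 0


# Constructed scenario: a $10M cargo, armed guards at $100K per transit season.
GUARDS = ControlDecision(bounty=10_000_000, p_loss_without=0.05,
                         p_loss_with=0.005, control_cost=100_000)

# Constructed attacker view before and after the guards appeared.
PIRATES_BEFORE = AttackDecision(bounty=10_000_000, p_success=0.30, attack_cost=50_000)
PIRATES_AFTER = AttackDecision(bounty=10_000_000, p_success=0.02, attack_cost=400_000)

if __name__ == "__main__":
    print(f"guards remove ${risk_reduction(GUARDS):,.0f} of expected loss; "
          f"worthwhile: {control_is_worthwhile(GUARDS)}")
    for label, a in (("before", PIRATES_BEFORE), ("after", PIRATES_AFTER)):
        print(f"pirates {label}: payoff ${attack_expected_payoff(a):,.0f}, "
              f"rational: {attack_is_rational(a)}")
```

The same two functions answer the $80K edge-device question in the next paragraph: the upgrade is worth it only if the expected loss it removes from your most critical risks exceeds $80K, and that requires having estimated those risks in the first place.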

In a recent conversation with a prospect we discovered that a number of edge security devices were upgraded, to the tune of $80K. The obvious questions were launched:

  1. Did these investments address your most critical risks?
  2. Were these investments worth it?

Like any good cliffhanger, I’ll leave the responses to another post. Let me instead redirect and suggest that you ask yourself the same questions of your own investments.

You may also want to ask yourself if you’re the shipper, the pirate or both.

Luckily for us, we’re the armed guards.

I Was Wrong About Security (Again)

On Friday of last week, a few GreyCastlers spent some time at the range with the FBI Albany Division SWAT team.

We started with the obligatory safety briefing, then talked training and qualifications for a while and then we shot firearms for a few hours.

I love my job.

During the course of the conversation, the SWAT Team Leader discussed the rigor and frequency of the squad’s training program. On average, each operator fires 10,000 rounds each year. Some of these are in basic training drills, where the operator is simply shooting at a target. Some of these rounds are in live fire drills, where the operator is timed, under duress and working with a team. And yet another bunch of rounds are fired in what’s called force-on-force. This is where someone is firing back (they’re using non-lethal ammo, of course).

When asked why they spent so much time training, the Team Leader stressed the need for “unconscious competence” in their profession. This is a term that has been coming up more in information security circles, too, particularly regarding operational security.

The SWAT team did a quick demonstration of a dynamic entry before we all geared up and grabbed guns. They deployed a flashbang, kicked a (virtual) door in, dropped a few tangos and rescued the hostage. It was over in under three seconds.

These guys are good. Really good.

What do you expect for individuals who qualify with their weapons four times a month under tight tolerances and grueling conditions?

After the course I started thinking again about how unconscious competence can be achieved in our business. Let’s rewind a bit.

Last week I suggested that people weren’t the biggest problem in information security. I was wrong.

Human beings, despite having an oversized brain and opposing thumbs, are naturally bad at interpreting risk. We are by far, the biggest problem in information security. We are the only reason that training programs are required.

What if employees were required to qualify four times a month like the SWAT team? What if we could get employees to achieve unconscious competence?

Most of the people reading this will already recognize that changing people’s behaviors requires a bit of psychology. Up until recently we’ve focused on learning sciences as they relate to content and delivery – relevance, engagement, tempo and duration.

But what if we applied a secondary model to this, one that starts out suggesting that people don’t know what they don’t know.

Introducing the “Four Stages of Competence”.

This learning model has been around for some time (I first learned about it in the October/November 2012 issue of Handguns Magazine) and it makes a lot of sense.

We plan to do some research on this and continue to think about how we can integrate this into our awareness and education programs.

If it’s good enough for SWAT it’s good enough for us.

Why Your Penetration Test Might Suck

Penetration testing has become a term synonymous with information security.

Often the stuff of legends, penetration testers spin tales of breaking bank vaults and cracking wireless networks, of perforating firewalls and “rooting” servers. One by one companies fall to white hat hackers armed with Metasploit and cases of Mountain Dew.

The problem with penetration testing is that in many cases, it’s not doing the client organization any good. It may seem odd that something as popular as pentests could be doing so little for companies that perform them, but there are many reasons why this is true.

Here are just a few:

  1. Compliance Takes Priority – Organizations in banking, healthcare and critical infrastructure, among other industries are required to perform annual penetration testing. But they aren’t required to care about the results and they aren’t required to be secure. Getting your penetration test checkbox doesn’t require much, and many organizations aim low and still miss the ten ring.
  2. Clients Limit Test Scope – Many organizations become their own worst enemy by limiting the assets that are tested. By excluding the CEO from social engineering or cloud applications from SQL injections, some of the greatest vulnerabilities are left unexposed and subsequently unmitigated.
  3. Testing is Inconsistent – Any IT provider with a vulnerability scanner (yes a vulnerability scanner) can offer “penetration testing” services. Service definitions vary across providers, organizations and regulations. This inconsistency makes shopping for a pentest similar to shopping for a mattress – you’re usually comparing apples to orangutans. In the worst case testing results can give organizations a false sense of security.
  4. Testing is Unrealistic – If your security provider tells you that they’re going to “pentest your firewall”, do yourself a favor and end your contract. The kids from Romania aren’t going to pentest your firewall, so neither should your security provider. Good penetration testing should simulate a real-world attack. Sensitive assets like intellectual property, sensitive information and bank accounts should be targeted, just as they are in real life.
  5. It’s Not for Everyone – Pentests are great if the results are meaningful and useful. If your security defenses aren’t mature, there’s no sense turning them into swiss cheese just to prove that it’s possible. Instead, use that money for something productive like an assessment or an Incident Response Plan for when something bad happens for real.

If you’re looking for penetration testing standards, you may be surprised to know that there is little out there. NIST has provided some guidance around security testing, but there is only one small section on pentesting.

There is another emerging standard for penetration testing that is getting some attention. Called the Penetration Testing Execution Standard (PTES), it provides recommendations for exploitation, intelligence gathering and perhaps most importantly, reporting.

If you are about to embark on a penetration test, ask your security provider if they utilize these or other standards for testing. Also ask yourself what your goals are and if you’ve set yourself up to be successful.

Your pentest should be as realistic as possible without introducing unnecessary risk. It should target the things that are most important to you, and it should be performed without the knowledge of your organization so you can monitor how well they react to these situations. You should include all of your assets in the test unless there’s a compelling reason not to. Potential embarrassment is not a compelling reason.

The security provider that you select should be knowledgeable and experienced. They should utilize a standard for security testing. They should know the difference between a vulnerability scan and a pentest. They should understand that the goal of the test is risk reduction, not legends and campfire stories.

And if you’re lucky, you’ll figure out where the holes are before some kids in Romania do.

Force Multipliers and Why You Need Your Own Seal Team 6

The United States Military has spent a lot of time and money developing its Special Operations forces. These elite teams of security operatives are highly trained to shoot, move and communicate under duress, with little or no advance notice of their impending scenario. Most missions involve dynamic entry, assessment and neutralization of threats, all while achieving a primary objective.

Seal Team 6 is the most famous of all the Special Operations teams. These are the operatives that led the capture and termination of Osama bin Laden, the maritime rescue of American sailors on the Maersk and the recent recovery of foreign journalists held hostage by Al-Shabaab terrorists. The best of the best has handled the worst of the worst.

Imagine what you could get done if you had your own Seal Team 6.

Think it sounds crazy?

On the surface, this legendary team appears to have accomplished near-mythical tasks. Once you start to break their missions and objectives down into their most basic milestones, actions and counteractions, however, their methods become much simpler.

Like Seal Team 6, cybersecurity has become a household word and responding to security incidents has become a common occurrence. Intellectual property, sensitive data and bank accounts have never been more at risk, and detecting, containing and correcting security incidents requires planning, practice and grace under pressure. Once developed, your Computer Incident Response Team (CIRT), Special Operations Team (SOT) or whatever you call it (just don’t call it Seal Team 7, that’s taken) will give your organization a “force multiplier”.

Force multipliers are assets that give your organization a strategic advantage and increase the effectiveness and efficiency of overall operations. These assets, or teams multiply the force of your organization because they carry out tasks that would normally require much greater resources to accomplish. This is possible due to the highly trained and focused nature of the team.

And yes, you can have your own.

Here’s what you need:

  1. Find the right operatives – Incident responders are born, not made. This isn’t completely true, but it takes a certain mindset and attitude to gain situational awareness, remain calm and lead when an organization is under attack. These skills are tough to teach. You probably already know who your operatives are. If you don’t, stop here and look for a qualified security provider that already delivers Incident Response services.
  2. Select the right weapons – A good shooter can make a bad gun shoot well. You don’t need the most expensive security tools, but you do need to make what you’ve got work effectively. If you’re about to embark on a digital forensics mission, you better have the right tool in your bag. And carry a backup. Your tools should meet their requirements and work consistently.
  3. Train, train, train – Training is the most important of all, and it should incorporate the following:
    1. The basics – Every Navy Seal is required to qualify with a rifle every year, regardless of his or her rank. It’s part of being a Seal. The ability to shoot, move and communicate makes our Military the greatest on Earth. Your CIRT resources should understand the basics of threat modeling, analysis, communication and tool manipulation. No exceptions.
    2. Scenario drills – Your training should incorporate regular attack and counterattack simulations – these should be as real as possible. Good penetration testing is critical, but tabletop exercises and other drills are important parts of the program. Training should incorporate “unplanned” scenarios, performance assessments and any analysis that will help the team perform during a real situation.
    3. Bugout – Training should include handling worst-case scenarios, or what the Military calls SHTF. When things really get sideways, you need to know what to do, when to do it and who’s going to do it. Crisis Management should integrate with your Incident Response Plan.

Regardless of what industry you’re in or what size your company is, at some point you will become a statistic (if you haven’t already). A Special Operations team specifically trained and ready to handle incidents could mean the difference between an achieved objective and a botched mission.

You may not be hunting terrorists or saving foreign diplomats, but your CEO might just give you a Medal of Honor.

Becoming A Low Hanging Olive

In January of 2004 I spent three weeks in Northern Africa. It was one of the most memorable trips of my life.

The second half of my trip would be spent in Morocco with close friends, being catered to by personal attendants, drivers and handmaids, dining on the finest couscous and staying in chic riads. The first half of the trip was spent in Tunisia, a third-world country that has for years suffered through political turmoil. Most of Tunisia is uninhabited, rough and Islamic, which was simultaneously exciting, frustrating and frightening.

It was also educational.

Tunisia is an amazing country. Undiscovered beaches, the endless dunes of the Sahara, ancient ruins, bustling souks with fresh fruit and spices and the planet’s largest herd of camels.

Tunisia is also the world’s largest olive grove. No, ladies and gentlemen, it’s not Greece. There are only a few roads in Tunisia, but all of them seem to go through olive groves. You can drive for hours with olive trees outside both driver and passenger windows.

When I first arrived in country, I was met by Muslims with machine guns. Which I expected. And appreciated.

In 2004 my security career was rather young, but I was no less exuberant. If they had decided to strip search the only white guy in Tunisia I would have been inconvenienced but impressed.

Little did I know when I arrived that Tunisia would teach me a few things about security.

On the last full day of my trip I visited Carthage, the ancient coastal ruins where Hannibal became famous. Satisfied that I had filled my quota of digital pictures, I headed for the train to begin the trip back to my hotel. I needed to pack, eat and make some calls to arrange for my trip to Morocco the following day. My mind was busy as I boarded the busy rush hour train.

I passed a few stops, continuing to plot out the next day’s early morning checkout and flights. I noticed how overloaded the train was getting. I needed to remember to change some money at the airport. Just a few more stops now. I needed to send post… Is that a hand in my pocket?

Time slowed to a crawl and the roar of the rush hour train came to a hush. My wallet was gone. It had some money, a credit card and a copy of my passport in it. And the doors were closing. Was that the thief escaping? I needed to make a decision and fast. So I did what any security professional would do.

I panicked.

By the time I knew what was happening it was over. I rocked my best Walter Payton 45-Right to get off the train before the doors closed, pulling several likely innocent bystanders with me. But despite my seemingly heroic effort, the perpetrator was long gone by the time I got to the platform. I frantically challenged every pedestrian in the station that looked suspicious. They all looked suspicious. And I looked crazy.

How could this have happened?

  1. I lost situational awareness – Even though I had lived in New York City and I was a security-minded person, I was out of it on that train. It had been an exhausting week and I had less than 12 hours before I was escaping to paradise. My mind was somewhere else. While I was mentally reviewing departure times and sorting out logistics, an attacker was fingerprinting me.
  2. I was poorly defended – I was alone. It was the end of my trip and all of my laundry was dirty, so I was wearing baggy khakis with loose pockets. I was standing on a tightly packed train, hands above my head to keep from falling on some indigenous woman. I might have well been wearing a sign that said “defenseless tourist”.
  3. I became a low-hanging olive – I looked out of place. I was tired. I was in the wrong place at the wrong time. I became the low-hanging fruit and I got picked.

And here’s some advice – if you ever find yourself pickpocketed in Tunisia, save yourself the time and anguish of reporting it to La Police. These are the same people who beat their own citizens with blackjacks.

Your adversaries can strike at any time. The good ones will find your weaknesses and exploit them. Your business may not require the same defenses as the Pentagon, but whatever defenses you have should be up at all times.

Sometimes the best lessons are those hardest learned.

And now the olives in my life usually end up on a salad.

Tactics for Cyber Escape and Evasion

It has become a common occurrence to hear about companies, governments and individuals being compromised by hackers.

Thanks to Anonymous, “the Chinese” and a bunch of kids from a country no one can pronounce, security has become a household word.

Seemingly overnight, information security has moved from a cottage industry to one that finds its sordid tales on the cover of every major periodical and leading every major newscast. It’s no secret that this condition exists because our adversaries have been and continue to be successful, to the tune of billions of dollars in intellectual property, bank accounts and defaced reputations.

Things have gotten sideways.

Many continue to ask why this situation persists, or from some perspectives, worsens. The answer is simply Newtonian – An object that is in motion will not change its velocity unless an unbalanced force acts upon it.

It’s time for an unbalanced force.

The US Military has developed tactics for when things get really sideways. For those life-or-death situations when you’re injured, surrounded by enemies and cut off from your support network. These tactics are called Escape and Evasion, and their applications aren’t limited to military survival.

As you read this, your critical assets sit unprotected. Not because you haven’t deployed firewalls, access controls and network segmentation, but because when those security controls are compromised (and they will be) those critical assets will be unable to protect themselves. They are inherently vulnerable, which is why they need compensating controls.

Enter Cyber Escape and Evasion.

For decades security professionals have been hardening perimeters, blacklisting bad actors and “locking things down”. These practices emerged when cyberwarfare was symmetric, when adversaries were [better] known and when cyberassets were few[er]. Sadly, these practices remain the foundation for many organizations, despite dramatic changes in attacks and attackers.

There are, however, some new concepts emerging regarding the protection of critical assets.

Imagine that your confidential data was camouflaged such that an unauthorized intruder couldn’t tell the data from the container. Imagine that your sensitive information assets were stored so randomly that hackers couldn’t make sense of them, even if they were discovered. Imagine that you deployed information decoys in such a way that it was difficult or massively time-consuming to tell which was the real source. Imagine that your sensitive data, once removed from its authorized container, could poison itself, much like the ink canister that is thrown into a bag of stolen cash.

What if the next time you were attacked, you could flood your attacker with false-positives and false-negatives, effectively disabling their ability to penetrate your network?

These are just a few of the security tactics that are starting to get real attention. Each of these concepts moves security controls closer to the asset and emphasizes intelligence over building walls.
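Of the tactics just listed, information decoys are the easiest to put next to the asset today: plant records that are indistinguishable from the real ones, and treat any access to a decoy as a high-confidence alert, since no legitimate workflow ever references one. The following is an added example, not code from the original post. The account-number format, the access-log layout, the seeded generator and all sample data are constructed for the example.

```python
"""Information decoys as a compensating control, in the sense of the paragraph
above: plant records that look like the real thing, then treat any touch of a
decoy as a high-confidence alert. Added example; not code from the original post.
Record format, log format and all sample data are constructed for this example."""
from __future__ import annotations

import random
import re

# Constructed "real" customer account numbers (the protected asset).
REAL_RECORDS = {"ACCT-48213907", "ACCT-10382756", "ACCT-77120034"}

# Constructed access-log layout: timestamp, user, action, record touched.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>ACCT-\d{8})$"
)


def plant_decoys(real_records: set[str], count: int, seed: int) -> list[str]:
    """Generate decoy identifiers in the same format as the real ones, so an
    intruder reading a dump cannot tell them apart. A fixed seed keeps the
    example reproducible; a real deployment would draw from os.urandom."""
    rng = random.Random(seed)
    decoys: list[str] = []
    while len(decoys) < count:
        candidate = f"ACCT-{rng.randrange(10_000_000, 100_000_000)}"
        if candidate not in real_records and candidate not in decoys:
            decoys.append(candidate)
    return decoys


def detect_decoy_access(log_lines: list[str], decoys: list[str]) -> list[dict]:
    """Scan access-log lines; any read of a decoy is an alert, because no
    legitimate workflow ever references one."""
    decoy_set = set(decoys)
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skipped here, worth counting in production
        if m["record"] in decoy_set:
            alerts.append({"ts": m["ts"], "user": m["user"], "record": m["record"]})
    return alerts


DECOYS = plant_decoys(REAL_RECORDS, count=3, seed=2012)

# Constructed log: normal traffic plus one off-hours bulk read that sweeps up a decoy.
SAMPLE_LOG = [
    "2012-11-26T09:00:01 user=alice action=read record=ACCT-48213907",
    "2012-11-26T09:00:07 user=bob action=update record=ACCT-10382756",
    f"2012-11-26T23:41:12 user=svc_report action=read record={DECOYS[1]}",
    "2012-11-26T23:41:13 user=svc_report action=read record=ACCT-77120034",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for alert in detect_decoy_access(SAMPLE_LOG, DECOYS):
        print(f"DECOY TOUCHED at {alert['ts']} by {alert['user']}: {alert['record']}")
```

The value of the control is in the signal-to-noise ratio: a decoy hit has essentially no benign explanation, so the alert can page someone rather than sit in a dashboard next to blocked port scans.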

If you trust statistics, an intruder has already compromised the networks of 1 out of every 10 people reading this blog post. 6 more of those 10 will be hit sometime later this year. A recent study showed that most security professionals expected their security program to fail when it was truly tested.

I’ll save you the angst of asking the same question.

If there was ever time to inventory your assets, pack a “go” bag and assess your capabilities, it’s now. Things have gotten sideways and your firewall can’t save you. Your critical assets are either going to keep calm, signal the rescue chopper and be exfiltrated by their Security Officer, or they’re going to apply a tourniquet and die quietly as they’re dragged off to a POW camp.

What are your orders, sir?

Information Security – How Much is Enough?

Any organization that is developing or managing an information security program will inevitably face the question – how much is enough?

Regardless of the size, industry or complexity of an organization, knowing how much of an investment to make in security can be a challenge. There is no shortage of headlines, hacks, vendor recommendations and budgetary constraints, but none of these will answer the following common questions:

  1. How secure am I?
  2. Am I more secure than I was last year?
  3. How much should I be spending on security?

Now some of you are probably already thinking, shouldn’t an effective Risk Management program give me these answers? The answer is yes and no.

Risk Management is critical to the maturation of any security program, and is an effective tool for determining the deficiencies – and thus priorities – of the organization. It can even provide, relatively speaking, a measure of each weakness as a function of the organization’s risk tolerance. It provides clear direction and prioritization for security efforts based on a deterministic system of measuring threats, vulnerabilities and controls. What it doesn’t provide is a tactical view of performance against those risks.

Enter security metrics.

Where Risk Management is the car, security metrics are the car’s navigation system. Risk Management provides a steering wheel for setting direction, and gas for setting urgency. The navigation system will tell you how long it’s taking you to get where you’re going, and compare that to how long it should have taken you. These metrics are important in answering the questions above, but are also helpful in measuring overall security performance.

Determining an appropriate set of security metrics isn’t as easy as it sounds. Charting out the number of blocked port scans at your edge is pretty much worthless these days, as is the percentage of spam e-mail. Unfortunately these are the numbers that are readily available.

To develop a measurement system that will be useful, you need to build metrics to address two audiences: you, and your CEO.

The first set is important because as they say, you can’t manage what you can’t measure. Having a set of metrics that makes your life easier will save you time and provide the evidence you need to support your critical initiatives. It will also help with daily operations, like forensics, tuning and monitoring.

The second set is important because at some point, your CEO is going to ask you the aforementioned questions. The better you can answer them, the more likely your budget will be approved.

Here are some metrics to consider:

  1. Risk Assessment Coverage – How many of my assets (people, documents, facilities, applications, networks, etc.) have been evaluated by Risk Management within the past 6 months? Past 12 months?
  2. Percent of Changes with Security Review – How many of the configuration changes in my environment have been reviewed by Information Security personnel? Of those changes that weren’t reviewed, how many resulted in downstream rework or were the root cause of security violations?
  3. Mean-Time to Incident Discovery (or Recovery) – Of the organizational incidents classified as security incidents, how many did we discover (versus our customers, partners or other third-parties) and how long did it take? Secondly, how long did it take to recover from critical incidents?
  4. Patch Policy Compliance – How often are we violating our patch policy for critical security patches?
  5. Percentage of Trained Employees – How many of our employees have received effective Security Awareness Training? Of the personnel that have not received training, what is the percentage that have been involved in avoidable security incidents?

The above metrics go far beyond a typical firewall report, which does more to describe active threats than actual performance. Once you start trending these over time, you start to get a much deeper sense of true security maturity, rather than just raw data. You’ll also get a sense of progress, one way or the other.
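Each of the five metrics above reduces to a ratio or an average over records you most likely already keep (an asset inventory, a change log, an incident register, patch records, a training roster). The following is an added example, not code from the original post, that computes all five from constructed sample records; the record layouts, the reporting date and the data are assumptions made for the example.

```python
"""The five metrics listed above computed over constructed sample records.
Added example, not from the original post; the record layouts and the
reference date are assumptions made for the example."""
from datetime import date, timedelta
from statistics import mean

TODAY = date(2012, 12, 1)  # constructed reporting date

# Constructed asset inventory: asset -> date of its last risk assessment (None = never)
ASSETS = {
    "hr-fileserver": date(2012, 9, 1),
    "web-portal": date(2012, 3, 15),
    "payroll-app": None,
    "branch-network": date(2011, 11, 30),
}

# Constructed change records: (change_id, reviewed_by_security, led_to_rework_or_violation)
CHANGES = [("CHG-1", True, False), ("CHG-2", False, True),
           ("CHG-3", False, False), ("CHG-4", True, False)]

# Constructed security incidents: (occurred, discovered, recovered, discovered_by)
INCIDENTS = [
    (date(2012, 6, 1), date(2012, 6, 3), date(2012, 6, 5), "internal"),
    (date(2012, 8, 10), date(2012, 9, 9), date(2012, 9, 12), "customer"),
    (date(2012, 10, 1), date(2012, 10, 1), date(2012, 10, 2), "internal"),
]

# Constructed critical patches: (patch_id, policy_deadline, applied_on or None)
PATCHES = [("PATCH-A", date(2012, 10, 15), date(2012, 10, 10)),
           ("PATCH-B", date(2012, 10, 30), date(2012, 11, 5)),
           ("PATCH-C", date(2012, 11, 20), None)]

# Constructed staff list: (name, trained, involved_in_avoidable_incident)
EMPLOYEES = [("alice", True, False), ("bob", True, False), ("carol", True, True),
             ("dave", False, True), ("erin", False, False)]


def risk_assessment_coverage(assets, window_days, today=TODAY):
    """Metric 1: share of assets assessed within the window (182 days ~ 6 months)."""
    cutoff = today - timedelta(days=window_days)
    covered = sum(1 for d in assets.values() if d is not None and d >= cutoff)
    return covered / len(assets)


def percent_changes_reviewed(changes):
    """Metric 2a: share of changes that security reviewed."""
    return sum(1 for _, reviewed, _ in changes if reviewed) / len(changes)


def unreviewed_change_failure_rate(changes):
    """Metric 2b: of the changes security never saw, how many caused rework or a violation."""
    unreviewed = [c for c in changes if not c[1]]
    return sum(1 for c in unreviewed if c[2]) / len(unreviewed) if unreviewed else 0.0


def mean_time_to_discovery_days(incidents):
    """Metric 3a: average days from occurrence to discovery."""
    return mean((found - occurred).days for occurred, found, _, _ in incidents)


def internal_discovery_share(incidents):
    """Metric 3b: fraction we found ourselves rather than hearing from a third party."""
    return sum(1 for *_, who in incidents if who == "internal") / len(incidents)


def mean_time_to_recovery_days(incidents):
    """Metric 3c: average days from discovery to recovery."""
    return mean((fixed - found).days for _, found, fixed, _ in incidents)


def patch_policy_violation_rate(patches, today=TODAY):
    """Metric 4: a patch violates policy if applied after its deadline or still missing past it."""
    def violated(deadline, applied):
        return applied > deadline if applied is not None else today > deadline
    return sum(1 for _, deadline, applied in patches if violated(deadline, applied)) / len(patches)


def percent_trained(employees):
    """Metric 5a: share of staff who received awareness training."""
    return sum(1 for _, trained, _ in employees if trained) / len(employees)


def untrained_incident_rate(employees):
    """Metric 5b: of untrained staff, how many were involved in an avoidable incident."""
    untrained = [e for e in employees if not e[1]]
    return sum(1 for e in untrained if e[2]) / len(untrained) if untrained else 0.0


if __name__ == "__main__":
    print(f"risk assessment coverage 6m/12m: {risk_assessment_coverage(ASSETS, 182):.0%} / "
          f"{risk_assessment_coverage(ASSETS, 365):.0%}")
    print(f"changes reviewed: {percent_changes_reviewed(CHANGES):.0%}; "
          f"unreviewed changes that failed: {unreviewed_change_failure_rate(CHANGES):.0%}")
    print(f"MTTD {mean_time_to_discovery_days(INCIDENTS):.1f}d, found internally "
          f"{internal_discovery_share(INCIDENTS):.0%}, MTTR {mean_time_to_recovery_days(INCIDENTS):.1f}d")
    print(f"patch policy violations: {patch_policy_violation_rate(PATCHES):.0%}")
    print(f"trained: {percent_trained(EMPLOYEES):.0%}; untrained staff in avoidable "
          f"incidents: {untrained_incident_rate(EMPLOYEES):.0%}")
```

Run this against a month’s records, store the numbers, and the trend line is the part your CEO actually reads; a single month’s coverage figure says little, but coverage that moves from 25% to 50% over a year says a lot.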

(For some other ideas, check out the CIS Consensus Information Security Metrics)

Someone once said that if you don’t know where you’re going, you can’t get lost. That strategy is perfectly fine for the retired, vacationers and Jamaicans, but if you’ve got somewhere to be you need a plan.

Get your metrics right and the next time your CEO asks “how secure am I” you can say… “No worries mon.”
