Information security programs are like onions. They have layers. Understanding the control layers of an information security program helps management of a financial institution stop seeing the program as a set of ugly policies and start seeing it as a way to provide peace of mind for themselves and for their customers.
Whenever I start working with a new customer, my brain immediately goes to “onion mode”, where I mentally start to put the controls of the institution into the right layers to identify the strengths and weaknesses of existing controls. You can also do this if you start thinking in terms of these layers. The layers and controls I look for are as follows:
- Third-Party Security: Data housed by vendors is in a completely different onion which must be peeled to ensure proper controls are in place. Institutions cannot directly protect data that is housed by vendors, so they must continuously perform due diligence to make sure those vendors are at least as secure as they are. Performing SOC reviews, discussing any questions resulting from the SOC reviews, and ensuring that contract language provides the proper control expectations and notification requirements are the controls that I look for here.
- Employee Education & Monitoring: Technically, employees are just outside of the onion, but they contain all of the knowledge that an attacker needs to get to the data at its core. I will always look at whether employees are trained to be secure. I will also look at whether this training is regularly tested to ensure that employees are always on the lookout for threats. Finally, I will look at whether any controls exist (DLP systems, etc.) to protect data from employees who might intentionally or unintentionally exfiltrate data.
- Perimeter Security: The outside layer of the cybersecurity onion is the network perimeter. At this layer, I look for well-configured firewalls and an Intrusion Prevention System (IPS) to block malicious attempts to breach the perimeter. I also look for periodic testing of these controls through vulnerability assessments and penetration tests. I look at remote access to ensure that it is properly secured. Finally, I look for Internet and email content filtering, Internet routing controls (DNSSEC, etc.), Internet certificate strength, and email security controls (DMARC, etc.).
- Internal Network Security: An attacker that manages to get through the network perimeter will find themselves on the internal network, where they will try to leverage that access to get closer to the data that is on the network. Controls that I look for at this layer include strong password controls, the proper configuration of several protocols (SMB, DNSSEC, etc.) that are commonly abused by attackers in “Man-in-the-middle” attacks, and security tools that detect (and perhaps block) unusual internal network traffic. I also look for regular vulnerability scanning and remediation as well as periodic penetration testing of the internal network.
- Workstation Security: At the workstation level, I look at whether the workstations are properly hardened and patched to make it harder for an attacker to attach. I also look for firewalls and threat prevention software that will help detect and block any attacks. I ensure that users are not local administrators on their machines. Finally, I look to see whether application whitelisting is in place to prevent the execution of unauthorized software on the workstation.
- Server Security: At the server level, I look at whether privileges are defined to limit users to just what they need to have access to in order to limit potential exposure. I also look at local administrator and service accounts to ensure that they are all necessary and properly controlled. I look for proper configuration hardening and patch management of the servers. Finally, I look for a threat management package with proper logging to a central system.
- Application Security: Applications can give an attacker access to view or even change customer data. At this layer, I look for strong authentication controls at the application level. I also look at how the application communicates with the database to ensure that the communication is encrypted and configured to not provide a user with direct access to the data outside of the application.
- Database Security: If an attacker gets to a database, they have reached the core of the onion. Controls at this level include ensuring that database authentication is secure, that sensitive data in databases is encrypted, and that only those absolutely needing access to the database are given privileges. Other potential controls at this level include packages that observe database transactions using artificial intelligence and alert on any abnormal patterns.
By going through each of the layers above, you will start to gain a better understanding of all of the layers an attacker would need to penetrate to get to your data. If you need some help navigating these layers, please contact us at support@bedelsecurity.com.
Additional Resources:
5 Tips for Creating an Information Security Program That Works
https://www.bedelsecurity.com/blog/5-tips-for-creating-an-information-security-program-that-works
Free Resource: Information Security Program Tasklist
https://www.bedelsecurity.com/isp-tasklist