Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/15/2017
02:00 PM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

20 Tactical Questions SMB Security Teams Should Ask Themselves

Or why it pays for small- and medium-sized businesses to plan strategically but act tactically.

Any sound approach to security will involve both strategic and tactical elements. The security program of a small- and medium-sized business is no different. Tactical guidance is more focused and more instructive than strategic guidance. But it doesn't readily lend itself to a list of only 20 questions or a simple road map to achieve long-term goals. What can be boiled down to a concise list are tactical questions SMB security teams should be asking themselves to improve their security posture. Let's get going.

Image Credit: DuMont Television/Rosen Studios. Public domain, via Wikimedia Commons.
Image Credit: DuMont Television/Rosen Studios. Public domain, via Wikimedia Commons.

  1. Do we provide executives, the board, and other stakeholders with meaningful metrics on a regular basis? Not how many tickets were opened or how many alerts fired, but how we are reducing risk and averting potential financial loss. Reporting may not seem important, but showing value, in the language of our stakeholders, on a regular basis goes a long way toward building relationships that we will need to accomplish our goals.
  2. Do we regularly focus on building relationships and maintaining a dialogue with executives, the board, and other stakeholders? Meaningful metrics are a first step that can open the door, but we need to make sure that we walk through that door. We need to continually work to build the relationships that will help us achieve our desired results.
  3. Do we regularly work to understand what vulnerabilities we have within our organization and what types of risks those vulnerabilities introduce into the organization? This is an important operational picture for us to understand continuously, and it is one that is extremely dynamic.
  4. Do we understand where our most critical/sensitive data lies? We need to make sure that we always know the answer to this question, even as the environment changes, and that we take extra measures to safeguard that data.
  5. Are we continually taking in new information, updating our operational understanding of the environment, and working to understand the risks and threats to it?
  6. When looking to mitigate a risk, do we have organized, thought-out, and documented plans for implementing solutions that mitigate that risk?
  7. When planning to request budget for a solution, do we map the desired solution to the risk it mitigates? This helps us show the immediate value and return on investment that the given solution (and its associated budget) will provide.
  8. Do we have a staffing plan in place that includes resources for steps beyond implementation? In order to provide value in the boardroom, any solution requires people and process, in addition to technology.
  9. Have we looked into closing holes and tightening security in areas where we might be able to leverage existing investments? For example, have we looked at segmenting different network segments that have no legitimate business need to communicate with each other but could be leveraged by attackers to move within the organization?
  10. Have we ensured that we are following the principle of least privilege? For example, there is no reason that most users require administrator access, yet many have it.
  11. Have we implemented two-factor authentication? Believe it or not, even in 2017, brute force password attacks are still a favorite attack vector. There are more organizations than I'd like to believe that still do not use two-factor authentication.
  12. Have we limited remote access/Remote Desktop to only the instances in which it is needed for work-related functions? In many organizations, this is not the case. Sadly, in those situations, once an attacker is in, he or she can often move between different systems using legitimate remote access protocols and masquerading as a legitimate user.
  13. Do we have visibility across endpoints, network, and the cloud? If not, we will not be able to put eyes on the enterprise to monitor continuously. It's particularly important to keep up with the environment as it changes, especially now as much infrastructure moves to the cloud.
  14. Are we continuously monitoring the environment for malicious or suspicious activity, including exploitation of vulnerabilities that we have identified?
  15. Do we have all the skills, expertise, and resources required to implement the solutions we've identified and planned for? If not, we should ensure we work with a trusted partner who does.
  16. Do we know where our peer organizations stand and how we can look upon them as another data point and input to our standing? The goal here isn't perfection but rather a reasonable trade-off between cost and risk. Peer data points can be quite helpful.
  17. Do we communicate our progress and expenditures vs. risk mitigated on a regular basis? We may not think that our stakeholders are all that interested in this information, but I would argue that they are.
  18. Are we implementing and enforcing policies and procedures that will help us achieve our goals? As mentioned above, solutions require people, process, and technology to be effective.
  19. Are we running security operations or working with a trusted partner who will run it for us? All the security investment in the world won't do us much good unless we continually keep an eye on things.
  20. Are we prepared to perform incident response, or are we working with someone who can in the event of a serious incident? It would be a shame to focus so much on risk mitigation, only to forget one of the biggest risks of all — being caught with your pants down.

Security is a field where the to-do list never seems to end. While no list of actions would ever be complete, some actions have a greater impact and mitigate more risk than others. The choices we make in prioritizing investments in time and money can greatly affect how quickly we mature our respective security postures. It pays to plan strategically and act tactically.

Related Content:

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
salynage
50%
50%
salynage,
User Rank: Apprentice
8/15/2017 | 4:33:30 PM
Re: Pending Review
really its good
recomasa
50%
50%
recomasa,
User Rank: Apprentice
8/15/2017 | 4:24:50 PM
thanks
thank you 
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8813
PUBLISHED: 2020-02-22
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
CVE-2020-9039
PUBLISHED: 2020-02-22
Couchbase Server 4.x and 5.x before 6.0.0 has Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).
CVE-2020-8860
PUBLISHED: 2020-02-22
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. T...
CVE-2020-8861
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue ...
CVE-2020-8862
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the ...