Attestations Don’t Always Measure your Defensive Posture

An attestation, by definition, is an indication that makes something evident. In the context of security, and security programs in particular, it means to certify in an official capacity.

People often ask me what makes a good security program. As much as I would like to point to one aspect of my security perimeter as an example, there are multiple items to highlight. The industry relies on attestations and certifications to measure your security defenses. Engineers and operators will tell you that your actual security perimeter and threat assessment capabilities define your security program. I will tell you it is both: compliance attestations as a measurement and the operational capabilities of your security team together define your program. Attestations alone, however, are not an accurate benchmark for measuring a program.

Attestations are an industry necessity to ensure compliance with federal, state and local statutes as well as industry best practices. ISO, NIST or DoD standards form the baseline of most attestations. NIST, for example, publishes a set of standards and technical guides to help organizations build perimeter defenses that are “acceptable” to the government. As I will outline, however, the existence of a standard doesn’t mean its implementation is always stellar.

Deployment of a Tool Doesn’t Mean it is Providing Value

Controls allow flexibility in implementation and room for operational growth and innovation over time. Unfortunately, some organizations use that flexibility to check the box while having no real defenses in place.

A prime example of this problem is intrusion detection/prevention systems (IDS/IPS). Like virus scanners, most organizations invest in IDS/IPS as a matter of standard security practice to guard against malicious traffic and data exfiltration. The industry is replete with vendors offering various forms of IDS/IPS. Some organizations, however, build such systems rather than buy them.

I recently left one such organization that “built” their own intrusion detection system from open source tools. Auditors were told the system was a “fantastic tool”, and were even given examples of traffic. When I dug deeper into the telemetry the tool was providing, I realized that traffic was not being analyzed at all. Rather, traffic was passing through the sensor untouched, as it was not configured to capture anything or alert at all. Furthermore, the credentials used to administer the tool were set up by a previous employee and were never updated after his departure. So essentially, the tool was sitting idle for months without any human intervention. Not only does this put the company at risk, but it also compromises the perimeter.

Even a savvy auditor wouldn’t have caught the issue, because attestations don’t look for “operational” information on all systems – the standard is literally one layer of question and answer. In fact, most attestations simply measure whether the tool exists, not its operational viability. Additionally, most auditors are not technical enough to discern a functional IDS/IPS from a non-functional one. The meat of the audit relies on the company putting its best foot forward rather than answering tough questions. Auditors also have to cover a vast array of controls during an audit, so time is a large factor in the quality of their analysis.
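The gap described above (a sensor that exists on paper but captures nothing, alerts on nothing, and is administered by a credential nobody has touched since its owner left) is exactly what an operational check, as opposed to an existence check, would surface. The following script is an added illustration, not code from the original post or from any product. It assumes a sensor that periodically writes JSON "stats" records with cumulative packet and alert counters (the field names are modelled loosely on Suricata's eve.json stats output, but are treated here as an assumption) and an inventory of administrative accounts with a last-rotation date and an owner-still-employed flag; all sample records and account names are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed telemetry: two stats snapshots one hour apart. The packet
# counter does not move and no alerts are counted, i.e. the sensor is idle.
IDLE_STATS_LINES = [
    '{"timestamp": "2019-06-01T09:00:00+0000", "event_type": "stats", '
    '"stats": {"capture": {"kernel_packets": 1200000, "kernel_drops": 0}, '
    '"detect": {"alert": 0}}}',
    '{"timestamp": "2019-06-01T10:00:00+0000", "event_type": "stats", '
    '"stats": {"capture": {"kernel_packets": 1200000, "kernel_drops": 0}, '
    '"detect": {"alert": 0}}}',
]

# Constructed telemetry for a sensor that is actually working: counters grow,
# alerts are produced and nothing is dropped.
HEALTHY_STATS_LINES = [
    '{"timestamp": "2019-06-01T09:00:00+0000", "event_type": "stats", '
    '"stats": {"capture": {"kernel_packets": 1200000, "kernel_drops": 0}, '
    '"detect": {"alert": 3}}}',
    '{"timestamp": "2019-06-01T10:00:00+0000", "event_type": "stats", '
    '"stats": {"capture": {"kernel_packets": 1350000, "kernel_drops": 0}, '
    '"detect": {"alert": 12}}}',
]

# Constructed admin-account inventory (hypothetical user and owner names).
# "owner_active" records whether the person who set the credential is still
# employed; "last_rotated" is when the credential was last changed.
SAMPLE_ADMIN_ACCOUNTS = [
    {"user": "idsadmin", "owner": "former.employee", "owner_active": False,
     "last_rotated": "2018-09-15T00:00:00+0000"},
]

# Point in time at which the audit is run (constructed, timezone-aware).
NOW = datetime(2019, 6, 1, 10, 30, tzinfo=timezone.utc)


def parse_stats(lines):
    """Return sorted (timestamp, packets, drops, alerts) tuples from stats records."""
    snapshots = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "stats":
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S%z")
        s = rec["stats"]
        snapshots.append((ts, s["capture"]["kernel_packets"],
                          s["capture"]["kernel_drops"], s["detect"]["alert"]))
    return sorted(snapshots)


def check_sensor(lines, now, max_heartbeat_age=timedelta(hours=2)):
    """Findings an existence-only audit would miss, as a list of codes."""
    findings = []
    snaps = parse_stats(lines)
    if not snaps:
        return ["NO_TELEMETRY"]          # the sensor is not even reporting
    last_ts, last_pkts, last_drops, last_alerts = snaps[-1]
    if now - last_ts > max_heartbeat_age:
        findings.append("STALE_HEARTBEAT")   # last report is too old
    if len(snaps) >= 2 and last_pkts <= snaps[0][1]:
        findings.append("NO_TRAFFIC")        # counter flat: nothing captured
    if last_drops > 0:
        findings.append("PACKET_DROPS")      # capturing, but losing packets
    if last_alerts == 0:
        findings.append("NO_ALERTS")         # cumulative alerts still zero
    return findings


def check_admin_accounts(accounts, now, max_credential_age=timedelta(days=90)):
    """Flag admin credentials whose owner has left or that were never rotated."""
    findings = []
    for acct in accounts:
        rotated = datetime.strptime(acct["last_rotated"], "%Y-%m-%dT%H:%M:%S%z")
        if not acct["owner_active"]:
            findings.append(("ORPHANED_ADMIN", acct["user"]))
        if now - rotated > max_credential_age:
            findings.append(("STALE_CREDENTIAL", acct["user"]))
    return findings


def audit(lines, accounts, now):
    """Combine both checks into one report an auditor could actually act on."""
    return {"sensor": check_sensor(lines, now),
            "accounts": check_admin_accounts(accounts, now)}


if __name__ == "__main__":
    print("idle sensor:   ", audit(IDLE_STATS_LINES, SAMPLE_ADMIN_ACCOUNTS, NOW))
    print("healthy sensor:", audit(HEALTHY_STATS_LINES, SAMPLE_ADMIN_ACCOUNTS, NOW))
```

The idle sensor yields NO_TRAFFIC and NO_ALERTS plus an orphaned, stale admin credential, while the healthy sensor yields no sensor findings at all; a control question of the form "is an IDS deployed?" returns the same answer for both.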

An attestation alone will tell you that a company has a mature security program with controls. Requiring a potential partner to complete a vendor survey won’t give you confidence either. Surveys merely outline the same information in a different format. So how do you evaluate a mature security program?

Evaluate the Entire Cloud Security Program

First, review at a minimum the attestations and the findings report, not just the executive summary. That provides an overview of the program as reviewed by a third party. Second, check whether the company undergoes third-party penetration testing or runs a bug bounty program. Personally I am not a fan of bug bounties, but I am a fan of annual third-party penetration testing. Pentesting gives you a structured test of your defenses and real feedback on vulnerabilities. Finally, review the security documents (usually the table of contents) the company uses as the basis for implementation. These include (but are certainly not limited to) a security policy, incident response and vulnerability management. An experienced security team will offer to share those documents and artifacts as part of normal business.

I make it a matter of course to evaluate every vendor and partner from the perspective of their access to company data: if the partner or vendor manages company data, they’re subject to more scrutiny than a vendor that does not. Keep the business purpose in mind when evaluating a security program. I review the business purpose and the type of information involved, then evaluate from that perspective, rather than handling all partners and vendors the same way. When in doubt, always ask for more information.

— Steve Murray
CISO


In 2012, 2,644 data breach incidents were reported worldwide, and it is thought that this statistic represents only 10% of actual cases. Of these reported incidents, 97% were avoidable. In total, 267 million records were exposed, the average cost of each breach was $5.5 million, and the overall impact of reported data breaches was $8.1 billion.

These sobering statistics preceded the data loss prevention talk by Craig Spiezle, Executive Director & President of the Online Trust Alliance during the Best Practices track at Interact 2013.


In a data-driven economy, more personal information on consumers is being collected, and likewise, data breach repercussions are becoming more severe. Perhaps one of the most embarrassing things for companies that experience a data breach is explaining why they possessed such information on their consumers in the first place, which might account for why such a large percentage of breach incidents go unreported. In the European Union, Internet service providers have 24 hours from the moment of discovery of a data breach to report the incident to the authorities.

All companies must operate under the assumption that the data they possess includes confidential information subject to regulatory requirements, and that there will come an unfortunate day when they experience a data breach. As such, security and privacy by design need to be part of your corporate DNA. Data stewardship is everyone’s responsibility, and data security policies need to be continually reviewed. The absence of a plan is clearly a recipe for disaster.

Zappos, for example, was a brand that floundered in the wake of a data loss incident. With no clear internal communication or pre-prepared phone scripts to help staff deal with anxious customer enquiries, the brand struggled to cope with phones ringing off the hook when 24 million records were compromised.

In the US, there are 46 different regulations that deal with data breaches, which means that in a data breach scenario your business would need to notify 46 different states, each with its own process for reporting the breach. Conversely, the European Union is moving towards one regulation and one notification point. If a data breach is specific to one country, however, you might not need to notify everyone.

Data Security Best Practices

While you may not know when you will have a data breach, there are ways to make sure that when the time comes, you are able and ready to deal with it.

  • Create an incident response team.
  • Have a draft email that is ready to go out to partners in the event of a data breach.
  • Create a relationship with your local FBI office so you know whom to contact in the event of a breach.
  • First responders and PR teams must be briefed and prepared in the event of data loss, e.g. for media and social media monitoring.
  • Consider a contract with a forensic company beforehand or a company with data breach remediation.
  • Think about where funding will come from and consider insurance coverage.
  • Create a website section for Frequently Asked Questions and consider translating it into different languages.

A data loss incident can cause significant damage to brand reputation. In a keynote at Gartner Symposium/ITxpo 2013, Google Executive Chairman Eric Schmidt said that a significant data breach at Google Inc. would be “devastating” and threaten the company’s existence.

And in an industry that is increasingly shaped by mobile behaviors, consider too that mobile devices have the potential to become compromised. The 2013 Data Protection & Breach Readiness Guide published by the Online Trust Alliance covers the topic of data breaches in far more depth and detail, so do download a copy of the report if you are interested in learning how to safeguard your brand.
