When meeting with IS (Information Security) and IT professionals, senior management and board members sometimes feel overwhelmed. As decision makers they are bombarded with technical terms, usually far from their comfort zone and are asked to take responsibility, make decisions and approve budgets and projects.
There is no point in asking decision makers: "Why didn't you ask the IS manager?" when they don't know what to ask in the first place.
With increasing regulation, senior management becomes more liable for the company's cyber security posture. Maya Security is committed to working with senior management and boards of directors to help them understand and lead their companies' efforts for better cyber security.
This is the first in a series of articles intended to shed some light and clear the "fog of war" for senior management, so that at the very least decision makers will know what to ask their IT and IS professionals.
Fighting Malware
Malware (malicious software) refers, in general, to any piece of malicious code running on a compromised machine. Malware comes in many shapes and forms; it is resilient and evasive, and it benefits the perpetrator at the expense of the compromised network and business.
When discussing how your organization is doing in the fight against malware, here are some questions you should ask your IS and IT professionals. Please note that this is only a partial list of controls, intended to give decision makers an idea of the efforts taken by their IS and IT professionals.
IT best practices
After years of experience, the industry has a pretty good understanding of how a computer network should be built and managed. Although IT Best Practices come from IT management, applying them is crucial to information security.
1. Network Segmentation: originally designed for more efficient network communication, segmenting your network also makes it more difficult for malware (and other attackers) that has already penetrated the network to spread and compromise more endpoints. Segmentation only helps if traffic between segments is actually restricted; two segments that can talk freely to each other are, for an attacker, one segment. Questions to ask your professionals:
a. How are we segmenting the network? (networks should be segmented according to purpose, e.g. printers, servers, workstations, and traffic between segments should be limited to what each purpose requires)
b. How small are the segments? (the smaller a segment is, the fewer endpoints are in danger once one machine in it is compromised)
2. Regular Backup: initially planned for DR purposes, backup has proved an effective weapon against ransomware and other data-destroying malware. Note that ransomware routinely encrypts or deletes any backup it can reach, so at least one copy must be offline or otherwise unreachable from the production network. Questions to ask your professionals:
a. What are we not backing up? Is all business-critical data backed up? (backup is expensive, so some companies back up only some of their data)
b. Are we testing backup? How often? (only validated backup processes can be relied on; testing your backup recovery for the first time when your server crashes is a bad idea)
c. Are we practicing FULL disaster recovery? (restoring certain directories is one thing, but a full server recovery is a whole different ball game)
d. Is at least one backup copy kept where malware running on the network cannot reach it?
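A restore test is the only answer to question b that means anything. The following is an added example, not code from the original article or from any backup product: it backs a constructed directory tree into a tar archive, restores it somewhere else, and compares a SHA-256 digest of every original file with its restored copy. The `exclude` parameter models a backup job whose scope was set too narrowly (question a), so the report lists exactly which files would be lost. All file names and contents are made up for the illustration.

```python
"""Added example: a minimal, self-checking backup restore test."""
import hashlib
import os
import tarfile
import tempfile


def sha256_of(path):
    """Digest a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_tree(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def backup(source, archive, exclude=()):
    """Write a tar.gz of source. 'exclude' models data the backup job skips."""
    def keep(info):
        rel = os.path.normpath(info.name)
        if any(rel == e or rel.startswith(e + os.sep) for e in exclude):
            return None  # dropped from the archive, like a mis-scoped backup job
        return info
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".", filter=keep)


def restore(archive, target):
    """Extract the archive; use the hardened 'data' filter where Python offers it."""
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, **kwargs)


def verify_restore(source, restored):
    """Compare the original tree with the restored one.

    Returns {"missing": [...], "mismatched": [...]}; both lists empty means the
    restore reproduced every original file byte for byte.
    """
    want, got = digest_tree(source), digest_tree(restored)
    return {
        "missing": sorted(p for p in want if p not in got),
        "mismatched": sorted(p for p in want if p in got and got[p] != want[p]),
    }


def demo(exclude=("finance",)):
    """Constructed scenario: a file server with three files is backed up and restored.

    With the default 'exclude', the finance directory was left out of the backup
    job, and the restore test reports the file that would be lost.
    """
    work = tempfile.mkdtemp()
    src = os.path.join(work, "fileserver")
    dst = os.path.join(work, "restored")
    sample_files = {  # constructed sample data
        "hr/policies.txt": b"policy v3",
        "finance/ledger.txt": b"Q1 totals",
        "notes.txt": b"x" * 100000,
    }
    for rel, data in sample_files.items():
        path = os.path.join(src, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    archive = os.path.join(work, "nightly.tar.gz")
    backup(src, archive, exclude=exclude)
    os.makedirs(dst)
    restore(archive, dst)
    return verify_restore(src, dst)


if __name__ == "__main__":
    print(demo())            # finance/ledger.txt reported missing
    print(demo(exclude=()))  # clean restore: nothing missing, nothing mismatched
```

In a real environment the same comparison runs against a restore into an isolated test host, never into production, and the list of files under `source` should be generated from the list of systems the business considers critical rather than from whatever the backup job happens to cover.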
3. Windows & 3rd Party Software Update: as with any other software, the operating system and the applications running on it (browsers, document readers, office suites and so on) have flaws which are regularly patched by their vendors. Although patching can affect system-wide resources and needs to be planned, it is a crucial part of securing your company network. Questions to ask your professionals:
a. How long does it take us to patch the entire network? (from
b. Are there machines we are not patching? Why? What is the risk involved in not patching these machines, and what compensating controls protect them?
c. What percentage of machines is successfully patched on average? How are we monitoring this? What are we doing to increase this percentage? (in past years 98% of machines patched was considered a successful figure; today the goal should be 100%, since it takes just one vulnerable machine to give an attacker a foothold in the network)
Prevention
Obviously, the best chance we have against a cyber-attack is to prevent it. Preventive measures can stop an attacker in his or her tracks, leaving our network safe. Some of these measures are:
4. Employee Training: in a recent talk I heard ISACA Chair Theresa Grafenstine, formerly inspector general of the US House of Representatives, say that over 90% of cyber-attacks on government infrastructure were initiated by an employee's wrong 'click', either email- or web-related. Cutting down on this factor can significantly decrease your company's exposure to cyber-attack. Questions to ask your professionals:
a. How and how often are we training our employees?
b. How many employees are we not training and why?
c. What metrics are we using to test training effectiveness?
5. Safe Browsing: Internet browsing has become an integral part of our workday but that doesn't mean we should expose our employees and company network to the dangers of the internet without protection. Questions to ask your professionals:
a. Are we blocking malicious websites? How?
b. Are we using safe browsing infrastructure? (web isolation renders web pages in a disposable environment away from the employee's machine, letting employees surf the web while minimizing the risk of compromise to the company network)
6. Spam / Phishing Filtering: sending malicious content via email is an effective, easy attack vector. Blocking spam and possible phishing attacks lowers the risk of a cyber-attack and increases employee productivity. Questions to ask your professionals:
a. Are we filtering mail? How are we doing so?
b. Are we blocking malicious senders? How? (this includes checking that mail claiming to come from our own domain really does, using the standard sender-authentication mechanisms SPF, DKIM and DMARC)
Detection
Once malware has found its way into the company's network it is imperative to detect and contain it as soon as possible.
7. Malware Heuristics: traditional Anti-Virus solutions are signature-based, which means they compare a file to a predefined list of known viruses to determine whether it is malicious. Any change to the file, even a trivial recompile, produces a new signature, which is why this is considered one of the least effective anti-malware technologies today. Better solutions look at what a program does (heuristics and behavioral detection, e.g. a process that rewrites hundreds of documents in seconds, or injects itself into other processes), disregarding prior knowledge of the file itself. The trade-off is false positives: behavioral rules need tuning so that legitimate software is not blocked. Questions to ask your professionals:
a. Does our traditional AV solution incorporate heuristic abilities?
b. How are we monitoring for and blocking malicious behavior?
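To make the difference between the two approaches concrete, here is an added example (not code from the article and not how any particular product works). A constructed stream of file-rename events is checked two ways: against a hash blocklist, which is all a signature-only scanner does, and with a simple behavioral rule that flags any process converting many documents into unknown file types within a short time window, a pattern ransomware shows whatever its hash. The hashes, process names, paths and thresholds are all made up for the illustration; a real product combines many such rules and tunes the thresholds per environment.

```python
"""Added example: signature lookup vs. a behavioral (heuristic) rule."""
import hashlib
import os
from collections import defaultdict, deque

# Constructed "signature database": the SHA-256 of one sample seen last year.
KNOWN_BAD_HASHES = {hashlib.sha256(b"old-sample-v1").hexdigest()}

# File types users legitimately keep on the share (constructed allowlist).
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".txt"}


def signature_verdict(executable_bytes):
    """Signature approach: malicious only if the exact hash is already known."""
    return hashlib.sha256(executable_bytes).hexdigest() in KNOWN_BAD_HASHES


def ext(path):
    return os.path.splitext(path)[1].lower()


class RenameBurstDetector:
    """Behavioral rule: a process that turns >= threshold documents into
    non-document file types within window_s seconds is flagged once.

    The rule knows nothing about the program's hash, so a freshly recompiled
    sample is caught just like an old one; the window and threshold keep slow,
    legitimate tools (archivers, converters) below the alert line.
    """

    def __init__(self, threshold=20, window_s=10.0):
        self.threshold = threshold
        self.window_s = window_s
        self.history = defaultdict(deque)  # pid -> timestamps of suspicious renames
        self.flagged = set()

    def observe(self, ts, pid, src, dst):
        """Feed one rename event; return True the first time pid crosses the threshold."""
        if ext(src) in DOC_EXTS and ext(dst) not in DOC_EXTS:
            q = self.history[pid]
            q.append(ts)
            while q and ts - q[0] > self.window_s:  # drop events outside the window
                q.popleft()
            if len(q) >= self.threshold and pid not in self.flagged:
                self.flagged.add(pid)
                return True
        return False


def run_demo():
    """Constructed scenario: one known sample, one recompiled sample, two processes."""
    old_sample = b"old-sample-v1"          # in the signature DB
    fresh_sample = b"recompiled-sample-v2"  # same malware, new bytes, new hash

    det = RenameBurstDetector(threshold=20, window_s=10.0)
    alerts = []

    # Constructed events: a legitimate archiver renames 8 documents to .bak,
    # one every 30 seconds, never 20 inside a 10-second window -> no alert.
    for i in range(8):
        if det.observe(i * 30.0, 100, f"/share/doc{i}.docx", f"/share/doc{i}.bak"):
            alerts.append((100, "archiver"))

    # Constructed events: the recompiled sample rewrites 25 documents to
    # .locked in 2.5 seconds -> alert on the 20th rename, and only once.
    for i in range(25):
        if det.observe(1000.0 + i * 0.1, 4242, f"/share/q{i}.xlsx", f"/share/q{i}.locked"):
            alerts.append((4242, "updater.exe"))

    return {
        "signature_catches_old": signature_verdict(old_sample),
        "signature_catches_new": signature_verdict(fresh_sample),
        "behaviour_alerts": alerts,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point for the conversation with your professionals: the signature check says "clean" for the recompiled sample, while the behavioral rule catches it without ever having seen it, and leaves the slow archiver alone. The price is the tuning that keeps that second half true.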
8. Deception: another tactic against malware and attackers is deception. It is mainly done by deploying honeypots (decoy machines, accounts or files that no legitimate user ever touches, so any access to them is a high-confidence alert) and/or anti-evasion techniques (making the real environment look like a malware analysis sandbox, so that evasive malware refuses to run). Either way, the attacker is made to believe the network behaves differently than it does, which diverts or stalls the attack and reduces risk. Questions to ask your professionals:
a. Are we using deception techniques?
b. How are we dealing with threats we cannot detect?
In conclusion, even though IS professionals may know it all, they are in dire need of senior management's support in pushing information security forward. As previously mentioned, the questions above are by no means an information security game plan, but rather the basis on which a healthy, productive and desperately needed conversation between decision makers and IS managers can develop.
Bridging the knowledge and language gaps between senior management and IS professionals is Maya Security's passion and promise to its clients, providing the right tools to create sound IS strategy and practices.