A GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING


There is a major difference between perceived and actual security. Perceived security is what you believe to be in place at your organization; actual security is much harder to know. Why? Because actual security requires verification, not just what you believe to be in place. So how can you better understand your actual cybersecurity standing and health? The first step is to understand the three primary ways your organization can experience a cybersecurity incident:

1. Someone on the outside. As an example, a hacker could send you an email carrying a piece of malicious code, and if you click on that email, you'll download the malware onto your system. If and when it spreads throughout the corporate network, it will allow the hacker to do what he wants within the organization. We'll refer to this below as an external threat.

2. A trusted insider. This is someone with a lot of access inside your organization who can steal data, intellectual property, trade secrets, and more, without the knowledge of colleagues or co-workers. This person has been given a certain level of trust and exploits that trust either willingly or unknowingly. We'll refer to this below as an internal threat.

3. An attack through the supply chain. A company can experience a cybersecurity incident because someone has been able to manipulate hardware or software that the company uses in order to gain access to its network or infrastructure. Or, the attacker is able to leverage a third-party service provider the company uses and steal the company's data through that vendor. We'll refer to this below as a supply chain threat.

Of course, you'll want to build a security program that thoroughly addresses all three of these so-called threat vectors. But how do you go about doing this? Through the use of specific, quantifiable cybersecurity metrics. Below, we've detailed 12 actionable metrics, in no particular order, that help you assess how an organization is doing with cybersecurity. These metrics help you go beyond simple yes and no answers and dig deeper into your vendor's (and your own) security posture. Keep in mind that these are only a few of the key metrics you should be watching, not all of them. This isn't a be-all, end-all list, but it's certainly a good place to start.

External Threats

1. Number of botnet infections per device over a period of time. Knowing that your company has had a few botnet infections in the past is one thing, but this metric forces you to examine how many (and likely what kinds) of botnets have infiltrated your network. There are many different types of botnets, and there are several reasons why an organization should be monitoring this metric. One reason is data exfiltration. Many botnets communicate back with a command and control server, and they are often written to collect user data or gather specific information. Other botnets can be used to install additional malware on computers. So if you have 10 affected devices, whoever is controlling the botnet can send more malware to those devices, and this additional malware could then cascade across your corporate network. While examining the number of botnet infections, it's also important to consider the type of botnet infections you've had. If a company had all Conficker infections, for example, that says something different than if they were hit with a variety of types of botnets. This is particularly important to consider if you're a financial organization, since there are botnets like Zeus that are specifically created to seek out financial information.
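One way to compute this metric from a detection feed, as an added example that is not part of the original guide: the log lines, the 30-day window and the list of families treated as financially motivated are all constructed assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample detections, one per line: "timestamp,device,botnet_family".
SAMPLE_LOG = """\
2024-03-01T08:12:00,ws-017,Conficker
2024-03-02T11:40:00,ws-017,Conficker
2024-03-03T09:05:00,ws-022,Zeus
2024-03-04T16:30:00,ws-031,Conficker
2024-03-20T10:00:00,ws-017,Zeus
2024-03-21T13:45:00,ws-022,Zeus
2024-04-15T09:00:00,ws-040,Conficker
"""

# Assumption for the example: families the guide describes as targeting financial data.
FINANCIAL_TARGETING = {"Zeus"}


def parse_detections(text):
    """Turn the CSV-like lines into (timestamp, device, family) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, family = line.split(",")
        rows.append((datetime.fromisoformat(ts), device, family))
    return rows


def botnet_metrics(rows, window_end, window_days=30):
    """Metric 1: infections per affected device in the window, plus the family mix."""
    window_start = window_end - timedelta(days=window_days)
    per_device = Counter()
    families = defaultdict(set)
    for ts, device, family in rows:
        if window_start <= ts <= window_end:
            per_device[device] += 1
            families[device].add(family)
    total = sum(per_device.values())
    rate = total / len(per_device) if per_device else 0.0
    # Count each family once per device so one chatty host does not skew the mix.
    family_counts = Counter(f for s in families.values() for f in s)
    return {
        "infections": total,
        "affected_devices": len(per_device),
        "infections_per_device": round(rate, 2),
        # Devices infected more than once in the window point at a cleanup gap.
        "repeat_devices": sorted(d for d, n in per_device.items() if n > 1),
        "families": dict(family_counts),
        "financial_targeting_devices": sorted(
            d for d, fams in families.items() if fams & FINANCIAL_TARGETING
        ),
    }


if __name__ == "__main__":
    print(botnet_metrics(parse_detections(SAMPLE_LOG), datetime(2024, 3, 31)))
```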

2. Number of unpatched known vulnerabilities. By measuring and understanding the implications of this metric, you may be able to prevent an attacker from using known vulnerabilities that have been published on the internet to access computers on your network. Vulnerabilities like Heartbleed, POODLE, Logjam, or FREAK can be easily exploited and cause significant damage to an organization. Thus, you want to be sure that you're patching your own network when any and all known vulnerabilities are announced, so you aren't susceptible to these unsophisticated attacks.

3. Number of properly configured SSL certificates. Monitoring this metric may help you answer two important questions: Does the SSL certificate meet the accepted level of security? Is the server configured properly to use those SSL certificates? If the answer is no to either of them, someone from the outside may be able to steal your SSL key. This key ensures that company communications to and from the server and databases are trusted. If someone with malicious intent is able to use this key, they could potentially gain access to very sensitive data or information. Thus, you'll want to be certain that all of your critical third parties (and you) have properly configured SSL certificates in an effort to avoid this issue.

Insider Threats

4. Amount of peer-to-peer file-sharing activity on a company's corporate network. If employees have been given unrestricted freedom to download software, applications, movies, or music on the corporate network, that is likely a very bad thing. A metric that measures the number of files shared or downloaded through peer-to-peer activity helps company leadership get down to the bigger issue of why personal downloads are happening at all. Not only does this activity open the corporate network to botnets and malware, but we've also found that companies with a lax policy on this issue typically have poor cybersecurity postures in general.

5. Percentage of employees with super user access. The goal for every organization should be to provide employees with only the level of network access they need to do their job. Most employees do not need access to every single piece of data in an organization, which is why this metric is vital. If you give everyone unlimited access to the network, you're drastically increasing your chances of an insider-based cyberattack. Once you've monitored this metric and reduced privileges, you can focus your attention on monitoring the employees you've trusted with the greatest amount of access.

6. Average number of days between notification of job departure and elimination of corporate access. Often, employees who are leaving a company may walk out the door with some sensitive data. Once you've established this metric, you'll get a better idea of how quickly your company is acting to reduce the likelihood that a disgruntled former employee could access the network and wreak havoc. Additionally, you'll want to create a baseline of behavior for each employee, so you can tell if an employee who has given notice is doing anything different with their network access. For example, if someone typically downloads three documents a day and is now downloading 30 per day, you'll want to know. But without a baseline, this number will be meaningless. From there, you can put a policy into place to monitor employee behavior against this baseline as soon as notice of leave is given.

7. Frequency by which employee access is reassessed. This metric is focused on timeliness, which is something you certainly want to measure. Frequency is measured in weeks, months, or years and is entirely dependent on the organization. If your organization is constantly in flux but waits three years to reassess employee access and controls, there may be cause for concern.
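The insider metrics 5 and 6 above, plus the per-employee download baseline, worked through on constructed data; this is an added example, not code from the guide, and the account list, departure dates, download counts, and the "3x baseline" spike threshold are assumptions chosen for illustration.

```python
from datetime import date
from statistics import mean

# Constructed sample records (not real data).
ACCOUNTS = [
    {"user": "alice", "super_user": True},
    {"user": "bob", "super_user": False},
    {"user": "carol", "super_user": False},
    {"user": "dave", "super_user": True},
    {"user": "erin", "super_user": False},
]

# access_removed=None means the account is still live after notice was given.
DEPARTURES = [
    {"user": "bob", "notified": date(2024, 3, 1), "access_removed": date(2024, 3, 1)},
    {"user": "carol", "notified": date(2024, 3, 4), "access_removed": date(2024, 3, 11)},
    {"user": "erin", "notified": date(2024, 3, 10), "access_removed": None},
]

# Daily document-download counts: a baseline week, then the days after notice.
DOWNLOADS_BASELINE = {"carol": [3, 2, 4, 3, 3, 2, 4], "bob": [5, 6, 5, 4, 6, 5, 5]}
DOWNLOADS_AFTER_NOTICE = {"carol": [3, 30, 28], "bob": [5, 4, 6]}


def super_user_percentage(accounts):
    """Metric 5: share of accounts holding super user rights."""
    n = sum(1 for a in accounts if a["super_user"])
    return round(100.0 * n / len(accounts), 1)


def avg_days_to_revocation(departures, today):
    """Metric 6. A departure whose access is still open counts up to 'today',
    so an unfinished offboarding raises the average instead of hiding from it."""
    days = [((d["access_removed"] or today) - d["notified"]).days for d in departures]
    return round(mean(days), 1)


def baseline_deviations(baseline, after, factor=3.0):
    """Flag departing users whose daily downloads exceed factor x their own baseline mean."""
    flagged = {}
    for user, days in after.items():
        base = mean(baseline[user])
        spikes = [n for n in days if n > factor * base]
        if spikes:
            flagged[user] = {"baseline_mean": round(base, 1), "spikes": spikes}
    return flagged


if __name__ == "__main__":
    print(super_user_percentage(ACCOUNTS))
    print(avg_days_to_revocation(DEPARTURES, date(2024, 3, 15)))
    print(baseline_deviations(DOWNLOADS_BASELINE, DOWNLOADS_AFTER_NOTICE))
```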

Supply Chain Threats

8. Number of open ports during a period of time. Monitoring the number of open ports is vital because it helps you understand whether third parties are communicating with the outside over unencrypted channels. For instance, if an HVAC service provider connects to your vendor's network through telnet, which is typically port 23, that is a risk to your organization and could potentially be used for harm. Their unencrypted user credentials could be stolen, and a hacker could use them to breach your network through telnet access. Here's how: a telnet port is an unencrypted communication channel into a network. The problem with leaving it open is that the user credentials and data transferred through it can be seen by anyone. If a third party houses your company's confidential or personally identifiable customer information (PII), you should ensure that the port is closed. If it's open, you should certainly know why. It may be open for a particular reason, for example because they need it for certain network device access, but it could also mean that your vendor needs a more modern network infrastructure with SSH connections.

9. Percentage of third-party software that has been scanned for vulnerabilities prior to deployment. Ideally, you'll show 100% for this metric at all times. This metric is important because it allows you to assess the security of the software you're using before your entire organization begins using it. If you skip this step even once and miss a critical vulnerability, your corporate network could be at risk.

10. Frequency by which a company reviews its entire list of suppliers and vendors and designates those that are critical. The process for identifying supply chain threats begins with understanding two important designations: who your third parties are and who your critical third parties are. If this process is performed frequently, your organization is more likely to find third parties that have a surprising amount of access to your data or network, and thus should be deemed critical.

11. Frequency by which a company verifies its vendors' controls. Vendor assessments come in many different formats, but they are all designed to do one thing: evaluate whether the proper controls are in place to assure security. The frequency with which vendor controls are verified is important, because your organization needs to be certain that the controls reported to be in place are in operation and that those controls stay in place. This goes back to the age-old adage: trust, but verify. Some companies do this on an annual basis, while others may opt for more or less frequent evaluations. Regardless of the timing, it's important to make sure you and your vendors have agreed on when these verifications will occur.

12. Percentage of critical vendors whose cybersecurity effectiveness is continuously monitored. Questionnaires, audits, penetration tests, and vulnerability scans are all important pieces of vendor risk management. But these four practices only offer you a snapshot in time of your vendors. You still won't know what is going on with these critical third parties on a day-to-day basis, which is vital in today's security landscape. Continuous monitoring software helps you keep an eye on all your vendors and can help you make better, data-driven choices.

In Conclusion

Years ago, you could simply ask if your organization (or your vendor) had a cybersecurity program in place, but today, that's simply not enough. Senior executives, CEOs, general counsels, and board members are taking cybersecurity more seriously than ever, and by monitoring the 12 metrics above, you'll be taking steps to protect your customers, your vendors, and yourself. But while monitoring these 12 metrics is crucial, it shouldn't stop there. You can't possibly assess whether or not your vendor's security is in order unless you have visibility into their network in real time, and that's where a continuous monitoring solution like BitSight comes in. It allows you to take action against real threats immediately.