Thursday, December 31, 2015

Information Security in 2016...Will we get any better???

What did we learn in 2015?

We are still not serious about Information Security.  2015 was a year of complacency regarding security practices.  Just Google "security breaches 2015" and you'll see the depth of the problem: breaches involving 80+ million records, and loss figures above $1 billion, occurred in 2015.  That's not acceptable, yet we've moved on and seem to just be waiting for the next massive data breach.  So with that, my hope is that in 2015 we learned that we're not done...in fact, we have barely started with Information Security.  We have to get better in 2016.


The Human Being...By far the weakest link in Information Security

My apologies for being very honest and direct here.  However, if we still believe that Mark Zuckerberg will give us his billions for clicking, liking, and sharing a Facebook post, then we've got work to do to educate people better.  If it's too good to be true...it's probably fake!  Great deals, free $200 gift cards, incredible coupons, share this and you'll have good fortune...come on folks, let's stop fueling this nonsense!  And if you have clicked, liked, or shared these things...congratulations, you've probably given a criminal valuable data about yourself that may be used to defraud you.  Let's get a little smarter with Social Media in 2016.  Educate yourself.  My favorite resource for Social Media scams is Facecrooks.

Email, wow, what can I say?  We are still falling for email phishing scams.  They are getting better and really look like they come from the cable company, delivery service, retail store, etc.  Don't click on the links or buttons in an email unless you are really, really sure that it's authentic.  Remember, you can browse directly to the provider's website (type the address you already know rather than following the link) to get that same deal, review your account, etc., and verify that the email is legitimate.  For more about Social Engineering check out this site: Social Engineer, Inc.
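The advice above boils down to one check: compare where a message actually comes from, and where its links actually go, against the provider domain you would type yourself.  The script below is an added example (not code from the original post) that does exactly that for a constructed sample message.  The provider name "example-cable.com" and the sender and link hosts in the sample are invented; the domain heuristic is a deliberately simple "last two labels" rule.

```python
"""Inspect an email for the two most common phishing tells: the From
address living on a domain other than the provider's, and links whose
hosts (or visible text) don't match the provider domain you know.
All sample data in this file is constructed for the example."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: the display name and link text claim
# "example-cable.com" while the address and hrefs go elsewhere.
SAMPLE_EMAIL = """\
From: "Example Cable Billing" <billing@example-cable-support.net>
To: customer@example.org
Subject: Your statement is ready
Content-Type: text/html

<html><body>
<p>Your bill of $212.40 is ready. View it at
<a href="http://example-cable.com.billing-portal.biz/login">example-cable.com</a>.</p>
<p>Or use our <a href="https://www.example-cable.com/account">account page</a>.</p>
<p>Unsubscribe: <a href="http://203.0.113.9/u?id=1">here</a></p>
</body></html>
"""

# Constructed legitimate sample for comparison.
LEGIT_EMAIL = """\
From: "Example Cable Billing" <billing@example-cable.com>
To: customer@example.org
Subject: Your statement is ready
Content-Type: text/html

<html><body><p>View it at <a href="https://www.example-cable.com/account">your account</a>.</p></body></html>
"""

# Matches visible link text that itself looks like a domain or URL.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")


def registered_domain(host):
    """Crude 'last two labels' heuristic (assumption: good enough for a
    mismatch check; it mishandles suffixes like co.uk, so use a
    public-suffix library in production)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, expected_domain):
    """One finding per link that does not stay on the expected domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if host.replace(".", "").isdigit():
            # Bare IP addresses in links are rare in legitimate mail.
            findings.append(f"link '{text}' points at bare IP {host}")
        elif registered_domain(host) != expected_domain:
            m = DOMAIN_LIKE.match(text)
            shown = f" (text claims {m.group(1)})" if m else ""
            findings.append(f"link '{text}' goes to {host}, not {expected_domain}{shown}")
    return findings


def check_email(raw, expected_domain):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if registered_domain(sender_domain) != expected_domain:
        findings.append(f"From shows '{display}' but address is @{sender_domain}")
    findings.extend(check_links(msg.get_payload(), expected_domain))
    return findings


if __name__ == "__main__":
    for f in check_email(SAMPLE_EMAIL, "example-cable.com"):
        print("SUSPICIOUS:", f)
    print("legit sample findings:", check_email(LEGIT_EMAIL, "example-cable.com"))
```

The point of passing in `expected_domain` is that the script never trusts anything in the message to tell it who the provider is; that is the same discipline as typing the provider's address yourself instead of following the link.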

There are many really cool security technologies out there that work very well.  However, if you are tricked into giving away your user credentials, that technology is worthless.


The Information Security Program

I think that a lot of companies are struggling with the concept of a comprehensive security program. The mentality is that writing a few policies and throwing them out on the corporate Intranet is all they need.  Security professionals use the term "Program" because Information Security is not a project, it's a never ending cycle.  It takes a long time to establish a sound and comprehensive security program that functions well.  You need support from all levels of the organization and if you don't have that, you're not done yet!  Here are a few very basic steps...there's much more but this points you in the right direction:
  • Get Management and Board support in writing...if you can't get this, it's a huge red flag.
  • Educate the business on all things security...read the sections above...need I say more?
  • Assess your current security program state and present that to management.  If you have budget, get an independent 3rd party to verify your findings.
  • Develop an Information Security road map and go out up to 18 to 24 months...that's also a stretch as things change very quickly but you can adjust within that time frame.  If you go longer term than that, you're probably going to end up constantly changing things so keep it relatively short.
  • Document, document, document...if it's not documented, it doesn't exist and you're not doing it!
  • Establish a controls environment and start with the SANS Top 20 controls (now maintained by CIS as the Critical Security Controls)...they are a very good start...see the bullet point above about documenting.
  • Use the NIST Cybersecurity Framework as a starting point. It cross references the major security frameworks so you can decide if you need to go deeper with a more specific framework.
  • Establish your security policies, processes, and standards and enforce them.
  • If you have business units, managers, etc. that want to negotiate the policy content with you, that's another red flag.  Use those frameworks to argue your policy stance.
  • Note that you will likely be non-compliant with some policies as soon as they are published. That's not good but it's also going to be reality and you must be prepared to address that reality.
  • Develop and manage your exception process so you can get into policy compliance. Remember, exceptions can't be permanent...if that can't be avoided, you need to take a look at your policy...tread carefully here though as you just can't strike a policy that's NIST or ISO based because you can't comply with it.
  • Take things day by day...security is stressful and hectic...don't let it consume you and make yourself walk away from time to time!


To The Cloud?

Folks in IT and Security have been talking about the cloud for quite some time.  In the last year or so, Cloud has become part of many non-techie folks' vocabulary.  Everything can be put into the cloud and be constantly connected to it.  Is that bad?  No, but we must be responsible.  Let's not dive head first into the Cloud, throw everything out there, and then try to figure out how to secure it.  If you do, you're going to be another news story.  Cloud providers should be very clear about what they provide and what your responsibilities are.  Also, there are many different forms of Cloud computing, so make sure you educate yourself and at least gain a basic understanding of the various Cloud technologies.  Here are a few tips to get started:
  • Educate yourself on Cloud technology.  There are many free resources out there so use Google! Some technologies such as Amazon Web Services (AWS) offer a very nice free basic online course for their technology.  
  • Even with technologies such as continuous deployment and auto scaling, your security controls and policies shouldn't change much, if at all.  You may have to update some terminology, but the basics should be very similar to what you are hosting yourself or in a traditional data center.
  • Know and understand what your security responsibilities are.  Most Cloud vendors are very clear what they will do and what you are responsible for.
  • Make sure you have authentication, authorization, security controls, etc, mapped out before you deploy.
  • Make sure you have a transition plan to the cloud and move slowly.
  • Will your applications scale well in the cloud?  Can you migrate or do you need a code re-write?
  • Remember, you still need BCP and DR plans.  High availability is not necessarily DR.  And DR is not all you need for BCP.  If done correctly, HA and DR can be very seamless and efficient using the cloud...just make sure you have those in place!
  • Audit, Audit, Audit! With rapid deployment and auto scaling technologies, you have to make sure that you're well informed about what's going on in Cloud environments.
  • Make sure you account for logging and SIEM so you can audit your Cloud environments.  
  • The biggest key with Cloud is to plan before you go!
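To make the "audit, audit, audit" and "account for logging and SIEM" points concrete, here is an added example (not code from the original post or from any cloud vendor) that runs three audit rules over a handful of audit-log events: a security group opened to the whole Internet, an instance launched from an image that isn't on an approved list (by an auto scaling group, so no human ever clicked), and a console login without MFA.  The events are constructed for this example and follow the field layout of AWS CloudTrail JSON as an assumption; the rules, the approved image list, and every identifier are invented.

```python
"""Run simple audit rules over CloudTrail-shaped events.
The SAMPLE_EVENTS below are constructed for this example (assumption:
they follow the CloudTrail JSON field layout; check against your own
exported logs). In practice, load the "Records" array from a log file
and pass it to audit()."""
import json

# Hypothetical approved ("golden") image IDs.
APPROVED_AMIS = {"ami-0aaaaaaaaaaaaaaaa"}

SAMPLE_EVENTS = json.loads("""
[
 {"eventTime": "2015-12-30T02:11:09Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"groupId": "sg-0123456789abcdef0",
    "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
      "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2015-12-30T02:15:44Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "userIdentity": {"type": "AssumedRole", "invokedBy": "autoscaling.amazonaws.com"},
  "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0bbbbbbbbbbbbbbbb"}]}}},
 {"eventTime": "2015-12-30T03:02:51Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "additionalEventData": {"MFAUsed": "No"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2015-12-30T03:10:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0aaaaaaaaaaaaaaaa"}]}}}
]
""")

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_open_ingress(ev):
    """Security group rule that admits traffic from the whole Internet."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = ev.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = perm.get("ipRanges", {}).get("items", [])
        ranges += perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp", r.get("cidrIpv6")) in WORLD_CIDRS for r in ranges):
            return (f"world-open ingress on {params.get('groupId')} "
                    f"{perm.get('ipProtocol')}/{perm.get('fromPort')}-{perm.get('toPort')}")
    return None


def rule_unapproved_ami(ev):
    """Instance launched from an image that is not on the approved list.
    Catches auto scaling launches too, where no person is in the loop."""
    if ev.get("eventName") != "RunInstances":
        return None
    items = ev.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    bad = [i.get("imageId") for i in items if i.get("imageId") not in APPROVED_AMIS]
    if not bad:
        return None
    ident = ev.get("userIdentity", {})
    who = ident.get("invokedBy") or ident.get("userName") or ident.get("type")
    return f"unapproved AMI {','.join(bad)} launched by {who}"


def rule_console_login_no_mfa(ev):
    """Successful console login where MFA was not used."""
    if ev.get("eventName") != "ConsoleLogin":
        return None
    mfa = ev.get("additionalEventData", {}).get("MFAUsed")
    ok = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
    if ok and mfa == "No":
        return f"console login without MFA by {ev.get('userIdentity', {}).get('userName')}"
    return None


RULES = [rule_open_ingress, rule_unapproved_ami, rule_console_login_no_mfa]


def audit(events):
    """Return (eventTime, rule name, message) for every rule hit."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((ev.get("eventTime"), rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for when, rule, msg in audit(SAMPLE_EVENTS):
        print(when, rule, msg)
```

Rules like these belong in whatever SIEM you already run; the lesson is that with auto scaling the evidence of what was launched, by whom, and with which image only exists if you arranged for the logs to be collected before you deployed.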


So Let's Get Better in 2016!

I'm hoping that 2016 becomes the year of Information Security.  We need it as right now, we are losing the battle.  We know what we're doing wrong and we must take responsibility to be more proactive and less reactive.  Security education on all fronts is the most important factor that can help us turn the corner.  We have great security technology and we must use it effectively and not fall victim to the human factor.  Slow down a little bit, learn more, and have a great and secure 2016!
