Saturday, September 24, 2022

Implemented cyber/info Security and common Gaps - A short analysis from the organization, technical and management perspective

 

Your opinions are welcomed and appreciated.

Generally, a company has multiple security solutions along with many teams of security professionals and a large budget to protect the organization's data/information from security breaches. The security teams may include:

1. Penetration Testing Team

2. SOC Team

3. Threat Hunter/Security Researcher

4. DLP Team

5. Compliance Audit Team

6. Third Party Vendor Management Team

7. Security Owner (project wise)

8. Phishing Campaign Runner, or a team working on employee security behavior

9. Network Operation Team

etc.

There is a huge budget/expense involved in managing all these teams for any company. Even with these teams deployed and working on their responsibilities, we see hacks/breaches on a day-to-day basis at different organizations. This requires analysis from the organization's point of view: where exactly is the gap? Is an additional team required, or do the job responsibilities of the different teams need to change a bit to close such gaps? Let's dig in a bit to find the answer and the gaps.

I've worked in a few of these security teams for multiple organizations and am trying to add the real-time work culture/responsibilities here in short, along with common gaps. Analyzing all the teams would be much longer here (which we can discuss if required), so let's look at pentesting.

1. Penetration Testing Team - Generally performs security assessments of assets (apps/infra/network and security devices), either before go-live or on live applications, to identify vulnerabilities before an attacker finds them. The work area also overlaps with vulnerability management and tracking.

Common gaps which can be seen here:

a) Identified vulnerabilities sometimes remain open for a long time (there may be multiple reasons for this, such as dependencies on different teams/technologies, major modifications required in applications, end of support from the OEM, delayed patch releases, no downtime available for the change/upgrade, lack of budget, etc.). This means an identified, existing risk remains open, which may be an easy access point for an attacker.

Solution:

· A proper vulnerability management process is required that defines what needs to be done in which case. Prioritize risk/vulnerability remediation based on severity. Fix a time period, such as 20/30/40 days, to remediate critical vulnerabilities, 30-60 days for High, etc. It can vary per organization and asset.

· A retest also needs to be performed after remediation.

· Even if complete remediation is delayed, mitigation with compensating controls can be attempted.

· Sometimes a hard call such as decommissioning the asset can be taken if no remediation is possible (identifying an alternative solution or creating a new app may be much cheaper than the cost of a data breach).
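As an added example (not part of the original post), a small tracker that applies the points above to a constructed set of findings: severity-based remediation windows, a finding only counts as closed after a retest, and an overdue finding with a compensating control is reported as mitigated rather than simply overdue. The SLA day counts, field names and sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation windows (days) per severity, assumed for this example; the post only gives ranges and says they vary.
SLA_DAYS = {"Critical": 30, "High": 60, "Medium": 90, "Low": 180}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
TODAY = date(2022, 9, 24)  # constructed review date

@dataclass
class Finding:
    fid: str
    asset: str
    severity: str
    found: date
    remediated: Optional[date] = None            # date the fix was applied
    retested_ok: bool = False                    # retest confirmed the fix
    compensating_control: Optional[str] = None   # interim mitigation, if any

def status(f: Finding, today: date) -> str:
    """Classify a finding; a fix is only 'closed' once a retest confirms it."""
    if f.remediated is not None:
        return "closed" if f.retested_ok else "pending retest"
    if today > f.found + timedelta(days=SLA_DAYS[f.severity]):
        return "overdue (mitigated)" if f.compensating_control else "overdue"
    return "open"

def review(findings: List[Finding], today: date) -> Dict[str, str]:
    return {f.fid: status(f, today) for f in findings}

def escalation_list(findings: List[Finding], today: date) -> List[str]:
    """Overdue findings with no compensating control, worst severity first and
    oldest first within a severity: the list to put in front of management."""
    late = [f for f in findings if status(f, today) == "overdue"]
    late.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.found))
    return [f.fid for f in late]

# Constructed sample findings, not real data.
SAMPLE = [
    Finding("VULN-001", "web-portal", "Critical", date(2022, 7, 1)),
    Finding("VULN-002", "api-gw", "High", date(2022, 8, 20), remediated=date(2022, 9, 10)),
    Finding("VULN-003", "legacy-erp", "Critical", date(2022, 6, 1), compensating_control="WAF rule"),
    Finding("VULN-004", "intranet", "Medium", date(2022, 9, 1)),
    Finding("VULN-005", "api-gw", "High", date(2022, 5, 1), remediated=date(2022, 6, 15), retested_ok=True),
    Finding("VULN-006", "web-portal", "High", date(2022, 6, 20)),
]

if __name__ == "__main__":
    print(review(SAMPLE, TODAY), escalation_list(SAMPLE, TODAY))
```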

 

b) Testing environment - Generally the tester performs (or is asked to perform) the test in a non-production environment (this may be due to the high risk of application crashes, tampering with real-time data, exposure of customer data to the tester, etc.), which in some scenarios amounts to partial testing. (Partial testing: the software code/application is analyzed in UAT, but the underlying infrastructure associated with the application is not tested, and the configuration of the application in the production environment has not been assessed.) Here the product owner will have confidence that the application is secure, which may be false or only partially true.

Solution:

· Create an organization-wide framework which ensures production environment testing.

· If complete production environment testing is not possible, go with UAT (an exact replica of production) plus partial production testing. Make sure the underlying infrastructure of the application, along with the configuration of the application environment, gets assessed.

c) Pentester experience - In many cases, the pentester deployed does not have the required experience/skill set, and may fail to identify even a common security gap.

Solution:

· Perform proper due diligence on the deployed vendor/tester.

· Make sure primary assurance is implemented, meaning challenge the tester on the quality of the testing and the report.

 

d) Strict timeline - The number of man-days of testing is limited by the app owner or the company to save budget, and because of it the vendor/tester has to submit the report whether or not all the attack surfaces have been analyzed.

Solution:

· Again, an organization-wide framework is required to fix the minimum man-days of testing for applications falling under different categories/severities. A wide analysis (based on asset type/size, crown jewel analysis, BIA analysis, etc.) is required to place applications in different categories and assign man-days of testing based on that.

 

e) Sometimes senior management remains unaware of the open gaps, or the pentesting team keeps them under the false assurance that everything is running fine. This may result in a big loss at any time.

Solution:

· Here it is required to add a knowledgeable person as pentest activity lead, or a pentest assurance team, who can understand the real objective of the complete pentest activity, ensure the periodic in-depth security assessment/vulnerability management stays on track, and report to management.

 

f) In a similar way, a few more gaps can be seen.

Identifying the issue/gap is a bigger challenge than getting a solution. I'm open to your comments and ready to discuss / understand the reader's thinking on it....