BLOG

One Hundred sixty nine questions about your security program - By Tom brennan

4/10/2022

Commerically Reasonable Cyber Security in 169 Questions - By Tom Brennan

Mature organizations want to manage to "best practice" so that they can be proactive about the technical risks they face. Below are 169 questions to start that discussion and just like eating a elephant, you have to start one bite at a time.

Question

Do you remove sensitive data or systems not regularly accessed by your organization from the network?
Are these systems only used as stand-alone systems (disconnected from the network) by the business unit for occasionally use?
Can thes systems be completely virtualized and powered off until needed?
Do you utilize approved whole disk encryption software to encrypt the hard drive of all mobile devices?
Do you establish and maintain an overall data classification scheme for the enterprise?
Do you document data flows? Does your data flow documentation include service provider data flows, and is it based on your data management process?
Do you use enterprise software that can configure systems to allow the use of specific devices if USB storage devices are required? Do you maintain an inventory of such devices?
Do you encrypt all sensitive information in transit?
Do you encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into your operating system, in order to access the information?
Do you segment the network based on the label or classification level of the information stored on the servers and locate all sensitive information on separated Virtual Local Area Networks (VLANs)?
Do you use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system?
Do you enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring)?
Do you maintain documented, standard security configuration standards for all authorized operating systems and software?
Do you maintain a standard, documented security configuration standard for all authorized network devices?
Do you automatically lock workstation sessions after a standard period of inactivity?
Do you ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system?
Do you apply host-based firewalls or port filtering tools on end systems with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed?
Do you securely manage enterprise assets and software?
Do you change all default passwords before deploying any new asset to have values consistent with administrative level accounts?
Do you uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function?
Do you configure trusted DNS servers on enterprise assets?
Do you enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices? For laptops, do allow no more than 20 failed authentication attempts? For tablets and smartphones, do you allow no more than ten failed authentication attempts?
Do you remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate?
Do you ensure separate enterprise workspaces are used on mobile end-user devices, where supported?
Do you maintain an inventory of all accounts organized by the authentication system?
Do you use passwords to accounts that are unique to the system where multi-factor authentication is not supported (such as local administrator, root, or service accounts)?
Do you automatically disable dormant accounts after a set period of inactivity?
Do you ensure that all users with administrative account access use a dedicated or secondary account for elevated activities?
Do you only use this account for administrative operations and not internet browsing, email, or similar events?
Do you establish and maintain an inventory of service accounts? Does your inventory, at a minimum, contain the department owner, review date, and purpose? Do you perform service account reviews to validate all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently?
Do you configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems?
Do you establish and follow a process for granting access to enterprise assets upon new hire, rights grant, or user role change?
Do you establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor?
Do you Disable these accounts, instead of deleting accounts in order to preserve audit trails?
Do you require all externally-exposed enterprise or third-party applications to enforce MFA, where supported?
Do you require all remote login access to your organization's network to encrypt data in transit and use multi-factor authentication?
Do you use multi-factor authentication and encrypted channels for all administrative account access?
Do you maintain an inventory of each of your organization's authentication systems, including those located onsite or at a remote service provider?
Do you centralize access control for all enterprise assets through a directory service or SSO provider?
Do you define and maintain role-based access control by determining and documenting the access rights necessary for each role within the enterprise to carry out its assigned duties successfully?
Do you establish and maintain a documented vulnerability management process for enterprise assets?
Do you utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities?
Do you deploy automated software update tools to ensure that the operating systems are running the most recent security updates provided by the software vendor?
Do you deploy automated software update tools to ensure that third-party software on all systems are running the most recent security updates provided by the software vendor?
Do you perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested?
Do you utilize an up to date SCAP-compliant vulnerability scanning tool to automatically scan all systems on your network on a weekly or more frequent basis to identify all potential vulnerabilities on your organization's systems?
Based on your remediation process, do you remediate any detected vulnerabilities in software through processes and tooling on a monthly or more frequent basis?
Do you establish and maintain an audit log management process that defines the enterprise's logging requirements? At a minimum, do you address the collection, review, and retention of audit logs for enterprise assets?
Do you ensure that local logging has been enabled on all systems and networking devices?
Do you ensure that all systems that store logs have adequate storage space for the logs generated?
Do you use at least three synchronized time sources from which all servers and network devices retrieve time information regularly so that timestamps in logs are consistent?
Do you enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements?
Do you enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains?
Do you log all URL requests from each of your organization's systems, whether onsite or on a mobile device, to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems?
Do you enable command-line audit logging for command shells, such as Microsoft Powershell and Bash?
Do you ensure that appropriate logs are being aggregated to a central log management system for analysis and review?
Do you retain audit logs across enterprise assets for a minimum of 90 days?
Do you review the logs to identify anomalies or abnormal events on a regular basis?
Do you collect service provider logs where supported?
Do you ensure that only fully supported web browsers and email clients are allowed to execute in your organization, ideally only using the latest version of the browsers and email clients provided by the vendor?
Do you use DNS filtering services to help block access to known malicious domains?
Do you have enforced network-based URL filters that limit a system's ability to connect to websites not approved by the organization?
Do you have enforced filtering for each of the organization's systems, whether they are physically at an organization's facilities or not?
Do you uninstall or disable any unauthorized browser or email client plugins or add-on applications?
Do you implement a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy and verification to lower the chance of spoofed or modified emails from valid domains?
Do you start by implementing the Sender Policy Framework (SPF) and the Domain Keys Identified Mail (DKIM) standards?
Do you block all e-mail attachments entering your organization's e-mail gateway if the file types are unnecessary for your business?
Do you deploy and maintain email server anti-malware protections, such as attachment scanning or sandboxing?
Do you deploy and maintain anti-malware software on all enterprise assets?
Do you ensure that your organization's anti-malware software updates its scanning engine and signature database on a regular basis?
Do you configure devices to not auto-run content from removable media?
Do you configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected?
Do you enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system, or do you deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables?
Do you utilize centrally managed anti-malware software to continuously monitor and defend each of your organization's workstations and servers?
Do you use behavior-based anti-malware software?
Do you establish and maintain a data recovery process? Do you address the scope of data recovery activities, recovery prioritization, and the security of backup data?
Do you ensure that all system data is automatically backed up on a regular basis?
Do you ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network?
Does this include remote backups and cloud services?
Do you ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls?
Do you test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working?
Do you install the latest stable version of any security-related updates on all network devices?
Do you maintain an inventory of authorized wireless access points connected to the wired network?
Do you manage all network devices using multi-factor authentication and encrypted sessions?
Do you maintain an up-to-date inventory of all your organization's network boundaries?
Do you centralize network AAA?
Do you ensure that wireless networks use authentication protocols, such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication?
Do you require users to authenticate to enterprise-managed VPN and authentication services before accessing enterprise resources on end-user devices?
Do your administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access?
Do you segment the device from your primary network which is not allowed Internet access and not use the device for reading e-mail, composing documents, or browsing the Internet?
Do you deploy Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis?
Do you deploy a host-based intrusion detection solution on enterprise assets, where appropriate and supported?
Do you deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of your organization's network boundaries?
Do you enable firewall filtering betDo youen VLANs to ensure only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities?
Do you scan all enterprise devices remotely logging into your organization's network prior to accessing the network to ensure that each of your organization's security policies has been enforced in the same manner as local network devices?
Do you enable the collection of NetFlow and logging data on all network boundary devices?
Do you deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and supported?
Do you deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of your organization's network boundaries?
Do you utilize the port level access control, following 802.1x standards, to control which devices can authenticate to your network?
Do you tie the authentication system into the hardware asset inventory data to ensure only authorized devices can connect to your network?
Do you ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections?
Do you tune your SIEM system to better identify actionable events and decrease event noise on a regular basis?
Do you create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of your organization?
Is your organization's security awareness program communicated in a continuous and engaging manner?
Do you train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls?
Do you train workforce members on the importance of enabling and utilizing secure authentication?
Do you train workforce on how to identify and properly store, transfer, archive, and destroy information?
Do you train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email?
Do you train employees to be able to identify the most common indicators of an incident and be able to report such an incident?
Do you train the workforce to verify and report out-of-date software patches or any failures in automated processes and tools? Does the training include notifying IT personnel of any failures in automated processes and tools?
Do you train workforce members on the dangers of connecting to and transmitting data over insecure networks for enterprise activities? Does the training include guidance for remote workers to ensure that they securely configure their home network infrastructure?
Do you deliver training to address the skills gap? It is identified to impact workforce members' security behavior positively?
Do you establish and maintain an inventory of service providers? Does the inventory list all known service providers, include classification(s), and designate an enterprise contact for each service provider?
Do you establish and maintain a service provider management policy? Do you ensure the policy addresses service providers' classification, inventory, assessment, monitoring, and decommissioning?
Do you classify service providers?
Do you ensure service provider contracts include security requirements consistent with our service provider management policy?
Do you assess service providers consistent with the enterprise's service provider management policy?
Do you monitor service providers consistent with the enterprise's service provider management policy?
Do you securely decommission service providers?
Do you establish secure coding practices appropriate to the programming language and development environment being used?
Do you establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group?
Do you perform root cause analysis on security vulnerabilities?
Do you verify that the version of all software acquired from outside your organization is supported by the developer or appropriately hardened based on developer security recommendations?
Do you only use up-to-date and trusted third-party components for the software developed by your organization?
Do you establish and maintain a severity rating system and process for application vulnerabilities that facilitate the prioritization order to fix discovered vulnerabilities? Do you set a minimum level of security acceptability for releasing code or applications?
Do you use standard hardening configuration templates for applications that rely on a database? Do you test all systems that are part of critical business processes?
Do you maintain separate environments for production and nonproduction systems? Developers do not have unmonitored access to production environments?
Do you ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities?
Do you ensure that explicit error checking for in-house developed software is performed and documented for all input, including for size, data type, and acceptable ranges or formats?
Do you only use standardized and extensively reviewed encryption algorithms?
Do you apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software?
Do you conduct application penetration testing?
Do you conduct threat modeling?
Do you designate management personnel, as well as backups, who support the incident handling process by acting in key decision-making roles?
Do you assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and ISAC partners?
Do you devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and do you include this kind of information in the incident notification?
Do you ensure that there are written incident response plans that define the roles of personnel as well as phases of incident handling/management?
Do you assign job titles and duties for handling computer and network incidents to specific individuals and ensure tracking and documentation throughout the incident and to resolution?
Do you determine which primary and secondary mechanisms will be used to communicate and report during a security incident?
Do you have plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats?
Do you test the exercises' communication channels, decision making, and incident responders technical capabilities using tools and data available to them?
Do you conduct post-incident reviews?
Do you create incident scoring and prioritization schema based on the known or potential impact on your organization?
Do you utilize incident scoring to define the frequency of status updates and escalation procedures?
Do you establish a program for penetration tests that include a full scope of blended attacks, such as wireless, client-based, and web application attacks?
Do you perform periodic external penetration tests based on program requirements, no less than annually?
Do you remediate penetration test findings based on the enterprise's policy for remediation scope and prioritization?
Do you validate security measures after each penetration test? If deemed necessary, do you modify rulesets and capabilities to detect the techniques used during testing?
Do you perform periodic internal penetration tests based on program requirements, no less than annually?
Do you maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information?
Do you ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to your network?
Do you ensure that unauthorized assets are either removed from your network or quarantined, or the inventory is updated in a timely manner?
Do you utilize an active discovery tool to identify devices connected to your organization's network and update the hardware asset inventory?
Do you use the Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update your organization's hardware asset inventory?
Do you utilize a passive discovery tool to identify devices connected to your organization's network and automatically update the organization's hardware asset inventory?
Do you maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system?
Do you ensure that only software applications or operating systems currently supported by the software's vendor are added to your organization's authorized software inventory?
Do you ensure that unauthorized software is either removed, or the inventory is updated in a timely manner?
Do you utilize software inventory tools throughout your organization to automate the documentation of all software on business systems?
Do you utilize application whitelisting technology on all assets to ensure that only authorized software executes, and all unauthorized software is blocked from executing on assets?
Do you ensure that only authorized software libraries (such as *?dll, *?ocx, *?so, etc?) of the organization's application whitelisting software are allowed to load into a system process?
Do you ensure that only authorized, digitally signed scripts (such as *?ps1, *?py, macros, etc?) of your organization's application whitelisting software are allowed to run on a system?
Do you establish and maintain a data management process? In the process, do you address data sensitivity, data owner, data handling, data retention limits, and disposal requirements based on sensitivity and retention standards for the enterprise?
Do you maintain an inventory of all sensitive information stored, processed, or transmitted by your organization's technology systems, including those located onsite or at a remote service provider?
Do you protect all information stored on systems with file system, network share, claims, application, or database-specific access control lists?
Do these control lists enforce the principle that only authorized individuals should have access to the information based on their need to access the data as a part of their responsibilities?
Do you retain data according to the enterprise's data management process? Does your data retention include both minimum and maximum timelines?
These are are just some of the things that need to be considered for your business to demostrate commicatelly reasonable security contrtols. Second we have to look at the maturity of those controls ultimatly arriving with a score. For more information, talk to a member of our team. Call 973-298-1160 today and become proactive about the risks you face.

17 TECHNICAL CONTROLS FOR EFFECTIVE M&A DUE DILIGENCE - BY TOM BRENNAN

4/10/2022

Published in CPO Magazine April 6th 2022

Post-COVID, a growing number of mid-sized businesses are merging with and acquiring other companies to adapt, grow and expand. This process takes a tremendous amount of preparation and research. From business financials and intellectual property to contracts and tax issues, there is much to be done to help ensure a successful M&A transaction.

Among top considerations during the M&A process should be your technical controls. In specific, you need to pay close attention to the software bill of materials (SBOM), and several other vital areas of your technology-enabled business. If the target organization cannot demonstrate technical maturity, it will be score lowered and may ultimately see a reduced acquiring offer or be a deal-breaker altogether.
During the due diligence process, be prepared to present and describe your software-based technology product with documentation. What is expected during a technical due diligence review is architectural diagrams, scalability, and performance metrics. Technology choices made, including programming languages, databases, and infrastructure choices, will be reviewed. Your key staff must also be able to describe any software development practices and provide details on continuous deployment environments..

In particular, a review of the OWASP Top 10 2021 List is recommended. Be certain that you are able to answer questions about how you ensure code quality in a hostile internet-connected environment and perform an independent third party code audit

Depending on the reason for the merger or acquisition, it could be equally important to have technical controls in place for the operations side of the business. Here it’s important to evaluate how data is processed in 17 key areas:

Access Controls focus on identifying and limiting the people and other entities allowed to access your systems. These controls also involve limiting the types of functions and transactions that those authorized users can perform.
Asset Management includes requirements for managing services and devices that store or interact with your data, whether on your network or hosted in the cloud.
Awareness and Training helps to demonstrate that the business has a training program for their staff, contractors, and vendors so that they are equipped to report and overcome threats they may encounter.
Audit and Accountability for all actions is necessary. Your business should have controls in place to track individual users’ activities, as well as various system activities.
Security Assessments. Most organizations do not have an annual program to assess testing to make sure your system security plans are working. CREST can share lists and resources regarding International accredited service providers. For more information check out the Service Selection Platform.
Configuration Management lists the requirements for creating baseline configurations and inventories, as well as making actual changes to those systems. It also requires that your organization monitors for any unapproved changes that might occur.
Identification and Authentication is similar to Domain Access Controls in that they are focused on user access. However, in this case, the emphasis is on ensuring the person using an account is indeed the correct user.
Incident Response demonstrates that the organization has controls over, and has plans in place to anticipate security incidents. This also specifies what their response will be if any incidents occur.
Maintenance is based on the premise that all computer systems are vulnerable to failure at some point. That means your business should protect critical systems and data against vulnerabilities in the instance of a system failure. There should be a regular process of monitoring and re-evaluating how your security and backups are doing.
Media Protection covers the use of removable media to store data, including both electronic storage devices and paper. Storing information on removable media can be dangerous and leave you vulnerable, so it must be carefully controlled, and encrypted.
Physical Protections should be considered along with technological protections. Ask yourself, “How difficult would it be for someone to walk into my business and steal the hardware with its data?” This should be a good base for what is needed to secure your property.
Personnel Security asks if your business screens employees before allowing them to gain access to systems containing controlled unclassified information (CUI). It should also be considered that when an employee is transferred or terminated, and is no longer authorized to access data, how does your business plan to protect that data For example, what is your off-boarding process like? Are you organized with logs of who does and does not have access to your systems?
Recovery means regularly backing up your data. This is absolutely critical for preventing unnecessary data losses.
Risk Management demonstrates the maturity of the business. Have risk assessments of your data and systems taken place? What were the findings and corrective actions?
Situational Awareness. Organizations need to take intelligence regarding cyber threats from external sources seriously and respond to them appropriately. You should always have some level of awareness regarding your business and its security.
Systems and Communications Protection includes an extensive list of controls focused on securing the transmission of information within a system. It also prohibits the sharing of CUI on public forums. This might show itself in the encryption of emails and data loss prevention.
System and Information Integrity is the proactive monitoring for issues and then the prompt application of security patches as needed. Demonstration of this process is defined as a policy, a procedure, and staff task assignments.

Remember – confidentiality, integrity and availability are important items of consideration for your technology choices from day one. Be certain to use company that has been accredited to perform valuable third-party assessments with proven policies, processes and procedures to validate your technology and environment. With a credible third-party validation of your technical maturity, you can ensure that the technical elements of your due diligence will enhance acquisition offers and simplify the integration process.

For more information, contact us on how we can help you be proactive.

MeasureRISK Services

GRAY BEARD BLOG

One Hundred sixty nine questions about your security program - By Tom brennan

17 TECHNICAL CONTROLS FOR EFFECTIVE M&A DUE DILIGENCE - BY TOM BRENNAN

Categories

Tom Brennan

BLOG Archives