It’s probably easier to define what isn’t in a security program, than what is in it! That’s right, security is going to touch almost every aspect of your organization. Every organization is different, they all have their own threats, compliance issues, business lines, risks, etc. Even in the same industry, the security program requirements can vary greatly. However, they all typically have the same basic elements.

Every organization has assets. This is what we are defending and we’ll call this tier 1. Assets can be systems, knowledge, data, people, etc. It just depends on the organization, and if applicable, it’s business lines. Tier 2 are the elements influencing tier 1. Assets are protected by network security, physical security, system/software lifecycle security, and communication security. Factors effecting the assets and security of the assets include threats and threat management, compliance with policy (note, we are not talking regulations, that comes at a higher tier), metrics for evaluating our security (defined in a higher tier), vulnerability management, and incident response. Elements that drive tier 2 and therefore will be called tier 3 include personnel security, risk assessment, audits, business continuity planning (BCP), metrics development, process management, threats and vulnerabilities (yes they appear here as well as this level is also being protected), data classification, and  process management. Tier 4 is the final tier we will cover. This however can be expanded to additional tiers depending on complexity of organizational structure and regulations/laws, but we are talking basics here. Tier 4 includes, regulations, laws, risk analysis, the overarching security program, policy development, process development and monitoring, governance model, and organizational security.

In some capacity, your organization MUST have each of these components to have an effective security program. I know, that seems like a daunting task. It is no small undertaking to establish all that, and if the company has grown for years without it, it will be extremely difficult to change the culture of the organization to be accepting of such a wide sweeping change. Remember though, if you followed part 1, you have the authority of the board and CEO. This is a mandate. If not, you’re wasting your time. That isn’t to say, be ugly about it. In fact, just the opposite. The people that need to be involved in this process (which is pretty much everyone in the organization in some aspect) MUST want to participate or they won’t live up to their end. A great way to start is training your employees on how to protect themselves from predators. This will get them engaged and thinking about security in new ways.

Most companies have no idea where to begin trying to get a handle on all those elements. Fortunately, you are reading this article to help you on your way. There are plenty of great resources out there for best practices guidelines. ISO 17799 and it’s successor is a fantastic resource. It is an internationally recognized standard for information security governance and provides high level recommendations for enterprise security programs. Divided into two main parts, the first is an implementation guideline and the second is an auditing guide.

As suggested in part 1, security should be top down. Meaning the board down to upper management, middle management, and finally the staff. A bottom up approach in which the IT department tries to initiate a security program is less effective, won’t get full buy in from other departments/business lines, and is doomed to fail. Other than the obvious lack of buy in from others, it is generally focused on technology and leaves all other vectors of attack untouched. The people actually responsible for protecting the assets must be driving the program.

Contact Shades of Gray Security to find out how we can help you setup and manage your security program today!

But I digress, this series of articles is about the hows of starting a security program, not the whys. Keeping the various sizes and roles of companies I have either worked for or with in mind, I am going to give some pointers on how to get the ball rolling on this daunting task.

First, let’s talk about what security is, and isn’t. It isn’t just having a policy and then turning to network defense appliances and washing your hands of the idea, mission accomplished. If your security program isn’t mandated by the board, mapped to all business lines, legal and regulatory requirements, and threat agents, it isn’t complete. It also isn’t enough to guard the perimeter while leaving the internal network in shambles. Likewise, if you don’t have data classification, you can’t move forward in a security program. After all, what is it you’re protecting and why? How can you have a risk assessment if there isn’t a metric for what is at risk?”If you don’t eat your meat, you can’t have any pudding! HOW can you have any pudding if you don’t eat your meat?!” Wait, I’ve gone off topic again. Anyway…

Let’s agree we need security and doing the above things simply isn’t cutting it. What are the first steps to getting your business security focused? Dive in and start applying patches? Install that much needed IPS? Write policies? No. Our first steps are crucial and should happen in rapid succession.

The board, CEO, and so forth, all must be on board with this. If there is no mandate coming down from the top, hang it up, go home, forget about it, game over man… game over.

First and foremost, let’s agree we need qualified people architecting it. I know most people may laugh, but I have tragically seen unqualified people put in the position of managing security. This is NOT a job to be given to someone because they have seniority. You will FAIL. This director must report directly to the CEO and board. It is not in the best interest of security to report to the CIO, CTO, network director, etc. It is not in their best interest to have anything negative reported by the security department and it will therefore not be. A security team is not a political football to be used to give the board and CEO false hopes of a safe network by the network director all the while not letting them do their job because he may look bad. You will FAIL. It is not a department that needs to be a clapping monkey doing cheap tricks to impress upper management with “quick wins.” If anyone ever thinks about uttering the words “quick win” toss them out ASAP. You will FAIL. That’s another thing, if someone says you won’t fail, toss them out. You WILL FAIL. The difference is, how graceful you fail. Did you fail and know within seconds? Hours? Days? Years? Did you ever find out?

So for our first step, and end to this first installment, we need sign on from the board and CEO. We need qualified people in place to architect this program, we need the team to report directly to the board and CEO. If this is going to be a political football and for some reason, no one can put on the big boy pants and enforce the program, I would venture to say your best bet is to outsource the entire program.

Contact Shades of Gray Security to find out how we can help grow your security department.

An assessment is critical to establish a baseline of your security posture. All future endeavors in security are based off this first, crucial step. Security Assessments from Shades of Gray Security are not your standard canned scan and report assessments you get from other companies. We take the time to learn your organization and present a more accurate picture of your security posture based on our matrix which analyzes your data based on several factors including threat agents, issue severity, and criticality of systems. Contact us today to get more information and schedule an assessment today!

Network/System Tuning

Tired of companies handing you an assessment report, then washing their hands of you leaving you stuck trying to figure out just what to do with it? Don’t know where to begin improving your test scores? Shades of Gray Security can help! From server hardening to firewall rules, to installing and monitoring an Intrusion Detection System (IDS) or even an Intrusion Prevention System (IPS), let us evaluate your needs and offer a great solution to increase your overall security posture today! Contact us now to learn more about what we can do to help keep your data safe!

Penetration Tests

What could a hacker find if they went after your systems? Let us find it before they do! A penetration test performed by Shades of Gray Security is a cut above the average test. We don’t give you a couple days of scanning and a cursory attempt at low hanging fruit. Shades of Gray Security gives a rigorous testing of your organization by a GIAC certified Penetration Tester. Chad Olivier is one of a handful of people in the world to have the GPEN certification from GIAC. We can customize the rules of engagement to suit your needs. Internal, external, blackbox, greybox, etc. Shades of Gray Security is ready to fit your penetration testing needs. Are you ready to pick up your pencil, open your workbook, and begin your test? Contact us today!

Application Testing

Have you developed a custom application? Do you have an interactive web site? Are you accidentally exposing sensitive data? Do you want to test it before it goes live? Has it already gone live and you’re wondering what may happen? Get some peace of mind and order an application test. We can handle source code reviews, or penetration tests. Have your application tested by a GIAC certified penetration tester today! Contact us now to get a good night’s sleep!

Social Engineering

A great many of the big “hacker” attacks were really social engineering. Social engineering is the new term for con artist. It could come in the form of a phishing scheme or the bad guy may just show up and talk his way in. Think it can’t happen? Think again! Chad Olivier has been performing social engineering tests for six years with a 100% success rate. These engagements are great when accompanied by training. We can first test your employees with social engineering efforts, then come back for training and point out good efforts of the staff, as well as areas that need improvements. This is much more effective than a standard training session, or a policy your employees have to read. This is the most effective way to grab their attention and get them thinking about security. The benefits don’t stop at the office, your staff will be able to incorporate the security tips learned during this engagement and subsequent training in their personal lives as well. Let us walk into your vault, before a criminal does! Contact us today!

Incident Response

The first steps in response to an attack are critical. Do you know what to do and when to do it? Let us help you design and plan your response. We offer services to be on call ready to respond with you. Have you ever had a virus spread throughout your organization? What did you do? Attempt to stop it while it continued spreading ultimately resulting in extensive damage both to data and loss of productivity? Did you perform forensics, or merely wipe the systems? Are you sure your data didn’t leak out during the attack? A virus is often times a side effect of having a trojan horse on a system It also makes a great method for covering your tracks after completing an attack. After all, what do people do? They wipe the system and destroy all evidence of the attack. Don’t let this happen to you! Let Shades of Gray Security prepare you for the worse. We will stand by you during your darkest hour and help you through the crisis. Contact us today to find out more about our incident response programs.