April 21, 2016 By M. Gene Shantz 3 min read

No matter what city you live in, you have likely seen a police officer conducting a traffic stop or talking to someone on the street. The officer may be issuing a ticket to the red light runner in hopes of changing the driver’s behavior to prevent a potential serious collision. Or he or she may also be talking to a person who seems out of place, gathering intelligence on who they are and why they are there, trying to identify possible criminal activity in a particular location.

Policing the Organization to Reduce Risk

You may be thinking: How does this relate to cybersecurity? Well, it is my belief that the chief information officer (CIO) or chief information security officer (CISO) is charged with the security of the corporate network in much the same way a police chief is responsible for the security of the city. The police chief is responsible for protecting citizens from criminal activity and situations that cause injury, while the CIO/CISO is responsible for protecting the company’s crown jewels from malicious cybercriminals.

Imagine if the police officers were just sitting at the police station waiting for something to happen before they responded. Crime would go up, collisions would increase and the overall risk to the public would be much higher. The police chief reduces these risks by having the patrol officers take a proactive approach to stopping drivers whose behavior is likely to cause a collision or educating the public on how to secure their residences and not become a victim to theft.

What CISOs Should Do

A CIO/CISO who takes a similarly proactive approach in looking for and eliminating threats or risky behaviors can dramatically reduce risk. At a minimum, the organization will be better prepared for a security incident when one occurs.

While many organizations have excellent information technology teams that do a great job of configuring the networks in place, those configurations are often designed around functionality and performance, with only a touch of security built in.

Consider security activities that can inform IT organizations of areas where they may want to consider additional enhancements. For example, an active threat assessment (ATA) approaches the network from a fresh perspective, using intelligence from years of incident response investigations and current security trends to identify active threats and risky behavior.

How to Reduce Risk

A thorough ATA should include components such as penetration testing, host scanning and assessment, log analysis and an assessment of essential practices and critical controls.

Pen Testing

Penetration testing, depending on size and scope, can help to identify the unpatched servers that still have exploitable vulnerabilities and find weaknesses through social engineering. Considering that the human factor is the weakest link in any security chain, testing and educating employees should be high on the list of any proactive practices.

Host Scanning and Assessment

Host scanning and assessment should not only include a search for the obvious malware running on the system or residing static on the drive, but should also feature an assessment of the system and program configurations an intruder may use to further traverse the network.

For example, it is not uncommon for administrators to unintentionally leave credentials in configuration or batch files on servers in plaintext; they don’t realize they left the keys to the kingdom under the doormat. While not intentional, this type of risky behavior can be the difference between a simple infection being contained and complete ownership of the network by the malicious intruder.
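As an added example (not part of the original article), the following Python scanner performs the configuration check described above: it walks a directory of batch and configuration files and flags lines that appear to assign a literal credential, while skipping values that are only references or prompts (environment-variable placeholders, a `*` password prompt in `net use`). The file names, contents and credential patterns are constructed for illustration and are assumptions, not a complete rule set.

```python
import os
import re
import tempfile

# File types a host assessment would typically sweep for embedded credentials (assumed list).
SCAN_EXTENSIONS = {".bat", ".cmd", ".ps1", ".sh", ".ini", ".cfg", ".conf",
                   ".config", ".xml", ".properties", ".env"}

# Illustrative patterns; each captures the candidate secret in group 1.
PATTERNS = {
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*[\"']?([^\s\"';]+)"),
    # Windows batch form: net use <drive> <share> <password> /user:<domain\user>
    "net_use_password": re.compile(
        r"(?i)\bnet\s+use\s+\S+\s+\S+\s+(\S+)\s+/user:"),
    "api_key_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret[_-]?key|client[_-]?secret)\s*[=:]\s*[\"']?([^\s\"';]+)"),
}

# Values that are references or prompts rather than literal secrets.
PLACEHOLDER = re.compile(
    r"^(?:\*|\*{3,}|\$\{[^}]*\}|\$[A-Za-z_]\w*|%[^%]+%|<[^>]+>|\{\{.*\}\}|changeme|x{3,})$",
    re.IGNORECASE)

COMMENT_PREFIXES = ("#", "::", "REM ", "rem ")


def scan_text(text):
    """Return one finding per line that assigns a literal credential; the secret is redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(COMMENT_PREFIXES):
            continue
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match and not PLACEHOLDER.match(match.group(1)):
                findings.append({"line": lineno, "kind": kind,
                                 "redacted": line.replace(match.group(1), "***").strip()})
                break  # one finding per line is enough for a report
    return findings


def scan_directory(root):
    """Map relative file path (forward slashes) to its findings, for files with interesting extensions."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if findings:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


# Constructed sample tree: two real exposures, three lines that only look like one.
SAMPLE_FILES = {
    "backup.bat": ("@echo off\n"
                   "REM nightly backup job\n"
                   "net use Z: \\\\fileserver\\backups Summer2016! /user:CORP\\svc_backup\n"
                   "xcopy D:\\data Z:\\ /E /Y\n"),
    "mount.cmd": "net use Y: \\\\fileserver\\home * /user:CORP\\alice\n",   # '*' prompts; no secret
    "app/web.config": ("<connectionStrings>\n"
                       '  <add name="db" connectionString="Server=db01;User Id=sa;Password=P@ssw0rd;" />\n'
                       "</connectionStrings>\n"),
    "app/settings.ini": "[db]\nhost=db01\npassword=${DB_PASSWORD}\n",        # env reference, not a literal
    "deploy.sh": "#!/bin/sh\nexport API_KEY=\"${API_KEY}\"\n",
}


def demo():
    """Write the constructed sample files into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_directory(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        for finding in findings:
            print(f"{path}:{finding['line']} [{finding['kind']}] {finding['redacted']}")
```

Running the script reports `backup.bat` (password on the `net use` line) and `app/web.config` (password inside the connection string) and stays silent on the placeholder values; the redacted copy of each line is what belongs in the assessment report, never the secret itself.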

Log Analysis

Log analysis is an extremely important part of a threat assessment. Firewall logs can show if there is suspicious traffic coming from an internal endpoint, even if that traffic is blocked at the firewall. This can help identify an indicator of compromise. Security event logs may also indicate possible remote desktop connections and brute-force attacks on user accounts.

Additionally, the ability to respond to a security event and follow an intruder through a network depends heavily on network visibility in the form of logging. Threat assessments often flag blind spots in the network logging that could limit the ability to track an intruder or impede the root cause analysis of a situation.
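As an added example (not from the original article), this Python script carries out the two log checks the section describes: it looks for an internal endpoint that is repeatedly denied to the same external host and port (blocked traffic that is still an indicator of compromise), and for an account with a burst of failed logons from one source followed by a successful logon, noting when that logon was a Remote Desktop session. The log lines are constructed in a generic `timestamp host key=value` layout; the field names, thresholds and the RFC 1918 definition of "internal" are assumptions, not the format of any particular firewall or SIEM.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall lines: one workstation keeps trying the same external host:port and is blocked.
FIREWALL_LOG = """\
2016-04-20T02:13:05Z fw01 action=deny src=10.20.5.17 dst=203.0.113.9 dport=443 proto=tcp
2016-04-20T02:13:40Z fw01 action=allow src=10.20.5.22 dst=198.51.100.20 dport=80 proto=tcp
2016-04-20T02:14:05Z fw01 action=deny src=10.20.5.17 dst=203.0.113.9 dport=443 proto=tcp
2016-04-20T02:15:05Z fw01 action=deny src=10.20.5.17 dst=203.0.113.9 dport=443 proto=tcp
2016-04-20T02:15:30Z fw01 action=deny src=198.51.100.7 dst=10.20.5.1 dport=22 proto=tcp
2016-04-20T02:16:05Z fw01 action=deny src=10.20.5.17 dst=203.0.113.9 dport=443 proto=tcp
2016-04-20T02:17:05Z fw01 action=deny src=10.20.5.17 dst=203.0.113.9 dport=443 proto=tcp
2016-04-20T02:17:20Z fw01 action=deny src=10.20.5.40 dst=203.0.113.50 dport=8080 proto=tcp
2016-04-20T02:18:05Z fw01 action=deny src=10.20.5.17 dst=203.0.113.9 dport=443 proto=tcp
"""

# Constructed Windows-style security events: 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (Remote Desktop).
SECURITY_LOG = """\
2016-04-20T02:15:01Z dc01 EventID=4625 Account=jsmith Source=10.20.5.17 LogonType=10
2016-04-20T02:15:03Z dc01 EventID=4625 Account=jsmith Source=10.20.5.17 LogonType=10
2016-04-20T02:15:05Z dc01 EventID=4625 Account=jsmith Source=10.20.5.17 LogonType=10
2016-04-20T02:15:07Z dc01 EventID=4625 Account=jsmith Source=10.20.5.17 LogonType=10
2016-04-20T02:15:09Z dc01 EventID=4625 Account=jsmith Source=10.20.5.17 LogonType=10
2016-04-20T02:15:11Z dc01 EventID=4625 Account=jsmith Source=10.20.5.17 LogonType=10
2016-04-20T02:15:40Z dc01 EventID=4625 Account=bwayne Source=10.20.5.88 LogonType=2
2016-04-20T02:16:00Z dc01 EventID=4624 Account=jsmith Source=10.20.5.17 LogonType=10
2016-04-20T02:20:12Z dc01 EventID=4624 Account=bwayne Source=10.20.5.88 LogonType=2
"""

KV = re.compile(r"(\w+)=(\S+)")
# Assumption: "internal" means the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split 'timestamp host k=v k=v ...' into a dict; 'ts' becomes a datetime."""
    ts_str, host, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields["host"] = host
    return fields


def _burst_end(times, count, window):
    """Index of the last event in the first run of `count` events that fit in `window`, else None."""
    times.sort()
    for i in range(len(times) - count + 1):
        if times[i + count - 1] - times[i] <= window:
            return i + count - 1
    return None


def find_blocked_beacons(lines, min_hits=5, window=timedelta(minutes=10)):
    """Internal sources denied `min_hits` times to the same external host:port within `window`."""
    attempts = defaultdict(list)
    for line in filter(None, (raw.strip() for raw in lines)):
        f = parse_line(line)
        if f.get("action") != "deny" or not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only blocked outbound attempts from internal endpoints are of interest
        attempts[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    return [{"src": src, "dst": dst, "dport": dport, "denied": len(times)}
            for (src, dst, dport), times in attempts.items()
            if _burst_end(times, min_hits, window) is not None]


def find_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Accounts with a burst of failed logons from one source, plus whether a success followed."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in filter(None, (raw.strip() for raw in lines)):
        f = parse_line(line)
        key = (f["Account"], f["Source"])
        if f["EventID"] == "4625":
            failures[key].append(f["ts"])
        elif f["EventID"] == "4624":
            successes[key].append((f["ts"], f.get("LogonType")))
    alerts = []
    for (account, source), times in failures.items():
        end = _burst_end(times, threshold, window)
        if end is None:
            continue
        later = [lt for ts, lt in successes[(account, source)] if ts >= times[end]]
        alerts.append({"account": account, "source": source, "failures": len(times),
                       "success_after": bool(later), "remote_desktop": "10" in later})
    return alerts


if __name__ == "__main__":
    for alert in find_blocked_beacons(FIREWALL_LOG.splitlines()):
        print("repeatedly blocked outbound:", alert)
    for alert in find_brute_force(SECURITY_LOG.splitlines()):
        print("failed-logon burst:", alert)
```

The two checks share the same burst detector, so the only difference between them is which fields make up the key (source, destination, port versus account and source). The second alert is the case worth escalating: the same workstation that the firewall keeps blocking also produced six failed logons followed by a successful Remote Desktop session.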

Assessing Practices

The essential practices and critical controls element can be anything from looking at everyday processes and the risk associated with them to examining the architecture of the network for security risks that could be addressed.

Are You Prepared for a Security Incident?

Networks are commonly referred to as jelly-filled hard candy. Once an intruder gets through the hard outer shell, the rest is the soft and chewy center that yields the most flavor. The hard shell is generally defeated with a breakdown in the human factor via phishing emails, drive-by downloads, etc.

So as you read this and reflect back on your own network and security posture, think about how proactive you are and whether you could do more. It’s only a matter of time until your organization comes under attack. Implementing sound, proactive assessments and thorough testing designed to improve the network security posture will help prevent or reduce the risks when an attack does occur.

The cyber storm is coming. Are you ready?
