I think it is that time of the year again when the security experts see the future and predict the present. I guess I should join the bandwagon, so can I have your attention please?
#1 Organisations will continue to be breached
It’s days away from 2020, and the rate of breaches are not likely to go down, organisations will still be breached, as much as I would love to believe that organisations are doing well protecting themselves, you will be surprised with how many organisations that cant even meet the minimum requirements that are set to comply with NCSC top 10 steps to cybersecurity (https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security), simple questions is your patch management program integrated with your vulnerability management process that cover that unpatched windows 2003 server? sorry I meant windows 2008?
#2 Increase spending in cyber security budget otherwise you will be breached
Increase budget in cybersecurity program is a good thing, but spending the money only in buying security appliances without first establishing ‘what assets’ need protecting is not a good move. Organisation should ensure that the security objectives are aligned with the business objectives, and establishing this is should be systematically done through documenting a business security architecture. So security execs (CISO/CSOs) should be able to trace back when they are asked why do we need to invest in ‘dark web monitoring service’ or ‘shiny security appliance’?
#3 Your applications are still vulnerable to OWASP Top 10 (of 2013)
A number of web apps are still vulnerable to the 2013 version of OWASP Top 10, and if you see any of the below during your testing, I guess you need to have a word with your dev team, should we say DevOps or DevSecOps? whatever the name, this means there is something wrong with the development practise and whole lifecycle.
- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards
#4 Your Incident Response Plan have been table-top tested for the past 3 years, the real storm comes this January.
I have seen organisations end up doing only table top exercises in order to tick compliance tickboxes, while one may argue that invoking the full IRP may be costly, but it may cost you more, if the only test for the past 3 years you have done are just table top exercises.
Real-life test maybe needed to mimic if the actual disaster happen or data breach happen? Maybe a question to ask yourself, how is that public relation department prepared? do you have one? do you have a forensic expert internally or do you need to have external experts comes in? do you have a retainer arrangement in place? they may be busy!
#5 My people are security trained at least once a year
Most organisations now have information security trainings, that happens at least once in a year. As you know, this involve sitting down in front of the computer go through slide decks, or CBT , with an exam to complete at the end or maybe a coupe of policies to read. Whilst these are good practises, organisations should aim to conduct social engineering tests on frequent basis to test how well their human security defense is effective.
To be continued …