
Tenable Blog


Why Are Widely Adopted Security Practices Falling Short?

In a recent Tenable webcast, a panel of CISOs discussed why widely adopted security practices are falling short. While the focus was on higher education, attendees representing insurance companies, banks, security firms, hospitals, retail, and payment processors voiced similar challenges.

The panelists included:

  • Kevin McKenzie, CISO and Executive Director, Clemson University
  • Brad Sanford, CISO, Emory University
  • Randy Marchany, CISO, Virginia Tech
  • Ron King, Co-Chair / Co-Moderator PCI Workshop, Treasury Institute.org
  • Jeff Man, Strategist, Tenable Network Security

If you were not able to attend the webcast, you can access it here.

Here are key topics, highlighted quotes, and valuable tips from the webcast.

Background

Corporate networks face IT security challenges in supporting many users and devices against many threats, but higher education institutions face additional security and compliance challenges. For example:

More than 30% of cyberattacks infiltrate networks through computers that belong to a student or employee

  • Enterprises and universities can both be highly distributed with multiple teams managing security and compliance practices. Universities may also have multiple networks that are separately managed (athletics, dining, clinics, etc.) and adhere to multiple compliance requirements (PCI, HIPAA, GLBA).
  • Both must support a variety of users with different privilege levels and multiple devices (phones, tablets, laptops). Universities face the additional challenge of school-related devices.
  • Both face inside risks and unknown outside risks. But the open nature of universities means they can’t lock down users.
  • Both enterprises and universities must protect large amounts of personal data. But universities also have research data to protect – a major target of cyberattacks from foreign governments and companies.

How do you find the unknown risk?

One of the biggest challenges in both higher education and corporations is identifying unknown risks. The proliferation of devices is particularly challenging for a university that functions like an ISP, where students typically connect to the campus network using four to six devices that may not be regularly updated.

What can you do?

  • Tip #1: Identify all network devices and rank them by which have not been scanned recently.
  • Tip #2: Perform vulnerability scanning regularly (Tenable solutions can help) to identify connected devices. But periodic scanning is not sufficient; you need to monitor what’s happening in your network continuously.

What about mobile devices?

Mobile devices are difficult because they are transient and are often disconnected from the network.

What can you do?

  • Tip #1: Prioritize administrative systems (HR, Payroll, etc.) first because their functions are critical to the university. BYOD can come later.
  • Tip #2: Focus on protecting the sensitive data first instead of the device.
  • Tip #3: Identify critical data such as social security numbers, credit card data, driver’s license numbers, and passport numbers. Use commercial or freeware tools (such as Identity Finder or Tenable’s SecurityCenter Continuous View™).
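Tip #3 above recommends tools for finding sensitive data; the block below is an added illustration of what such a tool does at its core, not code from the webcast or from any Tenable or Identity Finder product. It scans constructed sample text for SSN-shaped values and payment card numbers, rejecting structurally impossible SSNs and card numbers that fail the Luhn check so that phone numbers and test data do not show up as findings.

```python
import re

# Constructed sample text standing in for a file found on an HR or payroll share.
SAMPLE_TEXT = """
Employee record: SSN 123-45-6789, backup card 4111 1111 1111 1111
Invalid SSN 000-12-3456 should not match; test card 4111-1111-1111-1112 fails Luhn
Support line 800-555-0199 is a phone number, not an SSN
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def ssn_is_plausible(area, group, serial):
    """Reject values the SSA never issues: area 000, 666 or 9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_valid(digits):
    """Luhn mod-10 check used by payment card numbers; catches typos and test strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_data(text):
    """Return (kind, matched_text) pairs for values that pass both shape and validity checks."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            findings.append(("card", m.group(0)))
    return findings


if __name__ == "__main__":
    for kind, value in find_sensitive_data(SAMPLE_TEXT):
        print(kind, value)
```

In a real deployment the same checks run over every file on the share, and the finding is reported by path and line rather than by value, so the scan report itself does not become a new copy of the data.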

How do you bring it all together?

In highly diverse environments, where multiple products are deployed and multiple teams manage them, achieving a centralized view of risk can be challenging.

What can you do?

  • Tip #1: Use the 20 Critical Controls as an implementation strategy.
  • Tip #2: Security should start at the local level. In places where you might not have enough local staff, a central IT group can take on more control.
  • Tip #3: Implement key enterprise-level controls or policies across all departments. Implement centralized reporting (Tenable Dashboards may be useful) and tools that provide visibility across the organization.
  • Tip #4: Implement network-layer controls across the enterprise. (Example: enterprise group policies for Windows environments, or vulnerability management programs that are easy to implement across the organization.)

Act with precision

The current corporate strategy to keep the bad guys out has failed. The bad guys are already in.

Organizations and educational institutions face many security requirements. Should you focus on security or compliance? Gap assessment or risk assessment? What actions have the greatest impact?

What can you do?

Monitor data that is leaving your network

  • Tip #1: Focus on a risk-driven program. Meeting compliance obligations provides a minimum of protection.
  • Tip #2: Monitor what’s leaving your network. Many organizations focus on keeping the bad guys out; they don’t monitor what’s already compromised and leaving their networks.
  • Tip #3: Use tools like NetFlow, SIEMs, and Tenable SecurityCenter CV™ that can help consolidate data and monitor outbound connections.
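Tips #2 and #3 above say to watch what leaves the network; the block below is an added example of the kind of logic a SIEM rule or a script over NetFlow exports would implement, not code from the webcast or from any Tenable product. It runs over constructed flow records, keeps only flows from the internal address space (assumed here to be the RFC 1918 ranges) to external hosts, and flags three things per source host: unusually large outbound volume, connections on ports that are not approved for egress, and repeated flows to one external peer and port, the pattern a compromised host shows when it checks in with its controller.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records in the shape of a simplified NetFlow/IPFIX export:
# (src_ip, dst_ip, dst_port, bytes). External addresses are documentation ranges.
FLOWS = [
    ("10.20.5.14", "10.20.1.2",     445,   8_000),   # internal to internal: ignored
    ("10.20.5.14", "203.0.113.9",   443, 120_000),
    ("10.20.5.14", "203.0.113.9",   443,  95_000),
    ("10.20.7.31", "198.51.100.20", 443,   4_000),
    ("10.20.7.31", "198.51.100.21",  22,   1_000),
    ("10.20.9.77", "198.51.100.5", 6667,   2_000),
    ("10.20.9.77", "198.51.100.5", 6667,   2_500),
    ("10.20.9.77", "198.51.100.5", 6667,   2_200),
]

# Assumed internal address space for the example (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize_outbound(flows):
    """Aggregate only flows that leave the internal address space, keyed by source host."""
    stats = defaultdict(lambda: {"bytes_out": 0, "dest_port_flows": defaultdict(int)})
    for src, dst, port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            stats[src]["bytes_out"] += nbytes
            stats[src]["dest_port_flows"][(dst, port)] += 1
    return stats


def flag_hosts(stats, byte_threshold=100_000, repeat_min=3, approved_ports=(80, 443)):
    """One (host, reason) alert per host per condition; thresholds are example values."""
    alerts = []
    for host in sorted(stats):
        s = stats[host]
        if s["bytes_out"] > byte_threshold:
            alerts.append((host, "outbound volume %d bytes exceeds threshold" % s["bytes_out"]))
        for (dst, port), count in sorted(s["dest_port_flows"].items()):
            if port not in approved_ports:
                alerts.append((host, "%d flow(s) to %s:%d on non-approved port" % (count, dst, port)))
            if count >= repeat_min:
                alerts.append((host, "%d repeated flows to %s:%d (possible beaconing)" % (count, dst, port)))
    return alerts


if __name__ == "__main__":
    for host, reason in flag_hosts(summarize_outbound(FLOWS)):
        print(host, reason)
```

The thresholds have to come from a baseline of the organization's own traffic; the point of the example is that the question asked of each record is "is this host sending something out, to whom, and how often", not "was this blocked at the perimeter".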

Gaining Assurance

Gauging the effectiveness of your security investments is a challenge to any organization. In security, managers are often measured by their failures and not by the success of their programs. Security professionals must gain assurance and demonstrate their successes to executives.

What can you do?

You’re never given credit for the one great year where you had no security breaches, but you’re always remembered for the last time you were breached.

  • Tip #1: Build dashboards that are easily understood by management. (Tenable ARCs are useful.)
  • Tip #2: Minimize mean time to recovery. Reduce the time between becoming aware of a problem and mitigating it.
  • Tip #3: Make sure executive leadership understands the nature of the threats you’re dealing with. Keep them aware of the big risks and the measures you are taking to address those risks. Compare your results to peers.
  • Tip #4: Implement guidelines from Educause.

Conclusion

For more details and insights, listen to the full webcast on our website.
