Strengthening Corporate Governance over Cyber Security

Morey Haber, Chief Technology Officer
February 2nd, 2017

Strengthen Corporate Governance

We are squarely footed in 2017, with 2016 leaving many lessons to learn. The wave of hacks, including the one that impacted the presidential election and those involving IoT devices, has companies trying to strengthen their defenses against intrusions. To mitigate these risks, should they strengthen their corporate governance efforts, including disclosures and board committees, to focus on cyber security? The simple answer is yes, but the reasons are not obvious.

Adhere to Best Practices

Teams from the board of directors down to security engineers do not need to invent anything new (yet) to mitigate the effects of the modern security risks plaguing our government, the cloud, or our personal computers. We do not necessarily need to purchase new technology (of course some organizations do, if they have nothing in place already) to mitigate the risks. We just need to do a much better job at the security best practices we already know. Sometimes a product is needed, but most of the time it’s just a matter of doing the basics and doing them very well.

Ensure These Areas are Addressed in Revised Board Reporting

Here are a few areas where, if every company addressed them, backed by solid service level agreements and leveraging existing or new tools, the vast majority of risks and attacks could be mitigated:

Vulnerability Assessment, Patch Management and Penetration Testing

If you can document your known risks, patch them or apply configuration changes, and ultimately test them like a hacker would, you are removing the low-hanging fruit attackers use to gain access. This is effective against everything from web application threats to drive-by browser attacks. Keep all systems – from desktops to servers – fully up to date, and do it well.

User Privileges

The crown jewels in every company should be protected from unauthorized users. This includes the databases, servers, infrastructure, middleware and workstations authorized to access the information. Users should never be running as administrators anywhere, at any time, unless they absolutely need to. So remove admin rights, grant elevated access only when it is needed, and record every privileged transaction so you know when the crown jewels are being inappropriately accessed.

Application Control

Whether you subscribe to whitelisting, blacklisting, greylisting, reputation-based controls or application risk compliance, monitoring the applications executing on your assets is critical. Simple anti-virus solutions alone do not do this. Monitor applications and identify or block the exceptions that do not fall within acceptable-use parameters. This is critical to maintaining the operational integrity of your environment and, if done well, can block or alert on any new or malicious code that attempts to execute.

Back to Basics

Years ago Burger King tried this philosophy and it saved their business. Without a solid foundation of basics, anything you build on top could collapse like a house of cards. This means that basics like Active Directory, DNS, NTP, etc. should all be working well before you layer on any tools, from network management to security solutions. Without the basics operating reliably, the output of any tool that depends on them can be called into question, and the results may be intentionally altered or difficult to interpret (a skewed clock, for example, makes log timestamps impossible to correlate across systems).

Training, Training, Training

Educating the masses – from executives to interns – is critical to any safe computing environment. All users should learn how to identify a phishing attempt and how to manage their passwords, smart phones, and even identification badges. The human element is the weakest link in the entire attack chain, and training teams well should be a high priority for the management of any organization.

Strengthening corporate governance over cyber security is always a good thing, and there are several steps every organization should take as part of an overall governance strategy. I’ve outlined these steps above and encourage you to take a look at your organization to determine where your weaknesses might be before that report comes due to the board. Take the first steps today. Download our free Privilege Discovery and Reporting Tool and Retina IoT scanner to uncover where your biggest risks might be.

Morey Haber, Chief Technology Officer

With more than 20 years of IT industry experience and author of Privileged Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition. He currently oversees BeyondTrust technology for both vulnerability and privileged access management solutions. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures for Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science in Electrical Engineering from the State University of New York at Stony Brook.