External threats get most of the attention in InfoSec these days, but they are only one part of the threat every enterprise faces. Internal threats can be just as damaging and far harder to detect, which means every CISO has to build internal security into the overall plan for the business.
There are a number of sound steps to take against internal threats, but the most important may be writing a simple, clear set of rules, and that is a step too many CISOs underinvest in.
Modern internal threats are worrying for two reasons. First, the traditional insider threat is a malicious actor with legitimate access to one or more systems on the network. These people need a certain level of access to do their jobs, and they can turn that access to malicious ends. Such activity is hard to spot, because it comes from legitimate employees using the systems they are supposed to use. Internal threats also come from well-meaning staff who access or store information they shouldn't, which exposes that data to other, more malicious, parties.
Second, modern attacks by external actors unfold in stages. Through social engineering, the attacker obtains network credentials and establishes a foothold inside the network, then exploits internal security lapses to reach other systems and install malicious code. Once an attacker is past the perimeter, it is up to the organization's internal controls to ensure the stolen credentials cannot be used to find insecure data or reach other critical systems.
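One internal control that catches the staged attack described above is a baseline of where and how each account is normally used, so that a stolen credential appearing from an unfamiliar workstation and fanning out to several servers stands out. The script below is an added illustration, not code from the original article or from Gartner. The log lines are constructed, and the simplified field=value record format, host names and thresholds are assumptions for the example; a real deployment would parse Windows logon events or SSH auth logs instead.

```python
"""Flag credential use that departs from an account's baseline (added example).

The log format is a constructed, simplified authentication record:
  <ISO timestamp> user=<account> src=<source host> dst=<target host> result=<success|failure>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a few days of normal use for two accounts.
BASELINE_LOG = """\
2024-03-01T09:02:11 user=alice src=ws-alice dst=mail01 result=success
2024-03-01T09:05:40 user=alice src=ws-alice dst=fileshare01 result=success
2024-03-02T08:58:03 user=alice src=ws-alice dst=mail01 result=success
2024-03-03T09:10:27 user=alice src=ws-alice dst=fileshare01 result=success
2024-03-01T09:15:00 user=bob src=ws-bob dst=fileshare01 result=success
2024-03-02T09:20:00 user=bob src=ws-bob dst=git01 result=success
"""

# Constructed sample: alice's credential used from bob's workstation at 2 a.m.,
# touching several servers she has never used, then bob's normal morning login.
LIVE_LOG = """\
2024-03-08T02:14:05 user=alice src=ws-bob dst=fileshare01 result=success
2024-03-08T02:14:49 user=alice src=ws-bob dst=git01 result=success
2024-03-08T02:15:30 user=alice src=ws-bob dst=hr-db01 result=success
2024-03-08T02:16:02 user=alice src=ws-bob dst=finance01 result=failure
2024-03-08T09:01:12 user=bob src=ws-bob dst=git01 result=success
"""


def parse(log):
    """Turn the constructed field=value lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def build_baseline(events):
    """Per account: the set of source hosts and target hosts seen in successful logins."""
    sources, targets = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["result"] == "success":
            sources[ev["user"]].add(ev["src"])
            targets[ev["user"]].add(ev["dst"])
    return sources, targets


def detect(baseline, events, fanout_threshold=3, window=timedelta(minutes=10)):
    """Return (kind, user, detail, ts) alerts for events that break the baseline.

    new_source: the account is used from a host it has never logged in from
                (flagged for failures too, since a failed attempt is still a signal).
    new_target: the account successfully reaches a host it has never used.
    fanout:     the account succeeds against >= fanout_threshold distinct hosts
                within `window` (reported once per account).
    """
    sources, targets = baseline
    alerts = []
    recent = defaultdict(list)   # user -> [(ts, dst)] successes inside the window
    fanout_reported = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, src, dst, ts = ev["user"], ev["src"], ev["dst"], ev["ts"]
        if src not in sources.get(user, set()):
            alerts.append(("new_source", user, src, ts))
        if ev["result"] != "success":
            continue
        if dst not in targets.get(user, set()):
            alerts.append(("new_target", user, dst, ts))
        recent[user] = [(t, d) for t, d in recent[user] if ts - t <= window]
        recent[user].append((ts, dst))
        distinct = {d for _, d in recent[user]}
        if len(distinct) >= fanout_threshold and user not in fanout_reported:
            fanout_reported.add(user)
            alerts.append(("fanout", user, len(distinct), ts))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for kind, user, detail, ts in detect(baseline, parse(LIVE_LOG)):
        print(f"{ts.isoformat()} {kind:<10} user={user} {detail}")
```

Run against the constructed logs, every alert concerns alice: four new_source alerts (including the failed attempt against finance01), two new_target alerts for git01 and hr-db01, and one fanout alert when she reaches a third distinct host within ten minutes. Bob's morning login matches his baseline and produces nothing. The baseline is deliberately learned only from successful logins so that an attacker's failed guesses cannot poison it.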
Every effort to defend a network has to start with an understanding of the modern InfoSec landscape. Enterprise networks are complex latticeworks of interconnected applications and access points. Given that complexity, the traditional perimeter is no longer fully defensible, which is why the application layer should be treated as the new security perimeter.
CISOs have to build security into all internal and external application development from the earliest stages. In-house development should be done with security in mind, and the code should be tested rigorously throughout the development lifecycle to confirm it is actually secure. Outsourced code and applications, which are increasingly common, need security testing too, ideally through a method that can analyze the compiled binary when the source code is not available.
Secure application development cannot happen in a vacuum, of course. Individual developers may have different ideas about what real security means and, worse, may work around security measures in the name of productivity. That is why every CISO needs a robust, published set of security policies covering how the organization handles security.
CISOs cannot go into this process blind, however, or the result may be worse than having no policy at all. Creating a reasonable set of internal security policies is far more involved than tasking one member of the security team with listing things not to do. A real security policy is a living document, created with input from many sources, tested, and then rewritten in light of real-world experience.
The complexities of creating a true security policy are covered in "Five Golden Rules for Creating Effective Security Policy," a report published by Gartner. The report makes the case for effective internal security policies, then lays out in digestible form the steps CISOs have to take to ensure their policies are more than words on a page.
The report calls for a flexible approach at every stage of policy development. The security staff tasked with writing policy have to take input from all potential users, or at least their departments, so that the controls can coexist with a productive business. Policies should also have lifecycles, coming up for renewal every few years so that emerging security trends are accounted for.
Gartner also stresses the value of testing. Just as with application security, you will not know how effective a policy is until it is in place. CISOs need a mechanism for measuring compliance, and then need to find out whether areas of noncompliance stem from an undue burden before adjusting the policy accordingly.
The threat posed by internal actors grows as enterprises keep increasing the size and complexity of their internal systems, so CISOs have to take the initiative on internal security. A policy project undertaken now, and updated regularly, can save both effort and money down the road.
Want to learn more about creating effective security policy? Download Gartner's full report.