About Us | Contact Us
View Cart

Where to Begin

By Sara Fultz | Monday, May 3, 2021 - Leave a Comment

…a Crash Course of Security Measures


The first article by Sara Fultz, Creative Assistant of infotex!


Introduction:

As the managing partner of infotex, I am proud to introduce the “debut article” for Sara Fultz.  I told Sara “write an article showing us what you’ve learned that the technical staff will appreciate.” As I read her first iteration, I found it to be very serendipitous that Sara would title her article, “Where to Begin,” as we are very proud she chose to begin her career with us.

– Dan Hadaway, CRISC CISA CISM

As the rest of the world begins to “wake up” to the need for information security, we’re often asked, “where should a company like ours start?”  The answer to this question can be very nuanced and can depend upon many factors, but the most common answer is that you almost always start with risk measurement.

Security is about risk management, and risk management is a never ending, cyclical process.  At a high level, we provide a variety of services to help with this never ending mission of technology risk management, including services to help with risk measurement, risk response, and risk monitoring.

This article is meant to introduce you to several “risk measurement” tools you can use to determine where you should start.  It can help you to decide what tools would be best for your company.

Risk Assessment

Like managing anything, the best way to start is to determine where you are.  We measure risk with risk assessments.

Risk assessment is where everything begins.  And if you’re going to do a risk assessment, you might as well focus on the “treasure” that you are needing to protect.  We call this “treasure” information assets, and a good risk assessment will start by brainstorming all assets at risk.  Obviously if you are collecting information protected by regulation or law, any device, person, or storage containing this information would be treasure that you want to protect.  After you have a good solid asset inventory, you then begin brainstorming vulnerabilities and threats to each asset, as well as prioritize those assets based on confidentiality, integrity, availability and volume.  This helps to measure inherent risk.  You then identify key controls meant to prevent a threat from exploiting a vulnerability.  As this is very tedious, most organizations prioritize this process by inherent risk (why ignore high risk assets in order to declare controls on low risk assets).  The process can be daunting, and we have been helping people with it since the year 2000.  In fact, at one time Dan was so busy helping banks write their risk assessments, he actually wrote a song called the GLBA Risk Assessment while driving from one bank to the next.

Social Engineering Tests

The people in our companies are our biggest security risk, so there are several tests that can be used to keep them on their toes and help them not be the next big security breach.  There is pretext calling, which makes sure no sensitive information is being shared over the phone.  There are also multiple kinds of phishing tests that teaches how to look out for “fishy” emails and links.  Depending on your risk profile, there can also be physical breach attempts and dumpster diving.  Testing the people at your company, instead of telling them what protocols they should follow, allows them to better understand why these specific, and often tedious, steps are taking place.

Technical Vulnerability Assessment

We do an internal and an external scan of your network.  The external blind scan is in a similar vein to our phishing tests.  Here we utilize the latest attack methods that hackers use in an attempt to access your internal network.  This is done blind to better mimic what a real security breach would look like.  We then do an internal network scan by installing a proprietary device that connects to our operations center to scan for vulnerabilities that could have been missed.

IT Governance Review

An IT Governance Review looks at policies, procedures, and people.  Are we properly responding to risk?  Are we actually enforcing controls we declare in our risk assessment, or is this process giving us a “false sense of security.”  People can be the Achilles heel of a financial institution, and to help combat this we review your IT management practices, which then allows us to assess the IT controls related to policies, procedures, processes, and training.  infotex will also perform a risk-based Policy Gap Analysis relating to policies and procedures, human threats, vendor threats, and compliance related threats.

Network Configuration Audit

How do you know the network is set up securely, safely, and for best practices?

We perform an assessment of your current network configuration in accordance to vendor and industry best practices using automated tools like the Microsoft Baseline Security Analyzer or CIS benchmarks.  This includes all client and server applications as well as IT practices, as practice makes perfect.  We review vendor documentation for AVS, spyware defense, firewalls, and more.

Virtual Environment Review

Like a network configuration audit, we can review the configuration of your virtual environment using SANS Institute publications and vendor publications as a best practice framework.  This review takes into consideration visibility, configuration management, network management, and disaster recovery as well as security.  Even though people can be the weakest link, we know it isn’t the only one to look at.

Places to Start:

Like I said earlier, people are our biggest security risk, because of that we test your user-level awareness with various social engineering services.  We obviously offer many more assessment services, but the above services are a great place to start!

 


Original article by Sara Fultz, Creative Assistant at infotex. Her fresh perspective hopefully makes technology security a little more fun!


same_strip_012513


 

Latest News
    What you need to know for compliance coast-to-coast. Back in 2020 we posted an article containing links to data breach laws from each state, and it has proven to be one of our more popular posts.  Because laws surrounding the use (and abuse) of technology are always evolving, we thought it was worth taking another […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! In the spirit of October and Halloween we have put together a gallery of our “spooky” Awareness Posters at halloween.infotex.com. Use them to help decorate for the holiday! Check […]
    With nearly three in four people using third-party payment services tied to their bank accounts, the risk isn’t limited to your own policies and procedures… An article review. When working on cybersecurity awareness messages for your customers you may be inclined to focus on your own systems, but a new study on security in digital […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS NEW EMPLOYEE FOR INFOTEX infotex is excited to announce that Cody Smith has joined the team as the newest Data Security Analyst. Cody holds several industry certifications (including the most recent: SSCP) as well as a B.S in Cyber Security & Information Assurance from Western Governors University. […]
    It’s all about protecting Customer information . . . In 1999 the Gramm-Leach-Bliley Act (GLBA) directed the Federal Deposit Insurance Corporation (FDIC) and other federal banking agencies to ensure that financial institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information.  The FDIC and other federal banking agencies […]
    A Ghoulish Gallery! Just a few scary-themed Awareness posters from our collection, which you can see at posters.infotex.com! Below you will find both the vertical and horizontal versions of each of the posters, all you need to do is “right-click > “Save link as…” to download! Vertical 8.5″ x 11″ Format   Horizontal 11″ x […]
    What to Expect in an Annual Information Security Report to the Board Webinar-Movie Information security ranks as a top risk to financial institutions, both in terms of likelihood and overall impact. It is important that boards receive annual comprehensive reporting from management about the information security risks and incidents, and the actions taken to address […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    With the potential to break all existing forms of encryption, quantum computing poses a unique challenge… An article review. While quantum computing has been a buzzword for some time now the technology remains largely theoretical, with small scale proofs-of-concept that still suffer from serious limitations.  That hasn’t stopped security researchers from worrying about the technology’s […]
    A new way of helping people “read” new guidance… Look for more in the future! To save you time, we are proud to present “Adam Reads” . . . recorded versions of our Guidance Summaries! Below you can find an embedded player for the audio file. If you are having issues with that working, you […]