8 Tips for Penetration Testing

Posted by Ashley Sims - Marketing Manager on Tue, May 24, 2016

You think that you're safe, that your network is secure, that your firewalls are protecting you - but how will you know if you don't test it? 

A penetration test, or pen test, is an attempt to evaluate the security of an IT infrastructure by safely tring to exploit vulnerabilities. You may have also hear the term "Red Hat" or "White Hat" when it comes to testing because, while they are trying to hack into your system, these "attackers" are doing so in an ethical effort to find the vulnerable parts of your network in order to patch them. 

There are many options for penetration testing - either manual or automated, a pen test systematically compromises servers, endpoints, web applications, wireless networks, network devices, mobile devices, and other points of exposure. 

With so many things to test and so many options for testing, how do you know if you're getting the most out of your test? 

Download 8 tips to help you get the most out of your penetration test. 

 8_tips_for_pen_testing.png

 

Tags: vulnerability management, vulnerability, pen-testing, penetration testing

How to be compliant with Intelligent IAM

Posted by Steve Morin -Director, Product Management on Thu, May 19, 2016

A great deal of time and effort can be saved during management reviews and audits by using an Intelligent IAM solution to provide reports, including filtering and drill-down capabilities, trend information, and data visualization tools. These not only give managers a high-level view of progress toward goals (such as eliminating orphaned accounts and policy violations), but also they can show auditors that efforts have been made  to address  high-risk  issues, such  as monitoring access to the most sensitive data stores and controlling the entitlements  given  to privileged users. Here are a few other ways that using an Intelligent IAM solution can impact your goal of true compliance:

Continuous Improvement of Provisioning and Governance

Most users of Intelligent IAM solutions focus on the immediate benefits provided by continuous monitoring, rapid response to immediate threats, and tools to analyze risks, patterns, and trends.  But organizations shouldn't overlook the importance of strengthening their investment in existing IAM systems.increase_efficiencies_small.png

Intelligent IAM can support the continuous improvement of account provisioning, governance, and other IAM processes. By providing visibility to key areas of access risk, organizations can immediately respond and take action by either doing a microcertification to fully inspect suspect access or take a deprovisioning action against a known violation. While having a fixed schedule for access reviews is important to ensure compliance, enabling continuous reviews as and when risks become visible ensures best practice governance that continuously improves and enables a more efficient provisioning and compliance process.

Reducing over-provisioning and under-provisioning

Over-provisioning and under-provisioning are occupational hazards for everyone who defines and manages roles. Over­ provisioning creates security vulnerabilities by granting unnecessary entitlements to a role. Often this comes about when a single individual with unique needs requests new access levels or entitlements that are then assigned to the role rather than to the individual, and the entitlements are mistakenly given to everyone in that role. This potenreduce_cost_small.pngtially leads to everyone in the role being over-provisioned creating an access risk and circumvents a Least Privilege Model, which should be a best practice.

Under-provisioning occurs when an entitlement that’s genuinely needed for a role isn't assigned, forcing all or most people in the role to request that entitlement on an exception basis. This is a drag on the productivity of the employees and of the managers and resource owners who must repetitively review and approve their ad-hoc requests.

Intelligent IAM helps people who define and manage roles reduce over-provisioning and under-provisioning. With a few clicks, they can determine the following:

  • Which entitlements are rarely or never used by current members of a role, so those entitlements can be removed from the role
  • Which entitlements are frequently or always requested by members in a role , so those entitlement s can be added to  the role
  • Which individuals have excessive entitlements compared with others in the role, so the behavior of those individuals can be examined and the individuals can be assigned to more appropriate roles

Activity related information, such as last login and last transactions executed, also provides insight into whether rights are really needed. For example, if a resource hasn't been accessed for three months, there's a strong chance it's not required for that individual or others in the same role.

Closing the Governance Gap with Continuous Monitoring

Organizations have blind spots when it comes to violations of security and privacy rules. Account provisioning systems provide users with appropriate access to corporate resources when they join a company or change roles. However, changes and exceptions to rules and roles over time introduce excessive rights for individuals, leading to policy violations and access-related vulnerabilities. In many organizations, access permissions are gracompliance_governance_small.pngnted outside of approved provisioning processes. An example would be when application or database administrators grant access rights based on direct requests from a user.

Organizations should run periodic certifications asking managers to verify that existing access rights for their subordinates are necessary and appropriate. Unfortunately, busy managers often treat these as "rubber stamp" exercises. They don’t take the time to review each entitlement and consider its implications. In many cases, they lack the knowledge and tools to identify policy violations. In other cases, the sheer volume that needs to be reviewed is so overwhelming, reviewers are not thoroughly reviewing access during the certification review.

An Intelligent IAM solution can address these problems by providing not only the prevention on the front end but also continuous monitoring of identity and access-related data and events throughout the life of the user. Violations can be identified as soon as they occur (see Figure 3-2). Changes made outside approved provisioning processes can be flagged and reviewed. Data can be correlated to pinpoint Segregation of Duties (SoD) violations and other complex policy violations before they can be exploited.

Preventing Policreduce_threat_surface_small.pngy Violations at the Point of Origin

Even with an advanced account provisioning system, managers and resource owners find it very difficult to identify SoD and other policy violations.

An Intelligent IAM solution can be integrated with a provisioning system to flag potential policy violations at the time an access request is being reviewed. It can also give the reviewing manager or resource owner tools to drill down and look at the recipient's current entitlements and those of his or her peers, to determine if the request is necessary and appropriate. It's far less work to prevent a policy violation at the point of origin than to find it during a large-scale certification (or through a security breach).

In the near future, intelligent IAM solutions may be able to improve provisioning decisions by supplying recommendations based on real-time risk scoring. This would allow decisions to be made based on the risk profile of the enterprise, users, applications, and resource at the time of provisioning.

One example of such "intelligent provisioning" would be to set up three workflows so that

 

  • Low-risk access requests (as determined by the organization in the IAM solution) are granted automatically without requiring the attention of a manager.
  • Medium-risk requests are sent by the provisioning system to a manager for approval.
  • High-risk requests require approval by a manager and escalation to a higher level executive for final approval.

Conclusion

With changing policies, regulations, access, and more, it is hard to keep up with the trillions of relationships that happen within an organization on any given day.  With an Intelligent IAM solution, adapting to these advancements is considerably more effective and straightforward. By allowing managers to have increased visibility of the tasks, goals, and issues at hand, an Intelligent IAM Solution allows for both better efficiency and productivity within the company. By enabling continuous reviews, an intelligent solution guarantees that high-risk situations can be monitored and corrected using immediate precautions. This solution helps reassure that all audits are successfully organized by providing reports, including filtering and drill-down capabilities, trend information, and data visualization tools. Not only will an Intelligent IAM solution help you pass your audit but it will put your organization on the path to true compliance.

Want to learn more about how intelligence can impact your organizations approach to compliance? Download our new eBook Improving IAM with Intelligence for more information or schedule a demo to see Access Insight 9 at work. 

Tags: access compliance, access rights, Access Insight, access risk, compliance

Core Impact 2016 R1 Now Available

Posted by Ashley Sims - Marketing Manager on Tue, May 17, 2016

We are thrilled to announce the official release of Core Impact 2016 R1. With this release, Core Security continues to provide the most comprehensive software solution that proactively assesses any security posture of an organization.

The new capabilities released in Core Impact Pro 2016 R1 include:

  • Interactive Support for Web Application Record Login
  • Flexible and customizable reporting
  • Network vector enhancements

Interactive support for Web Application Record Login

In addition to the Web Application Record Login introduced in the last release, we have added support for those scenarios where the engine needs help from the user during the authentication process due to a challenge response test. One example of such functionality is CAPTCHA.

With Core Impact Pro 2016 R1 Record Login Assistant, you can now mark some authentication steps as interactive. When these steps are play backed during the WebApps Information Gathering phase, the user is prompted for input on those marked as interactive, and resume the remaining operations once that input is completed. Core_Impact_Pro_2016_R1_Pic.jpg

Flexible and Customizable Reporting

The introduction of Flexible and Customizable Reporting in the last release was one of the biggest requests from customers over the years and has had a lot of success.

With this release, we have re-engineered the structure and contents of our network existing reports (including Wi-Fi, Mobile, and MiTM) creating a set of new reports which provides more comprehensive information of the networks being tested. All these reports allow users to export to Microsoft Excel and customize many things including vulnerability tables, graphics, and company logos according to their needs. Users are able to save changes as a new template to be used as the base for future report generation.

Network vector enhancements

We have added many new features based on extensive customer feedback, including:

  • Kerberos support for network SQL Agent
  • Agent Persistency using WMI enhancements
  • Improved OSX El Capitan Agent support
  • Domain replication functionality
  • SWF Evasion and polymorphic code
  • Python VM upgrade

For more information on the newest release, download our datasheetor request a demo of Core Impact 2016 R1.

 

Tags: core security, core impact, pen-testing, penetration testing

Why Deleting Security Groups Doesn't Have to be Scary

Posted by Ashley Sims - Marketing Manager on Thu, May 12, 2016

 

A few months ago our very own Chris "Sully" Sullivan, GM- Analytics/Intelligence, delivered a speech to the Gartner Identity and Access Management Summit to a group of IAM ninjas in London. Confession - I love hearing Sully speak. I always learn something and I love seeing the crowd as they learn these things along with me. However, at this event I was actually more surprised than usual at the response that he got when he asked the simple question "how many people here delete security groups?"

 

You might as well have asked them if they would be willing to donate a kidney to a stranger or forgot their cell phone at home that morning. Needless to say, most everyone sort of looked at Sully like he was crazy which was exactly what he was going for.

 redo.jpg

The reason, he explained, that no one deletes these groups is because they can't tell what is in them. Can you imagine deleting a group because you thought no one needed it and it turns out that you just shut off your CEO's access to an application that he/she uses daily? Not a good look for the security team.

 

Sully's point for the presentation was that now, with access intelligence, you no longer need to be afraid of deleting these groups and cleaning up your network because you can finally drill down into these security groups and understand exactly what is at stake. The primary reason companies are loath to delete security groups in Active Directory is because they simply don’t understand the complexity of access such as how access is granted, nested entitlements, and direct versus indirect assignment of access.

 

All businesses, regardless of industry, are faced with an exploding universe of identities, devices and data that employees require to do their job. The expanded use of mobile and cloud devices, along with non-employee and transitional employee access means that risk management and compliance is extending far beyond traditional enterprise limits. This can equate to trillions of access relationships that put your company at risk. How are you supposed to see into all of these relationships and understand the risks they pose?

 

With actionable intelligence through Access Insight 9.0 you get a comprehensive and continuous view and analysis of these trillions of relationships between identities, access rights, policies, resources, and activities. Our analytics engine pulls in these large amounts of identity and access data and stores them in its proprietary in-memory access analytics engine. The "engine" correlates relationships that exist between user identities and their fine-grained access within an organization. These analytics identify potential risk in a current and historical perspective in lines of business, governance, operations and applications.

 

For example, our Access Explorer builds every Active Directory Group out in a spider diagram so that you can see AI_Spider.pngwhose access is connected and where your privileged accounts are linked to. 

 

Not only can you drill down into these details but our analytics provide the ability to analyze large amounts of identity and access data against policy and company defined models of activity patterns. This gives you the ability to personalize policies for your organization and with any change in these policies you can be immediately notified at any signal of dishonest or malicious behavior. Imagine having a solution that would automatically alert you and require a micro-certification when an account had access to do more than you believe it should?

 

It's time to start using all of this collected data to our advantage. It's time to start looking at our access relationships and prioritizing the risks our organization faces. Weather you have an Identity and AI9_Access_Risk__300x2506.jpgAccess Management solution or are working within your Active Directory, Access Insight can put your data to work for you.

 

Want to see how this looks within your organization? Request a demo of our Access Insight solution and see how actionable intelligence can help prioritize risk and transform your organization's security.

 

Tags: access rights, Access Insight, access risk, intelligent IAM, identity and access governance, Identity & access management, intelligent identity and access governance, intelligent identity and access management

How Intelligence Enhances Your Cyber Security

Posted by Emily Turner- Product Owner, Access Insight on Thu, May 05, 2016

If you are reading this blog, you most likely understand the benefits of adding identity and access management (IAM) solutions to your business. However, what if you could make that solution better, faster, and help you become proactive instead of reactive? You can! Just add intelligence.

Adding intelligence to your IAM solution can turn complex data into actionable information and find trouble spots, as well as high risk areas. It can compare across roles and with peers, as well as investigate high-risk individuals, groups, and situations. 

Adding Intelligence

By connecting with an organization's applications and collecting information, IIAM solutions continuously monitor information about identities and collect data related to resources (including applications, databases, and files), access rights, access policies, and user activities such as creating accounts and logging on to applications.

This information, which may amount to gigabytes or terabytes of data, is organized in a data warehouse, as seen in Figure 1. Identity and Access Intelligence (IAI) is applied and analyzes the identity and access data using advanced analytic tools to perform data mining, statistical analysis, data visualization, and predictive analytics.

1.pngFigure 1: Data Dissemination capabilities when using IAM 

These data analysis tools aren't generic. They draw on IAM­ specific policies, rules, and risk indicators to provide information of immediate value to IAM administrators, analysts, compliance officers, and incident responders.

An Intelligent IAM solution provides the following:

  • Reports and graphics showing IAM activities and risk factors
  • Notifications and alerts about policy violations and suspicious event Can we show alert screen?
  • "Micro-certifications" triggered by questionable activities and events
  • Automatic remediation , such as removing entitlements and disabling administrator accounts obtained without approval
  • Risk scores that can be shared with provisioning systems and other applications (for example, a score that can be used to determine if special approvals are needed for a provisioning request)
  • Ad-hoc reports and analyses, created by analysts to explore specific issues and risks

These capabilities allow Intelligent IAM solutions to help organizations overcome the governance gap, the complexity gap, and the context gap.

Rapid Response: Turn Complex Data into Actionable Information

An Intelligent IAM solution should not only be able to monitor key data continuously, but also it should provide a flexible range of options for rapid response and remediation. In most cases, the appropriate  option  is a notification  or alert  to a  staff member who  can investigate  and  determine whether  or not the alert represents an issue that requires follow-up. 

In other cases, a specific action should be triggered, such as a micro-certification, or even automatic remediation. In all cases, the solution should not only provide notification of a possible violation or issue, but also it should provide related data, and  if possible recommended actions to make it easier to address the situation. The solution can also improve security analysis and risk management.

                                              Finding Trouble Spots and High Risk Areas

Privg_accts.pngAn Intelligent IAM solution can pinpoint trouble spots, weak points, and quickly answer key questions such as the following: 

  • Which accounts have the most privileged entitlements and haven't reset a password in hundreds of days?
  • Which individuals have the highest number of access rights when compared to peers?
  • Which business units have the most orphan accounts?

An Intelligent IAM solution can provide answers to questions in seconds, helping security and IAM analysts to:

  • Quickly detect potential indicators of attacks and security breaches (for example, a user account receives privileged access directly to a target application)
  • Focus their efforts on high-risk situations (f or example, accounts with many privileged entitlements that haven’t reset their passwords in over 90 days -check out Figure 2-3)

 Comparisons across Roles and with Peers

An IAM solution can correlate data to compare users with others in the same role, or with any individual in the organization who might provide a useful benchmark. Analysts, business managers, and resource owners can answer questions like “Does John Smith have more access rights than other financial analysts?" and "How do the access rights available to John Smith compare with those of Jane Jones and William Brown?"

These comparisons are extremely useful for assessing new access requests from individuals, for identifying excessive rights that accumulate when people move through different positions, and for highlighting outliers that may indicate a process problem or a misbehaving user.

Comparisons with peers also have the advantage of giving enterprises a way to identify elevated access (and risk) with­ out the expense of a major initiative to define and manage roles.

Investigating High-Risk Individuals, Groups, and Situations

With an intelligent IAM solution, you can investigate and analyze high-risk individuals, groups, and situations, as well as compliance violations. This process makes it easier to answer questions like the following:

  • Are there domain administrator accounts whose pass­ words have never been changed?
  • Which non-sales systems has this salesperson been accessing?orphaned_accounts.png
  • Is anybody accessing patient medical information with­ out a genuine "need to know"?
  • Which accounts with at least five entitlements haven't been used in more than 30 days?
  • Does this account have a suspicious number of privileged entitlements?
  • Should part-time employees receive all the access rights they are routinely granted?
  • Do contractors continue to access resources after their projects end?
  • Are system administrators routinely assigned rights they don't need to perform their jobs?
  • Does this business unit have an abnormal number of accounts with unnecessary entitlements (that is, access rights that have never been used)?

 

IAM_dummies_300x250.pngCan your Identity and Access Management solution do all of this? With Access Insight 9.0 it can! Access Insight 9.0 is Courion’s newest intelligence tool works with Courion’s IAM solution, another vendor’s or even when no IAM solution is present to help you make sense of your complex access relationships. 

Want more information on how intelligence improves IAM? Download our eBook “Intelligent IAM for Dummies” or schedule a demoof Access Insight 9.0 for your orgaization and learn how you can get the most out of your complex data. 

 

Tags: Access Insight, IAM, access risk, intelligent IAM, IIAM

What's New in Access Insight 9.0?

Posted by Emily Turner- Product Owner, Access Insight on Tue, May 03, 2016

 

Businesses in all industries need to manage the exploding universe of identities, devices and data employees require to do their jobs. To help make sense of the trillions of relationships, today Courion releases Access Insight 9.0.

Access Insight identifies the risk associated with any misalignment between users and their access within your organization and drives provisioning and governance controls to manage that risk. Specifically designed to answer the critical questions “Who has access to what resources?” and “Have they been given the right level of access?” Access Insight provides IT security, compliance, business and risk professionals with the data and tools they need to successfully deal with these complex challenges.

How does Access Insight 9.0 Work?

Access Insight provides a comprehensive, continuous view and analysis of the trillions of relationships between orphaned_accounts.pngidentities, access rights, policies, resources and activities across a multitude of enterprise systems and resources. Access Insight:

  • Works with Courion’s industry-leading portfolio of IAM solutions, or in conjunction with other IAM solutions to identify potential risks to the business, so you can quickly modify access as needed.
  • Is platform agnostic, and integrates with virtually any data source and commonly used IAM and/or security management application (e.g., SIEM, DLP, AD and others).
  • Enables you to easily configure policies that align with your organization’s corporate and regulatory policies – alerting you to intentional or unintentional violations.

The Access Analytics Engine

Access Insight 9.0 boasts a new analytics engine based on the Privg_accts.pngtechnology Courion acquired from Bay 31 in 2015. This engine enables companies to analyze complex data at significant scale with incredible speed. Access Insight pulls large amounts of identity and access data in continuously, and stores this in its proprietary in-memory access analytics engine. The “engine” correlates identity and access relationships to identify and prioritize risks, surfacing all deeply nested relationships that exist between user identities and their fine-grained access within an organization. These analytics identify potential risk in a current or historical perspective in lines of business, governance, operations and applications.

How it Works:

  • A business-friendly dashboard offers a variety of graphical displays and interactive interfaces, so that an organization’s access-related risks and risk levels can be easily viewed by line of-business managers and authorized users.
  • The access analytics engine continuously gathers and synchronizes an organization’s IAM and IAG information from multiple sources to compile a complete picture of an organization’s identities, access rights, resources and activity.
  • Automated data collection increases operational efficiency and reduces operational costs by eliminating labor-intensive IAM processes and drawn out efforts to demonstrate compliance.
  • Continuous governance and automated policy management provides the ability to automatically evaluate and act upon risks associated with users’ access and activities in accordance with an organization’s corporate controls and government regulations, enabling you to proactively create and enforce policies.access_explorer.png
  • Automated notifications alert you to changes and non-adherence to your organization’s corporate and regulatory policies; notify you of any conflicts and enable the swift assessment of risk level so appropriate action can be taken immediately allowing you to continuously maintain compliance.
  • Remediation controls automatically identify and remediate improper access, including intentional and malicious changes to user access that could harm your organization, as well as unintended changes to access.
  • Access analytics provide the ability to analyze large amounts of identity and access data against policy and company defined models of activity patterns. Changes in normal access activity patterns may be a signal of dishonest or malicious behavior. Quickly identify unused or obsolete access entitlements.
  • Drill-down capability allows you to further investigate details for potential threats and resolve risks immediately.

To learn more about Access Insight 9.0, view our datasheetor request a demo with one of our solutions consultants.

Tags: Access Insight, access risk, intelligent IAM, IIAM, intelligent identity and access management

Real vs. Regulatory Risk

Posted by Venkat Rajaji on Thu, Apr 28, 2016

Risk is a word you hear every day and it has become common place across the security industry. What is risk? What does it really mean? And why is it so important? Most importantly, how should we think about the impact of these risks and how we mitigate it?


Riisk is composed of: Impact x Likelihood. 

Impact- The damage caused by the risk, criticality of the assets, the actual data in the systems, the liability associated with an audit finding

Likelihood - The probability that an event will occur. When we think about likelihood we think about usage patterns, access levels for individuals and accounts,and exposure or vulnerability of such systems.

 

Within the context of Information Security there are two types of risk that companies face, real risk and regulatory risk.

 

Regulatory risk is associated with not being complaint with any number iStock_000026774677_Large_1.jpgof regulations. The penalty for this might be financial penalties, incarceration or a drop in stock prices if said issues are "material" enough to require reporting. For example, compliance within the healthcare industry with data privacy and HIPAA, companies within the Financial Services industry and SOX compliance, or retail organizations or anyone else accepting credit cards who must adhere to PCI compliance. What regulatory risk calls for is the implementation of a governance process for which to ensure compliance.

 

When you think about real risk, you're thinking about things like customer and consumer data, credit card information, employee data, SSNs, and access to processes like the recent Iranian nuclear processing  centrifuges that were hacked into and then stopped and started over and over until they blew up.  Here, governance process is not enough. This is now about protection and the impact is far greater than just a fine. Reputational damage, brand image, liability, and other major financial damages will impact the company.

 

Compliance regulations have helped and have forced companies to put in place governance processes to mitigate some risk. However, this drive for compliance has led to a lot of rubber stamping. Reason being, there is too much data and we don't know what is important and what is just another request. So the compliance checks themselves often don't do enough to protect the companies or their customers.

 

cyber-311111.jpgWe need the ability to really understand risk within the constricts of impact and likelihood. In order to satisfy both regulatory needs and to mitigate against real risk we need solutions that provide context for these risks. Context might be things like access levels, known vulnerabilities to systems, criticality of business systems and the data stored in those systems. This helps us better understand our enterprise risk.  Done correctly, this automation and intelligence also dramatically improves understanding of how you are actually doing and how that is changing over time (read actually managing this stuff), efficiency (read cost savings) and efficacy (real and regulatory risk reduction).

 

To manage both real and regulatory risk, you need to deter bad touches (inappropriate access) to information and processes. Since motivated bad guys have proven that they still might find creative ways in, you need to detect when that happens, and ebook_Assessing_the_Risk.pngonce you do that, you better figure out how to remediate the issues really quickly. The Courion suite of solutions are designed to solve exactly this problem across both the physical (vulnerability management) and logical (access management) worlds.

 

Looking for more information on how to mitigate both real and regulatory risk? Download Assessing the Risk of Identity and Access to learn how to identify and remediate both your real and regulatory risk. 

Tags: risk management, security risk, cyber risk, risk

New Version of TeslaCrypt, Cisco Patches Five Vulnerabilities, Sony Confirms Two-Factor Authentication Coming to PlayStation and More in This Week's #TechTuesday.

Posted by Harley Boykin - Marketing Coordinator on Tue, Apr 26, 2016
In this week's #TechTuesday: A new TeslaCrypt variant is being hidden in delivery tracker emails, Cisco patches five product vulnerabilities, researcher finds backdoor that accessed Facebook employee passwords, man arrested in data breach that exposed 55M Filipino voters, and Sony confirms two-factor authentication for PlayStation network. 

Tags: authentication, #techtuesday, data breach, malware, password, vulnerability

Guest Post- Alex Naveira, Director, ITGA & CISO on Compliance

Posted by Ashley Sims - Marketing Manager on Thu, Apr 21, 2016

To continue this month's conversation on compliance, we have another special guest joining us on the blog today. Alex Naveira is the Director, ITGA & CISO at Miami Children's Hospital and oversees multiple locations. We asked Alex what compliance meant to him and he had a list of different kinds of compliance and said "which one?" Needless to say, a CISO's job is quite complex when it comes to compliance and we are thrilled to have Alex join us to explain what he sees in his day to day life. 

An elderly man falls off of a subway platform and onto the train tracks.  A stranger pulls the man to safety while the train screeches to a stop.  Witnesses called the rescuer a hero, but he said: “No, my intuition made me do it and I just did what was right.”  Now, what does this story have to do with compliance?  What is compliance?

 

compliance.jpg

According to the Oxford English Dictionary, Compliance is defined as “acting in accordance with, and fulfilment of … conditions, or regulations.”, but with Information Security this goes further and it is more than just acting in accordance with regulatory conditions or requirements.  It is consistently acting with initiative, which according to Victor Hugo is “doing the right thing without being told.”  For one reason or another, some wait until they are told what is right or wrong prior to acting, but this places industries at risk, especially if they are not taking steps to proactively protect their technologies and the information housed within.

 

The first thing we need to understand before having a well-established information security governance, risk and “compliance” program is what we are striving to protect (e.g. resources, systems, identities).  Subsequently, we need to act on the processes and tools required to protect the information and technical resources within the environment.  Examples of these processes include access authorizations, continuous monitoring of infrastructure and system access threats, prioritization, and remediation of these threats.  Adaptive tools in today’s protection arsenal include Identity and Access Intelligence (IAI) systems, SIEMs with threat intelligence capabilities, and intelligent Network Access Control (NAC) systems.  Before regulations required it, we were already implementing passwords, role-based security, putting up firewalls, IPSs, and Identity and Access Management systems.  Why?  Because experience and intuition told us that it was the right thing to do.

 

iStock_000023256305_Full.jpgToday, we leverage these processes and tools to provide us a more intelligent path to management and control over our networked devices and most importantly, our identities.  In consequence, this naturally allows us to comply with regulatory requirements and institutes a culture of doing not only what is within the strict parameters of the law, but also what is right.  In less proactive organizations, compliance can certainly be used as a catalyst in approving the necessary funds to optimize security and operations, but it should never be used as the sole factor for doing what is right.

 

When an elderly man falls off a subway platform and is immediately rescued by a stranger, does the stranger wait for others to provide him “the law” of correctness before acting?  Of course not!  He just does what is right, even if difficult or expensive.  In the current world of nefarious movements, we need to establish an inherent culture of doing the right thing, not because a regulation tells us that it is right, but because our experience and intuition has assured us that it is the right thing to do.

Alex Naveira, CISSP, CISA

Director, ITGA & CISO

Information Technology

Miami Children's HospitalImpact_Pro_Demo.png

 

Looking for ways to keep your organization compliant? Check out our Attack Intelligence for Healthcare Organizations data sheet and you can even request a demoto see the solution at work. 

Tags: continuous compliance, hipaa compliance, compliance

Windows Users Warned to Dump QuickTime, Hybrid Malware Targets 24 Financial Institutions, and More in this Week's #TechTuesday Roundup

Posted by Harley Boykin - Marketing Coordinator on Tue, Apr 19, 2016
In this week's #TechTuesday: Windows users are warned to dump QuickTime, hybrid GozNym malware targets the customers of 24 financial institutions, Facebook scam delivers malware instead of a friend's video, an unsecure database leads to a potential healthcare data breach, and a new home security device that can create a sound fingerprint of your home.

Tags: IOT, healthcare, #techtuesday, financial services security, data breach, security, malware