Data transcends all of what we do. To start off their discussion, the group placed a heavy emphasis on the basics. While many security professionals are probably familiar with the SANS Top 20, a list of critical security controls for effective cyber defense, how many executives and security teams have actually been adhering to these “rules of the road” for the last 15 to 20 years? Practices like hardening, patching, vulnerability scanning, knowing your inventory, and knowing your data flows all seem simple, yet they are among the things regulators most often cite organizations for failing to do.
The group then turned their discussion towards access privileges. “Question not only who shouldn’t have access to information, but also who should.” They discussed how some industry guidelines and standards have helped mature the industry, with particular attention paid to PCI DSS compliance. Even though a number of really tough questions, like “What is the best way to map your data flows and systems?”, often go unanswered inside organizations, PCI has forced the industry, at least for in-scope cardholder data environments, to find those answers in order to comply.
Next, the conversation focused on the topic of admin threats, not just from the perspective of “you might have a rogue admin” but rather, “you might have an admin making poor decisions.” For example, an admin might send files from their work computer to their personal computer at home, which opens up avenues for sensitive data to end up in the hands of threat actors. Thorough controls need to be in place to help prevent admin credentials from falling into the hands of attackers and to limit the overall exposure of privileged users. Removing local admin accounts from all of the office desktops, or reducing the exposed administrative surface on servers, can go a long way toward keeping these critical privileged credentials safe.
Finally, the group also accepted the fact that at some point, attackers will find a way into your enterprise. Even though this was unanimously agreed on, the group also established that what matters more is that those intruders don’t manage to leave the enterprise with critical data. It is vital that security teams have the right egress controls in place to prevent data exfiltration, and that organizations have the programs and best practices needed to detect and eliminate threats once they are inside the environment.