Making The RIGHT Security

Security seems to be tough to get it right. Just take a look at the many breaches and incidents published in the news. Some of the most significant data breach uncovered are in MNCs (Annex). They incurred serious damages. Their reputation takes a drastic dip. Jobs of senior management are lost. The privacy of many individuals is compromised. 

Are we ready for the next biggest hacks? Are we ready to protect our assets and not be the next breach victim?

What this suggests is that security is not being looked into seriously by the "food chain". The project team is ignorant and under pressure to be the first to market and push out a product that is not properly security checked. The company chooses high savings and settles for a mediocre product with marginal protection on their intellectual property and customer data. On the flip side, the consumer or user is not vigilant and informed enough about a threat, so adopts poor habits that endanger their privacy. It is a vicious cycle. 

Security 3Ds

To put things into proper perspective, we need to put in place good security "3D" principles (Figure) throughout the "food chain":

1. Security by Design - The project team has to build in early security processes into their existing project life cycle. It must not be an afterthought as it will be too late if a higher cost must be incurred to rectify it. Identify a security advisor, or look out for such a professional - be it the CISO or IT staff savvy with this domain. 
   • Activity - critical review of architecture, control component specification, security acceptance testing
      
2. Security by Default - Develop a baseline security standard for the whole system and processes. Reduce the risk exposure to hackers and online attacks through the rigor of a hardening regime prior to actual production release. 
   • Document - hardening guide for server/client system/network, security configuration, and checklist
     
     
3. Security by Deployment - Implement adequate security controls to be selective and aim to achieve high supply chain integrity, such that this chain is well supported by a trustworthy supplier. Policy compliance is not enough without further assurance checks to validate that design and controls remain effective against evolving threats.
   • Guideline - International standard body (NIST) guideline, Industry best practices, scorecard of performance

To put these into practice, we need to identify the key domain and stay focused on making the RIGHT security.

RIGHT security  

Risk Assessment - This is one of the critical and early security activities in a systems development life cycle. The gist of it is to identify all possible threat scenarios and determine the likelihood it can happen and controls to be put in place, so as to reduce the risk level to the product or service. 

• Tip -  Update the Senior management and seek approval for any residual risk acceptance. 

Incident Management - We cannot be complacent that product and service are always free of bugs, and are 100% secure. Be prepared for "Murphy law". Incident handling needs a proper plan to be put in place. It needs clear stakeholder involvement. The communication plan needs to account for not only the internal user but also public media attention. They need to be timely informed of progress and action taken. 

• Tip - Include a playbook that can be regularly revised to record possible incident handling steps (e.g. malware infection, identify theft, denial of service attack, unauthorized access etc). Review the plan as part of the after action review. Update regularly on the response procedure to stay robust and comprehensive. 

Governance Oversight - Without top management support and buy-in, security implementation can take a back seat. Establish a dedicated steering committee that is given the mandate to approve security implementation, and risk acceptance of critical and high severity 

• Tip - Have the steering committee as a platform to track on the overall enterprise security scorecard standing which submits a report stating the compliance level of patch hygiene, timeliness to incident closure etc.

Hosting Policy - There is no one's man island in doing business. Outsourcing and Insourcing are inevitable to get the project implemented with a lean resource and a limited budget. To do more with less and keep the business competitive, we need to work smart. Consider adopting cloud services to scale up limited resources with highly resilient online services, tap into the "as a service" platform for a ready secure infrastructure and development environment

• Tip -  Do not rush through when you are new to the technology. Build the network of experts through conference and learn from their narratives. Establish a strategic partnership with MOU and contractual aids to invest and co-create secure innovations like Smart Internet of Things.

Test Regime - Leave no assumption that the product and service are secure. Gaps are left uncovered. It is our responsibility to surface them and put in remediation as early as possible. Do not give hackers the chance to find those vulnerabilities first. 

• Tip - To stay ahead in a rat race with the adversary, consider even having a whitehat that takes on the "hacker" to discover the "holes". Bounty aids (like HackerOne) is a form of crowdsourcing for such initiative to get feedback early with manageable rewards for those quality findings that penetrate through our controls. 

Plan how you can institute the 3Ds as part of the development lifecycle. Do up the action plan that can help in operationalizing them. Check that the plan makes sense to the stakeholder. Act on it and refine further. It does not end here. Initiate regular rapport building events. This is a journey to a successful and safe business with the RIGHT security.

================================================================================================

Annex - Some of the most significant data breach in MNCs

• 2018 - FedEx stored more than 119 thousand extremely sensitive customer data (e.g. passport, driving licenses and security IDs) on an open Amazon S3 bucket, essentially making all the information public.
• 2017 - Equifax, one of the largest credit bureaus in the U.S. had exposed personal information (including Social Security Numbers, birth dates, addresses, and in some cases drivers' license numbers) of 143 million consumers; 209,000 consumers also had their credit card data exposed.
• 2016 - Uber concealed a hack that affected 57 million customers and drivers worldwide and 2.7 million users in the UK. They kept that in the wraps and paid hackers $100,000 (£75,000) to delete the data.
• 2014 - eBay exposed names, addresses, dates of birth and encrypted passwords of all of its 145 million users. Hackers got into the company network using the credentials of three corporate employees and had complete inside access for 229 days
• 2013-14 - Yahoo announced in December 2016 of the August 2013 theft which has all of its 3 billion email users (instead of their past announcement of 500 million users) likely to be compromised, breaking its own record for largest ever potential data breach.
• 2013 - JP Morgan Chase, one of the largest banks was a victim of a hack during the summer of 2014 that compromised the data of more than half of all US households – 76 million – plus 7 million small businesses.