
On 9 June, teissTalk host Jenny Radcliffe was joined by Dr Veselin Monev, Information Security Officer, Pilatus Aircraft; Fritz Y. Jean Louis, CISO, The Globe and Mail; and Danny Dresner, Professor of Cyber Security, University of Manchester.
Views on news
UNC2165 was sanctioned by the US Treasury Department in 2019 for using the Dridex malware to infect hundreds of banks and financial institutions across 40 countries and stealing more than $10m. From a regulatory standpoint, these sanctions essentially prevented victim organisations from paying UNC2165 a ransom to restore access to their systems.
According to Mandiant, the hacking group changed tactics in 2021 by starting to use the ransomware-as-a-service (RaaS) known as Lockbit. This news raises the question of whether this could be the right time to make any ransomware payment illegal, but doing so could turn the victims of ransomware attacks into criminals.
Commonalities and differences in security assurance
The entire ISO27001 approach to security has a sticking-plaster quality about it, as it relies on experts detecting gaps in the defence system and filling them rather than designing a secure system. Quality assurance is about demonstrating your maturity to your clients in terms of security controls.
Therefore, the real dilemma is not if you need it but when. It can also help the company to land some public contracts. In a constantly changing environment, security control needs to adapt to new threats all the time. Even if businesses have to cope with the same challenges for a longer period of time, the threats’ intensity keeps changing – as we have seen in the case of ransomware.
The 5 maturity levels are a useful tool, but they only reflect capability and not whether the company is actually doing things securely at any given time. There is a wide range of tools that can help businesses with quality assurance.
Although standards may differ across the world (SOC2 Type II or ISO 27001), the core aspects – Identity and Access Management and the necessity of measuring – are the same. Security assurance should be forward-looking, and although security awareness is important, ways need to be found to minimise the damage if malware gets through the system – for example, network segmentation, active monitoring of what’s coming in and adjusting filtering accordingly.
Security is still reactive rather than proactive because of both a lack of resources and the wrong focus. The 18 CIS Security Controls are yet another interesting and useful concept, based on information gained from real cyber-attacks.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543