In a recent SANS blog post, Analyzing The Cost of a HIPAA-related Breach Through the Lens of the Critical Security Controls, John Pescatore, formerly of Gartner Research, walks through the Idaho State University data breach and points to the SANS Critical Security Controls that, had the University enforced them, would have identified the policy violation before it was too late. He then works out a security ROI based on the fine the University must now pay, on top of its breach notification costs. Proving a security ROI is, in general, a bit fuzzy, but the case for sound security management is not: it delivers efficiencies that can actually be measured, quite apart from the harder-to-quantify cost of a potential security incident it helps avoid.
The aspect of this breach that I’d like to focus on is based on the SANS Critical Controls, specifically Critical Control #10, which describes “The processes and tools used to track/control/prevent/correct security weaknesses in the configurations in network devices such as firewalls, routers, and switches based on formal configuration management and change control processes.” This ties directly to the Gartner Research finding that 95% of firewall breaches are caused by misconfiguration rather than by a flaw in the firewall itself. If your firewall policies and change management practices are up to snuff, you have already addressed the 95% side of this specific issue!
SANS Critical Control #10 covers security policy configuration, security device configuration and the change management processes around both. Configuration and change management isn’t sexy, and it isn’t the shiny new security technology with all the latest bells and whistles, but it is sound security that works.
Think of it this way: you could have the most security layers and the most granular policies, but if your devices are out of date or improperly configured, your network is exposed to a greater risk of cyber-attack. Or you could be on top of your device configurations, but a policy was changed without the proper checks and balances, and now there is a new risk in the policy that wasn’t there yesterday.
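The “policy changed without the proper checks and balances” scenario is exactly what a configuration drift check is meant to catch. The script below is an added example written for this post; it is not code from SANS, Gartner or any firewall vendor’s product. It parses two snapshots of a simplified, made-up firewall rulebase (the one-rule-per-line format, the rule names, the addresses and the change record CHG-1042 are all constructed for illustration), diffs the policy observed on the device against the approved baseline, flags every rule that was added, removed or modified without an approved change record, and, separately, flags rules that are configuration weaknesses no matter how they got there (any-to-any allows, all-services allows, management services reachable from any source). Note that the approved change still gets flagged as a weakness: change control and configuration review are two different checks, and the example keeps them apart.

```python
"""Firewall policy drift and weakness check against an approved baseline.

Added example for this post; not SANS, Gartner or vendor code. The rule
format, names, addresses and change records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Services whose exposure to "any" source is a weakness even with a narrow destination.
MGMT_SERVICES = {"ssh", "telnet", "rdp", "snmp"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str  # "allow" or "deny"


def parse_policy(text: str) -> Dict[str, Rule]:
    """Parse 'name src dst service action' lines; '#' starts a comment; names are unique."""
    rules: Dict[str, Rule] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5 or fields[4] not in ("allow", "deny"):
            raise ValueError(f"malformed rule line: {raw!r}")
        rule = Rule(*fields)
        if rule.name in rules:
            raise ValueError(f"duplicate rule name: {rule.name}")
        rules[rule.name] = rule
    return rules


def weaknesses(rule: Rule) -> List[str]:
    """Reasons an allow rule is a configuration weakness (empty list means none found)."""
    if rule.action != "allow":
        return []
    found: List[str] = []
    if rule.src == "any" and rule.dst == "any":
        found.append("any-to-any allow")
    if rule.service == "any":
        found.append("allows every service")
    if rule.service in MGMT_SERVICES and rule.src == "any":
        found.append(f"management service {rule.service} reachable from any source")
    return found


Finding = Tuple[str, str, str]  # (kind, rule name, detail)


def audit(baseline: Dict[str, Rule], observed: Dict[str, Rule],
          approved: Iterable[str]) -> List[Finding]:
    """Diff observed policy against baseline; 'approved' names rules with an approved change."""
    approved_names = set(approved)
    findings: List[Finding] = []
    for name in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(name), observed.get(name)
        if before == after:
            change = None
        elif before is None:
            change = "added"
        elif after is None:
            change = "removed"
        else:
            change = "modified"
        # Change control: any drift from the baseline needs an approved change record.
        if change is not None and name not in approved_names:
            findings.append(("unauthorized_change", name,
                             f"rule {change} with no approved change record"))
        # Configuration review: weak rules are flagged whether or not the change was approved.
        if after is not None:
            for reason in weaknesses(after):
                findings.append(("weakness", name, reason))
    return findings


# Constructed sample data: the approved baseline and the policy found on the device today.
BASELINE = """
# name       src            dst             service  action
web-in       any            10.0.1.10/32    https    allow
dns-out      10.0.0.0/8     any             dns      allow
admin-ssh    10.0.9.0/24    10.0.1.0/24     ssh      allow
deny-all     any            any             any      deny
"""

OBSERVED = """
web-in       any            10.0.1.10/32    https    allow
dns-out      10.0.0.0/8     any             dns      allow
admin-ssh    any            10.0.1.0/24     ssh      allow   # source widened under CHG-1042
vendor-tmp   any            any             any      allow   # nobody knows who added this
deny-all     any            any             any      deny
"""

# Rules covered by an approved change record (hypothetical ticket CHG-1042 widened admin-ssh).
APPROVED = ["admin-ssh"]


def run_example() -> List[Finding]:
    return audit(parse_policy(BASELINE), parse_policy(OBSERVED), APPROVED)


if __name__ == "__main__":
    for kind, name, detail in run_example():
        print(f"{kind:20} {name:12} {detail}")
```

Run against the sample data, this reports vendor-tmp once as an unauthorized change and twice as a weakness, and admin-ssh once as a weakness only, because its change was approved but opened SSH to any source. In practice the baseline would be the last reviewed and signed-off export of the rulebase, the observed policy would be pulled from the device on a schedule, and the approved list would come from the change-ticket system rather than a literal in the script.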
Here are a few things to consider around the importance of this Critical Control:
If an attacker is motivated enough, they will eventually find their way into your network, but there are things you can do to make it a whole lot harder – and as John Pescatore walked through in detail, there is an actual ROI at the end of it!