By Dave Parsons, Chief Information Security Officer at Abacus Group
The cyber security lifecycle is a never-ending cycle of system upgrading, vigilant assessment and audit analysis, education, communication and remediation. Our Information Security (InfoSec) team at Abacus Group is constantly improving our security posture by taking a proactive approach to updating our systems, procedures and processes. We ensure privacy and security are given priority at the inception of every project, and our team is well versed in the defense in depth philosophy.
Along these lines, our entire InfoSec team, along with key members of other teams within Abacus from across our eight geographically dispersed locations, came together this month at our Dallas office for an internal InfoSec Summit. The goals of this gathering included standardizing the communication and workflow of our InfoSec analyst roles to find ways to better serve our clients and our internal teams. We used the opportunity to identify and analyze our security workflows, procedures, tools and documentation.
Defense in Depth
“Layering security defenses in an application can reduce the chance of a successful attack. Incorporating redundant security mechanisms requires an attacker to circumvent each mechanism to gain access to a digital asset. For example, a software system with authentication checks may prevent an attacker that has subverted a firewall. Defending an application with multiple layers can prevent a single point of failure that compromises the security of the application.” (source: US-CERT)
By making InfoSec a core competency for Abacus, we develop competitive advantage and team unity. We foster a culture of holistic circumspection by repeating the mantra: “Every step in the Abacus supply chain and lifecycle must take security into consideration.”
To that effect, here are some of the strategic InfoSec initiatives we have as ongoing priorities:
Operating System Hardening & Benchmarking
Workstation, server, and network systems ship by default with numerous features enabled that are potentially vulnerable to compromise. To secure the storage and management of data, we compare our operating system builds to the benchmarks maintained by the Center for Internet Security (CIS) and disable any service our business does not require. The same process includes changing default passwords, eliminating unnecessary service accounts, and removing superfluous software packages.
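The following is a small build audit of the kind this process implies, added here as an example; it is not Abacus Group's own tooling and the allow and deny lists in it are assumed stand-ins for a benchmark profile, not the actual contents of a CIS benchmark. The account, service and package data is a constructed sample; on a real host the same checks would read /etc/passwd and /etc/shadow (as root), the list of enabled unit files and the package manager's inventory.

```python
"""CIS-style build audit: compare a host's account, service and package state
against a benchmark fragment and report every deviation.

Added example, not Abacus Group's tooling. All inputs below are constructed
samples; the allow/deny lists are assumed placeholders for a benchmark profile.
"""
from dataclasses import dataclass

# Constructed sample of /etc/passwd (name:pw:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:legacy admin:/root:/bin/bash
svc_legacy:x:1002:1002:old app:/opt/legacy:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""

# Constructed sample of /etc/shadow (only name and password hash matter here).
SAMPLE_SHADOW = """\
root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
toor:$6$salt$hash:19000:0:99999:7:::
svc_legacy::19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
"""

# Constructed: enabled services and installed packages on the host.
SAMPLE_ENABLED_SERVICES = ["ssh.service", "cron.service", "telnet.socket", "rpcbind.service"]
SAMPLE_PACKAGES = ["openssh-server", "cron", "telnetd", "xinetd"]

# Assumed benchmark fragment: what the build is allowed to run and must not ship.
ALLOWED_SERVICES = {"ssh.service", "cron.service"}
BANNED_PACKAGES = {"telnetd", "rsh-server", "xinetd", "ypserv"}
LOGIN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}
APPROVED_INTERACTIVE = {"root", "alice"}   # accounts allowed an interactive shell


@dataclass
class Finding:
    check: str
    subject: str
    detail: str


def audit(passwd: str, shadow: str, services, packages) -> list:
    """Return one Finding per deviation from the benchmark fragment."""
    findings = []
    for line in passwd.splitlines():
        name, _, uid, _, _, _, shell = line.split(":")
        if uid == "0" and name != "root":
            findings.append(Finding("uid0", name, "non-root account with UID 0"))
        if shell in LOGIN_SHELLS and name not in APPROVED_INTERACTIVE:
            findings.append(Finding("shell", name, f"unexpected login shell {shell}"))
    for line in shadow.splitlines():
        name, pw_hash = line.split(":")[:2]
        if pw_hash == "":                     # empty field: login with no password
            findings.append(Finding("empty-password", name, "account has no password"))
    for svc in services:
        if svc not in ALLOWED_SERVICES:
            findings.append(Finding("service", svc, "enabled but not in allowlist"))
    for pkg in packages:
        if pkg in BANNED_PACKAGES:
            findings.append(Finding("package", pkg, "prohibited package installed"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES):
        print(f"[{f.check}] {f.subject}: {f.detail}")
```

On the sample data the audit flags the second UID 0 account, the service account with an empty password and an interactive shell, the two services outside the allowlist and the two prohibited packages; each finding maps to one of the remediation steps named above (remove the account, set or lock the password, disable the unit, purge the package).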
Incident Response Planning, Training & Mock Breach Exercises
Abacus takes significant measures to ensure our data and systems are protected from malicious attack. Incident Response Planning (IRP) defines, in advance, the actions staff must take in the event that Abacus suffers a digital or physical breach. We constantly update our IRP to prepare for recent trends, such as ransomware, and then rehearse the response, escalation, containment and documentation procedures in mock breach exercises.
User Recertification & Privileged Access Review
Periodic review of the access rights granted to our staff confirms least privilege (i.e. limiting each person's access to the systems and information needed for their role in the firm). If someone leaves the organization and retains access to sensitive information, there is room for misuse, exploitation, or sabotage. Staff members also change departments and may erroneously retain access to data limited to their previous position. The review also covers system managers, to confirm that administrative rights are held only by those who absolutely need them.
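The join that such a review comes down to, as an added example and not Abacus Group's own process or tooling: an HR roster is matched against an entitlement export and every entitlement held by a leaver, by a mover outside their current department's role model, or by an unapproved administrator is flagged for the system owner to approve or revoke. The roster, entitlements and role matrix are constructed samples; in practice they come from the HR system and AD/IAM exports.

```python
"""User recertification: join the HR roster against entitlement exports and
flag access that least privilege says should not exist.

Added example, not Abacus Group's process or tooling. Roster, entitlements and
role matrix are constructed samples.
"""
from collections import defaultdict

# Constructed HR roster: user -> (status, current department)
ROSTER = {
    "alice": ("active", "trading"),
    "bob": ("active", "finance"),      # moved from trading to finance last quarter
    "carol": ("terminated", "ops"),    # left the firm
    "dan": ("active", "it"),
    "erin": ("active", "it"),
}

# Constructed entitlement export: (user, system, role)
ENTITLEMENTS = [
    ("alice", "oms", "trader"),
    ("bob", "oms", "trader"),          # stale: finance staff should not hold trader
    ("bob", "erp", "ap-clerk"),
    ("carol", "erp", "ap-clerk"),      # leaver still provisioned
    ("carol", "vpn", "user"),
    ("dan", "ad", "domain-admin"),
    ("erin", "ad", "domain-admin"),    # not on the approved admin list
    ("erin", "vpn", "user"),
]

# Assumed role model: which (system, role) each department may hold,
# plus the named list of people allowed to hold administrative roles.
ROLE_MATRIX = {
    "trading": {("oms", "trader"), ("vpn", "user")},
    "finance": {("erp", "ap-clerk"), ("vpn", "user")},
    "ops": {("erp", "ap-clerk"), ("vpn", "user")},
    "it": {("vpn", "user")},
}
ADMIN_ROLES = {("ad", "domain-admin")}
APPROVED_ADMINS = {"dan"}


def recertify(roster, entitlements):
    """Return {reason: [(user, system, role), ...]} for every entitlement needing review."""
    flagged = defaultdict(list)
    for user, system, role in entitlements:
        ent = (system, role)
        status, dept = roster.get(user, ("unknown", None))
        if status != "active":
            # Leaver, or an account HR has never heard of: everything goes.
            flagged["inactive-user"].append((user, system, role))
            continue
        if ent in ADMIN_ROLES:
            # Privileged access review: admin rights need a named approval.
            if user not in APPROVED_ADMINS:
                flagged["unapproved-admin"].append((user, system, role))
            continue
        if ent not in ROLE_MATRIX.get(dept, set()):
            # Mover or over-provisioned user holding a role outside their department.
            flagged["outside-role"].append((user, system, role))
    return dict(flagged)


if __name__ == "__main__":
    for reason, rows in recertify(ROSTER, ENTITLEMENTS).items():
        for user, system, role in rows:
            print(f"{reason:17} {user:6} {system}/{role}")
```

Anyone absent from the roster is treated the same as a leaver, since an entitlement with no owner in HR is exactly the orphaned account the review exists to catch.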
Penetration Testing & Vulnerability Scanning
Abacus contracts independent vendors to complete three comprehensive penetration tests annually to find vulnerabilities in our constantly evolving infrastructure. The InfoSec group also runs regularly scheduled vulnerability scans and compares the results with the vendor tests. Remediation efforts to categorize, prioritize, and apply controls are methodically executed to ensure the health and security of our systems.
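What comparing a scheduled scan with a vendor test looks like in practice, as an added example rather than Abacus Group's tooling: findings from both sources are keyed by host and reference, the two sets are reconciled to expose what only the vendor found (a scanner coverage gap, or a flaw no scanner can see) and what only the scanner found (out of the vendor's scope, or a false positive to verify), and the merged list is ordered into a remediation queue. Both finding lists are constructed samples with placeholder references, not real scan output.

```python
"""Reconcile a scheduled vulnerability scan with an external penetration test
and build a prioritized remediation queue from the union.

Added example, not Abacus Group's tooling. Both finding lists are constructed
and the references are placeholders, not real CVE identifiers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    ref: str                 # scanner plugin / CVE / vendor reference (placeholders here)
    cvss: float
    exploited: bool = False  # True when the vendor demonstrated exploitation


# Constructed: regularly scheduled internal scan results.
INTERNAL = [
    Finding("web-01", "rce-app-server", 10.0),
    Finding("web-01", "weak-tls-cipher", 5.3),
    Finding("db-01", "rce-app-server", 10.0),     # vendor never reached db-01
    Finding("jump-01", "smb-rce", 8.1),
]

# Constructed: findings from the vendor penetration test.
VENDOR = [
    Finding("web-01", "rce-app-server", 10.0, exploited=True),
    Finding("web-01", "weak-tls-cipher", 5.3),
    Finding("jump-01", "smb-rce", 8.1, exploited=True),
    Finding("web-01", "logic-auth-bypass", 7.5, exploited=True),  # no scanner signature
]


def _by_key(findings):
    return {(f.host, f.ref): f for f in findings}


def reconcile(internal, vendor):
    """Split findings into (both, vendor_only, internal_only) lists of (host, ref)."""
    i, v = _by_key(internal), _by_key(vendor)
    both = sorted(i.keys() & v.keys())
    vendor_only = sorted(v.keys() - i.keys())     # scanner gap: tune or add checks
    internal_only = sorted(i.keys() - v.keys())   # vendor scope gap or false positive
    return both, vendor_only, internal_only


def remediation_queue(internal, vendor):
    """Merge both sources per (host, ref); demonstrated exploitation outranks CVSS."""
    merged = {}
    for f in internal + vendor:
        key = (f.host, f.ref)
        if key in merged:
            prev = merged[key]
            merged[key] = Finding(f.host, f.ref, max(prev.cvss, f.cvss),
                                  prev.exploited or f.exploited)
        else:
            merged[key] = f
    return sorted(merged.values(), key=lambda f: (not f.exploited, -f.cvss))


if __name__ == "__main__":
    both, vendor_only, internal_only = reconcile(INTERNAL, VENDOR)
    print("confirmed by both:", both)
    print("vendor only      :", vendor_only)
    print("scanner only     :", internal_only)
    for n, f in enumerate(remediation_queue(INTERNAL, VENDOR), 1):
        print(f"{n}. {f.host} {f.ref} cvss={f.cvss} exploited={f.exploited}")
```

Sorting on demonstrated exploitation before CVSS is the choice a remediation team usually wants: a 7.5 the vendor actually used to get in belongs ahead of a 10.0 that nobody has shown to be reachable.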
Cybersecurity Awareness Training
Users are the first line of defense against social-engineering cyberattacks, so a consistent cybersecurity awareness education program is a key component of our IT security program.
In 2017, we implemented a new annual web-based program designed to provide employees with cybersecurity training, an understanding of common social engineering threats, and the steps required to avoid exploitation, including a phishing test. Read more about the results we’ve seen from this in my recent post on the importance of cybersecurity awareness training.
GDPR Compliance & Privacy Shield Certification
Our InfoSec team is also nearing completion of an internal data privacy project. Read about how Abacus is preparing for the EU General Data Protection Regulation (GDPR) and Privacy Shield Certification in my recent post on this topic.