From the Trenches, Part 1: Security Strategy and a Path To Success
Liz Bush
As we wrap up Cybersecurity Awareness Month, I had an opportunity to sit down with ThreatQuotient’s Security Operations Engineer, Aaron Louks.
For IT and security practitioners charged with keeping your organizations safe, we hope Aaron’s tips for driving security operations from a corporate strategy standpoint and advice from his journey in the field will provide valuable insights and inspiration.
How do compliance and regulatory requirements affect a company’s security policies?
Complying with various regulatory frameworks such as SOC2 or ISO 27001 requires you to take an introspective look at your daily operations and define those operations as written policy. This can be a tedious process, but it really helps to expose vulnerabilities that can be overlooked while being comfortable in a ‘business as usual’ mindset. Compliance forces you to be accountable to a third party and identify gaps in your process that you haven’t considered. For example, without compliance requirements, you may not be compelled to implement monitoring throughout your network to assist with incident response.
Regulatory requirements are created to instill trust and improve business relations. Enforcement of a comprehensive Information Security Management Policy signals to potential customers that your organization is serious about data protection and privacy.
How important is it to have a patch management strategy and where should you start if you don’t have one?
Patch management is one of the most important aspects of an Information Security Management Policy. Remediating vulnerabilities in a timely manner throughout your entire infrastructure is a proven method of reducing your attack footprint. If you are starting from square one on your patch management strategy and have no central management (e.g., Active Directory), I would recommend first doing reconnaissance on your network to understand what assets are currently connected. Nmap is a great open-source tool for this, but there certainly are other network scanning utilities out there.
Once you have all of your assets identified and recorded into a database (along with OS version info), then you will need to map owners to these assets. If you’re not able to put a service account or install an agent of some sort on these assets, then they would fall under ‘Shadow IT’ and it’s your responsibility to hold the owners accountable for updates (not an ideal situation).
However, if you’re able to get a service account or agent installed on your assets, then you can start actively managing package versioning and use a tool to monitor your package versions against known vulnerable versions and be alerted for remediation. At this point, your patch management strategy flows into your Change Control policy for actual execution.
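The inventory-to-remediation flow Aaron describes (scan, record assets with OS info, map owners, flag shadow IT, compare installed package versions against known-fixed versions) as a worked example. This is added illustration, not code from ThreatQuotient or the interview; the Nmap XML, owner map, package reports and fixed-version table are all constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the XML layout Nmap writes with -oX (not a real scan).
NMAP_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web01"/></hostnames>
<os><osmatch name="Linux 5.4" accuracy="97"/></os></host>
<host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
<hostnames/><os/></host>
<host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>"""
# Constructed: asset owners, what an agent reported installed, and the
# version each package was fixed in (a real run would pull these from a DB).
OWNERS = {"10.0.0.5": "platform-team"}
PACKAGES = {"10.0.0.5": {"openssl": "1.1.1f", "sudo": "1.9.5"}}
FIXED_IN = {"openssl": "1.1.1k", "sudo": "1.9.5p2"}


def parse_inventory(xml_text):
    """Return {ip: {"hostname", "os"}} for every host Nmap reported as up."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        name, osmatch = host.find("hostnames/hostname"), host.find("os/osmatch")
        inventory[ip] = {"hostname": name.get("name") if name is not None else None,
                         "os": osmatch.get("name") if osmatch is not None else "unknown"}
    return inventory

def version_key(version):
    """Tokenise '1.9.5p2' into (0,1),(0,9),(0,5),(1,'p'),(0,2) so tuples compare
    numerically per field. Assumes a letter suffix sorts AFTER the bare version
    (OpenSSL/Debian style); schemes where a suffix means pre-release differ."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[a-zA-Z]+", version))

def is_vulnerable(installed, fixed_in):
    """True when the installed version is older than the first fixed version."""
    return version_key(installed) < version_key(fixed_in)

def remediation_report(inventory, owners, packages, fixed_in):
    """Per live asset: accountable owner (or SHADOW IT) and packages needing a patch."""
    report = {}
    for ip in inventory:
        outdated = sorted(pkg for pkg, ver in packages.get(ip, {}).items()
                          if pkg in fixed_in and is_vulnerable(ver, fixed_in[pkg]))
        report[ip] = {"owner": owners.get(ip, "SHADOW IT"), "patch": outdated}
    return report
```

Assets that appear in the scan but have no owner or agent data surface as SHADOW IT with an empty patch list, which is exactly the set you cannot yet remediate centrally.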
Is two-factor authentication necessary for every corporate application? Is it enough?
It’s important to implement Multi-Factor Authentication (MFA) wherever possible within your organization. If an attacker somehow acquires a user’s password, MFA is the last line of defense before that user’s account is exploited.
Security is a multifaceted balancing act of trade-offs. For example, we have to choose between user experience and completely assured validation. Would users accept 4-factor authentication (password, TOTP code, YubiKey, biometric)? How practical is that? Do the assets we’re protecting warrant this level of assured validation? Is it enough? That really depends…
How did you get into cybersecurity, and what advice do you have for those interested in pursuing a career in the field?
My path to an infosec role was through years in various Support positions > Sysadmin positions > Software Engineering > SecOps. It’s not the path everyone takes, but it has allowed me to grow and experience different aspects of the industry while picking up some wisdom along the way.
My advice is to learn a high-level programming language well, learn about OS internals, and become familiar with networking and various protocols (HTTP, SSH, FTP, etc.). There is an endless pool of knowledge to digest, so try to specialize. Know that certificates are helpful but do not equate to knowledge or wisdom. In the end, a passion for technology will go further than anything.
How do you stay on top of the evolving threat landscape and what would you recommend to your peers?
I read some news sites (KrebsonSecurity, The Hacker News, Threatpost), but mostly I get information from following interesting people in the infosec community on Twitter. I watch a lot of conference talks (e.g., Defcon talks) on YouTube for topics that pique my interest. Pre-pandemic, I was attending security conferences as much as possible to compete in capture the flags. Just being involved in the social scene introduces you to new resources and ways of thinking that you probably would not stumble upon on your own. From my experience, the infosec community is a very open and accepting place – you just need to be willing to participate.
Check back for Part 2 of my interview with Aaron, where he offers advice from the trenches on how to work with employees to strengthen your company’s security posture.