Doveryai, no proveryai, or "trust, but verify," is the Russian proverb made famous by former US President Ronald Reagan. It means that a responsible person verifies before committing to a joint undertaking with anyone, even a party who appears completely trustworthy. Applying a trust, but verify approach to information security and risk management is essential at today's speed of business, which is constantly challenged by an evolving and advancing threat and vulnerability landscape. Organizations often implicitly trust that their security controls and capabilities have been implemented comprehensively and are operating as intended. For many enterprises, that is not the case. They realize that their environments are not nearly as well protected as they believed only when audits, risk assessments and security reviews uncover deficiencies in their security postures. In the most unfortunate circumstances, organizations do not learn how vulnerable they are until they experience a material security incident from which they believed they were protected.
A trust, but verify approach to information security and risk management supports the concept of information assurance. Information assurance is defined by the US National Institute of Standards and Technology (NIST) as "measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection and reaction capabilities."
Essentially, the goal of information assurance is to make explicit, and then validate, the steps taken to protect information systems. Successful implementation requires multiple layers of capabilities and activities that are applied consistently and matured continually. The following are 5 key considerations when implementing a trust, but verify approach to security control assurance:
- Use multiple tools to verify and validate asset inventory—One cannot protect what one does not know exists. An accurate inventory of business processes, the data and technical assets that support them, and the security controls associated with them is essential to a comprehensive information security and risk management program. Technical assets that are missing from operational inventories (e.g., configuration management databases [CMDBs]) routinely fall behind on basic security hygiene such as access reviews, patching and hardening. The inventory should record each asset's operating system; its manifest of installed applications and application code (both proprietary and open source); the business processes and data that the asset supports or interacts with; and the security capabilities and controls that protect it. Adversaries deliberately target assets that they expect to be overlooked or difficult to inventory (e.g., Internet of Things [IoT] devices; network-connected multifunction printers; network-connected heating, ventilation and air conditioning [HVAC] control systems; and any other endpoint with network connectivity to the organization's operating environment or access to sensitive data).
In most cases, technical infrastructure operations groups are charged with creating and maintaining the asset inventory and treat it as their source of truth, typically using common IT system management platforms. However, such a platform is only a single source of insight and is only as effective as the technicians who operate it. Information security and risk management groups should use independent technical asset discovery tools (e.g., active network discovery scans, passive traffic analysis and cloud provider inventory APIs) to verify that the operational inventory the IT organization trusts and acts upon is comprehensive, current and accurate. Ideally, the security-operated discovery tools produce results identical to the IT operational inventory.
A discrepancy between the outputs of the 2 sets of tools is itself a key performance indicator (KPI): it shows that at least one tool, or the process feeding it, is not working as intended, and it should trigger reconciliation and validation of the IT asset inventory. Every asset that appears in only one view is either an inventory gap or an unauthorized device, and both outcomes warrant investigation.
- Use vulnerability management scanning tools to ensure that patching is taking place and that hardening settings are implemented—Comprehensive system and application patching and hardening are foundational security capabilities that must be aggressively maintained. Numerous data breach and security incident studies have shown that a significant share of publicly disclosed incidents would not have occurred had the affected organizations effectively patched and hardened their technical infrastructures. Many enterprises trust native operating system and system management tools to deploy patches and hardening settings. Unfortunately, these tools often report success when they have achieved only partial success, or none at all (e.g., a patch that was downloaded but never installed because the system was not rebooted, or a hardening policy that applied to some objects and silently skipped others).
Vulnerability management tools are the current industry-leading practice for verifying that patches and hardening settings have actually taken effect on IT assets. These tools should be operated with privileged access to all network-connected assets so that they can conduct comprehensive scans and analysis (i.e., authenticated scans) rather than inferring state from the outside. Because the scanning credentials reach every asset, they are themselves a high-value target: they should be scoped to read-only where possible, stored in a vault, rotated regularly and monitored for use outside scan windows. The scan output should be reviewed by IT operations teams and compared with the results of the system management tools to ensure that the two consistently match. Any difference should be treated as a KPI showing that the patching and hardening processes are not functioning as intended. It may also be an indicator of compromise (IoC) that requires investigation to rule out a malicious actor having altered the assets in question to undermine their integrity or weaken their security settings.
- Use access reviews to verify least-privilege access is consistently applied—The principle of least privilege (PoLP) holds that an individual or system should be granted only the privileges needed to complete its approved tasks. It is a current industry-leading practice in information security and risk management and a key security control for many organizations. Access reviews are the verification control that enforces it: a systematic, recurring evaluation of whether each user and system account in the technical infrastructure and physical environment still needs to exist, and whether each of its entitlements is still justified. Many organizations are proficient at provisioning access when a user or system is onboarded and revoking it at termination. They are far less proficient at managing access for users and systems that remain active but have changed role or function since onboarding. In these cases the user or system accumulates privileges spanning both the original and the new requirements; the overlap is intended to last only through the transition, but the original entitlements are frequently left in place long after they are needed. Access reviews should be conducted on a regular, risk-based schedule (more frequently for privileged, administrative and third-party accounts) so that users and systems hold only the access their current roles require.
- Use point-in-time penetration tests and continuous security posture testing in production environments—Technical penetration tests are an effective assurance tool for evaluating the security posture and control effectiveness of IT capabilities. Point-in-time, human-guided penetration tests should be conducted by independent third-party security testers before major technical or operational changes are deployed to production, and at least annually thereafter or whenever the organization determines that its threat landscape has materially changed. These tests should be commissioned only once the organization believes it has implemented effective security measures and controls for the assets in scope; the test then verifies whether those controls actually hold. Testing in production demands agreed rules of engagement, a defined scope, and safeguards against service disruption and data exposure. Ideally, different security professionals or firms perform the test each period to minimize the bias that comes from any 1 individual's or firm's point of view. Results should be reviewed by the organization's security personnel and business process owners to identify risk and assess weaknesses in architecture, design and security controls. Continuous security posture testing provides an ongoing, automated assurance mechanism that complements human-driven penetration testing. These solutions should be applied to high-risk and high-value technical environments, configured to exercise threat scenarios with a high likelihood of occurrence, used to monitor security control effectiveness over time, and updated regularly with threat intelligence so that the methods and tactics exercised stay current.
- Require supporting artifacts and evidence for audits and reviews—Internal and third-party risk assessments and security reviews have become business-as-usual for many organizations, and many are conducted by questionnaire. These questionnaires are often detailed but lack any mechanism to assure that the answers are accurate. Unsupported answers can be wrong, or open to interpretation, without anyone noticing. For high-risk systems and relationships, the answers to key questions should be backed by artifacts and evidence (e.g., configuration exports, scan reports, access review records, or screenshots taken during the review), and the risk assessment and security review processes should define in advance which artifacts are expected, to limit misinterpretation and ambiguity. Once assembled, the artifacts should be examined by knowledgeable subject matter experts in the areas the questionnaire covers.
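The first two considerations above (independent asset discovery compared against the CMDB, and authenticated vulnerability scans compared against what the patch-management tool reports) share one mechanism: take the view IT operations trusts, take the view the security team gathered independently, and treat every disagreement as a finding. The following is an added example of that reconciliation, written for this article and not taken from any product or from the author's own tooling. All hostnames, IP addresses and patch identifiers are constructed placeholders, and the input format (lists of dictionaries exported from each tool) is an assumption.

```python
"""Trust, but verify: reconcile the IT-trusted view of the estate against an
independent security view. Constructed sample data; not from any real environment."""


def normalize_host(name: str) -> str:
    """Canonical hostname so 'WEB01.corp.example.' and 'web01.corp.example' match."""
    return name.strip().rstrip(".").lower()


# View 1: the CMDB export that IT operations treats as its source of truth.
CMDB = [
    {"hostname": "web01.corp.example", "ip": "10.0.1.10", "os": "Ubuntu 22.04"},
    {"hostname": "db01.corp.example", "ip": "10.0.2.20", "os": "RHEL 9"},
    {"hostname": "old-app.corp.example", "ip": "10.0.3.30", "os": "Windows Server 2012"},
]

# View 2: what the security team's independent discovery scan observed.
DISCOVERY = [
    {"hostname": "WEB01.corp.example.", "ip": "10.0.1.10", "os": "Ubuntu 22.04"},
    {"hostname": "db01.corp.example", "ip": "10.0.2.21", "os": "RHEL 9"},       # IP drifted
    {"hostname": "printer-3f.corp.example", "ip": "10.0.5.5", "os": "Embedded Linux"},  # never inventoried
]
# old-app.corp.example is in the CMDB but was not seen: decommissioned, offline, or evading the scanner?

# View 1 for patching: what the patch-management tool claims, host -> {patch_id: status}.
PATCH_MGMT = {
    "web01.corp.example": {"PATCH-A": "success", "PATCH-B": "success"},
    "db01.corp.example": {"PATCH-C": "success"},
}

# View 2 for patching: patches the authenticated vulnerability scan still found missing.
SCAN_MISSING = {
    "web01.corp.example": {"PATCH-B"},   # patch tool said success; scanner disagrees
    "db01.corp.example": set(),
    "printer-3f.corp.example": {"FW-PATCH-1"},
}


def reconcile_inventory(cmdb, discovery):
    """Assets seen only by the scanner, assets only in the CMDB, and attribute drift."""
    by_cmdb = {normalize_host(a["hostname"]): a for a in cmdb}
    by_scan = {normalize_host(a["hostname"]): a for a in discovery}
    unmanaged = sorted(set(by_scan) - set(by_cmdb))   # on the network, unknown to IT
    unseen = sorted(set(by_cmdb) - set(by_scan))      # IT thinks it exists, scanner did not find it
    drift = []
    for host in sorted(set(by_cmdb) & set(by_scan)):
        for attr in ("ip", "os"):
            if by_cmdb[host][attr] != by_scan[host][attr]:
                drift.append((host, attr, by_cmdb[host][attr], by_scan[host][attr]))
    return {"unmanaged": unmanaged, "unseen": unseen, "drift": drift}


def reconcile_patches(patch_mgmt, scan_missing):
    """Patches the management tool marked 'success' that the scanner still reports
    missing (false success), and hosts with missing patches that no tool manages."""
    pm = {normalize_host(h): v for h, v in patch_mgmt.items()}
    false_success, untracked = [], []
    for host, missing in scan_missing.items():
        host = normalize_host(host)
        if host not in pm:
            if missing:
                untracked.append((host, sorted(missing)))
            continue
        for patch in sorted(missing):
            if pm[host].get(patch) == "success":
                false_success.append((host, patch))
    return {"false_success": false_success, "untracked": untracked}


def discrepancy_rate(cmdb, discovery):
    """KPI: fraction of hosts (union of both views) on which the two tools disagree."""
    result = reconcile_inventory(cmdb, discovery)
    hosts = {normalize_host(a["hostname"]) for a in cmdb} | {normalize_host(a["hostname"]) for a in discovery}
    disagreeing = set(result["unmanaged"]) | set(result["unseen"]) | {d[0] for d in result["drift"]}
    return len(disagreeing) / len(hosts) if hosts else 0.0


if __name__ == "__main__":
    inv = reconcile_inventory(CMDB, DISCOVERY)
    print("Unmanaged (investigate as gap or rogue device):", inv["unmanaged"])
    print("Unseen (verify decommissioning):", inv["unseen"])
    print("Attribute drift:", inv["drift"])
    print(f"Inventory discrepancy rate: {discrepancy_rate(CMDB, DISCOVERY):.0%}")
    patches = reconcile_patches(PATCH_MGMT, SCAN_MISSING)
    print("Patch tool reported success, scanner says missing:", patches["false_success"])
    print("Missing patches on hosts the patch tool does not manage:", patches["untracked"])
```

The discrepancy rate is the KPI the article describes: in a healthy process it trends toward zero, and any host on the unmanaged list or any false-success patch is a ticket for IT operations and, until explained, a candidate IoC for the security team. In practice the two exports would come from the CMDB and scanner APIs rather than inline lists, but the comparison logic is the same.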
Effective information security and risk management programs are strengthened by a trust, but verify approach. The adversary community is constantly searching for weaknesses in the security postures of its targets, and the rapid pace of change in today's business activities makes mistakes and oversights easy to commit and easy to miss. A trust, but verify approach ensures that the appropriate checks and balances are in place and that the security capabilities and controls actually deployed are as comprehensive and effective as the individuals and organizations that depend on them expect.
John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP is the president of IP Architects LLC.