If you're running a robust security program, you're regularly conducting security and vulnerability assessments of both your network and your physical environments. But in the quest to uncover security gaps and vulnerabilities, teams often make slip-ups that blunt the impact of those assessments.
At this month's CSO40 Security Confab and Awards event in Atlanta, attendees heard from two expert security veterans about best practices for vulnerability assessment.
Roger Johnston leads the Vulnerability Assessment Team at Argonne National Laboratory. He and his team are often charged with finding vulnerabilities in physical security systems. Jerry Walters is Director of Information Security at OhioHealth, a regional not-for-profit hospital network headquartered in Columbus, OH. Walters and his team are responsible for the organization's overall information security program, including risk management, vulnerability management, incident response, governance and compliance.
Johnston and Walters approach vulnerability assessment from different angles, but between them they outline these four common mistakes that security teams make in the assessment process.
Lack of vision
When a team sets out to create a plan for vulnerability testing, no idea, even the most far-fetched, should be off the table, said Johnston.
"I think a big mistake people make is shutting down ideas too early," he said.
That means that during brainstorming and planning sessions, even the wildest, most far-fetched scenarios should be considered.
Johnston said he has observed that creativity is stifled by the presence of a manager in the room, and by the perception that security is too serious a subject for floating wild ideas for testing.
That's a mistake.
"The best ideas come late," said Johnston. "You're doing yourself a disservice if you shut down ideas too early."
Johnston also encourages all security practitioners to "think like the bad guys" if they want to really get at the most serious problems.
Letting compliance get in the way
As a security manager in the health care industry, Walters's work is inevitably tied closely to HIPAA.
"HIPAA is very non-prescriptive. With HIPAA the intent is 'go and do good.' It's left open to interpretation."
As a result, Walters said, there is a lot of speculation in the healthcare industry about what HIPAA requires, as well as attempts to put more definition around how to apply it.
Johnston noted that compliance laws often do more harm than good. He believes security teams need to push back to a certain degree if their vulnerability assessments are to be effective. At least 30 percent of compliance requirements are bad news, he said.
"For example, there are requirements that guards have to go to their stations at set times during the day -- therefore making it completely predictable when they will be there."