
Using ‘Embrace Cybersecurity’ to check on security progress

In previous blog posts (Business and IT aligned with Cybersecurity and Baselining Cybersecurity), I introduced our ‘Embrace Cybersecurity’ (EC) model for gathering the security requirements from which an information security policy can be written.

Using this method also makes it easy to follow up on progress, by defining the right KPIs. The answer to the question ‘How do we meet the goals we chose to aim for?’ yields those KPIs; in the EC model they are represented by the ‘Keyword’ cards.

The Toreon security expert drills down into the chosen keyword to define the right metrics. These metrics become the KPIs used to measure the security controls put in place.

However, reporting alone is not enough. The output of the EC model also needs to be translated into the right management practices. How this is done will be discussed in another blog post.

During the adoption of the information security policy, you might come across a misalignment between the goals the business and IT want to pursue. Another blog post will detail how to identify this misalignment and get everyone on the same page.

This is key for a functional information security policy.


Baselining Cybersecurity

A new baseline

A typical organisation already has a number of security controls in place to safeguard their business-critical information.
However, organisations sometimes experience these controls as impeding the business by being too strict. Furthermore, they see the new GDPR legislation fast approaching and fear that controls put in place to comply with it will hinder the smooth running of the organisation even more.

In other situations, organisations might reconsider their current security controls after a security incident, or they want to be better prepared against current cyber threats.

These situations can be used as a basis to create a new baseline for cybersecurity. A baseline is the agreed-upon standard of security for the organisation as a whole.

IT and Business alignment

The goal of this new baseline is to be more in line with the business’ needs while being compliant with current legislation. If the security baseline puts IT and the business in alignment, then it will work as an enabler and not an impediment.

For a way to create a strong security baseline, check out my previous blogs about the ‘Embrace Cybersecurity’ methodology of Toreon.




Business and IT aligned with cybersecurity

The owner of information

In today’s organisation, information is primarily managed and processed by IT, and the IT department is very often also made responsible for securing the information in the systems the business uses. Reports of recent cybersecurity incidents tell us this is not right, and recent legislation such as the GDPR agrees: accountability for the data rests with the business that owns it, not with the team that runs the servers.
A holistic information security policy needs to start with the owners of the information: the business. They have to tell you what is important to the business and what needs to be protected. Then business and IT need to be aligned on those requirements, which we do by helping them use the same frameworks and language.

Gathering security requirements

The challenge of gathering requirements lies in:

  • getting agreement on the goals of IT and the business;
  • using and combining different IT and security frameworks such as COBIT, the ISO 27000 series and SABSA to define and align those goals;
  • bridging the different vocabularies of IT and the business, so that both clearly understand the goals you want to achieve with your information security policy.


To get this done, we at Toreon created the ‘Embrace Cybersecurity’ approach. It brings IT and the business together to work out the organisation’s cybersecurity objectives, how they want to achieve them and which risks stand in the way.

This information is gathered in workshops that are supported by playing cards, themed: ‘Enterprise goals’, ‘IT goals’, ‘Keywords’, ‘Risks’ and ‘Actors’. The cards help collect information from the different departments in the organisation about what they see as goals, how IT should work and what security risks there might be.

The output is then combined in the overall risk register, so that mitigation actions based on the ISO 27001 standard can be defined. These mitigation actions lead to an information security policy that is aligned with both business and IT.

Theory and expertise behind ‘Embrace Cybersecurity’

The Embrace Cybersecurity approach uses the frameworks COBIT 5, ISO 27000 and SABSA; the expertise of the Toreon security experts is the glue that brings it all together. This seems like a lot of different frameworks, and you might wonder how they can be combined to deliver actionable results. We dissected the different frameworks and picked only those aspects that work best to gather the most complete and correct information. And of course this includes using the correct vocabulary for both business and IT.

Reference for the owner of information.


Three recommendations to protect your data

In a previous blog we shared 7 common recommendations to protect your systems. Now, let’s look at 3 recommendations to protect your data.

  1. Make backups and be able to restore systems and data

Can you ever be 100% sure you have completely cleaned up a compromised system after a breach? The only answer is no. You have to be able to completely rebuild any system to a known and trusted state from before the incident. Therefore, it’s important to have good data backup and system reinstallation procedures. Two checks make the difference between a backup and a recovery capability: keep at least one copy that an attacker who has taken over your administrator accounts cannot modify or delete, and rehearse a full restore regularly so you know how long it actually takes.

  2. Be able to quickly and efficiently respond to security incidents

Suppose that someone lets you know you have been breached. Do you know what to do? You should have a plan rehearsed and ready so you can react to incidents accordingly. Because ‘failing to plan is planning to fail’. Decide who is in charge and what needs to be done. Determine who can make the tough decisions, such as unplugging a business critical server. You also need to know whom you can call for help. You should rehearse your plan regularly. Compare it to a fire drill.

  3. Data encryption

You have a lot of security measures deployed in several locations of your IT environment. But the local environment surrounding your data is sometimes overlooked. If you have data in a less secure environment, you should consider data encryption. That is especially important on laptops, because they have a tendency to get lost or stolen. Bear in mind that full-disk encryption only protects a device that is switched off or locked, and that it is only as good as the management of its keys: escrow the recovery keys, so that losing a laptop does not also mean losing the data. You don’t want any sensitive data ending up in the wrong hands, or in the wild. Can you easily identify sensitive data thanks to security classification labels on your documents or other characteristics? Then it’s worth considering Data Loss Prevention (DLP) or Digital Rights Management (DRM) to prevent your data from leaking.


Seven advantages of penetration testing

In a previous blogpost we explained what penetration testing is and how it can help improve your security. Time to take a closer look at the 7 benefits pentests have for your company.

  1. Reveal vulnerabilities

Penetration testing uncovers existing weaknesses in your system or application configurations and network infrastructure. Even actions and habits of your staff that could lead to data breaches and malicious infiltration are examined during penetration tests. A report informs you of your security vulnerabilities, so you know which software and hardware improvements to consider and which recommendations and policies would improve overall security.

  2. Show real risks

Penetration testers try to exploit identified vulnerabilities. That means you see what an attacker could do in the ‘real world’. They might access sensitive data and execute operating system commands. But they might also tell you that a vulnerability that is theoretically high risk isn’t that risky at all because of the difficulty of exploitation. Only a specialist can perform that type of analysis.

  3. Test your cyber-defence capability

You should be able to detect attacks and respond adequately and on time. Once you detect an intrusion, you should start an investigation, discover the intruders and block them, whether they are malicious or experts testing the effectiveness of your protection strategy. The feedback from the test will tell you if, but more likely what, actions can be taken to improve your defence.

  4. Ensure business continuity

To make sure your business operations are up and running all the time, you need network availability, 24/7 communications and access to resources. Each disruption will have a negative impact on your business. Penetration tests reveal potential threats and help to ensure that your operations don’t suffer from unexpected downtime or a loss of accessibility. In this respect, a penetration test complements a business continuity audit.

  5. Have a third-party expert opinion

When an issue is identified by someone within your organisation, your management may not be inclined to react or act. A report from a third-party expert often has a bigger impact on your management, and it may lead to allocation of additional funds.

  6. Follow regulations and certifications

Your industry and legal compliance requirements may dictate a certain level of penetration testing. PCI DSS, for instance, explicitly requires regular internal and external penetration tests, and an ISO 27001 certification expects you to manage technical vulnerabilities, for which penetration tests by skilled testers are the usual evidence. That is because penetration testing focuses on real-life consequences.

  7. Maintain trust

A cyber assault or data breach negatively affects the confidence and loyalty of your customers, suppliers and partners. However, if your company is known for its strict and systematic security reviews and penetration tests, you will reassure all your stakeholders.

Interested to learn how we can help? Just let us know!


Why every company should get hacked

Did you know that, in traditional western movies, the heroic cowboy wears a white hat, while his enemy wears a black one? That’s where the expression ‘white hat hacking’ comes from. White hat hackers are the good guys. They specialise in penetration testing with the intention of alerting companies to vulnerabilities in their systems, software and networks, to pre-empt hacking attempts by an ill-intentioned individual.

Penetration tests
Penetration tests combine manual and automated methods and technologies. Their objective is to methodically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices and other potential points of exposure. Once a vulnerability has been successfully exploited, the testers use the compromised system to launch further exploits and go deeper from one vulnerability to the next, always within the scope and rules of engagement agreed with you beforehand.

White hat hackers evaluate the ability of organisations to protect their networks, applications, endpoints and users. They make external and internal attempts to bypass security controls with a view to gaining unauthorised access to protected assets. Afterwards, full test results and recommendations are delivered to help prioritise remediation efforts. Consequently, the company is in a better position to anticipate emerging security risks and protect its critical systems and most valuable information.

There are two main reasons to hire external penetration testers:

  1. Security breaches and interruptions in the performance of your services or applications can have long-term consequences. In addition to the financial aspect, they affect your business’ reputation: decreased customer loyalty, negative press, fines and penalties.
  2. Defensive security mechanisms such as user access controls, cryptography and firewalls are useful, but don’t offer full protection against potential security risks. New vulnerabilities are discovered every day, and attacks become more and more sophisticated. White hat hackers eat, sleep and breathe this, so they are in the best position to show companies where they need to improve their defences.

Hackers come in different shapes and sizes, and may wear different hats. We only wear white ones. Interested in finding out how we work? Let us know and send us an email.


7 recommendations to protect your systems

Cybersecurity is an issue for all of us. We need to improve cybersecurity risk management and better identify threats, vulnerabilities and risks. From the Center for Internet Security (CIS), the Australian Signals Directorate (ASD) and the American National Institute of Standards and Technology (NIST) to the British Government Communications Headquarters (GCHQ), they all have recommendations. But how do you see the forest for the trees? In this blog post, we provide you with our selection of 7 recommendations to protect your systems.

  1. Maintain an inventory of devices and software
    Do you know the systems that are active in your environment? And do you know which systems are authorised to be there? You need to know your IT environment like the back of your hand to ensure you know what you should be protecting.
  2. Maintain and apply secure configurations
    Default settings and out-of-the-box configurations are a no-go. They are often far too permissive, so they can easily be abused. Use published hardening guides (the CIS Benchmarks, for example) to create and apply secure configurations for all devices and software you manage, and check regularly that systems still match them.
  3. Patch systems and software and manage vulnerabilities
    Security patches are made available continuously for nearly all software used in a business environment. Once a patch is published, attackers can compare the patched and unpatched versions to find the hole it closes, so the window between patch release and exploitation attempts is short. Patch your systems before anyone abuses the holes you leave open, and keep track of the vulnerabilities for which no patch exists yet, so you can mitigate them in another way.
  4. Monitor security logs
    Don’t wait for someone from the outside to let you know that you are breached. Be proactive and read the signs. Where? In your security logs. Allocate time for people to monitor the security logs and prioritise this task. Only then will you be able to notice suspicious activity and investigate.
  5. Use active and heuristic malware protection
    A lot of new techniques to fight malware are excellent additions to traditional measures. Use those new features in browsers, email clients, office suites and operating systems among others. Test new types of tools for fighting malware. But don’t let vendors fool you into believing that they have the silver bullet. Effectively fighting malware means betting on more than one horse.
  6. Use signature, known-bad and reputation based malware protection
    Do not write off your ‘old’ antivirus, because it still has a place in your defense strategy. Make use of the variety of complementing services that can feed you information that help to block dangerous network traffic, files, emails, websites etc. Don’t just do this using the protection software on your endpoints, but also filter and block on your gateways to the Internet.
  7. Restrict network communications
    Hackers don’t want anything more than to move around freely on your network. You have to make this as hard as possible for them. Move away from a network design that allows every system to communicate with every other system, no matter how convenient that may be. Use network segmentation and filter network traffic between systems and segments so you can block communications you don’t like. Segmentation also makes it possible to lock down segments if there is a localised breach.
    Introduce security levels in your network zones, so that you’re able to deploy security measures in the security zones that need them. That makes your measures more cost effective.
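Recommendation 4 says to read the signs in your security logs. As an added example that is not part of the original post, the Python below runs one simple detection over constructed sshd-style log lines: it counts failed logins per source address inside a sliding time window, raises an alert when the count reaches a threshold, and separately flags a successful login that follows a burst of failures from the same address, which is the event an analyst should look at first. The log lines, the five-failure threshold and the five-minute window are assumptions for the example.

```python
"""Brute-force detection over sshd-style authentication log lines.

Added example: the log lines are constructed for illustration and the
thresholds are assumptions; tune them to your own environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, List, NamedTuple, Optional

# Constructed sample lines in classic syslog/sshd format (not real logs).
SAMPLE_LOG = """\
Mar  3 08:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar  3 08:00:03 bastion sshd[2102]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar  3 08:00:04 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar  3 08:00:06 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar  3 08:00:07 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 50215 ssh2
Mar  3 08:00:09 bastion sshd[2106]: Accepted password for root from 203.0.113.7 port 50216 ssh2
Mar  3 08:15:30 bastion sshd[2140]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  3 08:15:41 bastion sshd[2141]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
Mar  3 08:16:00 bastion CRON[2150]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


class AuthEvent(NamedTuple):
    ts: datetime
    result: str   # "Failed" or "Accepted"
    user: str
    ip: str


class Alert(NamedTuple):
    kind: str       # "BRUTE_FORCE" or "SUCCESS_AFTER_FAILURES"
    ip: str
    user: str
    ts: datetime
    failures: int   # failed attempts from this source inside the window


def parse_line(line: str, year: int = 2024) -> Optional[AuthEvent]:
    """Parse one sshd line; syslog carries no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not an sshd auth event (e.g. cron noise): skip it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return AuthEvent(ts, m["result"], m["user"], m["ip"])


def detect(lines: Iterable[str], threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Flag sources with >= threshold failed logins inside the window, and any
    successful login from a source with threshold // 2 or more recent failures."""
    recent_failures = defaultdict(deque)   # ip -> failure timestamps still in window
    already_alerted = set()                # one BRUTE_FORCE alert per source
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev.ip]
        while q and ev.ts - q[0] > window:   # slide the window forward
            q.popleft()
        if ev.result == "Failed":
            q.append(ev.ts)
            if len(q) >= threshold and ev.ip not in already_alerted:
                already_alerted.add(ev.ip)
                alerts.append(Alert("BRUTE_FORCE", ev.ip, ev.user, ev.ts, len(q)))
        elif len(q) >= max(1, threshold // 2):
            # A success right after a burst of failures is the case to
            # investigate first: the guessing may have worked.
            alerts.append(Alert("SUCCESS_AFTER_FAILURES", ev.ip, ev.user, ev.ts, len(q)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.ts:%H:%M:%S} {a.kind:<23} {a.ip:<15} user={a.user} failures={a.failures}")
```

On the sample data the root account at 203.0.113.7 produces both alerts, while alice’s single typo followed by a key-based login stays below the threshold. The same structure (parse, keep per-source state in a time window, alert on a rate and on a suspicious sequence) carries over to VPN, web and Windows event logs; the point of recommendation 4 is that someone has to run and read the output.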

7 steps to set up a cybersecurity program

To set up a good cybersecurity program, there are 7 steps you should take. They will make sure the cybersecurity activities that you define fit your business context, the particular risks your business faces and your level of risk-tolerance (how much risk you are willing to allow).

  1. Prioritise and scope

Identify overall business objectives and organisational priorities. This information helps you to make strategic decisions regarding cybersecurity implementations. It will help you to identify your most important processes and assets, so you know what you are protecting, and your attention can go to the most critical ones first. Then, in further iterations of this 7-step approach, you continue including lower-priority assets. In the long run, you should have all assets covered.

  2. Orientation

Once the scope of your cybersecurity program has been determined, the next step is to identify systems and information you want to target and find the relevant regulatory requirements. Identify threats and vulnerabilities related to those systems and information. Finally, define an overall risk assessment approach.

  3. Create a current profile

Now you can develop a current profile. Write down the outcomes you currently achieve against the list of outcomes in the NIST Cybersecurity Framework Core (the Identify, Protect, Detect, Respond and Recover functions and their subcategories). The current profile is basically an evaluation of your current security status.

  4. Conduct a risk assessment

Assess the current risk level. How do you determine risk? Keep it simple and start with a basic risk assessment process, which focuses on business impact rather than just highlighting IT security problems. Also, include an overview of existing security controls and the way they may already reduce risk.

  5. Create a target profile

Select the risks you want to deal with. Based on this selection, you determine your target profile. Down to what level of risk do you want to get your organisation? When you create a target profile, use the same techniques that you used for the current profile. The target profile will help you decide which additional controls you may want to implement.

  6. Determine, analyse and prioritise gaps

The difference between your current profile and the target profile indicates the gaps in security that you want to fill. Determine the actions that are needed to apply the security program. Prioritise these actions based on criticality or other more practical measures in order to determine which controls need to be addressed first.

  7. Implement your action plan

While the previous steps facilitate the implementation, in this last step you finally roll up your sleeves. The gap analysis provides you with a clear goal. You know what has to be done, and how. Now go get it done!
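Steps 3 to 6 are easier to follow with numbers in front of you. The Python below is an added worked example, not part of the original post and not a model prescribed by NIST: it records a current profile, credits the controls already in place when computing residual risk (step 4), derives the target profile as the lowest achievement level that brings each outcome within the agreed risk tolerance (step 5), and lists the gaps ordered by how much risk closing them removes (step 6). The 0-4 achievement scale, the impact-times-likelihood scoring, the tolerance of 4 and the sample profile are all assumptions for the example; the subcategory identifiers follow the naming style of the Framework Core.

```python
"""Current profile -> risk assessment -> target profile -> prioritised gaps.

Added illustrative example. The scoring model is an assumption, not something
the NIST Cybersecurity Framework prescribes: each outcome gets an achievement
level 0-4, inherent risk = impact x likelihood, and residual risk shrinks in
proportion to the achievement level.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_LEVEL = 4   # 0 = nothing in place, 4 = outcome fully achieved (assumed scale)


@dataclass(frozen=True)
class Outcome:
    ident: str        # label in the style of a Framework Core subcategory id
    name: str
    impact: int       # business impact 1-5, from the prioritise-and-scope step
    likelihood: int   # 1-5, from the orientation step (threats and vulnerabilities)
    current: int      # achievement level 0-4 recorded in the current profile

    @property
    def inherent_risk(self) -> float:
        return self.impact * self.likelihood

    def residual_risk(self, level: Optional[int] = None) -> float:
        """Step 4: credit the controls already in place (or a hypothetical level)."""
        level = self.current if level is None else level
        return self.inherent_risk * (1 - level / MAX_LEVEL)


def target_level(o: Outcome, tolerance: float) -> int:
    """Step 5: the lowest level that brings residual risk within tolerance,
    never regressing below what is already achieved."""
    for level in range(o.current, MAX_LEVEL + 1):
        if o.residual_risk(level) <= tolerance:
            return level
    return MAX_LEVEL


def gap_analysis(outcomes: List[Outcome], tolerance: float) -> List[Dict]:
    """Step 6: outcomes whose target exceeds the current level, ordered by the
    risk reduction closing the gap buys (ties: larger gap first, then id)."""
    gaps = []
    for o in outcomes:
        target = target_level(o, tolerance)
        if target > o.current:
            gaps.append({
                "id": o.ident, "name": o.name,
                "current": o.current, "target": target, "gap": target - o.current,
                "risk_reduction": o.residual_risk() - o.residual_risk(target),
            })
    gaps.sort(key=lambda g: (-g["risk_reduction"], -g["gap"], g["id"]))
    return gaps


# Constructed current profile for a small organisation (sample data, not a real assessment).
CURRENT_PROFILE = [
    Outcome("ID.AM-1", "Physical devices and systems are inventoried", impact=3, likelihood=5, current=2),
    Outcome("PR.AC-1", "Identities and credentials are managed", impact=3, likelihood=2, current=2),
    Outcome("PR.IP-4", "Backups are conducted, maintained and tested", impact=5, likelihood=3, current=1),
    Outcome("DE.CM-1", "The network is monitored to detect potential events", impact=4, likelihood=4, current=0),
]
RISK_TOLERANCE = 4.0   # assumed: the residual-risk score management is willing to accept


if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, RISK_TOLERANCE):
        print(f"{g['id']:<8} level {g['current']} -> {g['target']}  "
              f"(removes {g['risk_reduction']:.2f} risk)  {g['name']}")
```

With these numbers, network monitoring comes out first even though backups have the higher business impact, because it starts from nothing and therefore buys the most risk reduction; identity management already sits within tolerance and generates no action. That is the kind of argument the gap analysis should let you make to management, whatever scoring model you settle on.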

Do you want help setting up your cybersecurity program? Drop us an email. We would love to help you.


The NIST Cybersecurity Framework: what it is and why you should use it

The latest ‘RSA Cybersecurity Poverty Index’ – an annual maturity self-assessment completed by a variety of organisations all over the world – shows that 67% of organisations had incidents that negatively impacted their business in the last 12 months. Only 24% of those businesses were considered mature in their security strategy. That means the chances of having incidents are very real, while most companies have not reached the maturity needed to reduce those risks.

It’s high time for improvement. Companies need to get the basics right, but that is not sufficient. One of the most recent and pragmatic initiatives to support further improvement is the NIST Cybersecurity Framework (more on this in one of the next blog posts). It identifies and gives advice about five functions of cybersecurity: Identify, Protect, Detect, Respond and Recover.

A made-to-measure solution

The NIST Framework is based upon various standards that have proven to be successful. While it targets organisations with critical infrastructure, businesses across nearly all industries can benefit from adoption.

The NIST Cybersecurity Framework is not a one-size-fits-all approach to managing cybersecurity risk. Organisations will continue to have unique risks: different threats, vulnerabilities and risk tolerances. How they implement the practices laid out in the Framework will vary as well. Organisations can determine activities that are important to critical service delivery and prioritise investments to maximise the impact of every cent they spend. Ultimately, the Framework is aimed at managing and reducing cybersecurity risks.

A common taxonomy

Building from standards, guidelines and practices, the Framework provides a common mechanism for an organisation to:

  1. Describe the current cybersecurity posture;
  2. Describe the target state for cybersecurity;
  3. Identify and prioritise opportunities for improvement within the context of a continuous and repeatable process;
  4. Assess progress toward the target state;
  5. Communicate among internal and external stakeholders about cybersecurity risk.

You see, the Framework provides you with risk-based guidelines. They are designed to help you evaluate current capabilities and create a plan toward improved cybersecurity practices.

Interested in more detailed information? Read more in our next blog, on the different steps of the NIST Cybersecurity Framework.