Table of Contents
Transcript: Understanding Information Security and Risk Management With Parul Khanna
Host: Hi everyone. Thanks for tuning into our Scale to Zero show. I am Purusottam, Co-founder and CTO of Cloudanix. Scale to Zero is a forum where we collect questions from curious security professionals and we invite security experts to learn about their journey and also to get these questions answered. Our goal is to build a community where we learn about security together and leave no security questions unanswered. With that, let’s get started with today’s episode. For today we have Parul Khana.
Parul is a Senior Consultant in the field of information risk management with background in incident response, cybersecurity investigations and software engineering. Previously she has worked as a core team member of Cybersecurity Operations Center at one of Canada’s Big Five banks. She holds a Master’s degree in Information Security and multiple certifications around security like CISSP, CCSP, Caesar and CRISC, et cetera, et cetera. She has also published a research paper on Doxing and International Conference on Information Security, Privacy and Forensic held in Montreal. She serves as a Vice President for the ISC to Toronto chapter and is also an active mentor at Cybersecurity. Community is dedicated to guiding folks looking to advance their career in the security field. Parul, thank you so much for joining me today
Parul: Great, yeah, it’s my pleasure and thank you so much for having me as part of Scale to Zero.
Host: Absolutely, thank you. So the way we do this show is we have two sections. One is the security questions and the other one is the rapid fire. So let’s start with the security questions.
And in that I want to start with how does generally organizations set up their risk management program? Typically what security leaders do is they follow a risk matrix methodology to assess and also determine the priority of different risks at hand. So,
How should the organization approach assessing risk and how should they prioritize the risks from the matrix?
Parul: Right, so yeah, it’s a great question and thanks for shooting for this question considering that I’m itself from the risk management field.
So I think when it comes to assessing the risk or approaching the risk, I think the first thing that I would like to point is and we have heard very common term, we have heard about this as like shift left security which is essentially the practice of moving our testing quality and performance, all those things early in the software development lifecycle. So I think that’s one of the approaches that the organization should be taking when it comes to deploying anything in production.
And there are associated advantages like when we say about shift left security, you get your early detection to your vulnerabilities and your software bugs. You have cost savings because the time it takes for you to fix something when it has literally like you are towards the end of your project is more as compared to the cost and time it takes to fix something at an early on stage when you’re still doing your requirement, capturing all your design phase. So, yeah, it’s one of the things I would say it’s a shift left security and probably a good ideal example of this would be a use case that comes on top of my head would be something like a CICD pipeline, which is your continuous integration and your continuous deployment.
So, continuous integration where we actually validate the code as it goes through the different gates or the different checks, through the process of like the automated testing and then your continuous deployment is then that once the code has successfully passed through the continuous integration phase, we are confident enough to deploy the code into production. So yeah, I think it’s good if the organization start taking this approach for half the focus on the shift left security and engage the stakeholders, the risk partners and all of the appropriate security teams at the beginning itself and at the beginning means that during the requirement of the design phase as well, design phase itself, rather than during the development or the testing phases.
And then to answer your second question, which was like, how should they prioritize the risks? So I think it’s important to see that what a risk matrix actually depicts is like your livelihood versus the impact and then it has a severity rating associated with those risks. So it’s important to see here that address the risks that are ranked high or extremely critical. So it’s important to address those risks. And then depending upon your team’s resources, then you can also see address like the medium as well as the low risk categories. But let’s just say if something has a high impact and there is a high likelihood of occurring for that risk. So definitely that needs to be addressed first. So that’s where I think what the risk prioritization or the risk matrix brings to ourselves. It helps us to prioritize like what other critical risks that need to be addressed first and foremost.
Host: Right, so you touched up on two areas, right? One is start as early as you can when it comes to security, right, in the software engineering lifecycle and shift left, don’t let it let the security hold score to production, right. Maybe you start as early as you can. And the other thing that you mentioned, like around the matrix, like prioritization, like criticals or high severities, maybe it should be a must that you need to address them. Maybe medium and low can be in the backlog, but extremely likely risks, high-severity risk should be addressed.
Parul: That’s right.
Host: So I want to extend that a little bit, right.
You mentioned about working on high priority critical, but sometimes what happens is according to the risk appetite of the organizations, they tend to put mediums minors of the low ones into the backlog and nobody pays attention to that for months. And we received this question from a fintech startup. They’re trying to understand that when we put things in backlog they become like a security debt, right, similar to tech debt or product debt and if you don’t address them on time then they affect overall productivity, performance and many other areas of the organization. So,
What are your thoughts on the security debt and how would you measure and then use that to prioritize those security types?
Parul: Yes, it’s a very, I would say common occurrence. So let me just take a step back and define what exactly security debt is. As you mentioned, the security depth debt, it’s definitely a subset of your technical debt and what exactly security debt refers to. It’s like an accumulation of your different vulnerabilities within your software that has kind of like gathered because you’re not able to fix or address those vulnerabilities given the resource constraint or given the time of fixing those.
So that is essentially what your security debt is. I think a part of it is a part of challenges when we look at the backlog to address those many issues and build upon your cost times as well as resources. So I think it’s a balance of these three things that we essentially use as to what part of that security debt needs to be addressed. Then the second way to look at it would be let’s just say when we are shifting security left, if from the starting itself we are able to address or remediate these issues then probably this debt is not going to burden us. Like I said, when there is like a collection of huge backlog. So yeah. I would just reemphasize on the fact that when the security gets baked in or like built in during the early processes or during the early stage itself from the start.
Then it becomes easier to handle this these vulnerabilities rather than having to go through the whole process of accumulating your security depth and then working on your time resources as well as budget constraints to see. OK, which all debt needs to be addressed first and foremost because even then you would have to do a prioritized. Right. Like some debts have more cost, more damage as compared to the other ones. So I think it’s a balance out there.
Host: Yeah, no that makes a lot of sense. Right.
At the end of the day, for organizations, it’s either the cost impact or the growth impact. So finding that balance is the key how you prioritize and then start working on the security tab.
So another area of security program set up is Incident Response Plan and I believe so too highly recommends to have necessary controls put in place. So according to you, like,
What are the top three areas a startup or a mid sized company should consider when they are defining their security controls around vulnerabilities and incidents and what procedures should they follow to address them?
Parul: Right, so on top of my head, when it comes to like the areas, it’s just the CIA triad that comes to my mind when we talk about any incidents or cybersecurity in general when it comes to protecting our data assets or the critical information. So confidentiality, integrity, and availability, like making sure that there is no unauthorized access, making sure that the information is accurate and no one can modify it, and then making sure that the information, accurate information is available to us at all times. So I think these three are the pillars, like, on which the whole cyber security or when it comes to implementing any of the security control here, like these three other pillars where it still stands, and then talking about the incident Management as well as vulnerabilities. So I think it’s important to have incident response plan in place.
I’ll stick to the next framework because that’s the one that we have in our CISP studies and other certifications. So it’s definitely important to prepare in advance, which means that you have an inventory of all your It assets, your networks, your servers, as well as your end points, and then identify which of them are the critical assets. And then comes the next phase of It, which is your detection and analysis. So detection essentially means that you set up rules and you set up policies which actually trigger you or indicate that, hey, there’s something wrong that could have potentially happened, like a precursor or something. And then analysis clearly involves like, identifying a baseline or normal activity for those affected systems and then correlating the related events and seeing how they deviate from the normal behavior. The next part of It essentially is your containment radiation and recovery. So for containment, think of it like for instance, if you have like, applying a bandage or something that you just want to contain the damage, you don’t want it to spread at all.
And then comes your eradication and recovery where you see that once the incident has been successfully contained, you should actually remove all the elements of the incident from the environment. And this might include, let’s just say, identifying your affected host, removing the malware, and then closing or resetting the passwords for the preached user accounts. So I think it’s important to definitely have the incident response management plan. I would like to emphasize on the importance of the post incident activity here as well, which essentially is your lessons learned, or how could we have dealt with this incident better or in a more timely manner? Or what could the staff or the people working to resolve that incident, what could they have done differently next time if the same incident occurred and are we equipped enough to actually prevent similar incidents from happening in future, or have we discovered new precursors or indicators of similar incidents to watch for in future?
So I think, yeah, it’s very critical, it’s important to have the post incident activity just like kind of a brainstorming session and the takeaway from it and then document the same as well. The same thing I would say is applicable for your vulnerability management. So this essentially has to have a process in itself. So you need to identify the vulnerabilities. Again, there are vulnerability scanners which are available to identify like a variety of systems, running your vulnerabilities on a variety of systems, which is like running on a network or your laptops or your desktops and then evaluating those vulnerability, like if it comes to whether it’s true or false positive. And then could someone directly exploit this vulnerability from the internet or how difficult it is to exploit this vulnerability? Or is there like a published exploit code for this vulnerability? And what would be the impact to the business if this vulnerability is exploited and then based off on all these analysis, it gives you CVS like that score itself. So I think that’s where you start treating your vulnerabilities based upon that score. That’s where you adopt the remediation phase, like be fully fixing or fully remediating or patching a vulnerability so that it can’t be exploited. So I think that’s the approach or that’s the process that is followed along the last part of it is essentially is your reporting of the vulnerabilities. So I think it’s important to document not only the discovered vulnerabilities but have a security plan on how to describe these vulnerabilities and then monitor the suspicious activity. So I think that’s quite important as well. So as long as there is like a documented process in place to address this and the steps and there is a procedure as well that’s being followed. So I think we should be okay when it comes to the incident response management plan or your vulnerability management plan.
Host: Makes a lot of sense and one of the areas that you mentioned. And that makes a lot of sense is around post, after the incident is handled. Reviewing how we could have gotten better or in future how we can get better at it right, so that in future your meantime to detection or recovery is reduced and on the vulnerabilities, totally agreed on scanning and following the CVS score. If something is critical then maybe that’s the first priority that you should address.
One of the areas that you touched on is the data, right? Like keeping data secure. And many security analysts claim that around data privacy, human error is one of the biggest factors. And there have been many, like phishing attacks, social engineering attacks that we have heard recently from either Twilio cloudflare where attackers got access to employees data somehow and then through employees they got customer data, access to customer data as well. Right, so
What steps would you recommend organizations to take to prepare for such attacks and also how should they react and even after the attack, how should they rebuild the trust and manage it?
Parul: Right, right, yeah, it’s again a great question. So I would like to pivot here the discussion towards, let’s just say towards my research, which is like kind of like was based on social engineering itself, but rather more focused on Doxing, which is a part of which is a form of social engineering. So Doxing happens when, let’s just say an employee post their personal information or information relevant to the company, like online on their social media and then doctors kind of like scan through that and gauge that information and then have that information, use that information to launch the attack. So basically in a Doxing attack, the hackers might publish someone’s telephone number or Social Security number or the misuse the Social Security number or even the home address as a matter of fact, or the credit card numbers, the bank account number.
So I think it’s critically important that we have the training and awareness in place for the employees and it’s important as well to take certain precautions on our end. For instance, like protecting our IP addresses, like by using VPN and then making sure that we are using strong passwords like not just ABCD or 1234, and then using separate usernames for different platforms and not using the same password for all the different platforms or for all the different accounts. And then it’s critically important that we take enough steps to review and maximize the privacy settings on the social media accounts so that when the third person or someone who is unknown to us is viewing it. They are not able to find that information because a lot of people don’t know that their account. They are like exposed to public and that kind of like leads to breach of their personal information. They are setting up like multi factor authentication definitely be to our banking accounts or social media accounts. So that’s one of the things.
And then just being aware that certain information can never be shared. For example, you don’t want to post your social insurance number on your Facebook profile or your social media account, right? And then just being careful not to overshare and then not to provide your personal information and making sure that even if you’re subscribing like to any of the third party websites, making sure that information the information asked for is actually the one that like information is being put to some hues, right. They’re not asking for unnecessary information which you don’t think that it’s relevant to the context. So I think a lot of these comes as part of your training, awareness and then just making staying up to date and being aware about it. So yeah, that would be my stance on it.
Host: Okay, I definitely learned something new here like Doxing. I’m not very familiar with it.
I’ll definitely research more on that after this episode. But yeah, that sounds interesting. One of the things that you mentioned that we don’t overshare when it comes to either your personal social media or only share which is relevant so that you don’t lead to these attack vectors.
So, keeping the data in mind, I want to talk about data loss prevention a little bit. One of the core principles of that is, like, labeling and tagging it, and it’s not that trivial to do that. And on top of that, if you add the daily volume that we generate, it becomes complicated. And on top of that, there are multiple vendors, every organization works with multiple vendors who have access to the data again, right? So it becomes ever more challenging, sort of impossible as well. So,
What metrics should be put in place to measure and monitor any data loss that might happen? Or how should they be classified and segregated so that we can prevent any data loss?
Parul: Right. So, yeah, I think for data loss, it’s critically important when we talk about metrics, it’s critically important that, first of all, there are a few things to keep in mind.
For instance, like your number of policy exceptions, which is granted for any defined time period. So think of, like, exceptions. They are like temporary permissions, which are granted on a case to case basis. And if the exceptions, they are not tracked or documented, then these could definitely result in potential vulnerabilities, or someone could actually just misuse their exceptions. So it’s important to keep a track of the number of exceptions for a defined time period and that they should remain as minimum as possible. The second part of it like a number of false positives, which is generated by your DLP tool. So I think it’s important for the businesses to maintain a balance between the false positives as well as their true positives, right, because you don’t really want to be an impediment to the business by generating a lot of false positive alerts or just blocking or archiving those false positives.
So, yeah, I think it’s one of a good metric and a good indicator of your data classification effectiveness. DLP rule set effectiveness. The third part of it would be the main time to respond to any of your DLP alerts. And by this, I mean, let’s just say, for instance, you know, that how actively are you monitoring your DLP alert? So that’s the summary of it. Okay, let’s just say some employee has sent their has sent a lot of PII information, like, externally to their own Gmail addresses, and you are kind of like monitoring the same event after a course of maybe like two weeks or maybe three days. So I think there’s like a time gap of it. So it’s important because it’s important to actively monitor your DLP alerts as well, and then take action on them as well, and then prioritize them on the basis of, like, their severity.
So I think it’s quite important just to make sure that there is no insider threat as well. And then the last of it would be the number of your unmanaged devices and your network, which is handling your sensitive data. So I think when we talk about these unmanaged devices, if they are processing or storing your sensitive data, this could be your file share, your endpoint, your servers, then each of these devices, it’s like a potential access point for your sensitive data. So a good DLP program will have all of these devices covered and will generate alerts correspondingly. So I think these are some of the points to keep in mind when we talk about the metrics and then talking about how the data should be classified and segregated to prevent any data loss. So I think if we look at the broad picture of it, it would be like something which is external, internal, and then your highly internal, your confidential and then your highly confidential data. So I think it’s important to have a correct data classification so that your DLP alerts get triggered accordingly. But yeah, I think a lot of emphasis should be actually placed on your data classification as well to have an effective DLP program.
Host: Makes a lot of sense. Some of the takeaways from this for me is like the excessive permission thing that you mentioned that should be minimum, like the duration should be minimum, right. Sometimes when we are in, let’s say, a production issue or something like that, we provide excessive permissions, but we should limit that, the false positives, that is very important. I think you highlighted that really well, that you have to cut down the signal versus noise challenge, right? You cannot have hundreds of alerts then you will start ignoring like the receiver would start ignoring it. Makes a lot of sense.
So I have one more question on the data aspect. Let’s say for startups who are working in Fintech or healthcare, they store a lot of PII or the financial information, health records.
How should they plan about storing that? Protecting that is the encryption and answer to all of this, right?
Parul: So, again, a great question. Yes, I would say, apart from your encryption is one of the possible ways to protect the sensitive financial data, like your PII or your bank account information or your credit card information, then I would say defense in depth, the concept of defense in depth, where we have multiple layers of controls in order to protect the sensitive data. For instance, like using strong password and making sure that there is two factor authentication and multifactor authentication in place, probably like the use of biometrics. And then you’re constantly backing up your data and the data is like encrypted.
And for that backup, you regularly test that backup, like if they actually works or not or doesn’t work. And if there comes a time when you have to purchase or destroy the data, you are safely disposing it. You’re safely, securely destroying your old media with your personal data in it. Making sure the points that we covered earlier, for instance, for example, for the vulnerability management, that all your patches are applied and your systems, your system is up to date and then you’re also using a secure wireless network and not just the public WiFi. So I think it’s important like some tiny steps like if you’re accessing your sensitive or financial information and making sure that there is no shoulder surfing or tailgating and kind of like dumpster diving so those things in place and then you’re locking your device when you’re away from your desk workstation and then avoiding uploading the sensitive documents to the cloud.
These are some of the best practices but I would say when it comes to other than encryption, I would say like defense in depth would be the best. Like having multiple layers of control to protect our sensitive data.
Host: Yeah, I love that you mentioned defense in depth because I also started noticing that a lot when it comes to data security discussions. Thank you so much for sharing that.
Yes, with that we sort of conclude the security questions section. Thank you so much for these answers. There are a few things which I have learned like doxing, going, more details into defense in depth and more around doing the basic things correctly like as you said, like MFA or there shouldn’t be any tailgating and stuff like that. So thank you so much for sharing these insights.
What metrics should be put in place to measure and monitor any data loss that might happen? Or how should they be classified and segregated so that we can prevent any data loss?
Here are the top three things that I learned from the discussion.
- For risk management, have security baked in early in your SDLC process. This helps in your security debt prioritization as well.
- Follow the Information Security triad, which is also known as CIA Triad. The confidentiality, integrity and availability. For Data Protection and Cyber security, apply the NIST framework for identification, detection and analysis of your critical assets.
- To avoid phishing, social engineering or even doxing attacks. Follow the basics of security properly, like use of a multifactor authentication or use of strong passwords and use VPN at minimum.
So I want to go to the Rapid Fire section now.
So the first question is a one liner code that keeps you going.
Parul: So yeah, it would be miles to go before I sleep. I took this quote from like I have been associated like when I was a kid I grew up listening to poems and reading like Shakespeare as well as Robert Frost. So this particular quote is actually from one of the poems from Robert Frost. So it has been associated with me since a while. So I really love this quote. Miles to go before I sleep.
Host: Yeah, that’s lovely. What advice would you give to your 25 year old self starting in security and why?
Parul: Yeah, I would say be more curious, willing to learn and then try to get exposure to as many projects as possible. So if I was like if I was back like in my 25, I would be more I wish I was more of a risk taker rather than getting scared of risk and then be ready to step out of your comfort zone because it’s a place where you can actually experiment, learn, fail, still learn and then grow up. So be curious, have that you are open to taking risks and then stepping out of your comfort zone.
This tolerance is a little higher at that age, so experimentation and taking risks.
Host: Makes a lot of sense. The next question is, assuming you are hiring in one sentence, what stands out in a candidate resume for you?
Parul: Right, I would say the passion. Like the passion to do their job, the passion to learn things as well as the fillingness and curiosity to learn things are some of the things that strike out that really stand out for me when I’m looking around for candidates. Like hard work, dedication, discipline, all these things, they are like an added bonus. But yeah, definitely the person should be passionate about what they are doing and have that willingness in them to actually learn more about it and be willing to take additional tweak and mold themselves to adapt to different situations. So yeah, that’s something I would look forward to.
Host: Learners mindset, I love that. What’s the biggest lie you have heard in cyber security?
Parul: Yeah, I was reading an article recently, so I think one of the things that they said that we are a small company and then they will not hackers. So I think this mindset, it’s more of like a lie, like something which has not been broken until now. It’s not wise enough to assume that okay, we are up to date or we are like totally safe and secure and like nothing can go wrong. We need to do our due diligence at every point and make sure I take steps to improvise and stay up to date.
Host: Makes a lot of sense. How do you stay up to date on latest trends in the security? New threats coming to the security world?
Parul: Right, so usually my go to places like Bleeping computer and then there are community feeds on the LinkedIn which keep me up to date like on the latest security updates as well as news as well as trends. I’m also a part of Community which goes by the name Certification station. So that has like different groups, study groups as well as different like for people who want to provide the updates related to what’s happening in the cybersecurity world. So yeah, that’s one of my other go to place as well. So combination of all these keeps me up to date, hopefully keeps me up to date for the latest happenings around cyber security.
Host: Yeah, I hear the mention of Bleeping computer quite a bit. I see they have very good content around security. Thank you for sharing that. Yeah, thank you so much Carol. It was very insightful. There were many areas that I learned personally. Looking forward to learning more from you in future.
Parul: Great, thank you again for. The Utah for having me here and it was a great discussion. I totally loved it. Thank you.
Host: Thank you. And to our viewers, thank you so much for watching. Hope you learned something new. If you have any questions around security, share firstname.lastname@example.org. We’ll get those answers. I will get those answered by an expert in the security space. See you in the next episode.