Secureworks’® Incident Response Team continually performs incident response tabletop exercises to help our customers prepare for a potential cybersecurity incident. Each exercise is a bit different and may have different goals; for example, one customer may place emphasis on increasing familiarity with how to respond to a cybersecurity incident, while another customer may want to stress test their plan.
Whatever the specific goals of a tabletop exercise, common trends emerge across customers, regardless of their industry vertical or maturity.
For Whom Security Policies Do Not Apply
An exceptionally common finding during tabletop exercises is the practice of granting individual users or departments the right to operate outside the purview of information security policies and controls.
We can all agree that information security policies and controls exist for good reasons. It makes sense to have a password complexity policy and technical controls that ensure a user cannot define their password as “password.” It also makes perfect sense to have an information security policy that prohibits users from e-mailing work data to personal e-mail addresses with technical controls to reaffirm this policy.
But what happens when users are exempt from these security controls based on their job function?
Part of our job during a tabletop exercise is to poke and prod commonly known risk factors. While some vulnerabilities may be unique to the customer’s vertical, there are several well-known vulnerabilities that run counter to codified information security policies and that we observe time and time again.
For example, two situations that we commonly encounter often run afoul of information security policies:
Communications and marketing personnel who monitor social media accounts at all hours of the day are using personal ..