A recent, real-world project of mine to dramatically mature the information security resources of a client guided this blog. This project, while unrelated to security, identified the current security as deficient. It was a simple consumer-grade antivirus and a solid firewall, that was it. There are multitudes of companies out there, small and large alike, who mistakenly believe this qualifies as “bare minimum” today. The following recommendations loosely align with the NIST Cybersecurity Framework 5 core functions: Identify, Protect, Detect, Respond, and Recover.
Many of these security deficient companies doing the perceived minimum implementations to secure their organizations would be surprised to hear that the standard level of security necessary to meet today’s cyber threats is based on implementing eight components. A fully vetted CISSP security engineer would have more to say, so I’m just presenting the 101 on these components. As an IT Trusted Advisor, I’m sharing with you how to meet these standards and point you in the right direction to ensure success!
THE MORE YOU KNOW
A professional risk assessment project should be near the top of your list of priorities. An external penetration test against all public IPs and publicly registered domains should test your public access points, provide a well-documented risk assessment, and possibly even include social engineering. This assessment’s goal is to determine the gaps in your defense. The results of these tests should define the tactical response for the year. This process should be repeated yearly, or whenever there is a major change to your organization like an acquisition or a divestiture.
WHAT’S GOING ON
Logging all your security events is just the start. Knowing when an account is being brute forced guides your team’s reaction towards resolution! Resolve the issue, instead of bring annoyed at the daily helpdesk ticket for that one executive whose account is locked out yet again! A SIEM or Log Manager solution can leverage well-trained analytics (often labeled AI by marketing departments) to bring genuine alerts to the top of the stack. It really is like having an analyst constantly watch logs and make decisions on when to alert the team. Correlating events for your organization is just a start! Choosing an application with a diverse global footprint means your organization can gain information from the analytics developed on other customers for use in your own environment. Pattern matching in near real-time allows your team to do more with less and thwart attacks within minutes vs weeks.
DDoS protection has become super simple these days involving just a checkbox on most hosting providers! Keeping your website up throughout a coordinated attack on a global scale is significantly easier to prevent than weather-related outages.
WHO AM I, REALLY
Identity and Access Management was once entirely the domain of Novell and then Active Directory. Today, Active Directory is still the #1 identity provider and security database, but we add-on Single Sign-On (SSO), multi-factor authentication (MFA), and cloud application security broker (CASB) to fully secure identities and access. The weakest links in any organization are the end-users and what they do with their identity. These tools all ensure the right person is doing what they should be doing and where they should be doing it.
YOU ARE THE WEAKEST LINK
Did you think I was just going to gloss over that “weakest links” comment in the previous section? NOPE! There is no recommended solution to upgrade your users this side of a Matrix adaptation – so we TRAIN our end-users. Security Awareness training from dedicated security vendors or even from popular human resource services it a great resource. It should at a minimum contain live phishing tests and watchable/memorable training videos. Training should not only be a part of onboarding but completed throughout the year.
FREE ANTIVIRUS DOESN’T CUT IT
Securing the hardware, platforms, and operating systems that allow your organization to run the applications and access the data required for the business to succeed should not be a casual thought. Your antivirus program that came for free with the new laptop is not going to cut it by itself. It’s just the start! That free-for-a-year antivirus may be convenient, but is it centrally managed, updated, and monitored for compliance? New ways to prevent malware from taking a hold in your system are in wide use now but don’t forget to deploy a solid asset management tool as well as encryption on those devices to prevent access via hardware theft.
GET OFF MY LAWN
Firewalls, intrusion prevention systems (IPS), and virtual private networks (VPN) are all good at keeping people out – but you can’t call your security enhancements complete after getting a good firewall in place. Ensure the digital assets also physically secured and monitored! The best perimeter security by itself is just not adequate these days against more and more innovative threats! And, between you and me, how many holes (rules) have you poked in your firewall? Are they all pointed to secure and locked down systems?
BACKUPS AND DISASTER RECOVERY!!!
Even with a great and reliable implementation of 7 of these security initiatives, not having a plan when disaster strikes is planning for a disaster. Determine if your backups taken in sufficient increments. Ensure they can not be discovered by malware and encrypted. Are the backups off-site and/or air-gapped? When the sysadmin’s credentials are compromised and an entire data center is cryptolockered, is the malware already encrypting the backups and DR site as well?
No Chief Information Security Officer (CISO) can defend every single attack out there 100% of the time. Considering cheap compute power available in the Cloud, a lucrative market for hackers, and insider attacks that can negate a lot of security protocols, a full defense against every attack is simply impossible. The goal is to decrease the frequency and impact of attacks. It’s not a matter of IF you have a cybersecurity incident, but WHEN.