Today’s cyber security programs are a lot more complex than they once were, but it’s still important to cover the basics.
Cyber security is getting more complex all the time. The number and types of endpoints are exploding, and applications contain more APIs and third-party code than ever. Meanwhile, bad actors are constantly inventing new exploits.
As companies continue to become more digital, their level of cyber risk will continue to rise, so they need to have both proactive and reactive cyber security practices to minimize that risk. Following are five staples that should be included in any cyber security program.
Application vulnerabilities are being exploited all the time. According to the U.S. National Institute of Standards and Technology (NIST), there were 160,127 vulnerabilities listed in its database at the time of this writing. The key question is which of these vulnerabilities matter to your company. Clearly, the Microsoft Exchange vulnerability was cause for alarm for many organizations.
As many security teams have discovered, the traditional scan and patch approach is problematic for a few reasons. First, there’s a time element. By the time a vulnerability has been identified and patched, a hacker may have already exploited it. Second, while scanning helps teams prioritize vulnerabilities based on their criticality, not all of the most severe vulnerabilities apply to all organizations. Finally, a more fundamental problem is that scanners lack the context they need, not the least of which is a detailed understanding of the attack surface and the data from security controls such as firewalls and IPSs.
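To make the "scanners lack context" point concrete, here is an added illustration (not a vendor tool or code from the article) that re-ranks constructed scanner findings using the context the article names: whether the asset is internet-exposed, whether a firewall rule or IPS signature already covers the vector, and whether exploitation has been observed. All identifiers, signature IDs and scores are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Asset:
    name: str
    internet_exposed: bool
    open_ports: Set[int]                  # ports still reachable after firewall rules
    ips_signatures: Set[str] = field(default_factory=set)  # hypothetical signature IDs

@dataclass
class Finding:
    vuln_id: str                 # placeholder identifier, not a real CVE number
    cvss_base: float             # 0.0..10.0 as reported by the scanner
    asset: str
    port: Optional[int]          # port the vulnerable service listens on
    exploited_in_wild: bool
    ips_signature: Optional[str] = None  # IPS signature that would block this vector

def contextual_score(f: Finding, assets: Dict[str, Asset]) -> float:
    """Adjust the raw CVSS score with attack-surface and control context."""
    a = assets[f.asset]
    score = f.cvss_base
    if not a.internet_exposed:                 # smaller attack surface
        score *= 0.6
    if f.port is not None and f.port not in a.open_ports:   # firewall blocks the port
        score *= 0.5
    if f.ips_signature and f.ips_signature in a.ips_signatures:  # IPS covers the vector
        score *= 0.7
    if f.exploited_in_wild:                    # time element: active exploitation
        score = min(10.0, score + 2.0)
    return round(score, 2)

def prioritize(findings: List[Finding], assets: Dict[str, Asset]) -> List[Finding]:
    """Findings ordered by contextual priority, highest first."""
    return sorted(findings, key=lambda f: contextual_score(f, assets), reverse=True)

# Constructed inventory and scan output for the demonstration.
ASSETS = {
    "mail-edge": Asset("mail-edge", True, {443}, {"SIG-0001"}),
    "hr-db": Asset("hr-db", False, set()),
}
FINDINGS = [
    Finding("VULN-A", 9.8, "hr-db", 1433, False),
    Finding("VULN-B", 7.5, "mail-edge", 443, True, "SIG-0002"),
    Finding("VULN-C", 8.0, "mail-edge", 25, False, "SIG-0001"),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS, ASSETS):
        print(f.vuln_id, f.cvss_base, "->", contextual_score(f, ASSETS))
```

Sorted by raw CVSS alone the order would be A, C, B; with context the actively exploited, exposed finding B comes first.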
Configuration exploits are popular among hackers because configuration mistakes are so common. In fact, AWS S3 bucket configuration issues have been the subject of headline news. One way to invite a breach is to use the default configuration settings that bad actors expect.
The point of having security configuration management (SCM) software is to identify misconfigurations so they can be rectified, and to alert security professionals to configuration changes that seem suspect. SCM also provides a means of enforcing security standards such as HIPAA, PCI or Sarbanes-Oxley (SOX).
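The two SCM jobs described above, checking a configuration against a hardening baseline (including settings left at a known-insecure default) and flagging suspect drift between snapshots, as an added illustration that is not a product's code or the article's own. The bucket-style setting names, baseline and snapshots are constructed for the example.

```python
from typing import Any, Dict, List, Tuple

# Constructed hardening baseline: what the organization requires of every bucket.
BASELINE: Dict[str, Any] = {
    "block_public_acls": True,
    "restrict_public_policy": True,
    "default_encryption": "aws:kms",
    "access_logging": True,
    "versioning": True,
}
# Settings where more than one value satisfies the baseline.
ALLOWED = {"default_encryption": {"aws:kms", "AES256"}}
# Insecure out-of-the-box values an attacker can count on (constructed).
INSECURE_DEFAULTS = {"access_logging": False, "versioning": False}

def check_baseline(config: Dict[str, Any]) -> List[Tuple[str, Any, Any]]:
    """Return (key, expected, actual) for every setting that violates the baseline."""
    issues = []
    for key, expected in BASELINE.items():
        actual = config.get(key)
        ok = actual in ALLOWED[key] if key in ALLOWED else actual == expected
        if not ok:
            issues.append((key, expected, actual))
    return issues

def still_default(config: Dict[str, Any]) -> List[str]:
    """Keys left at a known-insecure default, or missing and therefore defaulted."""
    return sorted(k for k, d in INSECURE_DEFAULTS.items() if config.get(k, d) == d)

def drift(previous: Dict[str, Any], current: Dict[str, Any]) -> List[Tuple[str, Any, Any, bool]]:
    """Changes between two snapshots; a change that breaks the baseline is marked suspect."""
    changes = []
    for key in sorted(set(previous) | set(current)):
        before, after = previous.get(key), current.get(key)
        if before != after:
            suspect = bool(check_baseline({**BASELINE, key: after}))
            changes.append((key, before, after, suspect))
    return changes

# Constructed snapshots: yesterday's config and today's.
PREVIOUS = {"block_public_acls": True, "restrict_public_policy": True,
            "default_encryption": "AES256", "access_logging": True, "versioning": False}
CURRENT = {"block_public_acls": False, "restrict_public_policy": True,
           "default_encryption": "AES256", "access_logging": True, "versioning": False,
           "owner_tag": "payments"}

if __name__ == "__main__":
    print("violations:", check_baseline(CURRENT))
    print("still at insecure default:", still_default(CURRENT))
    print("drift:", drift(PREVIOUS, CURRENT))
```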
IT/OT Systems and Asset Management
Many organizations lack the visibility they need to understand their entire attack surface. To gain that visibility, they need detailed knowledge of the assets they have on-premises and in the cloud so they can protect them. This includes both IT and operational technology (OT) systems.
IT asset management (ITAM) solutions identify hardware, software and networking assets. They also ensure that software licenses are current and that assets conform to the security policy. ITAM also helps facilitate the management of assets throughout their respective lifecycles including their decommissioning and replacement.
Importantly, ITAM solutions inventory not only the asset itself but also the software associated with devices and equipment, which enables effective endpoint protection and vulnerability management as well as faster incident response.
Every company should have a security policy that is comprehensive and enforced. Some of the basic elements include:
- Background information that provides the plan’s context, such as why the policy exists and what it’s designed to achieve, the scope of the policies (e.g., physical and cyber, or networking only) and the target audience of the plan.
- Measurable objectives. What do you plan to achieve specifically, by when, and by how much?
- A clearly articulated hierarchy of authorization levels as well as system and data access permissions.
- A description of data classes such as highly-sensitive, sensitive, public.
- Data collection, retention, storage, backup/disaster recovery and transfer rules including encryption.
- Other governance items including applicable laws and regulations.
- Technical implementation requirements.
- Key personnel and responsibilities.
- Reports and their cadence.
The most effective security policies are those that have been developed with the organization’s uniqueness in mind, not copied from a website verbatim without any thought of the consequences. The document should be a living document which is updated as situations and technology change.
Procedures and Standards
The security policy should provide an overview of procedures and standards. The trick here is including the right amount of information – not so much that it becomes impractical, but enough to withstand an audit. The standards may include international standards (e.g., ISO), national standards (e.g., FIPS, NERC and NIST), and industry-specific standards (e.g., PCI and HIPAA).
In 2020, many organizations broke from their documented security procedures to enable a 100% remote workforce in a matter of days. At the time, business continuity was the primary consideration, and the rise of Zoom bombing and the targeting of home Wi-Fi routers showed the cost of that. Security took a back seat, but not for long. If anything, 2020 emphasized the need for contingency planning so procedures can adapt as necessary. The year also underscored the need for endpoint security and identity and access management (IAM) that does not interfere too greatly with user productivity.
More Content on Cyber Security Basics Coming Your Way
Effective cyber security requires careful planning and implementation as well as constantly evolving strategies, tactics and procedures. This piece covers just a few of the basics organizations need. In the coming months, we’ll be providing more overview pieces covering various topic areas. We’ll also follow those up with short, in-depth pieces that explain parts of the security fabric in more detail.