Security by design and defense in depth
Technology is often the area in which companies tend to pour a lot of resources; there are all manner of technical solutions available on the market, and all offer a variety of security benefits. Once an organization understands its risk and compliance landscape correctly, the application of technology should be straightforward and cost-effective.
An organization must apply technology that first seeks to put in place good cyber hygiene. The technology must be fit for purpose, and the organization must have the capacity to manage it. Don't just buy loads of shiny new technology without considering how you will maintain it and analyze the output from the technology or solution. Consider MSPs and what capacity and additional benefits they may be able to bring to your organization. MSPs can often ease the burden of unnecessary technological spending by providing their clients with services that expand and flex with their needs.
Organizations should consider a 'defense in depth' approach to cyber security, where the most valuable assets sit within a ring of protection. Technology can be used to tighten access to the most valued critical resources while still providing the availability needed. Businesses and IT departments may also wish to consider cloud-based solutions, which can provide defensive technologies and strategies far beyond the means and capabilities of most organizations. Cloud technology, when implemented correctly through a reputable third party, can provide the confidentiality, integrity, and availability a business needs.
Organizations must also be able to ensure that the software and applications they have installed on their networks are configured to their most secure settings. Technology should be configured to the least-privileged settings required for it to perform the functions it is needed for. Commercial off-the-shelf technology should always have its default usernames and passwords changed.
Unique passwords must also exist for all users within your organization. Passwords should be long, strong, and difficult to guess. The most recent advice from ENISA on password management states that it may be more secure to roll out the use of passphrases, which are more difficult to crack than passwords and need changing much less frequently. It is also recommended that the organization put in place multi-factor authentication, specifically two-factor authentication, whereby a code is needed alongside a password to allow access to resources.
Alongside a secure password, organizations must also ensure that users and applications are only provided with the access they need to perform the roles that have been assigned to them. This is the concept of least privilege: the user only has the rights they require to perform a function. Companies with many users may also consider rolling out role-based access controls. A role profile is created for a group of users, and that user group is assigned access permissions based on their job functions.
Access management controls must also consider privileged or administrative users. These users often have elevated-privilege accounts which, if misused or compromised, can provide unfettered access to an organization's devices and data. Administrative users should have separate user profiles for business-as-usual work and their administrative work. Access to administrative accounts should be granted by specific permission only, and care should be taken to ensure that when an administrator leaves the organization, the account permissions are revoked.
One of the most common threats for organizations comes via malware and viruses. As a minimum, a good anti-virus and malware solution must be in place. Technologies such as email filtering allow businesses to reduce the risk of recipients receiving and opening malware. IT departments can utilize firewalls and device whitelisting to ensure that only permitted and known users within their network are allowed access to trusted online resources, reducing the risk of infection from malicious websites or preventing rogue applications and devices from connecting to their network.
Hand in hand with anti-virus and anti-malware is ensuring that a rigorous patching schedule exists. Where possible, devices and applications that are flagged as vulnerable should have patches applied as soon as is practically possible. Organizations can achieve this through regular vulnerability scanning, using solutions such as Qualys; scanning helps to identify devices and applications that require attention. Obsolete technologies, and applications and devices that are no longer supported by their manufacturers, should be given special care, and consideration should be given to replacing them with newer solutions as soon as time and resources allow.
There are several other technological controls that a CISO should consider as a core component of any cyber strategy to ensure the health of an organization's network. They include encryption of data at rest and in transit; at a minimum, this should cover critical organizational data. Back-ups are equally important: backing up essential data can save an organization that has been hit by a destructive cyber attack such as ransomware.
CISOs and IT security managers are operating in a rapidly changing technological landscape; within the past five years, there have been a variety of emerging technological advancements that provide more effective security protection. CISOs and IT managers may wish to explore whether MDR (Managed Detection and Response), EDR (Endpoint Detection and Response), or SOAR (Security Orchestration, Automation, and Response) solutions are the right fit for their organizations.
For any solution to be effective, the business must also ensure that it has in place the right people and resources to act on the results. Often this may mean that the most appropriate solution is one that is outsourced to a specialist organization with the skills and technical capacity to offer the correct security solution for your organization. Outsourcing to providers often means that businesses can leverage next-generation technology, such as EDR and MDR, without the associated overheads of maintenance and upskilling.
We've discussed above some of the most common technological threats that organizations are presented with, namely phishing attacks and malware. One of the other most common attack vectors for an organization is through its supply chain. Suppliers and trusted partners are often provided with access to networks and resources far beyond what is required to provide the services for which they are contracted.
To address these concerns, CISOs should consider a zero-trust approach. This takes a risk-based approach to the principle that a supplier or external party is not allowed to connect to the network or its resources until a set of pre-defined security conditions has been met. Once the organization is satisfied that the supplier has reached the required security standard, the supplier can be provided with access to the specific resources needed to perform its function.
A strategy may also consider engaging an external auditor to perform a risk assessment on a supplier to see where improvements can be made. Recent advancements in technological solutions now mean that new, non-invasive technologies are available and cost-effective for managing supply chain risks.
This zero-trust approach supports the concepts of defense in depth and security by design, baking security controls into the environment which you are building or managing. Suppliers should be held to these concepts through the use of contractual agreements and SLAs. This may include insisting that suppliers adhere to a specific security standard based on the level of potential threat they pose to the organization.
For example, you may wish to make sure that a supplier who services printing devices is only provided with access to those devices (with the devices segregated from the rest of the network through the use of firewalls). You may wish a supplier such as this to adhere to a quality standard and a cyber security standard such as the UK's Government-backed Cyber Security Essentials Scheme or the global Cloud Security Alliance. For a supplier with much deeper integration into an organization's structure, such as a managed service provider (providing SOC or SIEM solutions), you may wish them to adhere to a higher standard of security such as ISO27001 or NIST.
All suppliers should be recorded, and their performance and contracts monitored. Within the contractual relationships that you have with your suppliers, there must be a provision for a supplier to notify you immediately if they are subject to a breach or sustained cyber-attack. We only have to look at recent examples of supply chain security failures such as WannaCry to see how quickly malware can spread through an organization. Cases in the US, such as the infamous Target card data hack, illustrate how attackers can leverage the supply chain and unsegregated networks to gain access to an organization's critical data and cause untold reputational and financial damage.
In conclusion, an excellent cyber security strategy should focus on four core areas: governance, people, technology, and supply chain. For any plan to succeed, it must first identify its aims and its scope. A successful CISO builds trust and relationships across the business, so that a cyber security strategy can be rolled out from management down and embedded within the organization.
For a cyber strategy to succeed, it must follow a rigorous and defined standard or best practice guidance, and a risk framework must be in place and controls applied to the environment to mitigate the most pressing risks. Controls must be configured securely, fit for purpose, and managed by experienced individuals.
The most significant challenge any CISO will have will be to change the culture of an organization to meet the aims of a cyber strategy. Improving the knowledge and behaviors of individuals can be a slow process, but once underway, will determine the success or failure of any business strategy. Training and awareness should be at the core of any strategy, empowering individuals to embrace cyber security and embedding it in the core practices of the business.
Cyber security must now be a core function of any business, and CISOs must be provided with the resources and support required to build, roll out, and run a strategy that ultimately keeps the business safe, its customers happy, and the business able to innovate and operate in the digital economy.
Advantio's team of experts has helped many companies around the globe to build their cyber strategies. If you want to evolve the cyber maturity of your organization, get in touch with us and our experts will take you through this process.