Getting Cybersecurity in Place On a Tight Budget

By Christopher Barron
Associate

As the CIO you’ve been tasked with ensuring that your organization’s IT systems are more secure. You’ve got a budget (although it’s tight). You’ve got mandates (“Don’t let us get hacked!” “Increase our perimeter strength!” “Make it a ‘Top 3’ initiative for the year!”). But if you’re like many CIOs, what you don’t have is an understanding of the basic premises and precepts of cybersecurity.

To get appropriate cybersecurity controls in place, where in the world should you start?

You don’t have to reinvent the wheel

If you feel like you’re floundering, I’ve got good news for you. There is a well-established framework that covers nearly all of the common information security risks. The Center for Internet Security (CIS), a non-profit organization that has been around for over two decades, has created a list of 20 Critical Security Controls. These Controls represent a consensus from a group of cybersecurity experts located throughout both government and private industry. This list is the roadmap that you need.

Start with the first five Critical Security Controls

Here’s even better news: If you implement the first five Critical Security Controls you’ll mitigate an estimated 87% of your risk (based on quantitative measures). These first five knock off the “low hanging fruit” by addressing the most common information security issues. As it turns out, many of the attacks launched against your network are automated and easy to stop.

To get cybersecurity in place, start with these five Critical Security Controls:

1. Inventory of Authorized and Unauthorized Devices

You need to ensure that all devices connected to your network are understood and documented, whether they are authorized or unauthorized. This knowledge will help you take steps to harden your network perimeter.

2. Inventory of Authorized and Unauthorized Software

This is just like Control #1, but for software. You need to have a complete inventory of all of the software that’s running on your network, whether it is authorized or unauthorized.

Keep in mind that unauthorized software represents a significant threat. Unauthorized software includes both software that has been intentionally installed by users without following your organization’s policies, and software that has been unintentionally installed, such as through phishing schemes.

3. Secure Configurations for Hardware and Software

Every piece of equipment you buy should be validated against a set of pre-determined standards before it is purchased. To make this happen you must develop these standards for your organization—and then apply these standards to all the hardware and software run within your environment, including mobile devices and servers.

4. Continuous Vulnerability Assessment and Remediation

You need to continuously monitor your system and run vulnerability assessments to watch for anything new that has been installed, whether it is software or hardware, and then address whatever issues are discovered.

If your permissions and Identity and Access Management system doesn’t catch it first, your basic network monitoring tools will usually catch most things that have been installed. Whatever these tools don’t catch should be caught by your vulnerability assessments. I recommend that you use security scanning tools to continuously run vulnerability assessments, and then augment this with periodically scheduled “audit” type assessments.

Why is this so important? Because you can put all the advanced security systems in place that you want, but if someone comes in and installs an unauthorized wireless router on your system, you immediately have an uncontrolled vulnerability. By having an understanding of all of the hardware connected to your network, including an ability to find vulnerabilities in real time, and then quickly remediating vulnerabilities when they are discovered, you can pretty much stop most active hacking attacks.

5. Controlled Use of Administrative Privileges

Administrators who have the highest level of access to resources must be monitored, and every action they take must be logged. After all, when someone has the highest level of access they can do just about anything they want within your network. Someone must watch them to verify that their actions are always in the organization’s best interests.
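Control #1 in practice comes down to one recurring comparison: what is actually answering on the network versus what the inventory says should be there. The following added example (not code from the article or from CIS) reconciles a constructed `arp -a`-style sweep against a constructed authorised-device list keyed by MAC address, reporting both unknown devices and inventoried devices that did not show up.

```python
"""
Added example (not from the article): reconcile what is actually on the
network against the authorised device inventory that CIS Control 1 calls for.
The ARP lines and the inventory below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed sample: one line per observed device, in the shape an
# `arp -a` dump produces on Linux (hostname, ip, mac).
OBSERVED_ARP = """\
fileserver01 (10.0.1.10) at 00:1b:21:aa:bb:01 [ether] on eth0
printer-2f (10.0.1.50) at 3c:52:82:cc:dd:02 [ether] on eth0
? (10.0.1.77) at 00:14:6c:ee:ff:03 [ether] on eth0
laptop-jsmith (10.0.1.120) at f4:5c:89:11:22:04 [ether] on eth0
"""

# Constructed authorised inventory keyed by MAC address. MACs can be
# spoofed, so a match is necessary, not sufficient, for "authorised";
# a non-match is always worth a look.
AUTHORIZED = {
    "00:1b:21:aa:bb:01": {"name": "fileserver01", "owner": "IT"},
    "3c:52:82:cc:dd:02": {"name": "printer-2f", "owner": "Facilities"},
    "f4:5c:89:11:22:04": {"name": "laptop-jsmith", "owner": "J. Smith"},
    "00:50:56:33:44:05": {"name": "backup-vm", "owner": "IT"},
}

ARP_RE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Device:
    host: str
    ip: str
    mac: str


def parse_arp(text):
    """Turn arp-style lines into Device records; malformed lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            devices.append(Device(m["host"], m["ip"], m["mac"].lower()))
    return devices


def reconcile(observed, inventory):
    """Return (unauthorised, missing): devices seen but absent from the
    inventory, and inventory MACs that were not seen in this sweep."""
    seen = {d.mac for d in observed}
    unauthorised = [d for d in observed if d.mac not in inventory]
    missing = sorted(mac for mac in inventory if mac not in seen)
    return unauthorised, missing


if __name__ == "__main__":
    unauth, missing = reconcile(parse_arp(OBSERVED_ARP), AUTHORIZED)
    for d in unauth:
        print(f"UNAUTHORISED  {d.ip:<12} {d.mac}  ({d.host})")
    for mac in missing:
        print(f"NOT SEEN      {AUTHORIZED[mac]['name']:<12} {mac}")
```

Run on a schedule against the real sweep output, the "unauthorised" list is the feed for Control 4's remediation queue and the "not seen" list catches inventory drift.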

What about the other 15 Critical Security Controls?

These first five Critical Security Controls represent 20 years of consensus on where the most basic-level information security competencies start. After you have implemented these you can focus on the other 15. These controls address the remaining 13% of your vulnerabilities, which are typically the more complex issues.

Conclusion

There is a lot of talk about the importance of information security. Coupled with that talk are the significant budget allocations being carved out specifically for cybersecurity projects. By focusing on these first five Critical Security Controls you will get the most bang for your buck. These are the places to start because these controls address the vast majority of your architectural vulnerabilities. Once you have these things in place you can move on to implementing other security measures.

Remember, hackers are like water…they tend to flow through the easiest possible path. When a hacker encounters an organization that has implemented the best practices of the first five controls, they will typically pass by and find a target that has not.

Need help getting cybersecurity in place? Give us a call. Security Strategy is one of our areas of expertise.


About Christopher Barron

As a strategic and innovative leader, Christopher is known for the ability to help clients realize how to leverage technology to outperform competitors. He has led clients through some of their toughest challenges, including departmental and project rescues, embracing and integrating new digital solutions, and developing hybrid organizations that can fully utilize the best and most cost-effective IT solutions.

About CIO Professional Services

Based in the San Francisco Bay area, CIO Professional Services LLC is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.


Ignore These 7 Key Cybersecurity Tactics at Your Peril

By Scott S. Smith
Security Practice Lead

Given the fact that many organizations experience near-continuous cyberattack attempts, if you have not already done so, getting a robust cybersecurity plan in place is a must. This plan needs to be tailored to address your organization’s business requirements, culture and risk tolerance around cybersecurity. It also will need to ensure compliance with applicable regulations and laws, and include plans for how to respond if, in spite of your best efforts, a security breach takes place. You don’t want to be in Equifax’s situation, where a hacker’s ability to exploit what was most likely a known weakness has now put millions of consumers’ identity and financial security at risk. The government, your customers and the general public are all losing their tolerance for disasters that happen when known problems are ignored.

Unfortunately, there’s no one-size-fits-all cybersecurity plan that you can just pull off the shelf and put into place, and the list of tactics to include in your cybersecurity plan must be customized based on your organization’s specific needs. However, our extensive client experience has shown that the following basic cybersecurity tactics and building blocks can greatly reduce your risk profile. The following should be part of every organization’s cybersecurity plans:

  • Identity and access management (IAM) – The vast majority of cybersecurity breaches—about 80 percent or more—involve a compromised credential in some way. As I explained in “An Introduction to Identity and Access Management,” IAM is what you need to have in place to avoid this problem.

IAM is the process of knowing who your system users are and what they can access. This includes having a way to determine that each person is indeed who they say they are (and not someone who has stolen their credential), knowing how and why they have received access to the system, and controlling what they are allowed to do with that access. IAM is at the core of a strong security program.

Common elements of an IAM plan include multi-factor authentication, privileged access management, segregation of duties, least privilege, periodic recertification campaigns, joiner/mover/leaver workflows, roles modeling and audit trails. To learn more about each of these items, see my article on “Some Leading Practices in IAM.”

  • File encryption – Data must be protected both while it is at rest (in storage), and while it is in motion (in transit between systems, databases or physical locations).

As part of this effort it is important to understand and manage all of the encryption tools being used by your internal teams. Why? Because the bad guys will also use encryption to transport their malware right under your nose. If you can distinguish between your own encryption and an attacker’s encryption you’ll be able to see that an exploit is either underway or in the planning phase.

  • Effective monitoring and analysis of network traffic – While system monitoring is a vital part of any cybersecurity plan, not all monitoring approaches are created equal. A fairly new but effective and quickly growing approach to cybersecurity is to use machine learning systems that are both holistic and provide context-based analysis of network traffic. These provide a level of protection that rules-based monitoring systems cannot: They will help reduce the load on your overworked teams by reducing the number of “false-positives,” as well as providing more comprehensive information about network events.

Many monitoring systems look at events only from a network layer transaction viewpoint, without providing any contextual understanding of the business processes that they support. In contrast, context-based analysis is all about using learning systems that—through machine-learning—develop an understanding of the “normal” patterns associated with your organization’s business processes in order to spot network activities that do not fit these normal patterns.

A recent uptick in attacks such as NotPetya, which utilize the patching systems for known and trusted software packages to install a back-door, necessitates a new approach. This new approach should include context-based monitoring and be combined with a good threat intelligence service.

  • Management of shadow IT – “Shadow IT” refers to the IT systems, services and solutions that are provisioned and used by individuals or teams within your organization without explicit IT department approval. Because it’s not being managed by the IT department with an appropriate level of governance, Shadow IT often poses considerable cybersecurity risks.

For example, say your Marketing Department decides to get an AWS storage account for sharing data with business partners. Without involving IT in the process, they then upload a large number of files that are to be shared with a contractor. Eventually a contractor duplicates some of this information for legitimate purposes, but in creating the new files, misconfigures the Amazon storage, so that the public can now view this data. This is the exact scenario that allowed for the compromise of PII for over 198 million voters by a contractor who was working with the Republican National Committee.

While the IT department should avoid becoming the “business prevention department” and should allow as much flexibility as possible for business users, they should also provide oversight (or at a minimum, guidelines) to prevent these types of occurrences.

  • End user training – There are two main types of end user training that should be included in your cybersecurity plan. First, there’s end user training on any new processes and procedures that were created as part of putting cybersecurity in place, plus assistance with the change management aspect of this as well.

Second, there’s training to ensure your people don’t unwittingly “open the door” to a cyberattack by responding to a phishing email. Recognize that your people are probably the most vulnerable part of your cybersecurity system. Help your end users understand the stakes involved, and provide them with regular training on how to recognize the latest phishing tactics, why they shouldn’t open attachments from unknown sources, how to put mobile device security measures in place (if their devices are used to access the organization’s IT systems), and so forth.

Note that phishing prevention requires a thoughtful combination of user training as well as technical tools.

  • Management of third parties – Do you provide partners or vendors with access to your network? For most organizations, whether that access is available to cloud-based solutions providers, business partners (supply chain, distribution chain, contractors, etc.) or IT suppliers, the answer is yes.

A robust cybersecurity program should include a focus on understanding and managing the risks that these third-party relationships pose. This access should be part of a robust identity and access management (IAM) governance system. The owners of all data should be carefully managing those who have access to their systems.

Start by understanding who has access to what data, and what are the risks associated with this access. Next, determine what measures you’ll use to mitigate these risks (including access control and periodic reviews), and then ensure that these measures are applied to all of your third party suppliers who have access to your systems.

  • System management and testing – Your plan should include continuous vulnerability management and an on-going update/test/update cycle. You’ll need to stay informed. Keep your eye on what’s happening in the industry, use a combination of threat intelligence and an up-to-date monitoring system, then watch your own systems with open eyes. If there’s a radical new threat happening, test to see if you can get through your system’s defenses using that type of attack.
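The shadow-IT scenario above (a storage bucket quietly made world-readable) is one of the cheapest misconfigurations to check for once IT knows the bucket exists. The following added example (not code from the article or from AWS) inspects a bucket policy and ACL offline and flags the two ways an S3 bucket becomes public: an Allow statement whose Principal is "*" with no Condition, and an ACL grant to the AllUsers or AuthenticatedUsers group. The policy, ACL and account ID are constructed samples; fetching live ones would need the AWS API.

```python
"""
Added example (not from the article): flag the "anyone can read this bucket"
misconfiguration from the shadow-IT scenario by inspecting a bucket policy
and ACL grants offline. Both documents below are constructed samples in the
shape AWS returns them.
"""
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = ("*", "s3:*", "s3:GetObject", "s3:ListBucket")


def _principals(principal):
    """Normalise a policy Principal ("*" or {"AWS": ...}) into a set."""
    if isinstance(principal, str):
        return {principal}
    out = set()
    for value in principal.values():
        out.update([value] if isinstance(value, str) else value)
    return out


def public_policy_statements(policy):
    """Sids of statements that let everyone read, with no Condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in READ_ACTIONS for a in actions):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(acl):
    """ACL grants made to the AllUsers / AuthenticatedUsers groups."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


# Constructed: the bucket after the contractor's change (Principal "*").
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PartnerRead", "Effect": "Allow",
     "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-marketing-share",
                  "arn:aws:s3:::example-marketing-share/*"]}]}""")

LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

# Constructed: same sharing intent, scoped to the partner's account
# (111122223333 is a placeholder account ID, not a real one).
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PartnerRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-marketing-share",
                  "arn:aws:s3:::example-marketing-share/*"]}]}""")

if __name__ == "__main__":
    print("leaky policy:", public_policy_statements(LEAKY_POLICY))
    print("leaky ACL:   ", public_acl_grants(LEAKY_ACL))
    print("fixed policy:", public_policy_statements(FIXED_POLICY))
```

A statement with a Condition is skipped here rather than judged, since conditions such as a source-VPC restriction can make a "*" principal acceptable; review those by hand.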

Conclusion

If you’re finding the task of getting cybersecurity in place overwhelming, some of the various Security as a Service options may be helpful for you. Sometimes it makes more sense to have cybersecurity experts create and manage your system than to do it all yourself.

For example, cybersecurity is one of CIOPS’ areas of expertise. We can help you assess your risks and create a plan, and then manage the implementation process for you. Other firms and cloud-based systems can handle other aspects of your cybersecurity system, such as threat intelligence services. Give us a call to discuss your needs.


About Scott S. Smith

Scott is an experienced cyber security executive with more than 25 years of technology strategy, management and advisory experience. With an emphasis on driving technology success through effective business stakeholder engagement, he has strong project leadership experience on IT security strategy, governance and transformation projects.


Getting a Cybersecurity Plan in Place

By Scott S. Smith
Security Practice Lead

Given the dramatically negative impact that a cybersecurity failure can have on your business, implementing a cybersecurity plan is mission critical. In my last article I talked about some of the business-driven needs that might drive your cybersecurity plan. Today I will address some of the steps you need to take to get a cybersecurity plan in place.

Here are the initial steps I recommend:

  • Assess your risks – It is absolutely critical to understand what your data assets are and where they reside. You can then prioritize these data assets based on the likely negative impact on your business if these assets were to be compromised.

Start by taking a complete inventory of your data assets—a task that’s often easier said than done. Look in every corner: What data resides in major databases? Is there sensitive, unstructured data in drive shares (such as key Excel files), or even in the cloud? What data resides in shadow IT? How about email archives? It doesn’t hurt to reach out to key business stakeholders to ask them where they think their data is! Remember, if you don’t know where a data asset is located (or even if it exists), that lack of knowledge is a security risk in and of itself.

Once you have identified your data assets, the next step is to complete a risk analysis of each of them. Develop a risk-based taxonomy, and assign a priority level to each asset. From this, you will be able to drive an informed plan of defense.

  • Pick a cybersecurity framework – There are a number of different cybersecurity frameworks available. These frameworks provide a set of checklists to help you create your cybersecurity plan, and help ensure that you cover all your bases. Two of the more popular are the CIS (Center for Internet Security) cybersecurity framework and the NIST (National Institute of Standards and Technology) cybersecurity framework.

Review these frameworks within the context of how your business, culture and IT systems work. Select the cybersecurity framework that is the best match, and then modify (or simplify) it as necessary for your needs.

  • Keep end user needs in mind – Understand what business processes will be impacted by your cybersecurity measures, and exactly how they will be impacted by these changes.

Some cybersecurity measures, such as in the Identity and Access Management (IAM) arena, can actually boost employee productivity and make business processes more efficient. Other times this is not the case. Your goal should be to meet your cybersecurity needs with the least possible negative impact. If there are choices to be made, evaluate them from the standpoint of how they will affect the people who must implement these processes.

Remember that for many people change is always difficult. Be sensitive to this, and manage people through the change. Whether your new cybersecurity measures will make processes more or less efficient, you should provide training on the new procedures and assistance with change management.

When it comes to end user needs, you should also ensure that your cybersecurity policies don’t become your “business prevention” policies. For example, you should not just say “no” to any tools that are not already sanctioned by the IT department, or shut down any rogue “shadow IT” installations when you discover them. Business users need to be able to get the tools they need, and your cybersecurity plan needs to provide guidelines for how these tools can be safely used. Consider standing up a steering group of end users who can help guide this process.

  • Stay adaptable – In the world of cybersecurity it’s important that you don’t “drive with your eye on the rearview mirror.” While the cybersecurity measures you put in place will generally be based on the experience you’ve had and/or the security breaches that others have experienced, cybersecurity threats are always evolving. Your approach needs to be flexible.

Many organizations make the mistake of rigidly basing all of their cybersecurity efforts on audits and frameworks, only to get tripped up when an attacker comes up with a new methodology that’s not addressed by these audits and frameworks. Security and IT organizations must feel that they can push back on an audit if the results of the audit will be used in a way that excludes this agility. Be ready to show that an audit for yesterday’s threats may not serve your organization today.

  • Be prepared for a cybersecurity breach – Build resilience into your cybersecurity system. If all of your cybersecurity measures fail to prevent a security breach, how will you respond? What should IT do? What should management do? What should legal, marketing and any other affected departments do?

Think through the various types of breaches that might occur—such as distributed denial of service (DDoS), ransomware, etc.—and have plans in place to deal with each. For a discussion of how to respond to ransomware attacks, see my colleague’s article on “What’s New & Frightening in the World of Ransomware & Business Continuity Planning.”

Conclusion

If you’re feeling overwhelmed by all of this, consider taking advantage of the various Security as a Service options. For example, CIOPS can handle all of the strategy pieces, and then manage the implementation process. There are other firms that can handle other aspects of your cybersecurity system, such as managing your perimeter security. There are cloud-based systems for managing governance, identity and access management, and more. Depending on your needs, it may be more cost-effective to utilize these options than to grow your own system from scratch.




Copyright 2017. CIO Professional Services, LLC. All Rights Reserved.