By Scott S. Smith
Security Practice Lead
Given that many organizations now face near-continuous cyberattack attempts, getting a robust cybersecurity plan in place, if you have not already done so, is a must. This plan needs to be tailored to your organization’s business requirements, culture and risk tolerance. It also needs to ensure compliance with applicable regulations and laws, and to include plans for how to respond if, in spite of your best efforts, a security breach takes place. You don’t want to be in Equifax’s situation, where an attacker’s ability to exploit what was most likely a known, unpatched weakness has put millions of consumers’ identities and financial security at risk. The government, your customers and the general public are all losing their tolerance for disasters that happen when known problems are ignored.
Unfortunately, there’s no one-size-fits-all cybersecurity plan that you can pull off the shelf and put into place, and the tactics in your plan must be customized to your organization’s specific needs. However, our extensive client experience has shown that the following basic tactics and building blocks can greatly reduce your risk profile. They should be part of every organization’s cybersecurity plan:
- Identity and access management (IAM) – The vast majority of cybersecurity breaches—about 80 percent or more—involve a compromised credential in some way. As I explained in “An Introduction to Identity and Access Management,” IAM is what you need to have in place to avoid this problem.
IAM is the process of knowing who your system users are and what they can access. This includes having a way to determine that each person is indeed who they say they are (and not someone who has stolen their credential), knowing how and why they have received access to the system, and controlling what they are allowed to do with that access. IAM is at the core of a strong security program.
Common elements of an IAM plan include multi-factor authentication, privileged access management, segregation of duties, least privilege, periodic recertification campaigns, joiner/mover/leaver workflows, roles modeling and audit trails. To learn more about each of these items, see my article on “Some Leading Practices in IAM.”
- File encryption – Data must be protected both while it is at rest (in storage), and while it is in motion (in transit between systems, databases or physical locations).
As part of this effort it is important to inventory and manage all of the encryption tools your internal teams use. Why? Because attackers also use encryption, to move malware and command-and-control traffic past your defenses right under your nose. If you can distinguish your own encrypted traffic from an attacker’s, you will be able to see that an attack is either underway or in the planning phase.
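One concrete way to tell "our encryption" from "their encryption" is to fingerprint the TLS client from its ClientHello and check the requested server name, before any decryption. The following is an added example, not code from this article or from CIO Professional Services: it builds two constructed ClientHello records, parses them, computes the public JA3 fingerprint (version, cipher suites, extensions, groups and point formats, joined and MD5-hashed, GREASE values excluded) and triages each against an assumed allowlist. The allowlisted fingerprint is derived from the constructed "corporate" client, and `example.com` stands in for the organization's own domains; both are assumptions.

```python
import hashlib
import struct

# Assumed (hypothetical): the domains the organization's own tooling is expected to contact.
ALLOWED_SNI_DOMAINS = ["example.com"]


def is_grease(value):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ...) are excluded from JA3 strings."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def build_client_hello(sni, ciphers, groups, point_formats, extra_ext_types=()):
    """Construct a minimal TLS 1.2 ClientHello record; used only to create sample input."""
    exts = b""
    if sni:  # server_name extension (type 0)
        name = sni.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(body)) + body
    grp = b"".join(struct.pack("!H", g) for g in groups)  # supported_groups (type 10)
    body = struct.pack("!H", len(grp)) + grp
    exts += struct.pack("!HH", 0x000A, len(body)) + body
    body = bytes([len(point_formats)]) + bytes(point_formats)  # ec_point_formats (type 11)
    exts += struct.pack("!HH", 0x000B, len(body)) + body
    for ext_type in extra_ext_types:  # e.g. a GREASE extension with empty data
        exts += struct.pack("!HH", ext_type, 0)
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    hello = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"  # version, random, empty session id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00"  # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello  # type 1, 3-byte length
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake


def parse_client_hello(rec):
    """Extract the fields JA3 needs plus the SNI; raises ValueError for non-ClientHello bytes."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9  # past the 5-byte record header and 4-byte handshake header
    version = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2 + 32  # client version, then 32-byte random
    p += 1 + rec[p]  # session id
    cs_len = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + rec[p]  # compression methods
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "groups": [], "point_formats": [], "sni": None}
    if p + 2 > len(rec):
        return info
    end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4])
        data = rec[p + 4:p + 4 + elen]
        p += 4 + elen
        info["extensions"].append(etype)
        if etype == 0 and len(data) >= 5:
            nlen = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + nlen].decode("ascii", "replace")
        elif etype == 10:
            glen = struct.unpack("!H", data[:2])[0]
            info["groups"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + glen, 2)]
        elif etype == 11:
            info["point_formats"] = list(data[1:1 + data[0]])
    return info


def ja3(info):
    """Return (JA3 string, JA3 MD5 hash) for a parsed ClientHello."""
    def fmt(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    s = ",".join([str(info["version"]), fmt(info["ciphers"]), fmt(info["extensions"]),
                  fmt(info["groups"]), fmt(info["point_formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def triage(rec, known_ja3, allowed_domains):
    """Flag a ClientHello whose fingerprint or destination is not one of ours."""
    info = parse_client_hello(rec)
    _, digest = ja3(info)
    reasons = []
    if digest not in known_ja3:
        reasons.append("unknown-ja3")
    sni = info["sni"]
    if sni is None:
        reasons.append("no-sni")
    elif not any(sni == d or sni.endswith("." + d) for d in allowed_domains):
        reasons.append("sni-not-allowlisted")
    return {"ja3": digest, "sni": sni, "reasons": reasons}


# Constructed sample: the TLS client the organization itself deploys (with one GREASE extension).
CORP_HELLO = build_client_hello("sso.example.com", [0x1301, 0x1302, 0xC02F, 0xC030],
                                [0x001D, 0x0017, 0x0018], [0], extra_ext_types=(0x0A0A,))
KNOWN_JA3 = {ja3(parse_client_hello(CORP_HELLO))[1]}  # assumed allowlist: "our encryption"
# Constructed sample: an unfamiliar client with a legacy cipher list and no SNI at all.
ODD_HELLO = build_client_hello(None, [0x0035, 0x002F, 0x000A], [0x0017], [0, 1, 2])

if __name__ == "__main__":
    for label, rec in (("corporate", CORP_HELLO), ("unknown", ODD_HELLO)):
        print(label, triage(rec, KNOWN_JA3, ALLOWED_SNI_DOMAINS))
```

In practice the allowlist is built from the fingerprints your managed browsers, update agents and backup tools actually produce, and a flow whose fingerprint, server name or destination does not match is what feeds the monitoring discussed next.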
- Effective monitoring and analysis of network traffic – While system monitoring is a vital part of any cybersecurity plan, not all monitoring approaches are created equal. A fairly new but effective and quickly growing approach is to use machine-learning systems that analyze network traffic holistically and in context. These provide a level of protection that purely rules-based monitoring cannot: they reduce the load on your overworked teams by cutting the number of false positives, and they provide more complete information about network events.
Many monitoring systems look at events only from a network-layer transaction viewpoint, with no understanding of the business processes those transactions support. In contrast, context-based analysis uses machine learning to build a model of the “normal” patterns associated with your organization’s business processes, so that it can spot network activity that does not fit those patterns.
A recent uptick in attacks such as NotPetya, which was delivered through the legitimate update mechanism of a trusted software package, calls for a new approach: context-based monitoring, which can flag even a trusted process when it starts talking to a peer it has never contacted before, combined with a good threat intelligence service.
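To make the idea of a learned "normal" concrete, here is an added example (not from the article, and a deliberately simple statistical baseline rather than the commercial machine-learning products it refers to). It learns, per host and process, which peers are normal and how much data each flow normally carries, then scores new flows. The flow records are constructed for the example; in practice they would come from NetFlow, a proxy or an EDR agent. Note that the trusted updater is flagged the moment it contacts a server it has never used, which is the pattern the paragraph above describes.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records: (host, process, dst_ip, dst_port, bytes_out).
BASELINE_FLOWS = [
    ("ws-finance-01", "erp-client.exe", "10.0.5.20", 8443, 120_000),
    ("ws-finance-01", "erp-client.exe", "10.0.5.20", 8443, 130_000),
    ("ws-finance-01", "erp-client.exe", "10.0.5.20", 8443, 110_000),
    ("ws-finance-01", "erp-client.exe", "10.0.5.20", 8443, 125_000),
    ("ws-finance-01", "erp-client.exe", "10.0.5.20", 8443, 115_000),
    ("ws-finance-01", "updater.exe", "203.0.113.10", 443, 2_000),
    ("ws-finance-01", "updater.exe", "203.0.113.10", 443, 2_200),
    ("ws-finance-01", "updater.exe", "203.0.113.10", 443, 1_900),
    ("ws-finance-01", "updater.exe", "203.0.113.10", 443, 2_100),
]

# Constructed flows to score once the baseline has been learned.
NEW_FLOWS = [
    ("ws-finance-01", "erp-client.exe", "10.0.5.20", 8443, 122_000),     # business as usual
    ("ws-finance-01", "updater.exe", "198.51.100.77", 443, 2_000),       # trusted updater, new peer
    ("ws-finance-01", "erp-client.exe", "10.0.5.20", 8443, 5_000_000),   # usual peer, huge volume
    ("ws-finance-01", "powershell.exe", "198.51.100.77", 8080, 50_000),  # process never seen here
]


class ContextBaseline:
    """Per (host, process) model of which peers are normal and how much data is normal."""

    def __init__(self):
        self.peers = defaultdict(set)     # (host, process) -> {(dst_ip, dst_port)}
        self.volumes = defaultdict(list)  # (host, process) -> [bytes_out per flow]

    def learn(self, flows):
        for host, proc, dst, port, nbytes in flows:
            self.peers[(host, proc)].add((dst, port))
            self.volumes[(host, proc)].append(nbytes)

    def score(self, flow, z_threshold=3.0):
        """Return the ways this flow departs from the learned baseline (empty list = normal)."""
        host, proc, dst, port, nbytes = flow
        key = (host, proc)
        if key not in self.peers:
            return ["unseen-process-on-host"]
        findings = []
        if (dst, port) not in self.peers[key]:
            findings.append("new-peer")  # even a trusted process gets flagged here
        vols = self.volumes[key]
        mean = statistics.fmean(vols)
        sd = statistics.pstdev(vols)
        # z-score when the baseline has spread; fall back to a 2x rule when it does not
        spike = (nbytes - mean) / sd > z_threshold if sd > 0 else nbytes > 2 * mean
        if spike:
            findings.append("volume-spike")
        return findings


def triage(baseline, flows):
    """Return only the flows that deviate, paired with their findings, for an analyst."""
    out = []
    for flow in flows:
        findings = baseline.score(flow)
        if findings:
            out.append((flow, findings))
    return out


if __name__ == "__main__":
    model = ContextBaseline()
    model.learn(BASELINE_FLOWS)
    for flow, findings in triage(model, NEW_FLOWS):
        print(flow, findings)
```

The baseline only knows what it was taught, so the learning window must predate any suspected compromise, and "new-peer" alerts for processes with thousands of legitimate peers (a browser, for instance) need a coarser key such as destination domain or ASN rather than IP and port.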
- Management of shadow IT – “Shadow IT” refers to the IT systems, services and solutions that are provisioned and used by individuals or teams within your organization without explicit IT department approval. Because it’s not being managed by the IT department with an appropriate level of governance, Shadow IT often poses considerable cybersecurity risks.
For example, say your Marketing Department sets up an Amazon S3 bucket for sharing data with business partners. Without involving IT, they upload a large number of files to be shared with a contractor. Eventually the contractor copies some of this information for legitimate purposes but, in creating the new files, misconfigures the bucket’s permissions so that anyone on the internet can read the data. This is essentially what happened when a contractor working with the Republican National Committee left PII on roughly 198 million voters in a publicly readable S3 bucket.
While the IT department should avoid becoming the “business prevention department” and should allow as much flexibility as possible for business users, they should also provide oversight (or at a minimum, guidelines) to prevent these types of occurrences.
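The guideline IT should hand the business in the S3 case above can be enforced mechanically. The following is an added example, not code from the article: a small audit that takes a bucket's policy, its ACL grants and its Block Public Access settings (the shapes returned by the AWS `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` calls) and flags anything that makes the data public, with the weak configuration from the story beside a corrected one. The bucket name, the account ID `111122223333` and the role name are hypothetical.

```python
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def audit_bucket(policy_json, acl_grants, public_access_block):
    """Return a list of findings; an empty list means nothing here exposes the bucket."""
    findings = []
    policy = json.loads(policy_json) if policy_json else {"Statement": []}
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # A Condition (e.g. aws:SourceVpce) may narrow "*"; still needs a human to confirm.
        tag = "policy-wildcard-with-condition" if "Condition" in stmt else "policy-public"
        findings.append(f"{tag}: statement {i} allows {','.join(actions)} to everyone")
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GROUPS:
            findings.append(f"acl-public: {uri.rsplit('/', 1)[-1]} has {grant.get('Permission')}")
    missing = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not public_access_block.get(k)]
    if missing:
        findings.append("public-access-block-off: " + ",".join(missing))
    return findings


# Constructed: the marketing bucket as the contractor left it.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ShareWithPartners",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::marketing-partner-share/*",
    }],
})
WEAK_ACL = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
WEAK_BPA = {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS}

# Constructed: the same bucket shared only with a named role in the contractor's account.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ShareWithContractor",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ContractorDataExchange"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::marketing-partner-share/*",
    }],
})
FIXED_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
              "Permission": "FULL_CONTROL"}]
FIXED_BPA = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}

if __name__ == "__main__":
    print("weak :", audit_bucket(WEAK_POLICY, WEAK_ACL, WEAK_BPA))
    print("fixed:", audit_bucket(FIXED_POLICY, FIXED_ACL, FIXED_BPA))
```

Run this over every bucket in every account the business has been allowed to create, on a schedule, and the shadow-IT bucket is found before a researcher or an attacker finds it.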
- End user training – There are two main types of end user training that should be included in your cybersecurity plan. First, there’s end user training on any new processes and procedures that were created as part of putting cybersecurity in place, plus assistance with the change management aspect of this as well.
Second, there’s training to ensure your people don’t unwittingly “open the door” to a cyberattack by responding to a phishing email. Recognize that your people are probably the most vulnerable part of your cybersecurity system. Help your end users understand the stakes involved, and provide them with regular training on how to recognize the latest phishing tactics, why they shouldn’t open attachments from unknown sources, how to put mobile device security measures in place (if their devices are used to access the organization’s IT systems), and so forth.
Note that phishing prevention requires a thoughtful combination of user training as well as technical tools.
- Management of third parties – Do you provide partners or vendors with access to your network? For most organizations, whether that access is available to cloud-based solutions providers, business partners (supply chain, distribution chain, contractors, etc.) or IT suppliers, the answer is yes.
A robust cybersecurity program should include a focus on understanding and managing the risks that these third-party relationships pose. Third-party access should be governed through your identity and access management (IAM) program, and the owners of each data set should know, and actively manage, who has access to their systems.
Start by understanding who has access to what data, and what risks that access creates. Next, determine the measures you’ll use to mitigate those risks (including access controls and periodic access reviews), and then ensure those measures are applied to every third party with access to your systems.
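The periodic review called for here, and the recertification, leaver and segregation-of-duties controls listed under IAM earlier, come down to the same set of questions asked of every identity. The following is an added example, not code from the article: it runs those questions over a constructed set of identity records (employees, contractors and vendors, with their entitlements, contract end dates, last logins and MFA status) and reports what a reviewer must decide on. The entitlement names, the conflicting pairs and the 90-day staleness threshold are assumptions to be replaced with your own.

```python
from datetime import date

# Hypothetical entitlement names; pairs no single person should hold (segregation of duties).
SOD_CONFLICTS = [
    frozenset({"ap.create_vendor", "ap.approve_payment"}),
    frozenset({"hr.change_salary", "hr.approve_payroll"}),
]
PRIVILEGED = {"prod.db.admin", "iam.admin"}


def review_access(identities, today, stale_days=90):
    """Return {identity_id: [issues]} for every identity that needs a recertification decision."""
    findings = {}
    for ident in identities:
        issues = []
        ents = set(ident["entitlements"])
        active = ident["status"] == "active"
        # leaver workflow failed: the person is gone but the access remains
        if not active and ents:
            issues.append("orphaned-access")
        # third parties need an end date, and access must not outlive the contract
        if ident["type"] in ("contractor", "vendor"):
            end = ident.get("contract_end")
            if end is None:
                issues.append("no-contract-end")
            elif active and end < today:
                issues.append("contract-expired")
        # access nobody uses is access nobody needs (least privilege)
        last = ident.get("last_login")
        if active and ents and (last is None or (today - last).days > stale_days):
            issues.append("stale-access")
        for pair in SOD_CONFLICTS:
            if pair <= ents:
                issues.append("sod-conflict:" + "+".join(sorted(pair)))
        if ents & PRIVILEGED and not ident.get("mfa_enrolled", False):
            issues.append("privileged-without-mfa")
        if issues:
            findings[ident["id"]] = issues
    return findings


# Constructed identity records as an IAM system or HR feed might export them.
TODAY = date(2017, 10, 1)
IDENTITIES = [
    {"id": "alice", "type": "employee", "status": "active", "mfa_enrolled": True,
     "last_login": date(2017, 9, 28), "entitlements": ["ap.create_vendor", "ap.approve_payment"]},
    {"id": "bob", "type": "contractor", "status": "active", "mfa_enrolled": True,
     "contract_end": date(2017, 6, 30), "last_login": date(2017, 9, 29), "entitlements": ["crm.read"]},
    {"id": "carol", "type": "employee", "status": "terminated", "mfa_enrolled": True,
     "last_login": date(2017, 5, 1), "entitlements": ["erp.read"]},
    {"id": "dave", "type": "vendor", "status": "active", "mfa_enrolled": False,
     "contract_end": date(2018, 3, 31), "last_login": date(2017, 5, 20), "entitlements": ["prod.db.admin"]},
    {"id": "erin", "type": "employee", "status": "active", "mfa_enrolled": True,
     "last_login": date(2017, 9, 30), "entitlements": ["crm.read"]},
]

if __name__ == "__main__":
    for who, issues in review_access(IDENTITIES, TODAY).items():
        print(who, issues)
```

Each finding maps to an owner action: the data owner recertifies or revokes, the vendor manager extends or closes the contract, and the IAM team fixes the leaver workflow that let carol's access survive her departure.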
- System management and testing – Your plan should include continuous vulnerability management and an ongoing patch/test/patch cycle. You’ll need to stay informed: keep an eye on what’s happening in the industry, combine threat intelligence with an up-to-date monitoring system, and watch your own systems closely. If a significant new attack technique appears, test whether it can get through your own defenses.
Conclusion
If you’re finding the task of getting cybersecurity in place overwhelming, some of the various Security as a Service options may be helpful for you. Sometimes it makes more sense to have cybersecurity experts create and manage your system than to do it all yourself.
For example, cybersecurity is one of CIOPS’ areas of expertise. We can help you assess your risks and create a plan, and then manage the implementation process for you. Other firms and cloud-based systems can handle other aspects of your cybersecurity system, such as threat intelligence services. Give us a call to discuss your needs.
About Scott S. Smith
Scott is an experienced cyber security executive with more than 25 years of technology strategy, management and advisory experience. With an emphasis on driving technology success through effective business stakeholder engagement, he has strong project leadership experience on IT security strategy, governance and transformation projects.
About CIO Professional Services
Based in the San Francisco Bay area, CIO Professional Services LLC is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.