Holly Grace Williams, Managing Director, AkimboCore
Each aspect of cybersecurity is simple in isolation. Installing updates? Easy. Strong passwords? Easy! This is not the case when you’re trying to cover all risks simultaneously, with a security team that’s outnumbered by assets and significant technical debt.
Many people call passwords, patches and perimeters ‘security basics,’ but this glosses over a range of real-world technical and organizational challenges. If, instead, you think of these as ‘foundations,’ you’ll see the difficulty of building the foundations after everything else.
So if you’re looking to improve your security foundations, here are some things to consider:
Perimeters
Firewalls get a lot of attention when companies are looking to improve their security, but don’t forget that many companies have some staff working from home – so locking down your network perimeter might not be protecting all your staff. If you’re relying on a VPN to protect remote working staff, you’re potentially only protecting their network traffic and not the device itself.
Threat modeling can help here if you consider how the device might be targeted. This could be either by another device on the network being compromised by malware that spreads to the company device, or a threat actor specifically aiming to break the user’s home wireless network.
A monitorable and straightforward mechanism for reducing risk is enforcing a host-based firewall. If you’re set up so that all traffic routes over the company VPN, you’ll be protecting network traffic. Adding a host firewall, however, reduces the risk of network-based attacks too.
While you’re looking at locking down work-from-home devices: they all have full-disk encryption enabled, right?
Patches
Updates are made difficult by administrators who have previously been burned by updates breaking things. Some still hold off for weeks on updates. However, a more secure approach would be to take a risk-based approach to updates.
If you instead reduce the time-to-install for updates that fix a critical security update that is known as being exploited in the wild, you reduce your risk while balancing the likelihood of something breaking.
Passwords
Passwords suck, and users suck at choosing them.
There are options for addressing this issue, such as deploying password managers or using multi-factor authentication. Google teamed up with New York University and the University of California San Diego to look at how effectively multi-factor authentication prevented account takeover. It showed that on-device security prompts prevented 100% of automated bot attacks, 99% of bulk phishing attacks and approximately 90% of targeted attacks. Finally, security keys blocked 100% of assessed account takeover attacks.
The Take-Home Message
With staff working remotely, it’s critical to ensure that devices are encrypted in case of loss or theft. Not all software updates are the same, and updates that address critical vulnerabilities should be applied faster than others. Passwords suck, and the data shows that OTP and hardware tokens are incredibly effective,
Holly Grace’s early career was spent in the military working in roles such as site security officer. She is the founder and technical lead for Akimbo Core, leading both the development of the software platform as well as the security testing team capability.
@HollyGraceful
Brad LaPorte, Partner, High Tide Advisors
After interviewing thousands of organizations on cybersecurity preparedness over the past two decades, I have determined that over 90% of cybersecurity attacks are preventable. Cybersecurity leaders can significantly mitigate their risk exposure by following basic security fundamentals. Although it will not happen overnight, you can implement things today to build a more secure tomorrow.
First, you have to assess your current state of cyber-maturity. Next, you have to work with your key stakeholders to identify your desired state. The gap between these two then gets transformed into your action plan. From there, a project team can be assembled to execute on continuously improving your maturity.
Here is an initial list of basics to prioritize:
- Conduct an initial assessment of your critical asset inventory (if budget allows, conduct a full penetration test)
- Establish a baseline for all critical systems and utilize all existing network and cybersecurity tools to alert against anomalous activity or any departure from this baseline
- Implement an immediate plan to remediate or isolate any non-compliant or unprotected systems that do not match your ideal baseline
- Have visibility of all of your internet connectivity points and third-party connections and ensure these can be isolated/disconnected in the event of a serious incident
- Lockdown the network perimeter by using a DMZ, restricting outbound traffic and, if possible, implement a zero trust approach to external and remote access to systems and applications
- Implement network and identity segmentation to eliminate flat architectures
- Adopt the principle of least privilege and zero trust throughout all facets of your digital ecosystem
- Enforce strict access and authorization best practices – multi-factor authentication (MFA), password manager use and privilege access management (PAM) at a minimum
- Utilize vulnerability and patch management systems to remove vulnerabilities in your system
- Configure email hygiene and secure web gateways or firewalls to filter suspicious email, executable objects and URL/IP addresses. Scan all incoming emails and their attachments and apply controls to remove unsafe links and attachments
- Leverage modernized endpoint security products that can prevent, detect and respond to attacks on workstations and servers
- Legacy or vulnerable servers that cannot be hardened or patched should be removed from domains and made into stand-alone servers. They should be isolated at the network-level with the highest level of attack surface reduction possible
- Operationalize an incident response plan along with a disaster recovery and business continuity plan
- Implement threat exposure management (TEM) systems like attack surface management (ASM), continuous automated red teams (CART), automated pen testing and related security validation tools to continually assess risk exposure and make immediate countermeasures to mitigate the impact of attacks
- Maintain consistent operational readiness through continuous crisis preparation and readiness scenario exercises to assess the effectiveness of your action plan
To conclude, never stop improving. Once one phase of an action plan is achieved, reassess, reprioritize and improve. Only by using this methodology can you truly stay on top of your cybersecurity hygiene and mitigate your risk exposure from attackers.
Brad is a strategic advisor for Ordr and a former top-rated Gartner research analyst for cybersecurity. He has held senior positions in US Cyber Intelligence, Dell, IBM and several start-ups.
@LaporteBrad
Many organizations have significantly changed how their staff and third-party contractors work and interact with their infrastructure. Much of this is due to home working, stretching how users access data, the devices used and where it is stored. Now is an excellent time to look at an organization’s security posture. Here are my five top tips.
1) Run a breach detection scan on all endpoint devices attached to the network
These scans will quickly pinpoint poorly configured or out-of-date patched devices. If the device belongs to an employee, it is easier to remove it entirely and supply a new one. If it is a third-party device, it should be immediately removed and only allowed a reconnection when it passes a scan.
2) Deploy a reputable endpoint management and detection system to constantly monitor the device for unusual behavior, both from the device and the user
Check all updates have been installed, handle regular scans to detect malware and enforce device controls, such as screen lock and VPN. This monitoring will ensure a user’s device is within the organization’s security framework.
3) Use a discovery tool to seek out sensitive data, classify it and move it to a secure area
With shadow IT becoming so common, data is likely shared and stored in many areas, some within the organization’s control, but many outside, such as cloud storage sites. This increases the risk of data leakage theft and could trigger cyber blackmail.
Wrestling back the data means any duplication can be detected and data removed as part of the process. Applications, such as email, should also be searched, as they often hold many copies of the same data and are generally unsecured.
4) Use a cyber-risk tool to assess the overall security profile benchmarked against similar organizations
A security rating platform applies sophisticated algorithms taken from the network and devices to produce a daily security rating. Organizations use these to manage security performance and deploy IT resources to the most critical areas of weakness. Also, the platform is dynamic, so should something change quickly, the system can detect it and deploy resources to triage the situation.
5) Deploy an automated cyber hack simulator
With more of us working from home, it’s easy to forget about cybersecurity. Training has proved difficult, but by deploying an automated cyber hack simulator, the organization can deliver ongoing training to users, making them aware of good password policy, how to spot rogue emails and providing reminders of company policy on sharing data.
To sum up, the security of data and networks needs to be built in layers, but it is hard to buy a solution to fix the holes until you know where they are. A high-level view of what’s going on is critical to claw back the cybersecurity posture and strengthen our post-COVID-19 networks.
Colin has over 30 years of experience within the IT industry. He has established several US companies within the European market, such as Axent, Whittman, Aventail Europe, LogRythm and Vormetric.
@DPDataSecurity