By Christopher Camejo, Director of Threat and Vulnerability Analysis, NTT Com Security
Today, most companies have at least a basic awareness of the need to reduce their vulnerability to cybercrime. There is also increasing awareness of the need to be prepared for the possibility they will be the victim of an attack. These are good first steps, but there is a wide disparity of understanding about what exactly those actions and preparations should include, as well as how much emphasis and resources should be dedicated to them.
The finer details of the most effective security plan for each business vary, but we have developed 12 best practices to guide IT and security managers through the process, the first six of which we will examine in this first of a two-part series.
- Understand Your Risk
Making well-informed security decisions requires that organizations be aware of their overall risk. This can be determined through a risk assessment that weighs the potential cost of an incident against the expected likelihood or frequency with which it may occur. Using this information, an organization can more accurately determine which security controls will effectively reduce the risk of a breach and which will just waste time and money. The results of the risk assessment can also be used to increase the effectiveness of regular internal and external vulnerability scans by tying systems that are out of policy and behind on patches to the organization’s overall risk on an ongoing basis. Budgetary concerns also require the continued engagement of management and board members in the risk assessment process. Rather than re-inventing the wheel, organizations should use established risk assessment frameworks such as NIST SP 800-30 or ISO 27005.
- Secure Configuration
Hackers are relentless in their attempts to breach networks, conducting almost constant campaigns to identify and exploit vulnerabilities in order to gain an initial foothold in systems or networks. Many companies focus on configuring and patching only when systems are deployed, or only on critical and public-facing servers, leaving hackers’ favored targets untouched: end-user and third-party applications that are patched less frequently or configured in a way that makes them vulnerable. Implementing an active, aggressive patch and configuration management program across all systems on the network can greatly reduce the risk of these common vulnerabilities being exploited to provide a foothold for an attacker.
- Home And Mobile Working
While data and access rights are distributed across users in today’s mobile workforce, these remote environments are poorly suited for centralized enforcement of consistent information security controls. Users are likely connected to a home or other network, which is typically less secure than the corporate network and may be subject to eavesdropping or other interference. The growing movement of connecting more and more embedded devices — each with its own vulnerabilities — to a network increases the potential entry points for hackers to access other systems. Companies must set and enforce strong policies for data access and apply all possible security measures to mobile networked devices — including user-owned devices — to shield them from attack.
- Education And Training
Even the most robust information security plan can easily be nullified if end users are not aware of, or don’t understand, your company’s security standards. A single user who installs unapproved software on a computer or networked device can open the door for hackers, and phishing is a common technique for gaining access to otherwise well-protected networks. Therefore, organizations must inform their users of security standards and make it clear that violations could result in disciplinary action. Education and training must also cover incident management policies and procedures so that users and administrators alike know how to react when they are confronted with a potential security issue. Awareness of the risks of violating information security standards makes users active participants in the process and increases compliance.
- Monitoring
Patience is a common virtue among hackers, who often conduct long-term campaigns to avoid detection while gradually expanding their initial access to increase their control of the victim’s environment — this makes early detection and immediate action essential. Some breaches have actually been in progress for months before being discovered, long after the initial access and after data had already been compromised and even lost. Effective monitoring depends on system logs and alerts and ongoing network behavioral analysis to detect anomalies. For example, any network activity that typically only occurs during business hours but suddenly appears during off-hours should raise a red flag.
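The off-hours check described above, as an added example that is not part of the original article: from a set of constructed baseline log lines it learns the hours of day in which each host/event pair normally appears, then flags later events that fall outside that window. The log format and all hosts, users and timestamps are invented for the example.

```python
from datetime import datetime

# Constructed sample log lines, "<ISO timestamp> <host> <event> <user>".
# BASELINE_LOGS stands in for a period of known-normal activity; NEW_LOGS for the
# events being checked against it.
BASELINE_LOGS = """\
2015-03-02T09:12:00 fileserver01 smb_login alice
2015-03-02T14:30:00 fileserver01 smb_login bob
2015-03-03T10:05:00 fileserver01 smb_login alice
2015-03-03T16:45:00 fileserver01 smb_login carol
2015-03-02T02:00:00 backup01 backup_job svc_backup
2015-03-03T02:00:00 backup01 backup_job svc_backup
"""
NEW_LOGS = """\
2015-03-04T11:00:00 fileserver01 smb_login alice
2015-03-04T23:40:00 fileserver01 smb_login alice
2015-03-05T02:00:00 backup01 backup_job svc_backup
2015-03-05T03:15:00 fileserver01 smb_login bob
"""

def parse(text):
    """Turn log text into (timestamp, host, event, user) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, event, user = line.split()
        events.append((datetime.fromisoformat(ts), host, event, user))
    return events

def learn_active_window(events):
    """Per (host, event), the earliest and latest hour of day seen in the baseline."""
    window = {}
    for ts, host, event, _ in events:
        lo, hi = window.get((host, event), (ts.hour, ts.hour))
        window[(host, event)] = (min(lo, ts.hour), max(hi, ts.hour))
    return window

def find_off_hours_anomalies(window, events):
    """Flag events that fall outside the hours their host/event pair was ever seen in."""
    alerts = []
    for ts, host, event, user in events:
        key = (host, event)
        if key not in window:
            continue  # never seen in the baseline at all: a job for a separate "new activity" check
        lo, hi = window[key]
        if not lo <= ts.hour <= hi:
            alerts.append((ts.isoformat(), host, event, user, f"baseline hours {lo:02d}-{hi:02d}"))
    return alerts

if __name__ == "__main__":
    baseline = learn_active_window(parse(BASELINE_LOGS))
    for alert in find_off_hours_anomalies(baseline, parse(NEW_LOGS)):
        print("ALERT", *alert)
```

On this data the two late-night fileserver logins are flagged while the 02:00 backup job, which the baseline shows is normal for that host, is not.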
- Incident Management
In reality, companies’ awareness of risk doesn’t always translate into effective information security policies, particularly for incident response. Multiple surveys have found that many organizations have no formal or functional plan for responding to incidents. This lack of an actionable plan only serves to extend the duration of, and the losses associated with, an attack. This underscores the vital importance of preparing and implementing a plan that covers the points most commonly raised in post-incident evaluations: how effective the alerts were at indicating an actual breach, who should respond and what their priorities should be, and what communication with third-party vendors and service providers is necessary. Routine testing of incident response plans is essential for measuring their effectiveness and ensuring employees are aware of and follow the proper protocols.
Companies that implement these six best practices will significantly reduce their vulnerability to hackers and improve their ability to limit damages when a hacker is successful. In the next installment, we will discuss an additional six practices that will further boost information security and offer the highest level of protection from data breaches.