by Mike Davis, alliantgroup Chief Information Security Officer
October 19, 2018 | published in SIIA
Any cyber risk posture really does depend on your environment and business. The way to minimize the fog of cyber security complexity is to quantify it for your company, ideally based on risk value. We all know that cyber risk is in the “eyes of the beholder” (CISO versus C-Suite versus Board) and finding a common vernacular therein – like risk.
Short answer; use a Risk Based Security Strategy (RBSS). One that focuses on cyber hygiene, access management, encryption and monitoring (along with an effective third party/vendor risk management effort). Risk is a combination of threat, vulnerability, likelihood and impact/consequences along with asset values. Next, we provide the rationale and ‘cyber story’ that goes with that RBSS assertion.
Cyber security is a wide capability area with complex technical and business interactions, and must work in conjunction with a variety of other security measures: Physical Security, Personnel Security, Contingency Planning & Disaster Recovery, Operational Security and Privacy
Typically, the highest impact from inadequate cyber security is a data breach; whereas most realize those damages can be extensive and expensive both in reputation and actual costs incurred (e.g. $3.8 million average company – Ponemon).
A well-known framework for improving cyber security is the National Institute of Standards and Technology (NIST)Framework for Improving Critical Infrastructure Cybersecurity which has five phases: Identify, Protect, Detect, Respond and Recover. NIST has a small business (SMB) version of this framework and processes therein called NIST-IR 7621 Rev1.This publication is a highly recommended authoritative source to use as your framework (in fact it’s the basis of a new SMB law the President recently signed).
What are the key threats (and associated vulnerabilities) to worry about?
We used a ‘best of breed’ sampling approach from the many sources that report threats and we distilled those results into the following risk areas to include in your RBSS:
- Phishing – Around 95% of all security incidents start here (someone will always ‘click!”)
- Ransomware / morphing malware / crypto-mining – it’s easy and profitable
- Poor cyber hygiene – known vulnerabilities not patched (98% of exploits use these)
- Ineffective access controls – as identity is the new perimeter (e.g., we need MFA everywhere!)
- Hostile intruders – hackers, insider threats, careless users, any malicious user
- Crime as a service (as now anyone can be a hacker, just pay the criminals)
- “IoT” – Internet of Things (the many atypical computing devices connected to your network)
- Third party / vendor access and risks – this is a major threat all by itself (1/2 of all breaches)
- Regulation / compliance (e.g., in EU GDPR, SOX, PCI DSS, etc.) – fines, loss of competitiveness
How can anyone can mitigate the vast majority of these threats and vulnerabilities?
There are a number of common mitigations and protection measures that can help minimize the data breach risk, mapped to the highest threat levels and prioritized within your RBSS:
Anti-Phishing – Next generation anti-virus (NGAV); end-to-end email security, URL / IP filtering (e.g., known infected sites), and cyber security training (e.g., most security incidents start with phishing).
Ransomware – Secure backup, phishing training, cyber hygiene, whitelisting (IPs & APPs), effective access controls (lock down local admin, control admin accounts), and email security.
Cyber hygiene – Identify and manage all devices, proactive vulnerability management (patching and settings), focused effort on the CIS CSC top six controls – the cyber security basics!
Identity and Access Management (IAM) – focused on PAM, MFA, and of course passwords (as they are not dead yet). Implement an IAM quality program (especially for service accounts, etc.).
Data protection – enterprise and targeted encryption, data leak/loss protection (DLP) and IAM.
Compliance – Collate the regulations you are under (e.g., SOX, PCI DSS, GDPR, etc.) and develop a compliance requirement list that you map to your RBSS and implement a cyber audit process.
What should you undertake to get to the state where you are comfortable that you have done all that matters to be adequately protected and be able to prove a due diligence level security posture?
Your RBSS should be based around assuming the hackers are inside and you’ve likely already been breached. This means you must have a well-practiced incident response plan to minimize damage and strictly control internal and external communications. The six activities needed in what really matters are:
- Cyber Education and Awareness Training Program – educate users, periodic training courses, email notes on security topics, posters, frequent phishing exercises, etc.
- Tightly manage access controls – use multi-factor authentication (MFA) everywhere, strictly control privileged account management (PAM), monitor access changes (active directory, etc.)
- Excel at cyber hygiene – go beyond just patching (yet that must be a top priority!), assess your status in the CIS item 1 – 6 (Note – now called the Risk Assessment Method for Implementation Class 1), then fix the gaps
- Data protection approach – endeavor to encrypt everywhere (it’s easiest in the long run), control data and classify it, use a tailored IAM… Combine with privacy elements as you can. Get Cyber insurance.
- Third Party / vendor risk management – go beyond the paper drill (NDAs, Ts&Cs, SLAs, etc.) actually have a risk assessment – start with a detailed questionnaire at least, then what certs do they have?
- Partner with a managed detection and response (MDR) provider – 24/7 coverage, gain extensive threat intel reach back, enhance your threat hunting, reduce the alert fatigue of the security folks.
Your goal should be to effectively minimize the company risk posture, based on enabling the business success factors. Using a RBSS accounting for the above recommendations with prioritized projects and processes will go a long way towards being secure enough and being able to demonstrate a due diligence security postureenvironment. Then distil your key RBSS efforts into C-Suite / Board risk vernacular and gain their confidence (and resources!).
About the Author
As Chief Information Security Officer (CISO) for alliantgroup, Mike Davis operationalizes Data Security, Privacy, & Risk Management while advising leadership on protecting critical information resources and managing an enterprise cyber security portfolio. As CISO, his mission includes executing a risk based security strategy that supports enabling the company’s success objectives by securing and protecting both sensitive company and client information.