News of brazen hacking attacks has become commonplace in today’s business environment. As business leaders, how can we understand the cause of these attacks, and how can we protect our company’s most valuable assets? This blog post breaks down the concept of Cybersecurity (also referred to as Information Security) as an introduction for professionals new to this discipline.
Cybersecurity is the protection of all of a company’s IT systems and data. This includes every single nook and cranny of your IT ecosystem, no matter how small or innocuous. If protecting all aspects of our professional IT lives doesn’t sound daunting, it should. The available avenues of attack are nearly endless, and hackers are becoming increasingly creative. Attacks can range from a hacker manipulating your company’s website into revealing internal data, to hijacking a customer’s PC when they visit your site, to using an employee’s personal cellphone to gain back-door access to your company. Other well-known attacks include email phishing, web-based viruses, and Distributed Denial-of-Service (DDoS) attacks, where hackers crash your systems through an intentional overload of traffic. With hundreds to thousands of pieces in your IT environment, it’s little wonder that the conventional wisdom is that it’s all but impossible to fully protect yourself.
The good news is that industry experts have been working together for years to share and formalize best practices for managing cybersecurity; one example is (ISC)2’s CISSP foundational security certification. These frameworks can be used to understand the current state, define the target state, prioritize activities, and communicate the overall approach to stakeholders. Common domain areas covered by these industry frameworks include:
- Security and Risk Management – Ensures the overall structure of your security approach aligns with your business drivers. A key step is thoughtfully assessing risks, impacts, and the costs to mitigate them. Some examples of these models are:
  - Attack Tree analysis, which starts with a hacking objective from which you create branches made up of possible attacks and their corresponding defenses.
  - State analysis, which identifies the possible states of an asset and the vulnerabilities that enable changes between those states.
  - Attack “Surface” analysis, which lets you classify risks based on the size (surface) of the attack area and the depth of defense.

Costs can include not just lost business but also reputational, regulatory, and legal costs, and the cost of recovery, such as reinforcing your security and rebuilding your systems. When assessing costs and benefits you can apply formulas such as: the risk exposure before the control, minus the risk exposure after the control, divided by the cost of the control. Knowing that perfect security is impossible, a great starting point is to set an initial goal to deter.
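As an added example (not from the original post), here is how the attack-tree model and the cost/benefit ratio above can be combined to rank candidate controls; the tree, its probabilities, the breach impact figures and the control costs are all constructed assumptions, and the defenses are the ones this post mentions:

```python
# Added example (not from the post): attack tree with a defense per branch, scored with the post's
# ratio (exposure before control - exposure after control) / cost of control. All figures are constructed.
import math
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "or" (any branch succeeds) or "and" (all branches needed)
    p: float = 0.0              # leaf: estimated yearly probability that this attack step succeeds
    defense: str = ""           # leaf: the control that mitigates this step
    p_defended: float = 0.0     # leaf: probability once that control is deployed
    children: list = field(default_factory=list)

def success_probability(node, deployed):
    """Probability the attacker reaches `node`, given the set of deployed controls."""
    if node.kind == "leaf":
        return node.p_defended if node.defense in deployed else node.p
    probs = [success_probability(c, deployed) for c in node.children]
    if node.kind == "and":                      # every step must succeed
        return math.prod(probs)
    return 1.0 - math.prod(1.0 - q for q in probs)  # "or": any independent branch is enough

def exposure(tree, deployed, impact):
    """Risk exposure = probability the objective is reached x total impact of a breach."""
    return success_probability(tree, deployed) * impact

def rank_controls(tree, impact, control_costs, deployed=frozenset()):
    """Score each undeployed control with the post's ratio; returns (control, score), best first."""
    before = exposure(tree, deployed, impact)
    scored = []
    for control, cost in control_costs.items():
        if control not in deployed:
            after = exposure(tree, deployed | {control}, impact)
            scored.append((control, (before - after) / cost))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed tree: hacking objective at the root, attack branches below, defenses from the post.
TREE = Node("steal customer data", "or", children=[
    Node("phished employee credentials", p=0.30, defense="multifactor authentication", p_defended=0.05),
    Node("command injection via website", p=0.20, defense="input filtering", p_defended=0.02),
    Node("abuse of remote access", "and", children=[
        Node("guessed remote password", p=0.25, defense="password complexity", p_defended=0.10),
        Node("unneeded entry point left open", p=0.40, defense="disable unused services", p_defended=0.05),
    ]),
])
# Constructed impact of a breach: lost business + reputational + regulatory/legal + recovery.
IMPACT = 200_000 + 150_000 + 100_000 + 50_000
COSTS = {"multifactor authentication": 40_000, "input filtering": 25_000,
         "password complexity": 5_000, "disable unused services": 2_000}
```

Note that the cheap controls on the AND branch score highest here because they cut an already-low joint probability; the ranking changes as controls are deployed, so re-run it after each decision.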
- Identity and Access Management – Ensures users are correctly identified and authenticated before they access your company’s resources. Key steps involve careful consideration of access control policies. These include sound security principles, such as role-based permissions and minimum privilege by default. You can increase your assurance level of knowing “who’s who” by increasing password complexity and adding “multifactor authentication”. Multifactor authentication checks not only something the user knows, but also something the user has (like a token) or something the user is. Security is about systems, processes, and people.

It’s important to understand there is always a social balance for each new policy implemented. For example, as password complexity increases, usability suffers. To increase acceptance and adoption, supplement technical controls with social measures, such as educating users about attacks.
- Communications and Network Security – Ensures the network transmitting information is monitored and secure, including not just the points where your company connects to the outside world but also how users connect remotely. Examples of protection include:
  - Turning off entry points that are not needed (such as iTunes Music Sharing).
  - Configuring your network not to respond to general requests for identifying information that would help hackers.
  - Setting up multiple layers of “firewalls” to monitor and prevent unauthorized access.
- Software Development Security – Ensures that the development of internal systems and databases includes sound design principles and addresses known security vulnerabilities. Strong design includes principles such as:
  - Least privilege
  - Simple and open design
  - Complete mediation
  - Fail-safe defaults
  - Ease of use

  Examples of defensive development:
  - Putting filters in place to prevent hackers from “injecting” commands into your company website
  - Encrypting data
  - Using up-to-date components when creating applications.
- Security Assessment and Testing – Ensures that your initial security measures are continuously validated and secure against possible attacks. Once your company’s defenses are in place, continued vigilance is needed. As you address each weakness and vulnerability, a new exploit will likely be found by creative hackers. As such, monitoring for attempted and successful attacks is critical.
- Security Operations – Ensures that the day-to-day tasks of implementing the security approach are performed. This can include asset management, logging, monitoring, incident management, patching, and related operations tasks. While an average company protects, an excellent company plans to contain, address, respond to, and recover from successful attacks.
Within each domain of the cybersecurity frameworks, there are several vendor-based and homegrown solutions available to close vulnerabilities. However, prior to investing in any given solution, business leaders would be smart to first complete a holistic review of their cybersecurity environment to prioritize vulnerabilities. By first assessing your risks and internal capabilities, you can select the vendor products and services that complement your company’s resources and needs. SEI recently embarked on this journey with one of our clients after a security assessment was performed. Several products were selected and implemented after careful consideration.
To paraphrase FBI Director Robert Mueller, there are two kinds of companies – those that have been hacked and know it, and those that have been hacked and don’t know it. Information Security is broad and deep, and this article only touches on a few of the basic topics within it. In today’s hostile environment there is no excuse for not having implemented a well-thought-through security approach that addresses your company’s needs.