In a time of changing and ever-present cyber-attacks, it’s crucial for every business to know where its risks lie. If you’re an IT security professional, you need to understand your potential cyber enemy and the current threat landscape so you can anticipate risk, determine your likelihood of being hacked, and the resulting impact when (not if) it happens.
Here is a step-by-step approach to upping your cyber security game:
Align your budget to your threat landscape
As much as 90 percent of today’s IT security budgets are still spent on everything but protecting applications and user identities, yet these are today’s primary targets of attack. Security breaches will continue to rise in size and severity until enterprises realise they’re spending the bulk of their security dollars in the wrong place.
Don’t overlook cyber insurance as part of your security budget. A dip in consumer confidence might not ruin your business after getting hacked, but data breach costs will.
Security is everyone’s responsibility, and awareness training makes everyone more alert. Aggressively train your users to recognise and curtail spear phishing attempts. Help them understand the importance of proper password management (and the risk of not doing so), and provide tools like Password Safes. For developers, train them in secure coding. Your best bet in combatting web application attacks is to not code vulnerabilities to begin with.
Properly control access
Start by managing your volume of user identities. Enable single sign-on to reduce the number of passwords that are stored insecurely or repeated across multiple critical systems. It’s also important to implement multifactor authentication (MFA) for accessing your network and applications, because identities get compromised. One or more of your users will get phished, and without MFA, your network, applications, and data will be breached.
Don’t use weak or default username and password combinations (admin: password) and prevent brute force exploits by implementing account lockouts after six failed login attempts. Hashed passwords provide virtually no protection at all. Implement stronger encryption methods on password databases, at a minimum of a hash plus salt. Lastly remember that access is a privilege. Stringently manage what your user identities are authorised to access so that when an identity is compromised, a threat actor doesn’t have unlimited access within the network.
Manage your vulnerabilities
Start by knowing what they are. Have a scanning solution for every network, system, and software type; don’t limit yourself to externally facing IPs. Scan inside your network, and do black box and static code analysis of your apps. Layer your tools, because no single tool finds everything. If there’s a specific scanning tool for a specific piece of software, chances are there’s a reason. Run it. Scan, test, and scan again. Vulnerabilities are never a point-in-time occurrence; you must have a continual testing process aligned to your development cycles and patch releases of your vendors. Nine different tools that produce nine different reports becomes hard to manage at volume. Don’t expect system owners to manage them. Implement a consolidated reporting platform that tracks all vulnerabilities by system and can produce valuable improvement metrics over time (hackers typically leverage several vulnerabilities per exploit, so it’s important to see them all as a whole).
Prioritise web application vulnerability management. Get intimately familiar with the OWASP Top 10, which describes today’s most critical web application security risks and provides guidance on how to mitigate specific types of attacks. Automate web application vulnerability management. No matter how good you think you are at vulnerability management, there’s always time between detection and mitigation in which a web app firewall (WAF) can patch a vulnerability automatically.
Patch everything – desktops, laptops, servers, – monthly, especially if you are running Windows and don’t allow end-of-life software or hardware in your network.
Lastly, force updates to Adobe Flash, Oracles Java, and don’t allow old versions of internet browsers to run on company computer assets.
Ensure you have visibility
Intrusion detection/prevention systems (IDS/IPS), Security Information Event Managers (SIEM), data loss prevention (DLP) systems, and others need to be properly architected, implemented, and continually managed. These systems need to have access to all parts of your network, systems, data, and data centres, encrypted and non-encrypted traffic, both east–west and north–south. Your management needs to be aware of any gaps. Don’t get caught missing a network segment, system, or log type, or missing alerts because the system wasn’t tuned.
Pay special attention to visibility within new virtualisation software as some solutions don’t provide for east–west visibility within a hypervisor.
Hire a hacker
If you have an application that could cause significant harm to your business if it were compromised, it’s worth hiring an engineer to try to hack it. If that’s not feasible, offer up a public bounty programme and let the white hats do it for you.
Security as a service is a great option when it comes to effectively managing high risk controls that require 24×7 rapid response by highly skilled engineers.
Test the effectiveness of your controls and control operators. Your SOX and PCI auditors are already doing this because many companies are getting hacked while seemingly compliant, and it’s undermining the integrity of the control frameworks. Poorly designed controls or inadequate operators are often the culprit rather than the framework itself.
If you don’t deal with incident response regularly, get help in the event of a breach.
Have a DDoS Strategy
The DDoS attack landscape has shifted rapidly from complex, expensive attacks launched only at high-value targets, to cheap-to-rent bots with plug-and-play attacks, to the new reality of IoT botnets that are easy to make and capable of launching terabyte-per-second attacks. If you don’t already have a plan in place for a DDoS attack, do it quickly.
Communicate with your stakeholders
Prep your board of directors, audit committee, and senior management with the likelihood and potential impact of an exploit. The worst thing you can do is surprise them with a breach they never knew was possible.
Ensuring that you have these measures in place is a great way to enhance your cyber security game plan.
By Martin Walshaw