The popular image of cybersecurity is one of mysterious hackers in jeans and hoodies, sitting in a dark room, battling one another in cyberspace. That image is not entirely wrong, but cybersecurity does not have to be dark, veiled, and incomprehensible. And it really isn’t.
Cybersecurity is a business process, not just a technology one.
It is a business process for keeping your assets secure from threats. It is a cost vs. benefit decision about how to optimize – not maximize – security. Large organizations can often afford to throw money at their IT infrastructure just to be secure and to comply with laws and regulations. Many smaller organizations don’t have that capital. It is therefore important to stay true to what cybersecurity is: a management process to identify your assets, figure out how to protect them, and, in case of a breach, detect it, respond to it, and recover in a timely manner.
It’s impossible to protect an organization from every threat out there. As an analogy, all the preventative care, vitamins, supplements, and exercise in the world do not guarantee that you will be disease-free. But that discipline will certainly make you healthier. So, in the context of cybersecurity, the question is: how do you know that you’re healthy? How do you know that you’re doing a reasonably good job of protecting your data? And if you do get breached, how do you know that your organization has documented rules, processes, roles, and responsibilities for responding?
Identifying Important Assets
The first step on this journey is to identify the assets that matter most to the organization. These assets should be identified (through a security risk assessment), then prioritized, classified, and inventoried based on their value to the organization. Most assets come in the form of data, devices, applications, systems, the network, or communication channels (i.e., data integrations). But the most important asset of all is people. On one hand, a breach could expose very sensitive information about the people in your organization. On the other, malware now exists that is designed to cause physical harm. As an example, a piece of code called Triton was discovered at a petrochemical plant in Saudi Arabia in 2017. It targeted the plant’s safety instrumented systems, the equipment whose job is to shut a process down before it becomes dangerous. Had it worked as intended, the result could have been an explosion or a release of toxic gas.
Next, once the most critical assets are identified, the organization needs to figure out how to protect them. The first layer is physical security. Nobody should be able to walk into your office, make copies of social security numbers, and casually walk out the door (this happens more often than you would imagine). Then come the technical controls, and this is where I lose a lot of my audience. To summarize, a sound technical program will involve some or all of the following:
- Anti-malware/anti-virus: These tools continuously scan files, email, and running programs for known malicious code that could get an organization breached. (Finding known vulnerabilities, such as missing patches, is the job of a vulnerability scanner, discussed below.)
- Firewalls: A system to prevent unauthorized access from the outside. For example, access to an organization’s intranet site may be blocked from the outside.
- Intrusion Detection Systems: A system to analyze communication to find dangerous content.
- Intrusion Prevention Systems: Once dangerous content is identified, this system automatically blocks it before it reaches its target inside the organization.
- Data Loss Prevention: This is a strategy and collection of systems to prevent information from being sent outside of an organization. After all, no matter how sophisticated and impactful the breach is, if the attacker can’t leave with the information they stole, then their ability to cause true damage may be limited.
- Encryption at-rest: Sensitive data that resides in a database, a file, or even on a USB drive should be encrypted. For example, employee social security numbers should be stored encrypted so that someone who steals a laptop, a backup tape, or a copy of the database file cannot read them. Encryption does not replace access control: the HR/Payroll staff and applications that legitimately need the numbers are the only ones that should hold the keys to decrypt them.
- Encryption in-transit: Sensitive data that is being transmitted should also be encrypted. As an example, when you log into your bank account, sensitive data (e.g., your password) travels over the internet. That connection should be encrypted, which on the web means HTTPS (TLS) rather than plain HTTP.
- Identity and access controls: This is the discipline of preventing inappropriate access. For example, to ensure that only authorized users reach mission-critical systems, access may be granted only through a combination of user ID, password, and a second factor such as a one-time code or hardware token.
The definitions above are simplified, and there are many other technical processes and controls, such as network segmentation, virtualization, and containerization. The focus of this article isn’t to walk through those controls. The point is to raise awareness that what actually secures assets is the documented process around the tools. A firewall and an intrusion detection system produce very useful information, but if nobody monitors it, what’s the use? And even if it is monitored, what is the escalation path? Are roles and responsibilities documented for working through these logs? And if the logs reveal a weakness in the environment, who is responsible for fixing it? These processes are often the weakest link in an organization’s cybersecurity posture.
The examples above also apply to the next steps in any good cybersecurity process, which are the processes to detect, respond, and recover. The problem is that when organizations get breached, they often don’t know it. This applies not only to small organizations but also to the big enterprise breaches we see on the news. Most systems and tools, such as firewalls and intrusion detection systems, produce some form of log. Those logs should be monitored by the internal IT department or an outsourced managed service provider. There are many systems and tools in the marketplace designed to raise the right level of alert based on threat intelligence, and some intelligence feeds are even free. The key takeaway is that detecting a breach is critical, because a breach that is never detected never gets fixed. Once it is detected and its cause understood, fixing it may be as simple as deleting a file or restoring a system from a clean backup.
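To make the “logs that nobody looks at” point concrete, here is an added example (not code from the original article or from Clark Nuber) of the minimum a monitoring process does with firewall logs: it parses the lines, matches destination addresses against a threat-intelligence list, and flags one internal host repeatedly being denied to the same outside port. Both the log lines and the indicator list are constructed for the example; the log format and the threshold of five denies are assumptions, not a real product’s format or tuning.

```python
import re
from collections import Counter

# Constructed sample firewall log lines (syslog-like; not from any real device).
# Note that the first line is an ALLOWED connection to a known-bad address:
# the firewall did its job by its own rules and still let the traffic through.
SAMPLE_LOGS = """\
2019-03-04T10:01:12 fw1 ALLOW TCP 10.0.1.15:52311 -> 203.0.113.45:443
2019-03-04T10:01:13 fw1 ALLOW TCP 10.0.1.15:52312 -> 198.51.100.7:443
2019-03-04T10:01:20 fw1 DENY TCP 10.0.1.22:49152 -> 192.0.2.10:4444
2019-03-04T10:01:21 fw1 DENY TCP 10.0.1.22:49153 -> 192.0.2.10:4444
2019-03-04T10:01:22 fw1 DENY TCP 10.0.1.22:49154 -> 192.0.2.10:4444
2019-03-04T10:01:23 fw1 DENY TCP 10.0.1.22:49155 -> 192.0.2.10:4444
2019-03-04T10:01:24 fw1 DENY TCP 10.0.1.22:49156 -> 192.0.2.10:4444
2019-03-04T10:02:05 fw1 ALLOW TCP 10.0.1.30:51000 -> 198.51.100.7:443
"""

# Constructed threat-intelligence feed: addresses flagged as attacker
# infrastructure. Real feeds are much larger and change daily.
INDICATORS = {"203.0.113.45", "192.0.2.10"}

# Assumed log layout: timestamp host ACTION proto src:port -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log_text):
    """Turn raw log text into a list of dicts; lines that don't parse are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def match_indicators(events, indicators):
    """Every connection, allowed or denied, whose destination is on the feed."""
    return [e for e in events if e["dst"] in indicators]


def repeated_denies(events, threshold=5):
    """Internal hosts denied to the same destination and port at least
    `threshold` times: a pattern that deserves a human look even when no
    indicator matches (a misconfigured app, or malware trying to call home)."""
    counts = Counter(
        (e["src"], e["dst"], e["dport"]) for e in events if e["action"] == "DENY"
    )
    return {key: n for key, n in counts.items() if n >= threshold}


def triage(log_text, indicators, threshold=5):
    """Produce the alert list a person on the escalation path would receive."""
    events = parse(log_text)
    alerts = []
    for e in match_indicators(events, indicators):
        alerts.append(
            f"IOC {e['action']} {e['src']} -> {e['dst']}:{e['dport']} at {e['ts']}"
        )
    for (src, dst, dport), n in repeated_denies(events, threshold).items():
        alerts.append(f"REPEATED DENY {src} -> {dst}:{dport} x{n}")
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS, INDICATORS):
        print(alert)
```

The allowed connection on the first line is the one that matters most: without the intelligence match it would sit unnoticed in the log forever, which is exactly the situation described above. The script only produces alerts; who receives them, how fast they must act, and who fixes the root cause are the documented process questions the tool cannot answer.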
Next Steps for Securing Your Organization
There are many reasons an organization decides to secure itself. The most common driver is a compliance regulation, but the right thing to do is to run a healthy, disciplined cybersecurity management program regardless. When implementing a new IT system, for example, it is always cheaper and more effective to embed “security by design” early in the project than to bolt security on after the system is built. And when it comes to security requirements, there are many leading frameworks and standards that not only address compliance requirements but also help implement good security controls and processes.
For smaller organizations that are interested in doing the right thing (outside of any compliance requirement), I recommend, at a minimum, an annual penetration test and a quarterly vulnerability scan. A vulnerability scan is automated and tells you what your known weaknesses are and where they sit (unpatched software, weak configurations, exposed services). A penetration test goes further: a tester actually attempts to exploit those weaknesses and shows you the path an attacker would take to reach your assets. Knowing what those weaknesses are and how your assets can be exploited may well be the first step in your journey to a disciplined cybersecurity program: identifying your most critical assets.
For assistance with developing and enhancing your cybersecurity measures, contact Clark Nuber.
© Clark Nuber PS, 2019. All Rights Reserved