As I’ve said already cyber hygiene must have primacy in any programme. Without good cyber hygiene you are always going to have unstable foundations. We can argue all we like about perimeters et al, but the simple premise is that good hygiene will always serve you well and allow you to build a strong capability on top of it.
There are some very good resources out there to help you understand what good cyber hygiene is, for example the 20 critical cyber security controls or the 10 steps to cyber security. These are really valuable in building that sound foundation of good cyber hygiene. There is a lot of information in there and in general it is broken down well into understandable chunks, rather than being wholly theoretical and no use to man or boy.
Read through them and build an understanding of what is required in each aspect and how they couple together. You can summarise a lot of the hygiene elements into some simple concepts:
- Inventory of authorised and unauthorised devices;
- Inventory of authorised and unauthorised software;
- Develop and manage secure configurations for all devices;
- Conduct continuous (automated) vulnerability assessment and remediation;
- Understand what assets and systems have the highest value to the profitability of your business;
- Actively manage and control the use of administrative privileges; and
- Develop an ongoing programme of user awareness.
When you break it down you see it’s about knowing what is connected to and running on your network; what state it is in; how controlled it is; what privileges are in use, both user and software; what vulnerabilities or weaknesses you have, and acting upon these to close them down; and of course having a clued-up workforce, as none of the above can control the users themselves.
Coupled together you should hopefully see how this gives you a solid foundation to work from: a thorough understanding of your estate, its general health, its protection and your users. Knowing what, or who, is connecting to what, when, from where and for what purpose is extremely valuable in determining when something may be going awry. It means keeping your core critical systems and assets secure in terms of how they are accessed (multi-factor authentication for example), used and audited, and knowing who has access to what and why, and that that access is appropriate to their business need.
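As an added illustration of the first four hygiene items above (device inventory, software inventory, secure configuration and vulnerability remediation), this is example code written for this page, not anything from the resources it cites; every hostname, package, version and baseline setting is constructed, and the "scan" is a hand-built list standing in for real discovery output.

```python
"""Reconcile an authorised inventory against what was observed on the network.
All devices, packages, versions and baseline settings below are constructed."""
from dataclasses import dataclass, field

# Authorised device inventory (hypothetical): hostname -> owner
AUTHORISED_DEVICES = {"ws-001": "alice", "ws-002": "bob", "srv-db-01": "dba-team"}
# Authorised software and the minimum patched version the build standard requires
AUTHORISED_SOFTWARE = {"browser": (102, 0), "office": (16, 3), "vpn-client": (4, 1)}
# Secure-configuration baseline every device must meet
BASELINE_CONFIG = {"disk_encrypted": True, "firewall_on": True, "autorun_disabled": True}

@dataclass
class Observed:
    host: str
    software: dict   # package -> (major, minor) version seen on the device
    config: dict     # setting -> value seen on the device

@dataclass
class Findings:
    unauthorised_devices: list = field(default_factory=list)   # hostnames not in inventory
    unauthorised_software: list = field(default_factory=list)  # (host, package)
    outdated_software: list = field(default_factory=list)      # (host, package, seen, required)
    config_drift: list = field(default_factory=list)           # (host, setting, seen, required)

def reconcile(observed):
    """Compare each observed device against the three authorised baselines."""
    f = Findings()
    for dev in observed:
        if dev.host not in AUTHORISED_DEVICES:
            f.unauthorised_devices.append(dev.host)
        for pkg, ver in dev.software.items():
            required = AUTHORISED_SOFTWARE.get(pkg)
            if required is None:
                f.unauthorised_software.append((dev.host, pkg))
            elif ver < required:            # tuple comparison: (101, 4) < (102, 0)
                f.outdated_software.append((dev.host, pkg, ver, required))
        for setting, required in BASELINE_CONFIG.items():
            seen = dev.config.get(setting)  # None when the setting was never reported
            if seen != required:
                f.config_drift.append((dev.host, setting, seen, required))
    return f

# Constructed observations standing in for a discovery scan
SCAN = [
    Observed("ws-001", {"browser": (102, 0), "office": (16, 3)},
             {"disk_encrypted": True, "firewall_on": True, "autorun_disabled": True}),
    Observed("ws-002", {"browser": (101, 4), "torrent-client": (1, 0)},
             {"disk_encrypted": True, "firewall_on": False, "autorun_disabled": True}),
    Observed("unknown-laptop", {"browser": (102, 0)},
             {"disk_encrypted": False, "firewall_on": True}),
]

if __name__ == "__main__":
    for name, items in vars(reconcile(SCAN)).items():
        print(name, items)
```

A missing setting is treated as drift rather than ignored, since a device that never reports a control is as much a gap in visibility as one that reports it off.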
So let’s break it down a little further and explain a little more about what is meant in each of these themes.
To start, a little reminder that as with all aspects of InfoSec it’s all about risk; when I say risk I mean true risk not perceived risk. It is a framework for determining the actual risk to the organisation, continual measurement thereof and informing key stakeholders in order to facilitate pragmatic, risk aware, decisions. Without truly understanding your risks you can never really establish a coherent risk appetite. How can you decide how much risk you as an organisation are willing to tolerate if you don’t actually know what your current risks are? Without an understanding of your risks you are simply putting a finger in the air and using that to inform decisions. Any risk appetite you set will frankly be arbitrary, as you do not know what factor of risk you are already tolerating, albeit unbeknownst to you.
So what risks are you obviously open to? Well there is of course external compromise of any aspect of the CIA triangle, and then the same risk from an internal perspective. In a nutshell that is it at its most basic form. One note here is that these two could easily be conjoined in how they are actually undertaken by a threat actor or actors.
We’ll start with the perimeter, if there is such a thing these days. At least we can state that there are routes in and out of the organisation. Ideally these should be kept to a low number for ease of management and monitoring. These routes in and out can be used for a variety of nefarious activities; simply flooding them to prevent availability of services, leaking information out of the organisation and delivering malware or exploitation mechanisms into the organisation. Again these can be combined in any manner of ways, but boil down to preventing the availability of services, compromising the confidentiality of information assets or compromising the integrity of said assets. All of which have a sliding scale of impact upon the organisation depending on the nature of the threat.
In terms of risk mitigation here you have all the usual suspects in terms of firewalls, AV, IDS etc. as well as aspects such as segregation of networks, especially administrative access, protecting IP address space with NAT, ensuring access is established through trusted and secured networks, VPNs etc. and of course monitoring therein. Where possible prevent the bad stuff, and the bad guys, from getting in, limit the damage that can be caused, and monitor holistically as you’ll never truly be able to do the first part with 100% accuracy. These aspects should be configured wisely, and iterated as your monitoring develops a greater understanding of what is not working as well as you would like in terms of preventing delivery of exploit mechanisms.
As I’ve said you will not be 100% accurate, and as such you need to layer in controls further down the intrusion line. If you cannot prevent 100% of the intrusion attempts you will need fall-back mechanisms to prevent, or rather reduce, the potential for the threat actor to achieve their success, in terms of gaining access, preventing system use, stealing information or causing mayhem!
In this realm you need to establish and implement policies to patch, update and maintain systems, ideally automated to reduce the window between patch development and deployment. This is a window of opportunity for any attacker. Of course there are vulnerabilities or weaknesses that exist prior to a patch being released. You should limit the exposure of your end devices by removing non business related functionality, limiting user and application access in terms of being able to make changes to the base build profile, prevent software execution, except where it is approved and known, remove any unnecessary I/O access and deploy a consistent build profile across your estate. There may be several build standards, but they should all start from a minimum access required standpoint. Each standard should be documented and maintained, as well as any deviation from such. This aspect is a careful balancing act as you do not want to interrupt ease of use, whilst equally limiting the leverage a threat actor has on any device.
Of course that looks at the device itself, though ideally, as above, you want to prevent any exposure of that device before these control measures even have to execute. Defence against malware is the obvious draw here. You should hopefully recognise the limitation of pure signature-based detection and prevention. You should already have basic AV protection, both inline and scanning across the estate at the device layer and for any media introduction. You should also be deploying content filtering and code checking for all inbound objects. In terms of this you want to check what the code is actually trying to do, not just what it appears to be on the outside.
Your people are a very serious, and oft overlooked, aspect in terms of both threat and detection / prevention capabilities. Your users have access already. They need to in order for your business to function. All the external protection in the world will effectively be rendered useless if the threat is from a legitimate user on the inside. You’ll need a comprehensive education and awareness campaign, which I will come to shortly, but before then you need to consider your approach to access management. Access should be granted on a least-privilege basis. That is to say that access should be granted at the lowest level that enables a user to undertake their business activity. Before that though you should really be screening your employees prior to their actual employment, and then establish a solid account / access creation method providing the basic access required. Anything above that should be agreed by their line management and should be aligned to their actual business need. Equally their accesses will need to be reviewed as their time and duty in employment changes. People move within a business; new roles, new teams, new work. Accesses should be managed throughout, especially when it comes to removing redundant privileges. Redundant because that access is no longer required for the employee to undertake their business workload. This is an aspect that traditionally gets missed. When any user changes job function their accesses should be reviewed to ensure appropriate access is granted and any now-inappropriate accesses removed.
It goes without saying that not everyone needs to be an administrator. Even in an organisation of one person the administrative account should be separated from the day-to-day account. Privileged users should be kept to a minimum, undergo advanced screening and receive additional monitoring. These accesses are arguably the most important to manage in terms of move, add, change.
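The two paragraphs above describe an access review: least privilege against a documented role, removal of entitlements left over from a previous role, and privileged rights only on a separate admin account. This is an added example written for this page, not anything the author describes having built; the role model, entitlement names and accounts are all constructed.

```python
"""Periodic access review: flag entitlements outside the user's role, leftovers
from a previous role, and privileged rights sitting on a day-to-day account.
Roles, entitlements and accounts are constructed for the example."""
from dataclasses import dataclass
from typing import Optional

# Entitlements each role legitimately needs (hypothetical role model)
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "erp-post-journal", "email"},
    "sales-rep": {"crm-read", "crm-write", "email"},
    "sysadmin": {"email"},   # the sysadmin's day-to-day account holds no admin rights
}
# Privileged entitlements may only exist on a separate, screened admin account
PRIVILEGED = {"domain-admin", "db-admin", "erp-admin"}

@dataclass
class Account:
    user: str
    role: str                     # current role from HR
    previous_role: Optional[str]  # role before the last move, if any
    entitlements: set             # what the directory says the account holds today
    is_admin_account: bool        # separate admin account (extra screening/monitoring)
    approved_extras: set          # out-of-role entitlements signed off by line management

def review(accounts):
    """Return (user, entitlement, reason) for every access that should be removed."""
    findings = []
    for a in accounts:
        needed = ROLE_ENTITLEMENTS.get(a.role, set())
        old = ROLE_ENTITLEMENTS.get(a.previous_role, set()) if a.previous_role else set()
        for ent in sorted(a.entitlements):
            if ent in PRIVILEGED:
                if not a.is_admin_account:   # admin right on an ordinary account
                    findings.append((a.user, ent, "privilege on day-to-day account"))
            elif ent not in needed and ent not in a.approved_extras:
                reason = "redundant after role change" if ent in old else "no documented business need"
                findings.append((a.user, ent, reason))
    return findings

# Constructed directory extract: one leaver-from-role, one admin misuse, one clean extra
ACCOUNTS = [
    Account("carol", "finance-analyst", "sales-rep",
            {"erp-read", "erp-post-journal", "email", "crm-write"}, False, set()),
    Account("dave", "sales-rep", None, {"crm-read", "crm-write", "email", "domain-admin"}, False, set()),
    Account("dave-adm", "sysadmin", None, {"domain-admin", "db-admin"}, True, set()),
    Account("erin", "sales-rep", None, {"crm-read", "email", "erp-read"}, False, {"erp-read"}),
    Account("frank", "finance-analyst", None, {"erp-read", "email", "crm-read"}, False, set()),
]

if __name__ == "__main__":
    for user, ent, reason in review(ACCOUNTS):
        print(f"{user}: remove {ent} ({reason})")
```

The review distinguishes an approved extra (erin's erp-read, signed off by line management) from an undocumented one (frank's crm-read), which is the audit trail the paragraph asks for.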
In terms of monitoring you should be monitoring all user and system access, especially where access is granted to key information assets or systems. You should also restrict access to audit / monitoring logs and systems. There is nothing worse than investigating a compromise and finding all your audit logs have miraculously disappeared.
Access is not only about what, but also where. Most organisations will have mobility as a key driver, and as such you need to factor in control for home and mobile working. This brings control of the assets themselves, the data on the assets and the mechanisms for accessing them into focus. Remote access should be controlled through secure routes, e.g. VPNs, and data should be protected at rest on the devices, where possible, and when transferred to and from devices. You should have clear processes in place to deal with loss or theft of any mobile-related device, including authentication tokens. When considering theft or loss you should also ensure any process includes understanding what non-digital information was also potentially stolen or lost, e.g. printed documents.
Underpinning this should be a set of clear and concise policies explaining expected business behaviour, systems usage and monitoring regimes, as well as outlining potential action as a result of a breach of these policies. Remember policies are not a choice. They are a mandate! They may be backed by guidance and standards, but your policies are effectively law within your organisation. As such they need policing, and any breaches therein addressed swiftly. Your policies need to be written in clear business language as your end users need to actually understand them. If your policies are pages and pages long and written in technical language they are worthless.
The education and awareness of your end users is something that many people get wrong. You should be using all means possible to ensure your users are aware of threats, how to spot them and importantly how to report them. You will never be able to spot everything in real time, but your users, who are your eyes and ears on the ground, will. Your awareness programmes should be tailored towards teaching your users to protect their personal cyber space, and by proxy they will bring that knowledge into the organisation and protect their corporate cyber space. You should use all available resources to deliver this programme; videos, blogs, seminars, coaching, presentations, alerts, testing etc. Your programme needs to be informative and pertinent in order to build an affinity with it and engender a culture of security-savvy, or risk-savvy, users.
And finally, though you can take each of these facets of cyber hygiene to several lower levels, you should have a robust and thoroughly tested incident management process. This process should be backed at the highest level of the organisation and be designed to cover the full gamut of potential incidents, from minor breaches and events to full-blown crises. The people undertaking this role should be specifically trained and have clearly defined roles and responsibilities.
Needless to say, for something that is vital to any security regime these plans and processes should be continually tested, both in daily operation and through regular major incident sessions. Bear in mind the need to collect and analyse incident data, including storage and review both during and post incident, and the potential for sharing with other parties, especially law enforcement where the nature of the incident dictates such. As such incident data should be maintained in a segregated area, clearly labelled including how the data was gathered and processed, and also used to inform future detection and prevention decisions. This will also be a key source in identifying gaps in visibility, for example logging.
Again Rome wasn’t built in a day, and nobody said this was easy, or we’d all be really good at it, but this is where your prime focus needs to be. I would strongly recommend taking time over this: looking at the core aspects and understanding how good you are today and what gaps you have. I cannot stress enough the importance of getting this right from the outset.