Are you following the basics of security?
- 04 April, 2017 01:57
Every year, cyber security scenario is perky with new technologies, trends and vendors and yet year after year, hackers are still ahead of the game. Why is this so? Are we following the basics of security? Instead of talking about new technologies and trends, lets focus on the very basics of the security and chalk out a sound strategy. I believe a focus on the following ten areas is important for you to keep your organizations secure.
Integrated Approach to Security: Choose an integrated approach to security. Specialised and costly products working in silos are creating more harm than solving the problem of security. Use integrated product suites that talk to one another. Having an integrated strategy where your end-points, network, email, DLP, encryption, DRM and application security work together sharing a common fabric and intelligence works out much better and can prevent a lot of attacks. Choose products that combine multiple functions and are best in breed.
Privilege Account security:History has shown that most of the attacks involved misuse of privilege Ids. Use a strategy and product that covers detection, prevention as well as response as part of your privilege account strategy. Do you have admins who login to their laptops with accounts having domain admin and power user rights? If so, stop it. It’s very easy for a hacker to steal these passwords from the RAM. Keep your most powerful privilege users in a separate segment (DMZ), Yes that’s a new approach that is going to work wonders for you. Don’t let an attacker inside your network reach your administrators through a flat network. Remove admin rights from your end users’ computers. There are products to manage this gracefully. As per a report, admin rights are to be blamed for 97 per cent of critical Microsoft flaws.
Know and protect your crown jewels:Know your data and where it resides. Know your crown jewels and spend more money and energy to protect them first. Keep track of where your data is moving. Do you know who is making changes to the data or who is abusing your data? Encrypt the data with strongest of the encryption and secure your encryption keys.
Security is in simplicity:Anything that is complex, cannot be secure. Complexity will force you to make mistakes. Keep your designs and implementations simple. Don’t create complexity in security. Look at Apple products, they are so powerful yet simple. Talk to your board in simple language and you will attain success with them. Can a child understand what you are talking? This is the easiest way to know if you are keeping things simple.
Measure your security:Do you know what is your current state of security? Unless you don’t know your weaknesses, you cannot resolve them. Access your people, process and technology by way of network and application penetration tests, Red team simulations, control modelling and security risk assessments based on industry standards. Create a security roadmap and define a phased approach based on risk to achieve the objectives. Cover all entry points like network, internet, lease line, USB ports, CD/DVD drives, email, end- points, third parties and have a strategy to mitigate risks across all entry and exit points specially around your crown jewels. Create a security matrix. If you ask a CIO, five nines SLA is the most important matrix to measure the effectiveness of IT. Unfortunately, we don’t have any such global matrix for security. It’s worth your time to create a matrix as per your organisation’s risk profile and needs and use it to measure the effectiveness of your security controls on an ongoing basis.
The 8th layer: Humans are what I refer to as the 8th layer. Humans are the weakest link and will always remain the weakest link in security. Cover humans using both training as well as technology. Focus on phishing and ransomware protections. Test your human firewall by phishing simulations, ransomware simulations and social engineering attacks. Test your incident response plan from time to time.
Focus on the end-point: More and more attacks are shifting away from the network and servers to the end-user computers because of the inherent weakness of human firewall as well as workspaces moving from offices to coffee shops and home where you don’t have any perimeter security to protect you. Application whitelisting and patching are the two of the most effective strategies to take your end-point security to the next level. Invest in a sound technology to protect your end points beyond a traditional antivirus. Focus on preventing memory based attacks. More and more attacks and malwares are spreading using memory based exploits and programs which don’t need any execution.
IoT and SCADA: IoT and SCADA can become your weakest link since they are designed using old programing logics not focused on security. Air gap security is a myth (Stuxnet is an example). So raise your game before a smart refrigerator in your office kitchen becomes the reason for your next breach.
Third party security:No matter how secure you are, if a third party connecting to your network is insecure, the game is over. You are as secure as your third party. Don’t limit your third party security to an annual questionnaire, take a holistic approach and use technology to detect and prevent attacks in real time.
Application security: As per Forbes many organizations have significant network security in place but it’s not enough as 84% of all attacks are happening on the application layer. Nevertheless, organizations allocate ~ 80 per cent of the security budget to network security to mitigate ~ 16 % network based attacks surface. Is that a sound strategy? This trend needs to change. Application security deserves more focus