Last updated Nov 6, 2023.
With recent cyber attacks aimed at small to mid-size businesses and concerns about the potential for malicious Iranian cyber activity, organizations are taking a closer look at how they handle cybersecurity. Most organizations have a few basic measures in place, but often these are not enough to keep up with today’s emerging threats. Covering just a few of the bases but ignoring the rest can lead to a false sense of security. The most effective way an organization can protect itself is to build its foundational cybersecurity defenses in a structured, threat-focused manner. But in a market flooded with a seemingly infinite number of security products, how does one know which ones are truly needed, and which ones should be deployed first?
Ross Filipek, Chief Information Security Officer, recommends that organizations start by implementing Foundational Security controls, and then progress to implementing Advanced Security controls. Approaching cybersecurity strategy in this manner allows your organization to avoid being low-hanging fruit from the get-go, and then to further harden its defenses over time.
Foundational Security refers to the basic controls that keep an organization’s information systems secure. Think of them as basic cyber hygiene–a core component of managed network services. They are analogous to the locks on the doors and windows of your house: necessary, but by themselves not able to protect against every intrusion. Foundational Security controls include:
- Automated Patch Management—A critical component of any good network security strategy. Having a dedicated team that will evaluate which updates are critical (and which can be ignored), test them, and then apply them system-wide means you get peace of mind that you aren’t increasing your cyber risks by running outdated operating systems or software.
- Perimeter Security—A firewall is a network device that is designed to block certain kinds of network traffic. It’s the barrier between trusted sources and those that are known or suspected to be malicious or unauthorized. Use an enterprise-class firewall device to secure your network and keep out unwanted and unsafe traffic. Make sure it provides visibility into any intrusion attempts and gives you the ability to block access to undesirable websites and applications. Also make sure it supports remote-access VPN to securely accommodate your offsite employees.
- Data Backups Management—In today’s threat landscape, the only guarantee against data loss is having reliable, sound data backups in place. Be sure to capture both server- and desktop-level backups. Regularly test backups to ensure they are working properly. Data loss can occur through human error, a cyber attack, a local disaster such as a fire or flood, or even a weather event. Make sure the heart of your business (your data) is safe and sound no matter what.
- Antispam/Antivirus Software—This is still a vital piece of the network security puzzle. While you can no longer rely on just this one component to stay safe from cyber threats, it is essential for blocking known, wide-scale malware signatures. Be sure that your antispam and antivirus software is always kept up to date in order to protect your organization from sophisticated online threats.
- Generative AI Policy—Believe it or not, ChatGPT can pose a cybersecurity risk. Unfortunately, OpenAI uses input prompts to train the model further. This means sensitive data can leak out in content produced by the AI. (Hint: This is why we recommend Microsoft Copilot for M365 organizations. Read more here: Microsoft Copilot vs. ChatGPT.)
Advanced Security builds upon these controls to counteract increasingly sophisticated, targeted cyber threats. Because an organization can’t block the threats it can’t see, Advanced Security solutions are designed to provide the enhanced visibility and control your organization needs in order to survive and thrive in today’s threat landscape. Advanced Security controls include:
- Managed Detection and Response (MDR)—Most organizations do not possess the resources they need in order to investigate and proactively hunt for abnormal behavior. They lack the ability to see beyond suspicious activity. An MDR is an advanced threat hunting and incident response solution that delivers continuous visibility. It provides immediate access to the most complete picture of an attack at all times, reducing lengthy investigations from days to minutes. This allows your organization to proactively hunt for threats, uncover suspicious behavior, disrupt active attacks, and address gaps in defenses before attackers can.
- DNS Security—Controlling your organization’s outbound traffic is every bit as important as controlling its inbound traffic. A DNS security service such as Cisco Umbrella will prevent your systems from being able to resolve and connect to malicious domains. Approximately 95% of known ransomware strains require the ability to resolve malicious names in order to take hold, so this control is a highly effective countermeasure in the fight against ransomware.
- Email Security—Email is far and away the most frequently used method attackers use to breach their targets. Ensure that all of your organization’s incoming and outgoing email is inspected to detect and block malicious links and attachments. Encrypt outbound messages that contain sensitive information. In addition, implement DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) to prevent your organization’s domain from being used in a phishing message’s spoofed “from” address. This will help to maintain the integrity of your organization’s brand and will reduce the likelihood of your employees falling prey to phishing attacks.
- Multifactor Authentication (MFA)—Protect publicly accessible systems (e.g., remote-access VPN portal, webmail, DNS administration portal and other cloud services, etc.) with MFA. Phishing attacks have become increasingly sophisticated, and many users still reuse the same password across multiple services. The combination of these factors increases the likelihood of compromise of credentials, which can result in unauthorized remote access and devastating loss. Incorporating MFA can render stolen credentials useless for accessing your organization’s systems, so it’s a critical control to have.
- Security Information Event Management (SIEM)—Nearly every organization has network-connected devices like firewalls, routers, switches, wireless access points, servers, and workstations. These things are all capable of providing very useful logging data—information that can be the key to uncovering a cyber threat hidden on the network. However, no organization possesses the manpower to manually review these logs in a timely, consistent manner. Use a SIEM to automatically collect and analyze systems’ logs and configure it to trigger alerts if suspicious events are found. Note that SIEM also helps to satisfy the monitoring provisions of regulatory requirements such as HIPAA, NIST 800-171, and PCI-DSS.
- Intrusion Detection—Host intrusion detection (HIDS), network intrusion detection (NIDS), and cloud intrusion detection help your organization to detect threats as they emerge in your critical cloud and on-premises infrastructure. Monitor IDS alerts about detected threats and use this information to make informed decisions about threat containment and eradication.
- Vulnerability Scanning—Helps an organization to find the weak spots in its systems and take corrective action before attackers exploit them. Automated, recurring scans meet security best practices and regulatory requirements for frequent detection of vulnerabilities. This corroborates that automated patch-management efforts are working as intended, and highlights stragglers that are behind on patches. And knowing that all of your organization’s systems are up to date on patches can provide great peace of mind.
- Mobile Device Management—With the influx of mobile devices and the growth of mobile technology, many organizations are allowing employees to utilize their own devices to access corporate intranet, email, SharePoint, and more. Although this practice affords flexibility for the employee, it also poses significant security risks to the organization. If any crucial business data gets into the hands of unauthorized individuals—unintentionally or otherwise—there can be serious repercussions. To mitigate this risk, implement an MDM platform to extend organizational control to mobile devices that have access to company data. Make sure the MDM provides the ability to enforce security settings, restrict apps, and compartmentalize company data.
- Security Awareness Training and Testing—All employees should receive security awareness training and testing on a frequent, recurring basis. As the human factor tends to be an organization’s weakest link in its defensive capabilities, ensuring that employees are working with (rather than against) the existing technical security controls is critical.
- Dark Web Monitoring—Identify, analyze and proactively monitor the Dark Web for your organization’s compromised or stolen employee and customer data. This is a great way to uncover evidence of stolen credentials, whether it be from a breached website, phishing attack, or other intrusion.
- Harden System Configurations—Harden the configurations on all infrastructure devices, servers, workstations, and other endpoints in accordance with best practices such as the Center for Internet Security (CIS) Configuration Benchmarks. This is a great way to complement your organization’s automated patching in the effort to protect its systems.
- Honeypots—Customized attack decoys that simulate your organization’s data and intellectual property including spreadsheets, docs, and files. A honeypot is “bait” for hackers who think they are looking at your organization’s real assets. It is intended to shine light on the techniques that attackers are using, which can then guide your organization in selecting the most effective countermeasures.
- Network Traffic Replay—Complements your organization’s IDS by acting as a surveillance camera for your network, allowing your security team to quickly and accurately report back the nature and extent of the attack. It allows you to document suspicious transactions between clients, employees, and hackers—from the inside out. Such a solution can isolate and document all threats happening on your organization’s servers in real time, including dangerously hidden macros in uploads and downloads, botnet software, and sensitive files such as client lists and payment data. Further, it can capture data in a forensically sound way that provides the full extent of data theft in a format that can be used legally for your protection and prosecution of theft by employees.
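The DMARC part of the Email Security item above only stops a spoofed “from” address if the published policy actually tells receivers to reject. The following check is an added example written for this page, not code from the original post; it parses constructed DMARC TXT records (a real check would read the record at `_dmarc.<domain>` with your DNS client) and flags the settings that leave spoofing unpunished.

```python
# Added example (not from the original post). Records below are constructed;
# a real check reads the TXT record at _dmarc.<domain> with your DNS client.

def parse_dmarc(txt):
    """Split a DMARC TXT record into tag=value pairs (keys lower-cased).
    Returns None when the text is not a DMARC record (must carry v=DMARC1)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def assess_dmarc(txt):
    """Return (rating, findings); rating is missing, weak, partial or strong."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ("missing", ["no v=DMARC1 record: receivers apply no policy to spoofed mail"])
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never rejected")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam; p=reject blocks it")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy enforced on only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing are discarded")
    if policy == "none":
        rating = "weak"
    elif findings:
        rating = "partial"
    else:
        rating = "strong"
    return (rating, findings)

# Constructed sample records: a typical first-step record and a hardened one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
```

Running `assess_dmarc` on each record returns `weak` for the monitoring-only record and `strong` for the hardened one, which is the state the page recommends reaching.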
Cybersecurity is a process of continuous improvement, not a destination at which your organization can suddenly arrive. There’s no magic cyber bullet. To be sure, the Foundational and Advanced controls discussed above are great ways to secure your organization today, but there’s always more that can be done. Just as cyber threats continue to evolve, so must your cybersecurity strategy. If you’d like some help in determining the best way to move your organization forward on the cybersecurity front, or if you’d like more information about the solutions discussed above, give us a call today at (877) 367-9348 or schedule your call here.