People often tend to think of cybersecurity as only an IT function, such as network security, or like a firewall or having antivirus on a computer. Cybersecurity is driven at the organization level. It is composed of culture, behavior, goals, priorities and then protections, procedures and verification. Cybersecurity best practices are much more than at the IT level.
Cybersecurity starts at the top with the executives and trickle down to management. Management needs to articulate plans to the technical architects, engineers, analysts and tools. On the executive level, cybersecurity needs to be a business strategy. In the IT ranks, cybersecurity needs to take on a technical approach.
Step 1: Set Goals
The first step towards best practices is engagement in cybersecurity by the executives. It is the role of upper management to set the goals and operational objectives and incorporate them into corporate culture.
Using the Department of Homeland Cybersecurity Strategy pillar model, upper management might set goals that look something like:
- RISK IDENTIFICATION: Assess vulnerability to evolving cybersecurity risks
- VULNERABILITY REDUCTION: Protect critical information systems
- THREAT REDUCTION: Prevent and disrupt criminal access to corporate systems
- CONSEQUENCE MITIGATION: Detect faster, reduce lateral migration and recover faster
- ENABLE CYBERSECURITY OUTCOMES: Strengthen posture and improve cybersecurity activities
Once upper management has set the goals it is up to Leadership to build a cybersecurity program.
Read More: Cybersecurity Trends you Need to Know >>
Read More: 6 Questions to Ask a Potential Cyber Security Hire >>
Read More: 5 Recent Cyber Security Threats in 2018 >>
Read More: Download Our Cyber Security Self Assessment >>
Step 2: Choose a Framework, Set Expectations and Measures
There are several common frameworks, and each have their own controls and approach. You may of heard of ISO 27001 or ISO 27005. With the Obama Executive Order in May, 2012, the National Institute of Standards and Technology (NIST) framework family has become the new industry standard for Federal, State and private entities.
NIST frameworks span Control, Program and Risk.
- Control frameworks identify the basic foundations for security controls that should be present in any organization. REF: NIST 800-53(Rev 4)
- Program frameworks set the form that a security program should take, set targets for evaluation and creates a common way to communicate about the program. REF: NIST CSF
- Risk frameworks provide an industry standard way to understand, approach and manage risk. REF: NIST 800-39, 800-37 and 800-30
The NIST Cybersecurity Framework (CSF) are:
- IDENTIFY: Identify what you need to protect
- PROTECT: Put defenses in place
- DETECT: Install ways to detect malicious activity
- RESPOND: Have plan and personnel in place to react to detections
- RECOVER: Determine extent of the incident or breach and mitigate the impact
The entire NIST family of frameworks are built around the CSF. Many other models around the world use that as their high-level building blocks.
Leadership has additional tools to drive direction using policy, procedures and guidelines. Examples include:
- Acceptable Use Policy
- Data Retention Policy
- Guidelines for when to use your corporate VPN connection when traveling
Once a framework is chosen middle Management must:
- ASSESS AND MANAGE RISK: Risk = Probability x Harm. What is at risk and what are the risks?
- MEASURE MATURITY AND PROGRESS: Develop a roadmap and determine current state and target goals.
- MONITOR AND MEASURE SECURITY: Establish meaningful metrics and monitor for progress towards goals.
Step 3: Set Priorities and Assess Maturity
It is then up to direct managers to set a list of priorities in top-down order for the technical staff to implement. When setting individual discrete goals compare the list against what is known as the CIA Triad:
- CONFIDENTIALITY: The ability to protect data from unauthorized view or release, including data at rest and data in motion encryption.
- INTEGRITY: The ability to ensure against unauthorized modification or corruption such as Ransomware, for example.
- AVAILABILTY: The ability to deliver applications and services to both internal and external clients including and through disaster recovery.
Each of the goals should fall under at least one of the three legs of the triad. Each leg of the triad should be represented by the final list. The Center for Internet Security has broken out an excellent list of priorities. Priorities should be divided into three categories: Basic, Foundational and Organizational. The list below is a good starting point:
- Take inventory and exercise control over hardware assets
- Take inventory and exercise control over software assets and licenses
- Perform continuous vulnerability management for new and emerging threats
- Limit the use of Administrative privileges
- Create role-based, hardened configurations for mobile devices, laptops, desktops and servers
- Ensure logging is enabled and that log files are monitored for alerts and integrity and that they are maintained.
- Centralize delivery and monitoring of malware defenses
- Implement E-mail and web browsing protections over and above basic malware
- Use smart switches to limit port traffic and protocols
- Implement hardened configurations for switches and routers and review firewall rulesets and ensure IOS are regularly patched.
- Set up layers of defense within the network architecture using concepts like network segregation
- Implement wireless network segregation, limits and controls over access and monitoring
- Review data recovery capabilities and perform regular mock testing at the file, server and data center level
- Implement Data Leakage Protection controls to monitor for access and egress of sensitive IP and PII and controls to protect printed media against unauthorized viewing and disclosure
- Use the practice of role-based, security groups and least privilege to control access to data as tightly as possible.
- The User ID is the new security perimeter. Implement strong account monitoring of what is accessed, when, from where and at what rate.
- Require Security and Awareness training for all new hires and as part of an annual skills recertification program.
- Create a list of approved software and prohibit loading of unvetted, unapproved or unlicensed packages.
- Create an incidence response and management team
- Perform regular penetration testing and Red Team exercises.
The list above is heavy on technical and network security, other additions might include policies around data handling or physical security.
The item not discussed in this article is that reducing risk costs money and creates operational friction. Each new policy, procedure, human resource and tool will add burden to the bottom line. It will be necessary to constantly evaluate value to the organization by the release of funds to achieve the goals. Cybersecurity is not about eliminating risk, it is about reducing the impact and being able to recover quickly and as completely as possible with the least amount of damage to business continuity and brand integrity. Keeping that in mind will help create a realistic plan and budget for an organization.
Decide Consulting offers cybersecurity assessments and staffing for cybersecurity roles. Contact us to learn more.