Cyber Hygiene: Getting the Basics Right

Posted on May 9, 2017 by Admin

If your organization takes cyber security seriously, you’ve probably been looking at all sorts of ways to keep the bad guys out.

The trouble is, there are so many different things to think about. A quick walk around a security conference like BlackHat or Infosec will have your mind reeling at the sheer range of options, from advanced threat intelligence and malware analysis to next generation firewalls and endpoint security.

But here’s the thing. The single most damaging thing most organizations do from a security standpoint is to try and run before they can walk. They invest thousands (or even tens of thousands) of dollars in fancy security products… but don’t do the basics well.

The fact is, a huge proportion of breaches are initiated by attacks that exploit known vulnerabilities which could easily have been patched. Equally, many breaches are greatly exacerbated by poorly constructed network architecture and a lack of sensible user access controls.

And if your organization is one of the many that doesn’t do the basics of cyber security well, no amount of spending on more advanced controls will keep your assets safe.


Be Deliberate from the Start

One of the most overlooked aspects of effective cyber security is network and asset hygiene.

In many cases small business networks grow haphazardly over time. They may spread over several sites, and include a wide variety of machines, each running different versions of key software, or even different operating systems. Unsurprisingly, securing such a network is extremely difficult.

But in attempting to secure a network that hasn't been constructed thoughtfully, you’re making a serious mistake right from the start. As we’ve already mentioned, a large proportion of successful cyber attacks exploit known vulnerabilities, and if you have different software versions installed on each machine it’s going to be extremely difficult to implement a sensible patch management process.

Instead, your first step should be to redesign your organization’s network from the ground up, ensuring software and firmware versions are consistent throughout.

And while you’re at it, there’s something else to consider: Network segmentation.

In simple terms, network segmentation is the process of dividing a network into a series of sub-networks, each known as a segment. Typically each segment will contain only the applications, files, and other assets required by an individual group of users, for example the sales department, or a trusted third party organization.

This approach to network architecture is vital from a security standpoint, because it drastically reduces the damage that could occur if an individual terminal or user account were compromised.

Remember the Target breach back in 2013? That all happened because a hacker was able to gain access to a third party vendor’s login credentials. If the company’s network had been properly segmented, it would have been much more difficult for the hacker to use those details to reach their end goal: 40 million customer records.


Expect the Best, Plan for the Worst

Network hygiene may be one of the most overlooked aspects of cyber security, but user access levels sit right at the top of that list.

And the trouble is, most organizations want to put trust in their employees. After all, the vast majority of employees just want to do a good job, so why not trust them with a high level of access?

And it’s such a nuisance when people have to keep requesting additional access. Surely it would be easier to just let them have access to everything so they can get on with their work?

If you’ve found yourself asking these questions, don’t feel bad. Organizations all over the world have fallen into the same trap.

The trouble is, most organizations only consider user access levels from the perspective of an insider (intentionally or otherwise) causing damage to the organization or its assets. And that’s understandable. Human error is a leading cause of data breaches, and limiting access levels can help to mitigate the potential damage caused by an incident.

But insider threats aren't the only reason to limit user access levels.

When a threat actor attempts to gain access to an organization’s network, a common first step is to compromise an individual’s user account. From there, they will seek to expand their access progressively until they reach their desired objective.

Now, if your organization has wisely adopted a least privilege model, where each user has access only to the files, folders, and applications they need on a daily basis, you’ll have an opportunity to identify and lock down suspicious activity before too much damage is done.

But if your user access levels are out of control, as they are in a significant proportion of organizations worldwide, there’s a good chance that an average threat actor will have access to much of what they need right from the start. Unsurprisingly, this is a recipe for a major breach.
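To make the two points above concrete (segmentation limiting what a compromised account can reach, and least privilege turning out-of-role access into an early warning), here is an added example that is not part of the original post. The segments, assets, roles and access log are all constructed for illustration; the model computes which assets a compromised third-party segment can reach in a flat network versus a segmented one, and flags access requests that fall outside a role's need-to-know.

```python
from collections import deque

# Constructed segment-to-segment reachability (who may initiate connections to whom).
FLAT_NETWORK = {
    "vendor": {"corp", "pos", "finance"},
    "corp": {"vendor", "pos", "finance"},
    "pos": {"vendor", "corp", "finance"},
    "finance": {"vendor", "corp", "pos"},
}
SEGMENTED_NETWORK = {
    "vendor": set(),           # third-party vendors stay inside their own segment
    "corp": {"vendor"},        # corporate IT may manage the vendor portal
    "pos": set(),              # point-of-sale is isolated from everything else
    "finance": {"corp"},
}
# Constructed asset inventory: asset -> segment that hosts it.
ASSETS = {
    "vendor-portal": "vendor",
    "hr-fileshare": "corp",
    "pos-terminals": "pos",
    "customer-db": "finance",
}
# Constructed least-privilege matrix: role -> assets that role needs day to day.
ROLE_ACCESS = {
    "hvac-vendor": {"vendor-portal"},
    "store-clerk": {"pos-terminals"},
    "finance-analyst": {"customer-db", "hr-fileshare"},
}

def reachable_segments(topology, start):
    """Breadth-first walk over the segments reachable from a compromised one."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in topology[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposed_assets(topology, compromised_segment):
    """Assets an attacker sitting in `compromised_segment` can reach at the network layer."""
    segs = reachable_segments(topology, compromised_segment)
    return sorted(asset for asset, seg in ASSETS.items() if seg in segs)

def flag_out_of_role_access(events):
    """Each event is (user, role, asset); return those outside the role's need-to-know.
    With least privilege in place, these are the early warning the text describes."""
    return [e for e in events if e[2] not in ROLE_ACCESS.get(e[1], set())]

# Constructed access log: a vendor account suddenly touching the customer database.
EVENTS = [
    ("vendor-7", "hvac-vendor", "vendor-portal"),
    ("vendor-7", "hvac-vendor", "customer-db"),
    ("clerk-12", "store-clerk", "pos-terminals"),
]
```

In the flat topology the vendor segment reaches every asset; in the segmented one it reaches only its own portal, and the single out-of-role event is the one a least-privilege review would surface.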

Yes, implementing a least privilege model will take some time and effort, particularly for an established organization. The alternative, though, is a security risk you just shouldn’t be willing to take.


Patch, Patch, Patch

Once you have a well constructed network and a sensible approach to user access levels, it’s finally time to tackle an issue that almost everybody would consider to fall within the realm of security: vulnerability management (VM).

And there’s a reason why vulnerability management comes after network setup and user access controls. Simply put, if you don’t have the real basics down first, VM is not only much harder to do, it’s most likely a total waste of time.

Assuming you do have these fundamentals down, then, VM is the next priority. As we’ve already mentioned, a large proportion of cyber attacks target known vulnerabilities. As a result, if your VM program is doing its job, most cyber attacks can be blocked before they ever get started.

But if you think high quality VM is simply a case of installing a vulnerability scanner and haphazardly applying patches, think again. In order to be truly effective, you’ll need to allocate the necessary time and resources to ensure vulnerabilities are identified, triaged, and remediated in a timely fashion without causing a substantial disruption to business as usual.

Thankfully, we’ve got you covered there. Last year, we wrote an entire series on how to plan, develop, and implement a high quality vulnerability management program; you can read the first article (with links to the rest of the series) by clicking here.


Stop Wasting Your Security Resources

Unless you’ve been living under a rock for the past decade, you’ve no doubt already realized that successfully securing your organization against cyber attack is going to require a significant investment.

But unless you lay the proper groundwork for your cyber security initiative, all the money you spend on fancy technology might as well be wasted. Target, TalkTalk, and many other high profile organizations have suffered major breaches despite significant investment in security, and in almost every case it’s because they failed to do the basics well.

Simply put, spending money on security products without getting the basics right is like spending thousands of dollars on a home security system and then leaving your front door open.

Posted in Cybersecurity