SecurityWeek

Management & Strategy

Don’t Leave Security to Luck – 5 Security Controls to Implement in 2017

Like burglars looking for the soft target in the neighborhood, such as the house without cameras or newspapers piled up indicating a family on vacation, cyber criminals are constantly probing for vulnerabilities.

Whether or not you avoid a breach sometimes comes down to “luck.” Maybe attackers won’t notice that you still haven’t patched OpenSSL against Heartbleed. More likely, that’s just wishful thinking.

Few, if any, organizations have all the security resources necessary to absolutely prevent a successful attack. But by analyzing the trends from many of the top industry surveys and reports, we can prioritize the security investments needed to harden our environments against the opportunistic attackers and perhaps make a bit of our own luck. 

If there are only five controls that a security organization can reasonably tackle this year, what should they be?

Harden credentials used to access sensitive information and beyond

The latest Verizon Data Breach Investigations Report indicated that in the previous year, “63 percent of confirmed data breaches involved weak, default or stolen passwords.” While phishing and other social engineering attacks are typically the vector, the goal is to obtain legitimate insider credentials, which let the attacker operate as an authorized user and circumvent data loss prevention and detection controls.

Safeguarding credentials is increasingly important as more and more of the sensitive information organizations hold becomes toxic, that is, a liability the moment it leaks. In this case, the solution is two-fold. First, consider expanding two-factor authentication to a broader set of services, accessed via single sign-on to reduce user frustration and avoid their instinct for working around authentication. Once that is in place, establish a comprehensive policy for classifying data to determine which information needs additional security layers. Without this ranking in place, you may not know where two-factor authentication is actually required.

Reduce the attack surface of credentials

One of the basic tenets of security is to reduce the attack surface. This has traditionally been accomplished by reducing the entry points on a network or turning off unused software features, but consider reducing the number and reach of credentials as well.

As uncovered in the Ponemon Global Trends in Identity Governance & Access Management report, 57 percent of respondents acknowledge that end users have more access than is required to do their jobs. While identity governance is typically seen as fulfilling a compliance requirement, given the way attackers exploit stolen credentials, it makes sense to use identity governance policies to reduce the threat from attacks originating both inside and outside the organization. That means getting past the rubber-stamping problem, in which managers approve periodic access reviews wholesale instead of questioning each entitlement.
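One practical way past rubber-stamping is to hand reviewers an exception report rather than a full entitlement list. The following is an added example, not code from the article or from any identity governance product: it compares each user's grants against a role baseline and flags entitlements that are outside the baseline or have gone unused. The users, roles, entitlements, dates and the 90-day dormancy threshold are all constructed values.

```python
# Added example (not from the article): an access-review "exception report".
# Instead of asking reviewers to approve every entitlement, it surfaces only the
# grants that fall outside the user's role baseline or have gone unused.
# All users, roles, entitlements and dates below are constructed sample data.
from datetime import date, timedelta

# Role baseline: the entitlements each job role actually needs (constructed).
ROLE_BASELINE = {
    "accounts_payable": {"erp_ap_entry", "erp_vendor_view"},
    "sysadmin": {"vpn", "jump_host_ssh", "backup_console"},
}

# Current grants per user, with the last date each grant was exercised (constructed).
# None means the entitlement has never been used since it was granted.
GRANTS = {
    "alice": {"role": "accounts_payable",
              "entitlements": {"erp_ap_entry": date(2017, 1, 5),
                               "erp_vendor_view": date(2017, 1, 4),
                               "erp_ap_approve": date(2016, 3, 1)}},
    "bob":   {"role": "sysadmin",
              "entitlements": {"vpn": date(2017, 1, 6),
                               "jump_host_ssh": date(2017, 1, 6),
                               "backup_console": None,
                               "erp_vendor_view": date(2016, 9, 9)}},
}

REVIEW_DATE = date(2017, 1, 10)   # assumed date the review is run


def review_exceptions(grants, baseline, today, dormant_days=90):
    """Return {user: {"excess", "dormant", "revoke"}} for grants needing a real decision.

    excess  - granted but not part of the user's role baseline
    dormant - never used, or not used within dormant_days
    revoke  - both excess and dormant: safe default is to remove without waiting
    """
    cutoff = today - timedelta(days=dormant_days)
    report = {}
    for user, info in grants.items():
        allowed = baseline.get(info["role"], set())
        ents = info["entitlements"]
        excess = {e for e in ents if e not in allowed}
        dormant = {e for e, last in ents.items() if last is None or last < cutoff}
        if excess or dormant:
            report[user] = {"excess": excess, "dormant": dormant,
                            "revoke": excess & dormant}
    return report


if __name__ == "__main__":
    for user, ex in review_exceptions(GRANTS, ROLE_BASELINE, REVIEW_DATE).items():
        print(f"{user}: excess={sorted(ex['excess'])} dormant={sorted(ex['dormant'])} "
              f"revoke={sorted(ex['revoke'])}")
```

Users with no exceptions never reach the reviewer, so what remains is short enough to actually be read. In a real deployment the grants and last-used dates would come from the directory and application logs, and the baseline from role definitions that HR and application owners maintain.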

Isolate – and monitor – the problem children

There’s a reason why teachers put misbehaving kids out in the hall – they can’t allow the one to disrupt the education of the many. While vulnerability scanning and remediation are a key pillar of any good security program, there will always be those problem systems that cannot be patched or updated, leaving them exposed to a known vulnerability. These vulnerable systems, as well as BYOD systems, deserve to be isolated from the rest of the network.

The Verizon Data Breach Digest tells the story of a financial company whose customers started reporting that the company’s website was being blocked by their security products. This was the result of a data breach involving an employee’s personal laptop, which was infected with malware. While the organization had isolated BYOD from the corporate network, the BYOD network was not monitored and had minimal controls. Worse, the BYOD network shared the same network equipment and the same Network Address Translation (NAT) address as the corporate traffic, so the malware’s outbound traffic was attributed to the corporate network’s public IP address and dragged its reputation down with it. The moral is, isolate those systems, but don’t assume isolation is enough on its own: give the isolated segment its own egress address and its own monitoring.

Concentrate encryption on the crown jewels – and everything else

Your organization’s crown jewels are most likely data. As stated in the HPE Cyber Risk Report, “if surveillance manages time and again to seem like a white knight after terrorist incidents, encryption is often the dragon.” The implication is that even terrorists know to protect their data with encryption.

Most organizations encrypt sensitive data, but if encryption is applied sparingly, it marks the encrypted data as the valuable target. Better to encrypt all data to avoid tipping off its importance, and to slow down or even dissuade attackers, who will have to spend resources differentiating between information they want and that which is useless to them. One caveat: encryption only raises an attacker’s cost if the keys are kept separate from the data, and an attacker holding a legitimate user’s credentials can decrypt whatever that user can, which is why this control depends on the credential controls above.

Trust, but verify

The US Army, in preparing an operations plan, looks at preparing for two courses of enemy action – the most likely and the most dangerous. While the most likely attacks are effectively confidence attacks against gullible users, the most dangerous is the malicious administrator. While we would all like to believe our employees are honest and follow company policies, the old Russian proverb, made famous by Ronald Reagan while negotiating strategic arms limitations, “trust, but verify,” is applicable here as well.

For security leaders, that means leveraging privileged account management to limit, monitor and record what administrators can do or are doing. The Cyberthreat Defense Report showed that “only 30 percent of respondents are confident that their organization has made adequate investments to monitor the activities of privileged users.” That number is too low for what can be the most devastating of attacks. Consider how leaks by Edward Snowden or the anonymous administrator at Mossack Fonseca have impacted those organizations.
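Recording privileged activity is only useful if someone looks at it, and nobody reads every sudo line. The following is an added example, not code from the article or from any privileged account management product: it parses standard sudo syslog entries and flags the events a reviewer would want to see, namely use of sudo by an account that is not on the approved administrator list, activity outside the change window, escalation to an interactive shell (after which per-command logging stops), and bulk data export tools. The log lines, host names, user names, change window and command lists are all constructed.

```python
# Added example (not from the article): a minimal privileged-activity monitor that
# reads sudo syslog entries and returns only the events that violate policy.
# The log lines, host names, user names and policy values are all constructed.
import os
import re

# Standard sudo syslog line: "<ts> <host> sudo: <user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Policy (assumed values): who may use sudo, when the change window is, and which
# commands are either unrecordable shells or bulk data exports.
APPROVED_ADMINS = {"carol", "dave"}
CHANGE_WINDOW = range(8, 18)                   # 08:00-17:59 local time
SHELLS = {"bash", "sh", "dash", "zsh", "su"}    # per-command logging ends here
EXPORT_TOOLS = {"pg_dump", "mysqldump", "tar", "rsync", "scp"}

# Constructed sample log: one non-sudo line is included to show it is ignored.
SAMPLE_LOG = """\
Jan  8 02:13:44 db01 sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Jan  8 09:05:12 db01 sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Jan  8 09:06:30 db01 sshd[2231]: Accepted publickey for dave from 10.10.4.7 port 51022 ssh2
Jan  8 23:40:01 db01 sudo:    carol : TTY=pts/2 ; PWD=/var/lib/postgresql ; USER=postgres ; COMMAND=/usr/bin/pg_dump customers
Jan  9 10:10:10 web01 sudo:      eve : TTY=pts/0 ; PWD=/home/eve ; USER=root ; COMMAND=/usr/bin/apt-get update
"""


def classify(event):
    """Return the list of policy reasons an event should be reviewed (empty if none)."""
    reasons = []
    if event["user"] not in APPROVED_ADMINS:
        reasons.append("not an approved administrator")
    if event["hour"] not in CHANGE_WINDOW:
        reasons.append("outside change window")
    # Match on the command's basename so paths like /usr/bin/pg_dump are recognised
    # and substrings inside unrelated arguments are not.
    base = os.path.basename(event["cmd"].split()[0])
    if base in SHELLS:
        reasons.append("interactive shell escalation")
    if base in EXPORT_TOOLS:
        reasons.append("bulk data export")
    return reasons


def analyze(log_text):
    """Parse sudo entries from log_text and return the ones that need review."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:                     # sshd and other non-sudo entries are skipped
            continue
        event = m.groupdict()
        event["hour"] = int(event["ts"][-8:-6])
        reasons = classify(event)
        if reasons:
            findings.append({"user": event["user"], "host": event["host"],
                             "runas": event["runas"], "cmd": event["cmd"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['host']} {f['user']} -> {f['runas']}: {f['cmd']}  [{', '.join(f['reasons'])}]")
```

Dave's daytime service restart produces nothing, which is the point: the reviewer sees three events instead of four, and each comes with the reason it was surfaced. Note that a shell escalation is flagged precisely because everything typed inside it is invisible to sudo logging; that is the case for session recording rather than command logging alone.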

Priorities will vary by organization, depending on the types of threats they are facing and where investments have already been made. But if you’ve fallen behind in any of these five categories, consider what can be done to raise visibility before your luck runs out.
