Hardly a day passes that we don’t hear of a new security breach or learn the details of a cyber attack and how it succeeded. The task of keeping abreast of breach reports and notifications can be daunting for those responsible for information security. To be effective, an Information Security Officer must understand what caused a breach in other organizations, the lessons learned from the investigation, and what, if anything, could have prevented the breach. This is Security 101, yet it seems that many do not keep up with breaches.
How can you protect your organization and prevent a potential attack from succeeding?
Here is an approach I take as a former intelligence officer whose assignment was to work against foreign espionage within the United States. The lesson is simple: stay in the game. Let me explain.
One of my assignments dating back to the early 1980s was to infiltrate a foreign-backed organization that aimed to recruit US citizens with the purported aim of promoting a better understanding of the socialist way of life. Once enlisted, the recruits naively would serve and support the group’s goals.
I changed my appearance, made a point of frequently passing by the bookstore where they held meetings, and allowed myself to be recruited. Six months after I had penetrated their organization, a US Counterintelligence Officer who had been monitoring the group told me I had been “made” and that I was not to return to the organization again. My supervisor then said to me, “The Name of the Game is to Stay in the Game.”
I was out, but the greater operation remained. In the spy world, there is no finite end point. You keep the operation going so that with time you keep on learning more and more.
Here is how I apply this to Information Security. Your goal is to keep the game going and keep on learning. So what must you do to keep the game going?
First and most important, think like a hacker does and identify what and where you have weaknesses. The four magic words to remember are: Identify, Protect, Detect, and Respond!
Identify: all of your physical assets – servers, switches, routers and endpoints – and, of course, your network topology and firewall.
Conduct an assessment to strengthen the internal and external perimeter security. Run an external penetration test and an internal vulnerability assessment to identify all of the vulnerabilities that can be exploited and any missing patches.
Protect: The assessments above need to be conducted at least quarterly, but preferably monthly. Resolve all vulnerabilities, apply all patches and develop a patch management policy with specific timelines to ensure it is followed. First, segment your network so that, should there be an intrusion, it would be of limited scope and would not affect your entire network or expose all of your “crown jewels” data. Secondly, apply hardware encryption of at least AES-256 to all databases and critical assets. This protects you in case of an attempt to extract your data.
Protect all administrative accounts and develop an ironclad policy that they may only be used for internal work and communication. Administrators should be assigned a second account to be used for all other purposes, including web browsing. If those accounts are compromised, the exposure would be minimal.
Protect third-party access with a solid privileged access control program that lets you configure their access, deny data extraction and permit only the minimum access necessary for the job. All attachments in outgoing email should be encrypted and time-restricted. The program should also have the capability to record all sessions for forensics and investigative work, should it be needed.
Detect: Make sure your Security Information and Event Management (SIEM) tool allows you to monitor all of your critical assets, data and administrative accounts with specific alerts. Configure your firewall, restrict all outgoing traffic, eliminate unnecessary ports and apply a geographical block rule that accounts for the customers you do business with in high-risk countries. Apply “best in industry” endpoint protection that detects malware, viruses, ransomware and unlicensed, suspicious software. Disable local administrator rights for those who do not need them. Apply auto-shutdown of employee devices during times of no use, such as nights and weekends.
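As an added illustration (not part of the original article) of the “specific alerts” on administrative accounts called for above, the following script applies the earlier policy that admin accounts are for internal work only: it flags any privileged-account logon from outside the internal address ranges and any privileged-account web-proxy use. The log format, the `-adm` naming convention, the internal networks and the sample events are all constructed assumptions for this example.

```python
"""Added example: flag privileged-account activity that violates an
'admin accounts are for internal work only' policy.  The log format,
account naming and sample events below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Assumed internal address ranges and privileged-account naming convention.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ADMIN_SUFFIX = "-adm"

# Constructed sample events: timestamp, user, source IP, event type, target.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice-adm 10.20.1.5 logon dc01
2024-03-01T08:10:43Z alice 10.20.1.5 web_proxy example.com
2024-03-01T09:15:02Z bob-adm 203.0.113.7 logon vpn-gw
2024-03-01T09:16:30Z bob-adm 10.20.1.9 web_proxy mail.example.net
2024-03-01T10:01:00Z carol 10.20.2.3 logon fileserver
"""

@dataclass
class Alert:
    ts: str
    user: str
    reason: str

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse(line: str) -> dict:
    ts, user, src, event, target = line.split()
    return {"ts": ts, "user": user, "src": src, "event": event, "target": target}

def check_event(ev: dict):
    """Return an Alert if a privileged account breaks the policy, else None."""
    if not ev["user"].endswith(ADMIN_SUFFIX):
        return None                      # ordinary account: policy does not apply
    if ev["event"] == "web_proxy":
        return Alert(ev["ts"], ev["user"], "admin account used for web access")
    if not is_internal(ev["src"]):
        return Alert(ev["ts"], ev["user"], f"admin logon from external address {ev['src']}")
    return None

def scan(log_text: str) -> list:
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = check_event(parse(line))
            if alert is not None:
                alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a)
```

In the constructed sample only bob-adm trips the rules: once for logging on from a non-internal address and once for using the privileged account through the web proxy.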
Firewall traffic needs to be monitored 24x7, with specific policies for blocking and for issuing notifications.
Hackers now have a saying, “Fake it till you make it,” meaning use phishing email to gain access to the network. The weakest point of any network is the human element. 43 percent of breaches result from a successful email containing malware in an attachment or malicious links. Having a front-end defense such as an advanced email threat protection “sandbox” is key to detecting and blocking most of them. For the few that sometimes get through, good endpoint protection should do the job of blocking, containing and preventing their spread.
Respond: Security training for employees, senior management and board members is a must.
Lastly, having a good ongoing incident response program that is well tested and with continued improvement is a must. The key to success is to think like a spy and remember “The Name of The Game Is To Stay In The Game” and when you assess your assets, remember to look at them from a hacker’s perspective. Then apply the continued process of Identify, Protect, Detect and Respond and you should be in good shape to prevent a breach. Don’t stop playing or you will lose.