Is your company getting the IT security basics right? And if it isn’t, why not?
A blunt question perhaps but alongside people and product, it’s one of the fundamental building blocks that enables your business. IT security is no longer an optional extra.
We’re at a turning point in the evolution of IT security and cyber defence. Every day we hear reports of huge data breaches and of theft of intellectual property, credit card numbers and even identities. Add malware, DDoS attacks, hacking and myriad other threats, and it is clear that these have become a way of life for those of us who dwell in cyberspace.
But There’s Never Been More Help…
A valid point. Today, IT professionals and business owners have access to an incredibly broad and sophisticated array of tools – industry standards, training, best practice, checklists, software, alert services, compliance, regulation, the list goes on – but with so much technology, information and oversight, people are getting lost in what the Center for Internet Security (CIS) calls the ‘Fog of More.’
Everyone’s got an opinion and with so much information competing for the same space, it’s easy for a business or organisation to become paralysed or distracted from getting the job done.
But it’s a double-edged sword. New technology brings us incredible benefits and opportunities, but with more and more of our data and applications spread across different locations and providers, it’s more vital than ever that everyone – from one-man bands to multinationals – gets the IT security basics right.
Can’t Argue With That, But What Are The IT Security Basics?
Actually, the question really needs to be flipped from ‘what does my business need to do?’ to ‘what should EVERY business be doing?’
The CIS have devised a list of 20 controls (the CIS Controls) that they believe would protect companies against 85% of common attacks. Controls 1-6 are classed as ‘basic’, 7-16 as ‘foundational’ and 17-20 as ‘organisational’, and if you can tick these off your list you will be able to say that you’ve mastered the basics of IT security.
Then it’s onto the more complex elements but we’ll leave that for another time!
Inventory and Control of Hardware Assets
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorised devices are given access, and unauthorised and unmanaged devices are found and prevented from gaining access.
Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software on the network so that only authorised software is installed and can execute, and that unauthorised and unmanaged software is found and prevented from installation or execution.
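The two inventory controls above come down to one repeatable check: compare what is actually on the network (and on each host) against what has been authorised, and act on the difference. The script below is an added example to illustrate that reconciliation; it is not code from the original post or from CIS. The authorised inventory, the dhcpd.leases excerpt, the package allow-list and all host names and addresses in it are constructed sample data.

```python
"""Hardware and software inventory reconciliation (CIS Controls 1 and 2).

Added example, not code from the original post or from CIS. All inventories,
lease records and package lists below are constructed sample data; the host
names, MAC addresses and IP addresses are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed authorised hardware inventory: MAC address -> (hostname, owner).
AUTHORISED_DEVICES: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:55": ("ws-finance-01", "finance"),
    "00:11:22:33:44:66": ("ws-finance-02", "finance"),
    "aa:bb:cc:dd:ee:01": ("srv-db-01", "it"),   # static address, never appears in DHCP
}

# Constructed excerpt in the format of an ISC dhcpd.leases file.
DHCP_LEASES = """\
lease 10.0.1.20 {
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "ws-finance-01";
}
lease 10.0.1.21 {
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "ws-finance-02";
}
lease 10.0.1.77 {
  hardware ethernet DE:AD:BE:EF:00:01;
  client-hostname "android-9f3a";
}
"""

# Constructed software allow-list for one server role, and one host's package list.
ALLOWED_PACKAGES: Dict[str, Set[str]] = {
    "db": {"openssh-server", "postgresql-14", "chrony", "auditd"},
}
INSTALLED_ON_SRV_DB_01: Set[str] = {"openssh-server", "postgresql-14", "chrony",
                                    "auditd", "netcat-traditional", "tmux"}


@dataclass(frozen=True)
class ObservedDevice:
    ip: str
    mac: str
    hostname: str


LEASE_RE = re.compile(r"lease\s+(?P<ip>\S+)\s*\{(?P<body>.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]+);")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def parse_dhcp_leases(text: str) -> List[ObservedDevice]:
    """Extract (ip, mac, hostname) from dhcpd.leases-style text; MACs are lower-cased
    so that they compare equal to the inventory regardless of how the server wrote them."""
    devices = []
    for m in LEASE_RE.finditer(text):
        mac = MAC_RE.search(m["body"])
        if not mac:
            continue
        host = HOST_RE.search(m["body"])
        devices.append(ObservedDevice(m["ip"], mac[1].lower(), host[1] if host else ""))
    return devices


def reconcile_hardware(observed: Iterable[ObservedDevice],
                       authorised: Dict[str, Tuple[str, str]]) -> Tuple[List[ObservedDevice], List[str]]:
    """Return (unauthorised, unseen): devices on the network that are not in the
    inventory, and inventory entries that this data source did not observe."""
    observed = list(observed)
    seen = {d.mac for d in observed}
    unauthorised = [d for d in observed if d.mac not in authorised]
    unseen = sorted(mac for mac in authorised if mac not in seen)
    return unauthorised, unseen


def reconcile_software(installed: Set[str], allowed: Set[str]) -> List[str]:
    """Return the packages installed on a host that its role does not permit."""
    return sorted(installed - allowed)


if __name__ == "__main__":
    rogue, missing = reconcile_hardware(parse_dhcp_leases(DHCP_LEASES), AUTHORISED_DEVICES)
    for d in rogue:
        print(f"UNAUTHORISED {d.ip:15} {d.mac} {d.hostname!r}")
    for mac in missing:
        print(f"NOT SEEN     {mac} ({AUTHORISED_DEVICES[mac][0]})")
    for pkg in reconcile_software(INSTALLED_ON_SRV_DB_01, ALLOWED_PACKAGES["db"]):
        print(f"UNAPPROVED   srv-db-01 {pkg}")
```

Two practical caveats. The ‘not seen’ list is not an alarm on its own: a server with a static address never appears in DHCP leases, so a real inventory check also pulls from ARP tables, switch MAC tables or 802.1X accounting before deciding a device has gone missing. The ‘unauthorised’ list, on the other hand, is exactly what Control 1 says should be found and blocked, so the natural next step is to feed it to whatever enforces access (port security, NAC, or a quarantine VLAN) rather than just to a report.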
Continuous Vulnerability Management
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimise the window of opportunity for attackers.
Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Maintenance, Monitoring and Analysis of Audit Logs
Collect, manage, and analyse audit logs of events that could help detect, understand, or recover from an attack.
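‘Analyse’ is the part of this control that most organisations skip: logs are collected and then nobody reads them. The script below is an added example, not code from the original post or from CIS, of the kind of analysis the control is asking for. It reads a constructed sample of an OpenSSH auth.log (the host name, user names, year and the 203.0.113.0/24 and 198.51.100.0/24 documentation addresses are all assumed), flags a source address once it has made five failed logins within five minutes, and flags it again if that same source then logs in successfully shortly afterwards, which is the pattern a password-guessing attack leaves when it works.

```python
"""Audit-log analysis (CIS Control 6): spotting an SSH password-guessing run
and the successful login that follows it.

Added example, not code from the original post or from CIS. The log lines are
constructed in OpenSSH's syslog format using documentation IP ranges; the host
name, user names and the year 2024 are assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Constructed sample of /var/log/auth.log on a hypothetical bastion host.
SAMPLE_LOG = """\
Mar 10 08:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
Mar 10 08:00:09 bastion sshd[2102]: Failed password for invalid user admin from 203.0.113.9 port 51001 ssh2
Mar 10 08:00:20 bastion sshd[2103]: Failed password for root from 203.0.113.9 port 51002 ssh2
Mar 10 08:00:41 bastion sshd[2104]: Failed password for deploy from 203.0.113.9 port 51003 ssh2
Mar 10 08:01:05 bastion sshd[2105]: Failed password for deploy from 203.0.113.9 port 51004 ssh2
Mar 10 08:01:40 bastion sshd[2106]: Failed password for deploy from 203.0.113.9 port 51005 ssh2
Mar 10 08:02:05 bastion sshd[2110]: Accepted password for deploy from 203.0.113.9 port 51020 ssh2
Mar 10 09:15:00 bastion sshd[2200]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 10 09:15:30 bastion sshd[2201]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
Mar 10 09:16:00 bastion CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src>[0-9a-fA-F.:]+)\s+port\s+\d+"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    result: str   # "Failed" or "Accepted"
    method: str   # "password", "publickey", ...
    user: str
    src: str


@dataclass(frozen=True)
class Finding:
    kind: str
    src: str
    user: str
    ts: datetime
    detail: str


def parse_auth_line(line: str, year: int) -> Optional[AuthEvent]:
    """Parse one sshd authentication line. Syslog timestamps carry no year, so the
    caller supplies it (assumed here). Lines that are not sshd auth results return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return AuthEvent(ts, m["result"], m["method"], m["user"], m["src"])


def detect_ssh_attacks(lines: Iterable[str], threshold: int = 5,
                       window: timedelta = timedelta(minutes=5), year: int = 2024) -> List[Finding]:
    """Flag a source once it reaches `threshold` failed logins inside a sliding `window`,
    and flag it again if that source then authenticates successfully within `window`
    of the first alert. Sorting by time tolerates log lines arriving out of order."""
    events = [e for e in (parse_auth_line(l, year) for l in lines) if e]
    events.sort(key=lambda e: e.ts)
    recent_failures = defaultdict(deque)   # src -> failure timestamps still inside the window
    flagged_at = {}                        # src -> time the brute-force alert fired
    findings: List[Finding] = []
    for e in events:
        q = recent_failures[e.src]
        if e.result == "Failed":
            q.append(e.ts)
            while q and e.ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and e.src not in flagged_at:
                flagged_at[e.src] = e.ts
                findings.append(Finding("brute_force", e.src, e.user, e.ts,
                                        f"{len(q)} failed logins within {window}"))
        elif e.src in flagged_at and e.ts - flagged_at[e.src] <= window:
            findings.append(Finding("success_after_brute_force", e.src, e.user, e.ts,
                                    f"accepted {e.method} for {e.user}"))
    return findings


if __name__ == "__main__":
    for f in detect_ssh_attacks(SAMPLE_LOG.splitlines()):
        print(f"{f.ts:%b %d %H:%M:%S} {f.kind:26} {f.src:15} {f.detail}")
```

On the sample data this reports two findings for 203.0.113.9 and nothing for 198.51.100.4, whose single typo followed by a key-based login is normal user behaviour. The threshold and window are tuning knobs, not constants to copy; what matters for the control is that the analysis runs against logs that have been shipped off the host to a collector the attacker cannot edit, because the first thing an intruder with root does is tidy up auth.log.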
Email and Web Browser Protections
Minimise the attack surface and the opportunities for attackers to manipulate human behaviour through their interaction with web browsers and email systems.
Malware Defences
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimising the use of automation to enable rapid updating of defence, data gathering, and corrective action.
Limitation and Control of Network Ports, Protocols, and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimise windows of vulnerability available to attackers.
Data Recovery Capabilities
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Boundary Defence
Detect/prevent/correct the flow of information transferring between networks of different trust levels with a focus on security-damaging data.
Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
Controlled Access Based on the Need to Know
The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
Wireless Access Control
The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems.
Account Monitoring and Control
Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimise opportunities for attackers to leverage them.
Implement a Security Awareness and Training Programme
For all functional roles in the organisation (prioritising those mission-critical to the business and its security), identify the specific knowledge, skills and abilities needed to support defence of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organisational planning, training, and awareness programmes.
Application Software Security
Manage the security lifecycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
Incident Response and Management
Protect the organisation’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.
Penetration Tests and Red Team Exercises
Test the overall strength of an organisation’s defence (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.
Take a look at the list again. How many can you check off as ‘covered’? How many are you still planning, and how many aren’t covered by your in-house IT team at all?
Be honest now…
For all things cloud and to talk to us in more detail about IT security and what your business needs to do, email firstname.lastname@example.org or call +44 (0) 20 7078 0789 and don’t forget to follow us on Twitter and LinkedIn.
Have a good week.