A Basic Guide to Reducing Cyber Risks.

This basic guide is intended to help managers and security auditors dealing with cybersecurity risk quickly identify threats to their information and cyber estate, and to assess their preparedness not only to mitigate attacks but also to deal with incidents that may occur around the compromise of the confidentiality, integrity or availability (CIA) of their data.

Senior Responsibility

Identify and communicate clearly who the most senior person or people accountable for overall security and risk tolerance within the business are. This may be separate from the individual who holds technical responsibility (an architect, for example), and may also be separate from the information security function.

Hardware & Systems

In this section I would recommend utilising a basic asset tracker/register. You would be surprised how many businesses I audit have no idea what or where their assets are. Identify who supplies the hardware and systems; typically businesses establish contracts with third-party suppliers. I would also recommend establishing who is responsible for first-line support (you may need to identify 2nd/3rd line too) for these systems, such as a helpdesk for end users.

When it comes to systems, know where they are run from; for example, this may be a data centre. Typically, businesses are migrating to cloud services such as Azure/AWS and/or O365. As above, ensure a full hardware AND software asset register is maintained; ServiceNow is a good start.

Mobile Phones

Similar to hardware, most businesses, depending on size, will most likely have established a third-party supplier. Due diligence on these suppliers may be necessary. Ensure a mobile device management (MDM) system is utilised; Intune is a common go-to. On top of this, depending on the nature of the business, you are going to want to enforce some security policy such as the use of PINs and VPNs.

Access Controls

Typically access controls will (or should) be managed via Active Directory. Role-based access control will need to be closely reviewed. This section could be overwhelmingly large if we spoke at a technical level; however, know to use and follow the least privilege model. If the business is cloud based and utilising AWS, as an example, ensure IAM is inspected particularly closely, along with who has access to AWS secret access keys and KMS keys.

SOC/SIEM/Log Monitoring

A Security Operations Centre may not be necessary and goes beyond the scope of this very basic checklist; that said, depending on the talent of the IT team, there are open-source products you may want to utilise. Wazuh has a good reputation. For web traffic, Zscaler is a common choice. Logs should be retained as per policy; 12 months is common.

Email

As you can imagine, all of these topics could go to great length from a technical perspective; that said, this guide is here to serve as a quick reference so you can quickly baseline your risks and exposures. Back to email security best practices. Enforce encrypted connections over TLS. While encrypting the emails themselves may not be the best option for every user, it will provide additional layers of security and privacy. Clearly, creating strong user passwords/passphrases is important. It is highly recommended to enforce two-factor authentication on email apps. Keep in mind that your email client is potentially the key to the crown jewels when it comes to resetting passwords for other applications that may be utilised in the business. Ensure policy and end-user awareness is considered for employees/contractors and anyone else that may be involved in your infrastructure; for example, employees should know what the procedure is to report potential phishing emails. A more technical approach is to use domain authentication protocols and techniques, including Domain-based Message Authentication, Reporting and Conformance (DMARC). This can help reduce the risk of domain spoofing. Phishing campaigns really should be trialled and tested.
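As an added example (not code from the original post), the following PowerShell looks up a domain's DMARC record and reports whether the published policy actually enforces anything against spoofing; example.com is a placeholder for your own domain, and the risk ratings are this example's own assumptions.

```powershell
# Added example: check a domain's DMARC record and rate how much it enforces.
# example.com is a placeholder; substitute the domain you send mail from.
function Test-DmarcPolicy {
    param([Parameter(Mandatory)][string]$Domain)

    # DMARC is published as a TXT record at _dmarc.<domain>.
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' } |
        ForEach-Object { $_.Strings -join '' } |
        Select-Object -First 1

    if (-not $txt) {
        return [pscustomobject]@{ Domain = $Domain; Record = $null; Policy = 'none (no record)'
                                  Risk = 'High'; Note = 'No DMARC record published; receivers cannot reject spoofed mail' }
    }

    # Split "v=DMARC1; p=reject; rua=mailto:..." into a tag/value hashtable.
    $tags = @{}
    foreach ($part in ($txt -split ';')) {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }

    $policy = $tags['p']
    $risk = switch ($policy) {
        'reject'     { 'Low' }
        'quarantine' { 'Medium' }
        default      { 'High' }   # p=none only monitors; spoofed mail is still delivered
    }

    $note = @()
    if ($policy -eq 'none') { $note += 'p=none is monitor-only; move to quarantine, then reject' }
    if (-not $tags['rua'])  { $note += 'no rua= address, so aggregate reports are never received' }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) {
        $note += "pct=$($tags['pct']) applies the policy to only part of the mail"
    }

    [pscustomobject]@{ Domain = $Domain; Record = $txt; Policy = $policy; Risk = $risk; Note = ($note -join '; ') }
}

Test-DmarcPolicy -Domain 'example.com' | Format-List
```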

Endpoint Protection

There is a lot to discuss here with endpoint protection and detection. That said, Windows Defender Advanced Threat Protection (ATP) is a highly regarded product that will suit small to medium-sized businesses if they are cloud ready.

Encryption

A common theme still exists: this is a huge topic. That said, O365 can be utilised for email encryption. Web server (SSL/TLS) certificates should be managed by the IT admins, ensuring TLS is served across the entire domain and maintained. Data at rest should also be considered, utilising products such as BitLocker. Where Apple products are used you may want to consider using FileVault; it's free.

File Shares

I would say these days file shares are (or at least soon will be, as standard) in the cloud. Let's take Azure or AWS as an example. You should baseline your security audit around the CIS Benchmarks and, in my opinion, you are really going to want to invest in external cloud penetration testers to analyse these security controls. However, if the cybersecurity team are senior enough, I do recommend utilising Prowler or ScoutSuite to benchmark the security audit.

Vulnerability & Patch Management

Identify who is responsible for vulnerability management and produce a vulnerability management plan to deal with the identified risks, from Critical to Low findings. Typically, Tenable's Nessus is utilised on an automatic schedule. Updates within a business should really be centrally managed via Microsoft SCCM.

Secure build / Configuration

Laptops, end-user devices, servers etc. should have full build documentation available. They should also be based on a reputable framework such as the Center for Internet Security (CIS) templates for servers, as an example.

Information Classifications

How a business classifies documentation, handles retention and sets all the other policy will depend on the nature of the business. That said, the HMG Government Protective Marking Scheme (GPMS) is well known.

Change Management

All changes to the estate, infrastructure, updates etc. should be directed to the change advisory board (CAB), where the key stakeholders will make decisions based on their area of risk and expertise. The CAB process also allows all changes to be recorded in the change register, which will only aid future audits. Normally once-weekly meetings do the job for all changes to be approved/denied.

Destruction & Disposal

Hardware such as laptops and hard drives is typically destroyed onsite via independent third parties. Furthermore, HMG Infosec Standard 5 (IS5) is a data destruction standard used by the British government and is widely utilised.

Password Standards

The password policy should be dictated via Active Directory. Single Sign-On (SSO) will typically be utilised throughout the estate. I won't go into the basics here, but ensure they are enforced, such as lockout times, password reuse restrictions and accounts being disabled after a 90-day unused period, etc.
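As an added example (not code from the original post), this PowerShell reads the default domain password policy from Active Directory, flags the lockout and reuse settings mentioned above, and lists enabled accounts unused for 90+ days so they can be disabled; it assumes the RSAT ActiveDirectory module and read rights to the domain, and the thresholds are this example's own assumptions.

```powershell
# Added example: audit AD lockout/reuse settings and stale accounts. Assumes the
# ActiveDirectory module (RSAT); run as-is first, the disable step is -WhatIf only.
Import-Module ActiveDirectory

# Thresholds are assumptions for this example; align them with your own policy.
$MaxLockoutThreshold = 10   # failed attempts before lockout (0 = lockout disabled)
$MinLockoutMinutes   = 15   # how long an account stays locked
$MinHistoryCount     = 12   # previous passwords that cannot be reused
$InactiveDays        = 90   # disable accounts unused for this long

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @()

if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $MaxLockoutThreshold) {
    $findings += "Lockout threshold is $($policy.LockoutThreshold) (expected 1-$MaxLockoutThreshold)"
}
if ($policy.LockoutDuration.TotalMinutes -lt $MinLockoutMinutes) {
    $findings += "Lockout duration is $($policy.LockoutDuration) (expected >= $MinLockoutMinutes min)"
}
if ($policy.PasswordHistoryCount -lt $MinHistoryCount) {
    $findings += "Password history is $($policy.PasswordHistoryCount) (expected >= $MinHistoryCount)"
}
if (-not $policy.ComplexityEnabled) {
    $findings += 'Password complexity is disabled'
}

if ($findings.Count -eq 0) { Write-Host 'Default domain password policy meets the checks above.' }
else { $findings | ForEach-Object { Write-Warning $_ } }

# Enabled user accounts with no logon inside the inactivity window
# (accounts that have never logged on are included).
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate

Write-Host "$(@($stale).Count) enabled accounts inactive for $InactiveDays+ days:"
$stale | Format-Table -AutoSize

# Disable the stale accounts once the list has been reviewed; remove -WhatIf to apply.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```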

Due Diligence

When selecting partners, contractors or suppliers, ensure this process is carried out and someone is identified for logging it in a register. Typically, anything over £10k should be looked into.

Incident Management

A whopper of a topic! Ensure the process is tested, updated and owned! Remember, the idea here is Prevent, Detect and, if necessary, Respond. Incident management policy should be taken seriously. If you are a smaller business, my recommendation would be to go and build a relationship with an independent specialist that can manage this for you.

Cyber Training

Just like health and safety, cybersecurity training has become the norm and should be delivered to all joiners and repeated on a set period. Cybersecurity is everyone's problem, not just the IT department's. Internal certifications are great for individuals; that said, I would highly recommend building or outsourcing specific bespoke training that fits the talent, maturity and internal tooling of your IT/cybersecurity team. I am going to be biased here, but at Cyber Coaching they build specific training for your team based on the above and repeat the process in 4 months' time; by utilising analytics you can identify specific weak spots and the education that needs to be improved on.

Summary

As mentioned, all of the above topics could go into far greater depth; however, if you get the above right it will certainly be a good start. There is loads that I haven't bothered mentioning for now, and realistically, if you can work with an independent consultancy to really help you with the above, it's most likely going to save you a lot of pain and frustration.

For more information on bespoke tailored cybersecurity training or outsourcing a cyber security operation consultancy plan please email admin@cybercoaching.co.uk

Thanks for reading,

Tom Sinclair | CIO Cyber Coaching
