The cyber security threat landscape is constantly changing with the ever-growing number and scale of attacks. The measures needed to combat these threats must be robust, comprehensive and agile. Simply put, it is about developing an effective approach and constantly testing and refining it. The sections below cover 10 essential recommended steps that should be taken to achieve an effective level of cyber security, based on guidance from the NCSC.
Executive Risk Management
Because of the vital role that technology plays in most organisations today, information and its supporting systems need to be properly categorised in the business risk profile. The impact of a compromise of information or systems could be more critical than many other types of business risk and result in reputational and financial damage.
It is important for the risks to be defined and communicated from executive level, thus conveying the importance of information and systems.
Further essential steps that the Board should take include:
- Establish a governance framework
- Identify risks and approach to risk management
- Apply standards and best practices
- Educate users and maintain awareness
- Constantly review policies
Education and Awareness
Training and awareness can help to establish a security-conscious culture in the organisation. This could help to reduce the number of people clicking links in phishing emails or writing down passwords on post-it notes. Lack of awareness could result in users connecting compromised personal removable media, users falling victim to phishing attacks, and users seeing security as prohibitive and therefore trying to circumvent it. User ignorance of how to handle sensitive information may result in legal and regulatory sanction, as will failure to report certain breaches.
Effective management of the user awareness risk includes some of the following:
- Create a user security policy as part of the overall corporate policy
- Include cyber security in the staff induction – making them aware of their personal responsibilities to comply with the security policy
- Security risk awareness – maintain awareness of ongoing security risks and guidance
- Formal training and assessment – staff in security roles should embark on ongoing formal training and certification to keep up to date with the challenges they face
- Incident reporting culture – enable staff to voice their concerns and report poor security practices
Secure Configuration
Systems that are not securely configured will be vulnerable to attack. A secure baseline configuration for all systems is essential to reduce the risk of attack and the potential for compromise. A lack of secure configuration and up-to-date patching carries risks such as unauthorised system changes, exploitation of software bugs in unpatched systems and exploitation of insecure systems.
To avoid poor system configuration, effective security controls such as the following need to be put in place:
- Use supported software
- Develop and implement policies to update and patch systems
- Maintain hardware and software inventory
- Maintain operating systems and software
- Conduct regular vulnerability scans and act on results in a timely manner
- Establish configuration and control management
- Implement whitelisting and positively identify the software that is permitted to execute
- Limit privileged user accounts and user’s ability to change configurations
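The "baseline secure configuration" and "configuration and control management" items above are usually enforced by comparing what a host actually runs against a written standard. The following is an added example, not code from the original article or from the NCSC: it parses an OpenSSH `sshd_config` and reports every directive that deviates from an assumed baseline. The baseline values and the sample file are assumptions chosen for illustration, not a published standard.

```python
"""Check an sshd_config against a secure baseline and report drift.

Added example: not from the original article or from NCSC guidance. The
baseline values below are assumptions chosen for illustration, not a
published standard; adapt them to your own configuration standard.
"""
from typing import Dict, List, Tuple

# Assumed baseline: directive -> required value (directives are case-insensitive).
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global value of each directive in sshd_config text.

    sshd uses the first occurrence of a directive and ignores later duplicates,
    so a second, weaker setting appended lower in the file does not win.
    Directives after the first Match block are conditional and are skipped here
    (a simplification made for this example).
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # everything from here on applies only to matching sessions
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def check_baseline(text: str, baseline: Dict[str, str] = BASELINE) -> List[Tuple[str, str, str]]:
    """Return (directive, expected, actual) for each deviation from the baseline.

    A directive that is absent is reported as '<unset>': the compiled-in default
    may or may not match the baseline, so it must be set explicitly.
    """
    effective = parse_sshd_config(text)
    findings: List[Tuple[str, str, str]] = []
    for directive, expected in baseline.items():
        actual = effective.get(directive.lower(), "<unset>")
        if actual.lower() != expected.lower():
            findings.append((directive, expected, actual))
    return findings


# Constructed sample file that has drifted from the baseline.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample, not a real host)
Port 22
PermitRootLogin yes
PasswordAuthentication no
# a later duplicate does not override the first value above
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for directive, expected, actual in check_baseline(SAMPLE_CONFIG):
        print(f"DRIFT {directive}: expected {expected!r}, found {actual!r}")
```

Run against the sample, the check reports `PermitRootLogin` (set to `yes`), `MaxAuthTries` (`6` rather than `4`) and `LogLevel` (not set at all); the duplicated `PasswordAuthentication yes` is correctly ignored because sshd honours the first value. Reporting unset directives rather than trusting defaults is deliberate: a baseline is only enforceable when every required setting is explicit.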
Network Security
Network connections could expose your systems and technologies to attack. A set of policies, an architectural strategy and technical controls will help to reduce the chances of a successful attack, which could include exploitation of systems, compromise of information in transit, propagation of malware, and damage or illegal posting to corporate systems.
To manage network security effectively it is important to follow, at a minimum, best practices and industry-standard design principles.
All inbound and outbound traffic should be controlled, monitored and logged. This could be done with an advanced or next-generation firewall, intrusion prevention techniques and anti-malware at the perimeter, in addition to endpoint anti-malware.
Internal network protection is often neglected, especially in the case of small networks. It should however include the following techniques:
- Segregate networks into groups based on functions and security roles
- Secure wireless networks – only secure authorised devices should be allowed access to corporate networks
- Secure administration – ensure administrative access is secure and defaults are changed
- Monitor the network – monitor all traffic with intrusion prevention systems so that indications of attacks can be blocked and alerted on immediately
- Testing and assurance – conduct regular penetration testing and simulated cyber attack exercises to ensure controls work
Managing User Privileges
Controlling user privileges to the correct level is important to ensure users have what they need to work effectively. Granting users unnecessary rights should be avoided, as it is generally a major risk. If these accounts are compromised it could have a severe impact on your cyber security. The potential harm from such a compromise includes users accidentally or deliberately misusing their privileges and causing unauthorised information access.
Attackers could also exploit these privileges to gain administrative-level access and even negate security controls to increase the scope of their attack.
Some sensible steps that should be taken to manage these risks include:
- Effective account management – manage the lifecycle of accounts from start to finish when staff leave, including temporary accounts
- User authentication and access control – issue and enforce an effective password policy and incorporate two-factor authentication for secure systems
- Limit privileges – give users the minimum rights that they need
- Limit the use of privileged accounts – limit access to privileged rights and ensure administrators use normal accounts for standard business use
- Monitoring and logging – monitor user activity and log all events to an audit and accounting system for future analysis
- Education – educate users about their responsibilities to adhere to corporate security policies
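The account-management and limited-privilege items above are only as good as the periodic review that checks them. The following is an added example, not code from the original article or from the NCSC: it audits a constructed directory export for leavers whose accounts are still enabled, expired temporary accounts, dormant accounts, and administrators who have no separate standard account for day-to-day use. The record layout, the `adm-` prefix convention for privileged accounts and the 90-day dormancy threshold are assumptions made for this example.

```python
"""Audit an exported list of user accounts for lifecycle and privilege problems.

Added example: not from the original article or from NCSC guidance. The record
layout, the 'adm-' prefix for privileged accounts and the 90-day dormancy
threshold are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

DORMANT_DAYS = 90  # assumed threshold for an unused account


@dataclass
class Account:
    username: str
    enabled: bool
    privileged: bool
    last_login: Optional[date]    # None means the account has never logged in
    leaving_date: Optional[date]  # set by HR when the member of staff leaves
    expires: Optional[date]       # set for temporary / contractor accounts


def audit_accounts(accounts: List[Account], today: date) -> List[str]:
    """Return one finding per problem, in the order the accounts were supplied."""
    findings: List[str] = []
    standard_names = {a.username for a in accounts if not a.privileged}
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are already out of the lifecycle
        if a.leaving_date is not None and a.leaving_date <= today:
            findings.append(f"{a.username}: leaver still enabled")
        if a.expires is not None and a.expires < today:
            findings.append(f"{a.username}: temporary account expired")
        if a.last_login is None:
            findings.append(f"{a.username}: never logged in")
        elif (today - a.last_login).days > DORMANT_DAYS:
            findings.append(f"{a.username}: dormant for more than {DORMANT_DAYS} days")
        # Assumed convention: 'adm-<name>' is the privileged account of '<name>'.
        if a.privileged and a.username.startswith("adm-"):
            if a.username[len("adm-"):] not in standard_names:
                findings.append(f"{a.username}: no standard account for day-to-day use")
    return findings


def sample_accounts() -> List[Account]:
    """Constructed directory export; names and dates are made up for the example."""
    return [
        Account("alice", True, False, date(2024, 5, 30), None, None),
        Account("adm-alice", True, True, date(2024, 5, 28), None, None),
        Account("bob", True, False, date(2024, 1, 15), date(2024, 3, 31), None),
        Account("adm-carol", True, True, date(2024, 5, 20), None, None),
        Account("contractor1", True, False, date(2024, 5, 25), None, date(2024, 4, 30)),
        Account("dave", False, False, None, date(2024, 1, 1), None),
    ]


SAMPLE_TODAY = date(2024, 6, 1)  # constructed "today" so the run is reproducible

if __name__ == "__main__":
    for finding in audit_accounts(sample_accounts(), SAMPLE_TODAY):
        print(finding)
```

On the sample data the audit reports `bob` twice (a leaver who is still enabled and has not logged in for over 90 days), `adm-carol` (a privileged account with no matching standard account, so it is presumably being used for everyday work) and `contractor1` (a temporary account past its expiry). `dave` is skipped because the account is already disabled, which is the state every leaver account should reach.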
Incident Management
A security incident is inevitable for all organisations. An effective system of incident management policies and processes will reduce the likely impact, enable speedier recovery and improve business resilience. Without an effective management system in place, the possible risks of an attack include:
- Greater business impact of an attack through failure to recognise the attack early enough and consequent slowness to respond, resulting in more significant and ongoing impact
- Potential for continuous or repeated disruption due to failure to find the root cause
- Failure to conform with legal and regulatory standards which could result in financial penalties
It is important to manage the risk by taking some of the following steps:
- Establish an incident management capability using in-house staff or a specialist external service provider, create a plan and test its effectiveness
- Define reporting requirements
- Define roles and arrange specialist training to ensure the correct skill base
- Establish and regularly test a data recovery strategy including offsite recovery
- Collect and analyse post incident evidence for root cause analysis, lessons learned and evidence for crime and/or compliance reporting
Malware Prevention
Malware is the most common form of security compromise, and it is a fact that all organisations interact with known malware sites. Malware risks include email with malicious content or links to malicious sites, web browsing to sites containing malicious content, and the introduction of malware through uncontrolled devices such as USB media or smartphones.
Inadequate controls for protection against malware could result in business disruption and/or loss of access to critical data.
Malware risks can be managed effectively using some of the following techniques:
- Create and implement effective malware policies
- Control import and export of data and incorporate malware scanning
- Use blacklisting to block access to known malicious sites
- Establish a defence-in-depth approach which includes security controls for endpoints, anti-virus, content filtering to detect malicious code, disabling browser plugins and auto-run features, and ensuring baseline security configurations are in place
- Users should be educated regularly to understand the risk of malware, their role in preventing it and the procedure for incident reporting
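Blocking access to known malicious sites sounds like a simple lookup, but a blocklist check has to normalise the host and match on domain-label boundaries or it is trivially evaded. The following is an added example, not code from the original article or from the NCSC: a URL blocklist check that strips userinfo, port and trailing dots, matches a host against every parent domain, and does not match a listed name that merely appears as a prefix or substring of another host. The blocklist entries are constructed placeholder names from reserved example domains, not real indicators.

```python
"""Check whether a URL's host is on a blocklist of known malicious domains.

Added example: not from the original article or from NCSC guidance. The
blocklist entries are constructed placeholder names (reserved example
domains), not real indicators.
"""
from typing import Iterable, Set
from urllib.parse import urlsplit

# Constructed blocklist for the example; a real list would be fed from
# threat intelligence and refreshed regularly.
BLOCKLIST: Set[str] = {"malicious.example", "bad-cdn.example.net"}


def host_of(url: str) -> str:
    """Extract the normalised host from a URL or bare hostname.

    urlsplit().hostname lowercases the host and strips userinfo and port;
    a trailing dot (absolute DNS name) is removed so it cannot evade a match.
    """
    if "://" not in url:
        url = "http://" + url  # bare host: give urlsplit a scheme to parse
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def is_blocked(url: str, blocklist: Iterable[str] = BLOCKLIST) -> bool:
    """True if the host or any parent domain is listed.

    Matching is on label boundaries: 'cdn.malicious.example' is blocked by
    'malicious.example', but 'notmalicious.example' and
    'malicious.example.attacker.test' are not.
    """
    blocked = set(blocklist)
    labels = host_of(url).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


if __name__ == "__main__":
    for u in ("http://malicious.example/login", "https://cdn.malicious.example:8443/x",
              "http://notmalicious.example/", "http://intranet.example.org/"):
        print(f"{'BLOCK' if is_blocked(u) else 'allow'}  {u}")
```

The label-boundary rule is the part worth getting right: a plain substring or suffix test would either block `notmalicious.example` (a false positive) or be fooled by `malicious.example.attacker.test` (a false negative), and case or trailing-dot variations would slip past an exact-string comparison.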
Monitoring
Systems monitoring provides the ability to determine how systems are being used and whether they have been attacked or compromised. Absent or poor monitoring prevents organisations from detecting attacks against infrastructure or services, slows the reaction to an attack and so increases its severity, and can cause non-compliance with legal or regulatory requirements.
Monitoring risks can be reduced by taking the following steps:
- Develop and implement a monitoring strategy based on the business risk assessment
- Ensure that all systems are monitored; monitoring should include the ability to detect known attacks as well as having heuristic capabilities
- Monitor network traffic to identify unusual traffic or large uncharacteristic data transfers
- Monitor user activity for unauthorised use of systems
- Fine tune monitoring systems to collect relevant events and alerts
- Deploy a centralised logging solution with collection and analysis capability, and automated anomaly and high priority alerts
- Align policies and processes to manage and respond to incidents detected by monitoring systems
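Two of the items above, spotting uncharacteristically large data transfers and unauthorised use of systems, are concrete enough to show as detection logic. The following is an added example, not code from the original article or from the NCSC: it parses a handful of constructed firewall and authentication log lines, flags a source whose outbound volume is far above its peers, and flags a burst of failed logins, reporting separately when a later success follows the burst. The log format, the addresses and the thresholds are assumptions for this example; in a real deployment they would be tuned from a baseline of normal activity, which is the "fine tune" step above.

```python
"""Two simple detections over constructed firewall and authentication logs.

Added example: not from the original article or from NCSC guidance. The
log format ("<timestamp> <source> key=value ..."), the addresses and the
thresholds are assumptions for this example; in practice thresholds are
tuned from a baseline of normal activity.
"""
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List

# Constructed sample: normal daytime egress from four workstations, one
# 4.8 GB night-time upload, and a failed-login burst followed by a success.
SAMPLE_LOGS = """\
2024-06-01T09:00:01 FW src=10.0.1.10 dst=203.0.113.5 bytes_out=120000
2024-06-01T09:05:12 FW src=10.0.1.11 dst=203.0.113.5 bytes_out=95000
2024-06-01T09:07:40 FW src=10.0.1.12 dst=198.51.100.7 bytes_out=110000
2024-06-01T09:10:03 FW src=10.0.1.13 dst=198.51.100.7 bytes_out=130000
2024-06-01T02:14:55 FW src=10.0.1.10 dst=198.51.100.9 bytes_out=4800000000
2024-06-01T08:59:01 AUTH user=alice src=10.0.1.10 result=success
2024-06-01T09:01:02 AUTH user=admin src=192.0.2.77 result=failure
2024-06-01T09:01:04 AUTH user=admin src=192.0.2.77 result=failure
2024-06-01T09:01:06 AUTH user=admin src=192.0.2.77 result=failure
2024-06-01T09:01:08 AUTH user=admin src=192.0.2.77 result=failure
2024-06-01T09:01:10 AUTH user=admin src=192.0.2.77 result=failure
2024-06-01T09:01:15 AUTH user=admin src=192.0.2.77 result=success
2024-06-01T09:30:00 AUTH user=bob src=10.0.1.11 result=failure
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_logs(text: str) -> List[Dict[str, str]]:
    """Turn each non-empty line into a dict of key=value fields plus 'ts' and 'kind'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, rest = line.split(" ", 2)
        fields = dict(KV.findall(rest))
        fields["ts"], fields["kind"] = ts, kind
        events.append(fields)
    return events


def detect_egress_outliers(events, ratio: float = 10.0, floor: int = 1_000_000) -> List[str]:
    """Sources whose total outbound bytes exceed `ratio` times the median of all
    sources and an absolute floor (the floor stops tiny networks from alerting)."""
    totals: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["kind"] == "FW":
            totals[e["src"]] += int(e["bytes_out"])
    if len(totals) < 2:
        return []  # no peer group to compare against
    med = median(totals.values())
    return sorted(src for src, total in totals.items() if total > floor and total > ratio * med)


def detect_auth_bursts(events, threshold: int = 5) -> List[str]:
    """Flag (user, source) pairs reaching `threshold` failures, and any later
    success for the same pair, which is the case needing urgent attention."""
    failures: Dict[tuple, int] = defaultdict(int)
    flagged = set()
    findings = []
    for e in events:
        if e["kind"] != "AUTH":
            continue
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            failures[key] += 1
            if failures[key] == threshold:
                findings.append(f"{threshold} failed logins for {key[0]} from {key[1]}")
                flagged.add(key)
        elif e["result"] == "success" and key in flagged:
            findings.append(f"success for {key[0]} from {key[1]} after repeated failures")
    return findings


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print("egress outliers:", detect_egress_outliers(events))
    for finding in detect_auth_bursts(events):
        print("auth:", finding)
```

On the sample, `10.0.1.10` is the only egress outlier (its 4.8 GB upload is tens of thousands of times the median of its peers), and the `admin` logins from `192.0.2.77` produce two findings: the five-failure burst and the success that follows it. Comparing each host against the median of its peers rather than a fixed number is what lets the same rule work across networks of different sizes; the single failed login from `bob` stays below the threshold and is not reported.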
Removable Media Controls
Removable media such as USB memory devices are often involved in the introduction of malware or the removal of sensitive data. A comprehensive cyber security strategy must implement controls such as those listed below to manage the risk effectively.
- Devise and implement a policy to govern the use of removable media; a standard for information exchanged with corporate systems should require appropriate protective measures
- Where essential, the use of removable media should be limited to designated devices only
- Automatically scan removable media for malware before any data transfer
- Issue removable media formally to users and prohibit the use of personal media
- Encrypt information at rest on removable media
- Manage reuse and disposal of media to ensure data is effectively deleted or media destroyed and data retrieval prevented
Home and Mobile Working
Remote working for staff and remote support from suppliers are effective and popular but can expose organisations to risk. Mobile working necessitates the transfer of data across the Internet, sometimes from public spaces. The risks include loss or theft of data if mobile devices are stolen, compromise of credentials or data if screens are overlooked in public places, loss of user credentials if they are stored on a device, and remote tampering through insertion of malware or monitoring of activity.
Some of the recommended controls are listed below:
- Create a robust policy to address the risk; this should include identifying who is authorised, what kind of information they can access, and increased monitoring for remote connections
- User training should include awareness of the risks, securely storing and managing credentials, and incident reporting
- Develop and apply a secure baseline for remote devices
- Encrypt data at rest and data in transit for remote/mobile devices