Part 1 of this series, “The Business Perspective,” examined how to build a cybersecurity capability from the ground up by starting with the basic governance aspects of information security. It explained how cybersecurity relates to organizational goals and how those goals dictate the organization’s approach to cyber risk management. Setting this overarching tone is important, but it needs to be reflected through effective technology management.
While cybersecurity is a business issue, it is one that is inextricably linked to technology. Part 2 of this blog series looks at the IT tools and methods that provide a basic foundation for a cybersecurity program.
Basic Administrative Management
While the processes discussed in Part 1 all have to do with organizational governance around cybersecurity, these tactical and administrative processes can help provide a defensive baseline:
Disable Local Administrative Privileges
In most organizations, there is no need for employees to have administrative rights over their workstations. Revoking these rights prevents employees from changing security configurations or downloading unapproved or unsafe software. It also helps limit the amount of harm an attacker can cause should they gain access to an employee’s computer. This recommendation is easier to implement during the early days of an organization, because it can occur before employees get accustomed to having elevated permissions; however, it can be accomplished at any time with the right internal messaging campaign.
Segment Administrative Accounts
Employees who require administrative privileges should have separate accounts that only they can use for performing administrative functions. Taking this a step further, administrative accounts should be segmented by device type — domain admins should only have access to domain controllers, workstation admins should only have access to workstations, etc. Additionally, all administrators should have a separate, non-privileged account for all other non-privileged business activities.
Identify Third-Party Support
Few organizations can handle a cybersecurity incident entirely on their own, especially when they are just beginning to build their security capabilities. In these early stages, contingency plans should focus on identifying whom to call for help. In addition to a technical incident response firm such as CrowdStrike® Services, some organizations will also want to have outside legal counsel and public relations support on retainer.
Change Default Passwords
While most software or online services force users to reset the default password during setup, this is often not the case with hardware. Small organizations or startups frequently fail to change the default passwords on their routers, security cameras and other online hardware. Changing the passwords is a simple step that can spare an organization considerable grief and embarrassment.
Technologies
Even for organizations with mature cybersecurity programs, the number of cybersecurity tools and technologies available can be overwhelming. While most tools provide some benefits, organizations just starting their cybersecurity program need not buy everything. The following technologies are some good initial purchases that provide considerable return on investment.
Two-Factor Authentication
Few security measures provide as much bang for the buck as two-factor authentication. Even without additional security tools, two-factor authentication can go a long way toward preventing unauthorized access to company resources. The most obvious places to use two-factor authentication are on company email, VPN services, and any other tools or applications that employees use to access resources remotely. But it is also good practice to enable two-factor authentication on every service that will allow it. Examples include cloud-based document storage and backups, customer relationship management software, web-hosting and content management platforms, etc.
VPN for Remote Access
Requiring users to authenticate to a secure VPN (with multi-factor authentication, of course!) to remotely access company information provides an additional layer of security around network resources. By configuring firewalls to block all other types of remote connections, an organization can reduce the attack surface that adversaries may target. As organizations mature, they can layer additional security around their VPN by logging connections and blocking suspicious connection attempts.
Firewalls
Deploying firewalls at the network perimeter is a common initial step in building out a security capability, and one that immature organizations frequently fail to do effectively. Prior to setting up firewalls, an organization should carefully consider exactly what type of inbound and outbound traffic is necessary to conduct its operations. It should then block all other connections. Some firewalls come with pre-configured rule sets that can help with this process. Once deployed, firewalls should do more than simply block unwanted incoming connections — they should also block unnecessary outbound connections, log all inbound and outbound connections, and potentially serve as a network intrusion detection system (IDS). Organizations with highly sensitive network segments, such as a production environment, should also consider inserting internal firewalls at the perimeter of that environment.

Firewalls are not “set it and forget it” tools. Once implemented, they require management. For instance, it is common for organizations to make exceptions to their firewall rules to allow specific tools or functions to operate. But formal processes should exist for approving those exceptions, periodically reviewing how the exceptions in place affect the organization’s security posture, and renewing exception approvals where appropriate or closing the gaps if they are no longer required.

Firewall logs are a frequent source of information about suspicious network activity. While organizations with immature security programs may not have the tools or manpower to actively monitor firewall logs, ensuring that those logs are retained and periodically reviewed for anomalies is a good first step.
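As an added example (not code from the original post or from CrowdStrike), the following Python script carries out the two periodic review tasks this section describes: scanning retained firewall logs for anomalies (one source probing many blocked ports, and accepted outbound connections to ports the business never approved) and flagging rule exceptions that have expired or are about to, so they can be renewed or closed. The log lines are constructed in the style of Linux iptables/nftables kernel LOG output; the rule tags, the approved outbound port set and the exception register are assumptions made for illustration.

```python
"""Periodic firewall log and exception review (added example)."""
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample log lines in iptables/nftables LOG style (not real traffic).
# "[IN-DROP]" / "[OUT-ACCEPT]" are assumed log-prefix tags on the firewall rules.
SAMPLE_LOG = """\
Jan 12 03:14:07 fw kernel: [IN-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Jan 12 03:14:08 fw kernel: [IN-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23
Jan 12 03:14:09 fw kernel: [IN-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=3389
Jan 12 03:14:10 fw kernel: [IN-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=445
Jan 12 03:15:00 fw kernel: [IN-DROP] IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Jan 12 03:16:21 fw kernel: [OUT-ACCEPT] IN= OUT=eth0 SRC=192.0.2.25 DST=198.51.100.9 PROTO=TCP SPT=40000 DPT=443
Jan 12 03:16:22 fw kernel: [OUT-ACCEPT] IN= OUT=eth0 SRC=192.0.2.31 DST=203.0.113.200 PROTO=TCP SPT=40002 DPT=6667
Jan 12 03:16:25 fw kernel: [OUT-ACCEPT] IN= OUT=eth0 SRC=192.0.2.25 DST=198.51.100.9 PROTO=UDP SPT=53000 DPT=53
"""

LOG_RE = re.compile(
    r"\[(?P<rule>[A-Z-]+)\] IN=(?P<in_if>\S*) OUT=(?P<out_if>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_log(text):
    """Turn raw log text into a list of dicts; lines without a firewall
    record (other kernel messages) are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
        # A packet with an input interface arrived from outside; one with only
        # an output interface was generated inside and is leaving.
        rec["direction"] = "in" if rec["in_if"] else "out"
        records.append(rec)
    return records


def inbound_drop_sources(records, threshold=3):
    """Sources whose dropped inbound connections reach `threshold` events,
    mapped to the distinct destination ports they touched. One source hitting
    many ports in quick succession is the classic sweep pattern."""
    drops = Counter()
    ports = defaultdict(set)
    for r in records:
        if r["direction"] == "in" and r["rule"].endswith("DROP"):
            drops[r["src"]] += 1
            ports[r["src"]].add(r["dpt"])
    return {src: sorted(ports[src]) for src, n in drops.items() if n >= threshold}


def unexpected_outbound(records, allowed_ports=frozenset({53, 80, 443})):
    """Accepted outbound connections to ports outside the approved set. The
    default set is an assumption; derive the real one from the traffic review
    that precedes deployment."""
    return [(r["src"], r["dst"], r["proto"], r["dpt"])
            for r in records
            if r["direction"] == "out" and r["dpt"] not in allowed_ports]


# Constructed exception register: what was approved, for whom, and until when.
EXCEPTIONS = [
    {"id": "FW-EX-001", "rule": "allow tcp/5432 from 192.0.2.0/24 to db01",
     "owner": "dba-team", "expires": date(2025, 1, 31)},
    {"id": "FW-EX-002", "rule": "allow tcp/8443 from vendor-vpn to mgmt01",
     "owner": "it-ops", "expires": date(2024, 6, 30)},
]


def exceptions_due_for_review(register, today, notice_days=30):
    """Exceptions already expired or expiring within `notice_days`: the
    renew-or-close decision each approved exception eventually needs."""
    return sorted(e["id"] for e in register
                  if (e["expires"] - today).days <= notice_days)


def review(log_text, register, today):
    """Assemble one review report from the log and the exception register."""
    records = parse_log(log_text)
    return {
        "probing_sources": inbound_drop_sources(records),
        "unexpected_outbound": unexpected_outbound(records),
        "exceptions_due": exceptions_due_for_review(register, today),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG, EXCEPTIONS, date(2024, 11, 1)).items():
        print(f"{key}: {value}")
```

Running the script against the constructed data reports one external address that probed four blocked ports, one internal host that made an accepted outbound connection on tcp/6667 (a port the assumed policy never approved, which is exactly the kind of thing a default-allow outbound rule would hide), and one expired exception. The thresholds and the allowed-port set are the places to tune as the organization learns what its normal traffic looks like.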