With massive data breaches regularly making headlines, it’s easy to throw your hands-up and submit to defeat. However, by following a few battle-tested strategies that incorporate decades of lessons learned and best practices, you can create an information security culture that will guide you through the rough waters of an attack and potential data breach.
a. Know thy system-- From Sun Tzu, it’s important to know what software, hardware, configurations, connections, integrations, and utilities (especially electric) are on or support your network. What’s even more important is the information—you must know what the information is (level of confidentiality) and where it is (mapping critical data). You have to know what/where you are trying to protect.
b. Know thy enemy -- If you have an understanding of your cyber threats, you will be able to make practical, defense-orientated decisions and eventual system implementations. You must stay informed by making yourself aware of security issues as well as any specific policies that may apply to data in your care.
c. Defense in depth --A system should employ multiple levels of defense such that a single breach of one sub-system does not expose the entire system to an attacker. Introducing this type of complexity doesn’t provide 100 percent protection against attacks, but it does reduce the chances of a successful attack. Defense in depth means that you must plan for failure by having backup systems. Criminals are constantly improving their craft, which means IT professionals should run frequent tests, conduct risk assessments, audit, exercise the disaster recovery plans in case of attack, and then do it all over again.
d. Least privilege access -- An individual, system, or process should be assigned the minimum privileges needed to carry out his or her job responsibilities. Similarly, the network version is segmentation, this is when you split a network into smaller network segments, essentially separating groups of users, traffic, data, systems or applications from each other. You’re limiting communication throughout your network, thereby limiting the attack surface area available. If an attacker can’t see it, they can’t attack it. You should also control physical access because all of the security measures are worthless if you allow physical access to the systems, hardware, and information. Finally, assume that external systems are insecure. External systems, such as an HVAC provider, likely have differing different security policies and postures than you do and you should treat them accordingly.
"IT security is as much about limiting the damage from breaches as it is about preventing them."
e. Prevention is ideal, but detection is a must-- It has been proven that no security system is perfect, so criminals will inevitably enter your network. Detecting intrusions requires three elements: the capability to log security-relevant events, procedures to ensure the logs are monitored regularly, and procedures to properly respond to an intrusion once detected. Logging provides a forensic function so you can trace the criminal and check what went wrong. It also provides accountability by tracking all actions to an initiating user, process and/or system. This highlights that everyone has a responsibility to protect information and individuals are held accountable. IT security is as much about limiting the damage from breaches as it is about preventing them.
f. Employ a risk-based approach to security --Risk is the chance of something happening that will have an impact on your objectives and an assessment of risk is the overall process of risk identification, analysis, evaluation, and mitigation. Taking a risk-based approach allows for the better identification of threats/weaknesses, more effective allocation and prioritization of resources to manage those risks, and improved Board confidence/trust. Proper risk assessment allows you to avoid lots of unpleasant things like fines for failing to comply with regulations, remediation costs for potential breaches, and the losses from missing or inefficient processes. Rather than trying to protect against all kinds of overwhelming threats, this approach allows you to balance protection with utility/costs by focusing the protection on the most vital systems first and then finding acceptable ways to protect the rest without making them useless. Security should be appropriate and proportionate to the value of and degree of reliance on the IT systems and to the severity, probability, and extent of potential harm. You should calculate the cost of damage against security measurements (e.g., you wouldn’t protect a $10 horse with a $100 fence). The approach also allows you to enforce security by design by implementing protections at the initial design of a project. Controls implemented at the end of a project are often less efficient and less integrated than those integrated within the core of the project. This also enables business ownership where information security is owned by all levels, from the top - down, not just IT. Senior managers are involved in determining and accepting information security risks.
g. System Configurations -- Simplicity is minimizing the complexity of systems to create fewer potential points of failure and reduce the surface area for attacks. Reuse is giving preference to existing security controls over custom solutions. Secure default is configuring the most secure setting as the default settings for any system. You can then decrease security based on business requirements/risk. Fail securely is designing your security system so that a failure will follow the same execution path as disallowing the operation. It's important that these exceptions do not enable behavior that the counter measure would normally not allow. Finally, use a positive security model (also known as "whitelist") to define what is allowed, and reject everything else. This should be contrasted with a "negative" (or "blacklist") security model, which defines what is disallowed, while implicitly allowing everything else.
Incorporating these information security guiding principles will lay the foundation for a successful information security program and create an appropriate organizational security posture to deter and detect criminals. I hope that you adopt these best practices to help your organization reduce unnecessary risk in 2020.