Cybersecurity is made harder by today’s threat landscape, which is not only constantly changing but also expanding at an increasing rate. This is the most problematic element of Cybersecurity: its evolution is fast and unpredictable, and the nature of the risks involved is constantly changing.
Managing security by concentrating resources on the most critical system components, in order to reduce the likelihood of a successful breach, is no longer considered sufficient against today’s advanced cyber threats. Threats change faster than traditional risk management approaches can respond, and a more proactive, focused and adaptive approach is needed to run an effective Cybersecurity strategy.
Good security management is a continuous effort, with preparation, readiness and planning the best approach. To achieve this, a number of basic best practices can be considered essential for organisations that need to protect their assets from the most common and opportunistic cyber-attacks.
- User awareness is key to any Cybersecurity strategy. It does not matter how much money is spent on hardware, resources and state-of-the-art solutions if users are not aware of their responsibilities towards corporate security. Security awareness training improves employees’ understanding of security risks and of how to avoid them. Spear-phishing emails, spoofed emails, spam, malware campaigns, social engineering and similar attacks all target people first and systems second.
- Patch management is fundamental to the ongoing process of a good Cybersecurity strategy. All systems should be patched as soon as possible after updates are released, prioritising internet-facing systems and the most severe vulnerabilities. New vulnerabilities and zero-day (0day) threats surface daily, and the ability to update systems within short time-frames is essential. Once systems reach end-of-life and are no longer supported by the vendor, they present a significant risk to the overall security of the organisation. Compensating controls for legacy and out-of-date systems should only be used in specific circumstances and for a short period of time; it is better to focus on replacing them with forward-looking solutions that have been built with security in mind.
- Perform regular security testing. Vulnerability scanning and penetration testing should be performed regularly to identify weaknesses in network and application security. Going a step further, Red Team assessments give a better understanding of the overall security posture of the organisation. Penetration testing is not only a compliance requirement under regimes such as PCI DSS and ISO 27001. There is a wide range of penetration testing assessment types to choose from, depending on which part of the organisation’s systems is being assessed. Making penetration testing a core requirement of the Cybersecurity strategy will not only highlight potential security issues but also justify the cost of the remediation needed on the way to a certified Cybersecurity status.
- Identify the high-value targets among both internet-facing and internally accessible systems. Cyber criminals tend to focus on these systems because they usually hold not only corporate data and intellectual property but also personally identifiable information that can be used for fraud. In the banking industry, for example, cyber-attacks focus on customer identifying information together with account details and account numbers.
- Segregate systems. Where possible, systems should be segregated, and whether outbound traffic should be blocked needs to be assessed: restricting egress limits an attacker’s ability to call back to command-and-control infrastructure or to exfiltrate data. Placing all systems on one network segment, without separating critical systems from less vital ones, is not advised. A review of the high-value targets identified above should be undertaken and segregation applied as necessary. Backup systems should be kept separate from production systems, so that a compromise of production cannot reach the backups. Where possible, services should run on different hosts and communicate using strong encryption.
- Obtain a clear picture of the infrastructure and of normal network traffic, correlating data in real time so that irregular activity is identified: DDoS attacks used as a distraction, changes that require immediate attention, below-the-radar intrusion attempts and potential insider threats.
- Review the information security policy. Reviewing and justifying each user’s level of access and ensuring that password policies are adequate is crucial. Logs should be retained, both internal and external network traffic monitored in real time, and antivirus software checked to confirm it is performing as expected. System hardening practices should be introduced, and build reviews and break-out assessments used to verify that, in the unfortunate event of a breach, the impact is restricted and contained as far as possible. Lastly, it is essential that an incident response plan and a tested backup and recovery plan are in place.
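The real-time correlation the last two items call for (spotting below-the-radar intrusion attempts, and monitoring logs as they arrive) is easiest to see on concrete log data. The following is an added example and not code from the original article: it parses a constructed set of syslog-style sshd lines and applies two detections, a per-source burst rule and a per-account rule that counts distinct sources, to show why the second pattern is invisible to the first. The log format, host name, IP addresses, account names and thresholds are all assumptions made for the example.

```python
"""Correlating authentication events: noisy bursts versus low-and-slow attempts.

Added example; the log format, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Iterator, List, Tuple

# Constructed sample (not real data). Three patterns are embedded:
#   * 203.0.113.5 fails five times in nine seconds (noisy brute force)
#   * four different 198.51.100.x hosts each fail once against "jsmith",
#     seven minutes apart (low-and-slow: no single source looks suspicious)
#   * one legitimate login from the internal range
SAMPLE_LOG = """\
2024-05-01T09:00:01 bastion sshd[2101]: Failed password for admin from 203.0.113.5 port 51022 ssh2
2024-05-01T09:00:03 bastion sshd[2101]: Failed password for admin from 203.0.113.5 port 51023 ssh2
2024-05-01T09:00:05 bastion sshd[2101]: Failed password for admin from 203.0.113.5 port 51024 ssh2
2024-05-01T09:00:07 bastion sshd[2101]: Failed password for admin from 203.0.113.5 port 51025 ssh2
2024-05-01T09:00:09 bastion sshd[2101]: Failed password for admin from 203.0.113.5 port 51026 ssh2
2024-05-01T09:05:00 bastion sshd[2140]: Failed password for jsmith from 198.51.100.10 port 40001 ssh2
2024-05-01T09:12:00 bastion sshd[2155]: Failed password for jsmith from 198.51.100.11 port 40002 ssh2
2024-05-01T09:19:00 bastion sshd[2170]: Failed password for jsmith from 198.51.100.12 port 40003 ssh2
2024-05-01T09:26:00 bastion sshd[2188]: Failed password for jsmith from 198.51.100.13 port 40004 ssh2
2024-05-01T09:30:00 bastion sshd[2201]: Accepted password for jsmith from 10.0.0.7 port 52000 ssh2
"""

# Assumed line shape: ISO timestamp, host, sshd[pid], then the OpenSSH-style message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ok: bool
    user: str
    src: str


def parse(lines: Iterable[str]) -> Iterator[AuthEvent]:
    """Yield an AuthEvent per matching line; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield AuthEvent(datetime.fromisoformat(m["ts"]), m["result"] == "Accepted",
                            m["user"], m["src"])


def detect_bursts(events: Iterable[AuthEvent], threshold: int = 5,
                  window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, datetime]]:
    """Per-source sliding window: flag a source the first time it reaches
    `threshold` failures inside `window`. Returns [(src, time_flagged)]."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts, flagged = [], set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ok:
            continue
        q = recent[ev.src]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev.src not in flagged:
            flagged.add(ev.src)
            alerts.append((ev.src, ev.ts))
    return alerts


def detect_low_and_slow(events: Iterable[AuthEvent], min_sources: int = 4,
                        window: timedelta = timedelta(minutes=30)
                        ) -> List[Tuple[str, Tuple[str, ...], datetime]]:
    """Per-account correlation across sources: flag an account once it has
    failures from `min_sources` distinct sources inside `window`, even though
    each source stays below any per-source threshold.
    Returns [(user, sorted_sources, time_flagged)]."""
    recent = defaultdict(deque)  # user -> (timestamp, src) of recent failures
    alerts, flagged = [], set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ok:
            continue
        q = recent[ev.user]
        q.append((ev.ts, ev.src))
        while q and ev.ts - q[0][0] > window:
            q.popleft()
        sources = {src for _, src in q}
        if len(sources) >= min_sources and ev.user not in flagged:
            flagged.add(ev.user)
            alerts.append((ev.user, tuple(sorted(sources)), ev.ts))
    return alerts


def analyse(log_text: str) -> dict:
    """Run both detections over one log text and return their alerts."""
    events = list(parse(log_text.splitlines()))
    return {"bursts": detect_bursts(events), "low_and_slow": detect_low_and_slow(events)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

Run the file directly to print the alerts. The low-and-slow case is the point of the example: each 198.51.100.x host fails only once, so a per-source rule never trips, and only the per-account correlation across sources catches the campaign. In a real deployment the sliding windows would be fed by a log shipper rather than a string, and the thresholds tuned to the environment’s normal failure rate.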