Getting Ready for Cyber Security

The use of the Internet has affected almost every part of an individual's life. The Internet has grown from
a tool for looking up information for a school project into a driver of social and political change in
many parts of the world. The rapid growth of social media, online governance models and the
Internet of Things clearly indicates that it is only a matter of time before all information is
available online in some form or another.
However, over time it has been proven that the Internet is vulnerable: vulnerable to human
error, vulnerable to malicious individuals and vulnerable to natural disasters. Focusing on
malicious individuals, who keep improving their skills, scale and determination, it has
become clear that something more comprehensive than installing a firewall and an IPS is
required to tackle the challenges that the way the Internet and related services are used poses to
society.
Cyber security has taken a prominent place in the security world. Cyber security, as defined by
ITU-T, is:
[Cyber security is the collection of tools, policies, security concepts, security safeguards,
guidelines, risk management approaches, actions, training, best practices, assurance and
technologies that can be used to protect the cyber environment and organization and user’s
assets. Organization and user’s assets include connected computing devices, personnel,
infrastructure, applications, services, telecommunications systems, and the totality of transmitted
and/or stored information in the cyber environment.]
Given how broad the term is, different organizations may associate a slightly
different meaning with it, and a certain level of flexibility in its use is expected.
Guiding principles for Cyber Security:
When moving towards cyber security, the approach should be supported by a defined set of
principles that help manage risks from identification through mitigation in a
manner that is in tune with cost and privacy considerations. Striking the right balance is important
given tightening regulations and cost: any control that generates excess data
drains resources and can lead to fines.
The recommended set of guiding principles can be:
- Risk based approach: Risk assessment to identify the threats, vulnerabilities and impact to the
organization, followed by managing the risk through an effective set of controls.
- Result focussed: Focus must be on the final outcome, irrespective of the means used to reach it,
and progress must be measured by achievement of the desired outcome.
- Prioritization: A priority matrix must be developed to prioritize events and assets. The
management approach must be based on priority, handling high-priority activities first.
The increase in mobility, interoperability, population, complexity and distribution of components
has given attackers a vast attack surface.
- Adaptability: The approach or the controls developed as part of cyber security must be
applicable to a large set of assets and adaptable to a wide array of sectors.
- Privacy and regulatory compliance: The approach to cyber security must respect the privacy of
individuals and support regulatory requirements.
- Internationally influenced: The approach must be informed by international standards so as
to maintain the widest possible acceptability.
Taking a Risk based approach to Cyber Security:
In the current scenario, the available cyber security guidance is mostly voluntary, but the
industry is moving towards mandatory compliance, at least for critical infrastructure, if not end-to-end.
A risk based approach can help address the complexities faced during rollout of the strategy.
It starts with identifying, analysing and evaluating the risks that require
attention. The approach must be as holistic as possible so that all
business units can take advantage of the changing landscape. Let us go through some of the critical areas
that need to be part of a cyber security initiative right from the beginning:
Information Risk Management Leadership:
It is important that the Board and senior managers support information security and risk
management, and they may wish to communicate their risk appetite and risk management policy to
people associated with the organization so that everyone is aware of the organization's risk
boundaries. A lack of effective risk management can lead to increased exposure to risk, missed
opportunities, poor return on investment, etc. To manage the risks, the following can be done to
promote a risk-aware culture:
- A governance framework should be developed which consistently supports the risk
management culture across the organization and is owned by the Board or senior
management.
- A major task is determining the risk appetite of the organization so that
business decisions are guided within risk boundaries.
- The Board's discussion agenda should include information risk to the organization. Risk
assessment reports must be regularly reviewed, and contacts with outside authorities
should be maintained in order to gain better insight into emerging risks.
- Appropriate standards must be referred to in building a life cycle approach to risk management,
which can help in continual improvement, along with roll-out of a corporate risk
management policy.
Network Security:
The Internet and other untrusted networks expose corporate networks to threats that aim to compromise
the confidentiality, integrity and availability (CIA) of systems and information. Note that protection is required against
internal threats as well. Failing to secure the network properly can lead to leakage of sensitive
information, malware infection, exploitation of vulnerable applications and systems, etc.
The following activities can help reduce the risk:
- All traffic should be inspected and filtered at the network perimeter to ensure only
business-supporting traffic is allowed. A firewall must be installed between untrusted
networks and the internal network, with only authorized ports and protocols allowed and a default
deny-all setting in place.
- Direct connectivity between the internal network and untrusted networks should not be
allowed. Network segmentation must be employed to isolate critical assets and to manage
a large environment more easily. Wireless networks must be secured, and Network Address
Translation must be used to protect internal IP addresses from exposure.
Secure Configuration:
Creating and enforcing secure baselines for all types of system components and applications can
vastly improve the security posture of IT systems. As a best practice, all unnecessary
functionality should be disabled or removed, which reduces the exposure of IT systems to a
variety of threats. Applications and systems that are not hardened will be vulnerable and can
result in unauthorized access to systems, exploitation of insecure configuration, an increase in
security incidents, etc. To reduce incidents due to insecure configuration, the following
steps can be taken:
- Policies related to patch management must be enforced to make sure patches are applied
within the established time frame. Along with patching, up-to-date inventories of hardware and
software must be in place. Automated tools can be used to capture the details.
- Hardening guidelines must be available for all types of system components: routers,
firewalls, servers, workstations or any other. Unnecessary ports and services must be
disabled. Change control must be in place for any change to be made to any system or
application. User rights must be limited with respect to the ability to make changes to the
components.
- Regular vulnerability scans and penetration testing must be conducted, and any loopholes
identified must be fixed within a defined time frame. The team must also maintain
awareness of the current threat landscape.
Identity and Access Management:
Organizations need to understand the privileges users require, and whether they are
required at all, to carry out their daily tasks. The principle of granting only the privileges required
to carry out daily jobs is termed 'Least Privilege'. Failure to manage privileges effectively can
result in misuse of privileges, increased attacker capability, privilege creep, etc. The following
methods can help reduce the number of incidents due to privilege misuse:
- Policies and procedures for identification and access control must be established,
providing guidance on password selection, complexity and life cycle along with roles and
responsibilities.
- A procedure must be established for review of user accounts right from creation until
deletion. Also, a periodic reconciliation process must be set up to identify any dormant or
test accounts, which should then be removed.
- The number of privileged accounts on system components must be controlled. Privileged
accounts should not be used for day-to-day activities. Normal users should be granted
privileges based on the Principle of Least Privilege.
- Access to audit logs must be controlled, and users must be monitored during their daily
activities, specifically while carrying out sensitive tasks.
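The periodic reconciliation described above, as an added example (not code from the original post): it classifies a constructed directory export into dormant accounts, test accounts and dormant privileged accounts. The sample accounts, the `test_`/`tmp_`/`temp_`/`demo_` naming convention and the 90-day dormancy threshold are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class Account:
    username: str
    privileged: bool
    created: date
    last_login: Optional[date]  # None when the account has never been used

# Constructed sample export (hypothetical accounts, not real data).
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", False, date(2023, 1, 10), date(2024, 5, 1)),
    Account("bob_admin", True, date(2023, 1, 10), date(2024, 5, 2)),
    Account("svc_backup", True, date(2022, 6, 1), date(2023, 9, 1)),
    Account("test_user1", False, date(2024, 1, 15), date(2024, 1, 16)),
    Account("carol", False, date(2024, 4, 20), None),
    Account("temp_contractor", False, date(2023, 11, 1), None),
]
SAMPLE_TODAY = date(2024, 5, 3)

# Assumed naming convention for test/temporary accounts.
TEST_PREFIXES = ("test_", "tmp_", "temp_", "demo_")

def reconcile(accounts, today, dormant_days=90, grace_days=14):
    """Flag accounts the reconciliation should put up for removal.

    dormant: no login for more than dormant_days; never-used accounts count
             once they are older than grace_days (new joiners get a grace period)
    test: username matches the test/temporary naming convention
    privileged_dormant: dormant accounts that are also privileged, which
             carry the most risk and should be removed first
    """
    dormant_cutoff = today - timedelta(days=dormant_days)
    grace_cutoff = today - timedelta(days=grace_days)
    report = {"dormant": [], "test": [], "privileged_dormant": []}
    for acct in accounts:
        if acct.last_login is None:
            is_dormant = acct.created < grace_cutoff
        else:
            is_dormant = acct.last_login < dormant_cutoff
        if is_dormant:
            report["dormant"].append(acct.username)
            if acct.privileged:
                report["privileged_dormant"].append(acct.username)
        if acct.username.lower().startswith(TEST_PREFIXES):
            report["test"].append(acct.username)
    return report

def run_sample():
    return reconcile(SAMPLE_ACCOUNTS, SAMPLE_TODAY)
```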
Incident Management:
At some point in time all organizations have faced certain types of incidents and will continue to
face new ones. Therefore, it is worthwhile investing in an efficient incident management
procedure to better manage incidents and reduce any financial impact. Failure to implement an
incident management procedure can lead to major and long-term disruptions and to legal and
regulatory non-compliance. The type of incidents will vary based on the type of business, and a
risk based approach will be more suitable, considering the following points:
- The organization should establish and maintain an organization-wide incident management plan
approved and supported by senior management. The plan must be mature enough to
manage a wide variety of incidents.
- Roles and responsibilities must be clearly outlined, and appropriate training must be
provided to personnel so that they can handle a wide variety of incidents efficiently.
- The incident management plan should be tested on a regular basis, and lessons learned must be
incorporated to improve the plan. Business continuity and disaster recovery should also
be included, and appropriate back-ups must be maintained to counter any incident that
results in loss of data.
- In case of incidents it might be required to inform a large number of people, including
clients, vendors, law enforcement, etc. Responsibilities must be documented
as to who informs the interested parties about the incident, what is communicated and how.
- Root cause analysis must be performed for all incidents, and lessons learned should be used to
enhance the plan for the future. If required, incidents should be reported to law
enforcement, and user awareness activities should be carried out to eliminate the possibility of recurrence.
Virus and Malware Prevention:
Connecting to untrusted networks exposes systems to viruses and malware. Such infections
can lead to business disruption, information leakage and even legal sanctions. Common
vectors of such infection include e-mail, uncontrolled Internet access and removable media.
The following can be considered to reduce virus and malware risks:
- Relevant policies and procedures addressing viruses and malware must be established
and communicated within the organization. Users must be educated regarding the use of
e-mail attachments and removable media on corporate systems.
- Anti-virus and anti-malware defences must be established, and all systems must
be regularly scanned. All electronic data exchange must be scanned for malicious
content.
- Content filtering should be carried out by firewalls to prevent movement of malicious
code from untrusted networks to the internal network. If possible, suspected content should be
quarantined for further analysis.
Logging and Monitoring:
Logging and monitoring allow timely detection of attacks and can help in establishing
procedures that prevent future attacks. Monitoring ensures that systems are being used
in conformance with established policies. It must be documented which actions are to be
logged and what the monitoring procedure will be. Failure to monitor systems can lead to
non-compliance as well as a diminished ability to detect and react to attacks. A consistent and
documented approach needs to be put in place, which can include the following:
- Appropriate policies must be put in place and should be aligned with the incident
management policy. It should be ensured that all network and host systems are monitored
by an automated solution with the capability to detect attacks through the
use of signatures or heuristics.
- All network traffic, inbound or outbound, must be monitored for any malicious
activity. The solution should also be able to identify the subject, the activity that triggered the
alert and the object.
- The monitoring solution should be customized to capture the appropriate logs and events that
fulfil the monitoring requirement. Inappropriate collection could result in legal and
regulatory breaches and could turn out to be costly in terms of management.
- To the extent possible, it should be ensured that all logs and events are collected and stored in a
central repository and that enough space is available to retain them for a defined period. Above all, it
must be ensured that all devices are synced to a central time source so that all logs and events are
accurately time-stamped to support investigations or legal action.
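Why the central repository and time synchronization matter in practice, as an added example (not code from the original post): a collector stamps each received line with its own clock, so the difference between the device's timestamp and the receive time reveals devices whose clocks have drifted, and the measured skew can be used to rebuild the true order of events. The log format, host names and sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample: recv= is the collector's receive time, ts= the device's
# own timestamp. srv02 is 13 minutes behind; none of this is real data.
SAMPLE_LOG = """\
recv=2024-05-03T10:00:01Z host=fw01 ts=2024-05-03T10:00:01Z msg=deny tcp 203.0.113.5 -> 10.0.0.7:445
recv=2024-05-03T10:00:02Z host=fw01 ts=2024-05-03T10:00:02Z msg=deny tcp 203.0.113.5 -> 10.0.0.7:3389
recv=2024-05-03T10:00:03Z host=srv02 ts=2024-05-03T09:47:03Z msg=sshd failed password for admin
recv=2024-05-03T10:00:04Z host=srv02 ts=2024-05-03T09:47:04Z msg=sshd failed password for admin
recv=2024-05-03T10:00:05Z host=ws11 ts=2024-05-03T10:00:04Z msg=usb storage device attached
"""

LINE_RE = re.compile(r"recv=(\S+) host=(\S+) ts=(\S+) msg=(.*)")

def parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    """Parse collector lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        recv, host, ts, msg = m.groups()
        events.append({"recv": parse_iso(recv), "host": host,
                       "ts": parse_iso(ts), "msg": msg})
    return events

def clock_skew(events, tolerance_s=5):
    """Median (device time - collector time) per host, in seconds.

    Hosts whose skew exceeds the tolerance are flagged: their timestamps
    cannot be trusted for correlation until they are synced to the central
    time source.
    """
    per_host = {}
    for e in events:
        delta = (e["ts"] - e["recv"]).total_seconds()
        per_host.setdefault(e["host"], []).append(delta)
    skew = {h: median(v) for h, v in per_host.items()}
    flagged = sorted(h for h, s in skew.items() if abs(s) > tolerance_s)
    return skew, flagged

def corrected_timeline(events, skew):
    """Order events by device time minus measured skew, i.e. by when they
    actually happened, rather than by the drifted device clock."""
    return sorted(events,
                  key=lambda e: e["ts"] - timedelta(seconds=skew[e["host"]]))
```

Sorting the same events by the raw device timestamp would place the srv02 login failures thirteen minutes before the firewall denies that preceded them.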
Removable Media Controls:
Lack of removable media controls can lead to information theft, malware infection and, above all,
loss of reputation. It is better to disable any usage of removable media unless a business need
specifically requires it, and approval should be based on a risk assessment. To manage
the risks from removable media, the following can be considered:
- Policies and procedures should be implemented to control the usage of removable media.
Usage should be limited by user, by system and by the type of data that may be moved onto
removable media.
- All removable media should be inventoried, and users should not be allowed to use their own
media. All removable media should be scanned before being used for data transfer, and an anti-virus solution must be deployed on all hosts.
- Removable media reuse and disposal procedures must be put in place to ensure that older
data is not accessible. Industry-accepted deletion and wiping techniques should be
employed for securely deleting the data.
- Removable media must be hardened as per the hardening guidelines, and appropriate
monitoring should be in place to detect any unauthorized use. If required, encryption can
be used to protect the information stored on the removable media.
Home and Mobile Working:
Mobile technology has made huge strides in the daily life of individuals. More and more people
are using mobile devices for work-related activities, which has extended the corporate
security boundary. Organizations must maintain relevant policies and procedures to
control the usage of mobile devices and lay out plans for managing any compromise that
might occur. The risks include theft of the mobile device, shoulder surfing in public, and insecure
configuration leading to loss of data, etc. The following can be implemented to reduce the risks
associated with mobile devices:
- If the organization allows the use of mobile devices, a secure baseline must be
documented and implemented on all devices. Also, all users must be trained in
how to use their devices securely in public areas or any other place.
- The amount of corporate data present on mobile devices should be kept to the minimum
required to complete the activity. Also, connectivity to the corporate network
from untrusted networks, like public Wi-Fi, must be protected by use of a VPN to protect
the data transmitted.
- Users must be instructed to report any and all incidents related to mobile devices at the
earliest opportunity, and the corporate incident management plan must be extended to mobile device
incidents.
User Education and Awareness:
It is evident that a large number of incidents are caused by unintentional acts of users. It is
important that users are aware of their responsibilities regarding the usage of corporate
resources. Lack of awareness can result in unacceptable usage of company resources, use of
removable media and personal devices that introduce malware, users not reporting incidents on
time or not at all, etc. To reduce the risks, the following steps can be taken:
- An acceptable usage policy shall be in place and must be communicated to all users.
- All new joiners should go through security training at the time of joining, and annual
training sessions must be held for all users, informing them of new trends in the
security field.
- The organization should promote an incident reporting culture along with the security culture;
users must be confident in reporting incidents without any fear. In addition, a
disciplinary process must be in place for users misusing the resources.
Source: https://www.sisainfosec.com/americas/blogs/getting-ready-for-cyber-security/