Small and medium size businesses do not typically have IT Security departments to manage their cyber-security. In fact, even firms with IT staff often exhibit a glaring lack of security expertise. This can lead to a fatalistic attitude towards cyber-security and a kind of paralysis in which even modest initiatives that would dramatically improve the organization’s defensive posture are not undertaken.
There are, of course, activities that every organization can do to dramatically reduce their cyber-security risk. We explain what we consider to be the “top ten” most important in this article. It can be viewed as the minimalist approach to cyber-security. Before we do so, however, it will be illustrative to lay some ground work for our list by elaborating some facts about improving cyber-security:
Cyber-Security “Facts of Life”
There Is No “Safe By Default”
Most security experts agree that the typical network is too complex and too volatile to effectively protect. The situation is aggravated by the fact that most network devices and computing platforms do not come “pre-hardened” right out of the box. In fact, historically, it has been just the opposite. Vendors like to ship their devices pre-configured for the maximum convenience of the maximum number of customers. This means that, by default, devices exhibit a “greatest common denominator” configuration that is far from secure. This has changed in recent years as companies have become more security-conscious, but many products still feature default accounts and passwords and run unnecessary services.
There Is No Such Thing as “100% Secure”
Cyber-security is about reducing risk to IT resources, and the traditional approaches to risk management are applicable. Indeed, as with other domains of risk-reduction, there are diminishing returns as one continues to attempt to reduce risk. Stated plainly, the cost of reducing risk rises as additional, increasingly less effective and more burdensome tactics are implemented to further reduce risk. Vendors will have you believe that the right combination of products will eliminate the risk of breach or loss, but history dictates otherwise.
The correct strategy is to identify your risks, analyze them for probability and impact, and prioritize them accordingly. Then, working in priority order, devise one or more strategies for addressing each risk. Finally, choose which strategies to implement and when, based on a cost/benefit analysis of your options. The result should be a multi-year practical and cost-effective risk-reduction plan.
As a final point, consider that you cannot ever prove that you are secure, only that you are not. Security is a state of not having been breached yet. You don’t know what you don’t know, so there can never be a guarantee of invulnerability.
Security Is A Continuous Process
Reflect for a moment on the complexity and rate of change of your organization and its infrastructure. Is it reasonable to think that it is possible to detect and address every potential vulnerability that emerges? As the organization and infrastructure change, does that aid or detract from your overall security?
Our point is that managing an organization’s Information Security represents a journey toward a goal that can never be fully realized. The goal is risk-reduction – not risk-elimination – and that is an ongoing, never-ending challenge.
Security Is Achieved Through Overlapping Defenses
Security is multi-dimensional and requires specialized tools to properly address different challenges. There is, however, no magic combination of tools or policies that will render your organization completely safe. Security is the product of cooperating countermeasures, in which each reduces risk in its own way, but in which it is also true that the whole is greater than the sum of the parts. The most effective strategy is to deploy overlapping, partially redundant defenses that are more effective than isolated solutions. Note that this article is not titled, “The Cybersecurity Silver Bullet,” because there is no such thing. Instead, we recommend a set of cooperating activities and defenses that will collectively reduce the overall risk of compromise.
OK, let’s get specific about what you can do to address your cyber-security. The following are presented in priority order, but you will be well served to implement all of them.
It is simple. Whether you are a business or an individual, you cannot afford not to be doing regular backups. There are two kinds of people in the world: those who have lost critical work as the result of hard-disk failure, and those who will. Hard disks have become so reliable and can last so long that is easy to forget that they are mechanical devices that not only can but also will, eventually fail. It is only a matter of time. Backups are often your only recourse when a drive fails. From a security point of view, if your critical information is stolen, corrupted, or held hostage by ransomware, the only recourse may be your backups. Learn how to backup your system, create a realistic schedule for backing up your systems and do it diligently. Store the media off site in a safe, secure location. Periodically test recovery of selected files going back in time. You should also store the original installation media or purchase/download details for all application software in a safe location. Remember: backups contain your data, not your applications. In the event of a re-build being necessary, it may be necessary to reinstall your applications; be prepared.
Bottom line: Backups can be the only thing that saves you in certain circumstances.
2) You Must Have A (Properly Configured) Firewall
A Firewall is a network appliance (or in some cases software) that filters network traffic based on criteria that you control. Even the simplest WiFi router now comes with what was previously considered powerful Firewall features. The purpose of a Firewall is to protect a network (or portion of) by restricting traffic to what is essential and discarding the rest. The filter criteria is expressed as two rule sets that restrict inbound and outbound traffic respectively.
Firewall rulesets are technical in nature, and this is not the forum to explain them, but suffice it to say that a properly configured Firewall will limit traffic to precisely what is needed by the network it is protecting. Of course, large organizations have many network segments, and thus, many firewalls.
Note that consumer targeted WiFi products are more likely to suffer the “greatest common denominator” problem mentioned above and be overly permissive by default.
Bottom line: You must have a Firewall in place to protect each network segment, and it is essential that the configuration of your Firewall(s) be periodically examined to ensure that it is properly restricting traffic. This is an essential “Layer of Defense.” If your organization does not have the expertise to do this, then hire someone qualified to do it.
3) You Must Have Anti-Virus Software
The term “malware” is used in the industry to refer to the malicious software of any variety. Anti-virus (A/V) software solutions, also known as Endpoint Security solutions, protect your desktop or laptop by scanning all data and applications for known malware. In the event malware is detected, it is prevented from running and typically deleted. “Known malware” is a loaded phrase. “Known” means that the malware has been encountered before and can be recognized using unique patterns it contains (i.e. its “signature”). The anti-virus companies track malware and analyze it to distill “signatures” that can be used to identify each variation, and then propagate known signatures to all users of the A/V software. This means that it is essential that the signatures be kept updated, and that malware that has NOT been previously encountered will not be recognized as such, and will get past your anti-virus software.
Sadly, the last few years have featured new and powerful malware generators that can create new viruses on demand that are not recognized by anti-virus software. This has led to the slow decline of successful malware recognition by anti-virus solutions. However, something is better than nothing, and there is still a lot of old malware in the world that can hurt you if you are not looking for it.
Bottom line: Use an effective anti-malware software, and keep it updated using whatever option is available for automatic updates.
4) Adopt and Enforce a Strong Password Policy
One means by which we control access to our systems and data is through “authentication,” the process by which a system extends trust to a user based on some furnished proof of identity. The most common means of authentication is through a password. This is not a problem in and of itself, but “weak” passwords definitely are a vulnerability because they can be easily guessed or programmatically generated. Let’s consider some problems that make a password “weak”:
- It is only a few characters long, so the full set of possibilities can be programmatically attempted in a timeframe acceptable to attackers.
- It is known or potentially exposed to individuals other than the owner.
- It is has been in use (i.e. not been changed) for a long time.
- It is a commonly used password.
- It is a word found in a dictionary.
- If we design rules to specifically to avoid these problems, we find ourselves with a Strong Password Policy that will increase the strength of the authentication process:
An Example of Strong Password Policy
A password must:
• Be no less than 8 characters in length
• Must contain at least 1 upper-case letter, lower-case letter, digit, and punctuation character
• Must not be a dictionary word
• Must not appear in a (given) list of commonly used passwords
• Must be periodically changed
• Must not be reused for some given time-frame
Bottom line: You should define, adopt, and enforce a strong password policy for your organization. It may be the difference between a future breach and security.
5) Protect Sensitive Information in Storage and in Transit
An organization that manages sensitive information has the obligation to protect it. In some scenarios, it is the law. One of the ways that information can be protected is through encryption. Encryption translates data into gibberish that is irreversible without the decryption key. At a minimum, laptops should be configured so that their hard-disks are encrypted, reducing the risk of information exposure if the device is lost or stolen. On servers, database contents should also be encrypted, as should any files containing sensitive information. Depending on the perceived risk and security of system backups, you should consider encrypting backup media.
Sensitive information must also be protected as it is communicated between systems. Employees that access corporate IT resources remotely should do so through a Virtual Private Network (VPN). Most routers and all laptops can be configured to establish a secure remote link between the laptop and local business network. This will protect any sensitive information as it is transferred. To generalize, any data communication between the business network that uses public networks (such as the internet) should be similarly protected.
Bottom line: Protect the confidentiality of sensitive data and provide the means for employees to connect securely to business IT resources.
6) Recognize that Employees Are The Weakest Link
Phishing, the use of misleading and fraudulent email to trick recipients into facilitating a breach, is now the most common means by which breaches occur. This means that unless you have taken steps to ensure otherwise, your employees are the primary targets for hackers to gain access to your corporate resources. Note that there are two types of targets: selected targets and targets of opportunity. Massive generic email phishing campaigns seek targets of opportunity. The attackers are not targeting anyone specifically, just as many devices as they can get. Compromised machines are aggregated into “zombie robot networks” that are managed collectively and used to send spam, perform additional phishing, and/or host malware that will detect and report sensitive information like credit cards, bank account numbers, and passwords.
Attackers seeking to breach a specific company will use “spear phishing” emails in which the message is carefully crafted to appear credible and relevant to the organization and its operations. Such emails may appear to originate from known individuals within the organization.
Employees must be trained to be on guard against not only phishing attacks, but also other social engineering exploits that can be used to breach security. Cyber-security awareness training and effective Information Security (IS) Policies and Procedures are the means by which this can be done.
Bottom line: You can transform employees from being the weakest link in your defenses into assets through effective IS Policies and Procedures, Governance, and training. Employee cyber-security awareness is a key part of your defense.
7) Do Security Testing
The only way that you will know that you have taken reasonable cyber-security precautions is to test them. Stated more simply, if you do not test them, you have no assurance that they work. Cyber-security testing includes any or all of the following:
Perform a Network Vulnerability Assessment (NVA)
This measures the degree to which your firewalls, routers, and other publicly exposed (i.e. internet-connected) servers and devices are running current and operationally necessary software. Commercial tools are used to scan the network from outside to detect and report what devices and services can be detected. The information gathered includes insight into whether the operating systems and services are running the latest software, whether they contain known vulnerabilities, and upon analysis, whether the services running are necessary.
Perform a Server Vulnerability Assessments (SVA)
Whereas the NVA provides a view from the outside, a SVA provides a view from the inside. The critical difference is that SVAs are “credentialed scans” in which the scanner logs into each server and examines the installed OS and software. This type of assessment provides an internal view into the software and applications running on servers and can provide assurance that they have not already been breached.
This is a security assessment of all desktop and laptop devices within the organization, ensuring that none have been compromised and that all are running an anti-malware solution and the latest available versions of required software.
Websites exposed to the internet represent a potential portal for hackers to enter your network. Website Security Testing detects vulnerabilities within web-applications that are accessible from outside the organization, or from within the organization, or both. It reports on potential security problems within websites, and what developers must do to fix them. It is an especially important exercise for older (i.e. legacy) websites.
Operational Security Assessment
This is an examination of all ongoing operations, policies, and configurations to detect behaviors or practices that represent security vulnerabilities. In encompasses physical security, operational security, governance, and awareness. It is very broad in scope and can be used to prioritize subsequent security initiatives.
This describes authorized and contracted exercises by ethical hackers to attempt to breach the security of the organization. It can be limited in scope (for example, to a website) or unlimited to seek any breach possible. Penetration testing becomes an appropriate initiative after other security assessment work and associated remediations have been completed. The goal is to engage qualified individuals to behave as attackers and try to breach your security. As such, it is the ultimate test of your defenses and can yield valuable insights, but only after you have done your best to secure your operations.
8) Inventory Your Hardware and Software
The older the software, the more likely it is to contain security vulnerabilities. Thus, one way to minimize vulnerabilities is to ensure that all software and applications used within the enterprise are the latest versions available. This is called “Patch Management,” and is the next item we discuss in our list. However, the prerequisite for Patch Management is Asset Management, because you can’t ensure everything is up to date if you don’t know what “everything” is. Clearly this becomes more of a challenge as the size of the enterprise grows.
Bottom line: You must maintain an accurate inventory of all IT Resources along with their location, OS or software version, and who is responsible for administration. Periodically check it to ensure it is being kept up to date.
9) Patch Everything
This refers to the task of recognizing that new software has emerged for devices in the Asset Inventory (see above) and ensuring that timely updates to the relevant devices occur. The Asset Inventory must be updated such that it always accurately reflects the software versions currently in use. A Patch Log should be maintained that documents when patches were applied and to which devices.
Bottom line: You can significantly reduce your cyber-risk by running the latest software and applications on all devices. Make Patch Management an explicit responsibility of one or more individuals, and periodically conduct audits to ensure it is being performed.
10) Document Your Expectations
Most of the above can and should be formalized as Information Security (IS) Policies. Effective IS policies go a long way toward communicating expectations, achieving common understanding, and standardizing desired operational behavior throughout the organization. This is true even for small and medium businesses.
Good IS Policies will be:
- Clear: Policies must clearly and simply state what is expected and which roles are responsible for the activities defined.
- Practical: The responsibilities defined by the Policy must be achievable by the qualified roles that must implement them, and be reasonable in terms of overhead so that they will actually be carried out.
- Universally Understood: All personnel must be familiar with their specific responsibilities as defined by IS Policies.
- Effective: The responsibilities defined by the Policy must directly improve one or more aspects of cyber-security.
- Governed: The Policy must define behaviors and deliverables that can be audited for proof of compliance.
- IS Policies should be aggregated into a handbook, and all staff should sign off on those portions relevant to their roles. IS Policies should be “Governed,” meaning that compliance with IS Policies is routinely verified and evidence of compliance is collected and archived.
The “top ten” list presented above is a good starting point for IS Policies. Other candidates for expression as IS Policy include:
- Acceptable Use
- Social Media Use
- Information Classification
- Information Handling and Disposal
- Incident Response
Your Cyber-security “To Do” List
Securing your enterprise requires a steadfast commitment to iteratively improving your security through ongoing risk assessment and remediation. It takes time, technology, and expertise. The good news is that every business can do the things we have presented in this article to the scope and scale that is practical for their organization.
Bottom line: If you are serious about reducing your online risk, assign cyber-security the budget and attention that is justified by the value of the assets at risk, and put a multi-year plan in place to increase your security. If you do not have the expertise in-house, then find qualified consulting partners and vendors to help. In addition to reducing your risk of breach, a risk-reduction plan demonstrates your commitment to protecting your customer’s and their information.
This is now something that clients, customers, service providers, and insurers are demanding.