THE BLOG
-
Jun 15, 2021Going Back to Basics
Attacks today seem to follow the same playbook: crack the perimeter, exploit bad internal fundamentals, deploy ransomware, profit. The playbook is the same each time because it continues to work. How do you stay ahead of it?
Organizational response to external breaches is mostly reactive. Wait until a breach makes the news cycle, then dig into intel feeds hoping for a meaty bundle of IOCs to explore. Later, speculate for a few days over how sophisticated the attack was, only to find out that the root cause of the breach was phishing, patching, or a bad password. Finally, internally search out and fix the specific patch or block the phishing email subject line and wait until the cycle repeats. These steps are indeed important, but each time the prevention bulletins come out, they seem to be based more on good security practices than any other element.
What are good security practices? Good (tested) backups, two factor authentication, patching, logging, monitoring, etc. Basically, all the areas covered in a solid cybersecurity plan. Unfortunately, the basics are not always easy, and they are certainly not the coolest technology everyone wants to play with. Instead of diligent patching, configuration management, and a solid monitoring program, many organizations rely on expensive EDR. Instead of good coding practices, organizations deploy application firewalls. Security has always been about layers, and as attacks have continued to become more complex, layers are what is needed. However, these layers must be built on the implementation of good foundational security practices.
Organizational focus on cleaning things up and getting the basics right will stop many attacks up front. Assessment of your current gaps and setting a plan for filling them in will also pay dividends. If you are looking for a framework to follow, using the NIST CSF is something that most organizations can easily align to. Start small, be realistic, and keep re-assessing as you work towards a goal. Risks will shift, threats will shift, but if you have a good foundation, adjusting to meet them will not be difficult.
-
May 16, 2021Cybersecurity Plan Must Haves
We work with organizations large and small. Something they all have in common? – A need to protect themselves against cyber threats. Budgets and security layers come in all shapes and sizes, but no matter what, there are two items needed at the base of any robust cybersecurity program. 1) Security Awareness and Education, and 2) IT Security Policies and Standards. We will go into detail in later posts, but here are some high-level thoughts on these areas of focus.
Security Awareness and Education. Like it or not, attackers will continue to use email, social engineering, and phishing campaigns to target users. Ensuring your workforce is educated regularly on cybersecurity issues is a cornerstone to combating these threats – not to mention it is also a standard regulatory requirement. Additional education on regulatory requirements, password management, data protection and other key security components will help to teach all users that cybersecurity is the responsibility of everyone in the organization. When your employees know better, they will do better. Understanding the fundamentals to staying safe online and protecting organizational data will bolster your cybersecurity program on day one. And remember, education comes in many forms – emails, videos, meetings, formal trainings, etc. Make it part of the culture and it will pay off.
Policies and Standards. This is a huge topic – the more policies and standards we write, the more pop up that need to be written. Security policies will help you to outline the beliefs of the organization. What are the tenants that are put in place that the organization will live by? How will data be protected? Will data be encrypted at rest, in storage? Will multi-factor authentication be required? How will data on mobile devices be protected? Will security training be required? If so, how often? On a tight budget, you can skim the Internet (safe sites of course) for sample policies and use internal resources to customize them to your environment. On a looser budget, you can hire someone to solely work to create and ratify this documentation or outsource its creation. No matter how you go about it, we would urge you to get them in place to layout the framework for your organization's approach to cybersecurity. From there, get the details documented within your standards so the organization is clear on the methods you are using to secure your environment.
