Ah, the rise of the cybersecurity industry. So many tools, so many ‘silver bullets’. Don’t get me wrong, this is not necessarily a bad thing. There are gaps and problems, and tools are built to solve these problems and address these gaps. The issue is when a security program is built around these products, but no one has done the basics. Why buy a SIEM if you don’t have a password policy, or a next-gen advanced endpoint security product if you don’t patch well? Don’t spend money on pen tests if you still use WINS or allow LAN Manager password hashes.
Back to basics
In sports, the most talented individual is not always on the best team. What does the best team do that highly talented individuals often miss? Fundamentals. What are the cybersecurity fundamentals? The NIST Cyber Security Framework (CSF) helps us here, as it flows from first steps to maturity. We start by identifying what we have: systems, hardware, software, data, and people. Then, what are the common threats to these particular types of assets? Next, how do we protect them, again based on the common risks to these types of assets? Finally, if the protections are not effective, how do we detect, respond and recover?
Based on the above, it makes sense to do these things in the order presented. Identify doesn’t require spending, just resources and effort. Often what we see in reality is that protect is the focus, but identify is not. What sense does it make to detect that the threat actor made off with your ‘death star plans’ if you didn’t try to protect them properly? “I am here to report that our secret sauce was stolen… again.” We have seen examples of organizations that spend far more repeatedly cleaning up messes than they would if they took the CSF approach.
Where to begin
A third-party assessment is a good start, but make sure it will review your cybersecurity based on priority. For example, a list of recommendations is useful, more useful if each risk is ranked, and better still if the list is ordered from most critical at the top to least critical at the bottom. Some of the recommendations fold together, so it’s good to understand the bad thing that could happen and how the recommendation would minimize the effect of that bad thing. Budgets are not infinite, so we need to find where to put our money and effort to get the most bang for the buck.
Here are a few things that you can check for yourself:
- Are your users local administrators on their workstations?
- Do you use the same local administrator account on all your computers?
- Do you know what is exposed to the internet through the firewall?
- Do you require multi-factor authentication (MFA) for remote access?
- Do you know if any outside vendors can access the network remotely without notice?
- Are all your systems patched and can you prove that no critical patches are missed on any systems?
- Do your IT folks use admin credentials as their normal sign in?
- Are admin credentials limited and protected more strictly (longer passwords, MFA, etc.)?
- Are you sure no one is saving passwords in clear text documents on the network?
- Do users only have access to what they need to do their job?
- Is your network segmented? (In other words, can every machine talk to every other machine on any port?)
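Several of those questions can be answered on a single Windows workstation without buying anything. The script below is an added example, not part of the original post: run in an elevated PowerShell session, it reads (and never changes) the local Administrators group, the LM-hash setting mentioned earlier, WINS configuration, recent patches and the built-in Administrator account. The 45-day patch threshold and the message wording are my own assumptions.

```powershell
# Added example, not from the original post: read-only self-check for a few of the
# basics listed above. Run elevated on a Windows workstation (PowerShell 5.1+).
$findings = @()

# 1. Are domain users local administrators on this workstation?
$admins = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $admins) {
    if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -ne 'Local') {
        $findings += "Domain user is a local admin: $($m.Name)"
    }
}

# 2. Are LAN Manager hashes still being stored?
#    NoLMHash = 1 tells Windows not to store the weak LM hash.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.NoLMHash -ne 1) {
    $findings += 'LM hash storage is not disabled (NoLMHash is not 1)'
}

# 3. Is WINS still configured on any IP-enabled adapter?
$nics = Get-CimInstance Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
foreach ($n in $nics) {
    if ($n.WINSPrimaryServer) {
        $findings += "WINS still configured on $($n.Description): $($n.WINSPrimaryServer)"
    }
}

# 4. When was the last update installed? (Assumed threshold: 45 days.)
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-45)) {
    $findings += "No update installed in the last 45 days (latest: $($latest.InstalledOn))"
}

# 5. Is the built-in local Administrator account (RID 500) enabled?
#    A single machine cannot tell you whether its password is shared across the
#    fleet; if it is enabled, confirm the password is unique per machine (e.g. via LAPS).
$builtin = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Enabled) {
    $findings += "Built-in Administrator '$($builtin.Name)' is enabled; verify its password is unique per machine"
}

if ($findings.Count -eq 0) { 'No findings from this quick check.' } else { $findings }
```

Running it across a sample of workstations (for example with `Invoke-Command`) turns the checklist into evidence rather than an assumption.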
The common thread you may notice in that quick list is that most items cost nothing except time. Your firewall can probably do MFA if you license it. The bottom line is that there are great tools out there to mature our cybersecurity programs once we have done the basics. Once you have the basics covered, then start looking into detection such as SIEM, MDR, MSSP, and so forth. Test your protections with penetration tests. Investments in advanced protections when you aren’t doing the basics will not be money well spent.