[BreachExchange] Organisations must wake up and ensure they actively manage cyber-security

[Audrey McNeil]

https://www.scmagazineuk.com/organisations-must-wake-up-
and-ensure-they-actively-manage-cyber-security/article/678173/

In the past few weeks and months we have seen a massive increase in public
hacks and threats hitting the news. Organisations around the world were
impacted by WannaCry ransomware which encrypted files, resulting in UK
hospitals being immobilised, causing outages of Deutsche Bahn display
panels, forcing Honda to take production plants offline and resulting in
hundreds of speeding fines have become invalid caused by infected speed
cameras.

Shortly after this, cyber-threats were again in the news when the UK' s
Parliament was hit by an attack in which malicious actors tried to gain
access to e-mails. As a first response, the government informed those
affected, disabled remote access and liaised with the UK's National Cyber
Security Centre (NCSC) to take further measures to secure their computer
network. This was followed by yet another hack, named Petya, which had a
massive impact in the Ukraine, bringing down monitoring systems around the
former nuclear power plant in Chernobyl, as well as many cash machines.

These examples demonstrate that IT or digital security can no longer be
just an IT-Security System Admin problem, focused on installing and
configuring new network firewalls, deploying endpoint protection solutions
and next generation spam filters. For example, the organisations effected
by WannaCry that “simply” kept their systems up to date with the latest
patches were resilient against it. In the case of the British parliament, a
business decision had to be made to disconnect a critical digital
communication service for security reasons, heavily interrupting
parliamentary operations. This is beyond the usual remit of an IT Security
System Admin, and shows that security has to be approached from a business
perspective.

What should organisations be doing?

- Maintain basic security hygiene
- Proactively monitor access to critical services
- Define an incident response process and team

Establishing a data driven security strategy underpinned by machine data is
the foundation required to support all of the above initiatives. To monitor
whether basic security hygiene is being maintained and to identify weak
areas that no one is looking after, a security information and event
management (SIEM) solution is a good choice. It will aggregate information
and let businesses run regular reports such as which systems are patched,
provide information from vulnerability scanners, update them on the status
of endpoint protection solutions as well as alert to any notable security
anomaly happening, such as a virus event or a new service being installed
on a system.

If we look at user authentication, it's no longer enough to simply rely on
the in-built security of Microsoft Active Directory and its lockout
policies. Organisations need to dive into each digital service, figure out
how that service is exposed externally, understand how people log on, how
they reset their passwords, how new users are created and then identify the
machine-generated data required to get those insights. They can then learn
the specifics of that data and set up monitoring to proactively detect any
outliers. By maintaining basic security hygiene and proactive monitoring
companies can reduce risks to a minimum and during the process identify
white spaces in their environment.

However, nothing in life is 100 percent secure – so businesses need to
think ahead to a potential breach/hack. What's the organisational process?
Which people need to take immediate action? Who can help answer questions
about what happened?  What do we need to do to stop it?  Who was impacted,
and who takes the important decisions such as taking services offline,
notifying the authorities or communicating to the media?

This exercise goes beyond the IT-Security System Admin role with more
mature organisations already having crisis and risk planning for
“cyber-risks” included within operational planning. The people involved in
this are required to find answers to the above questions regarding the
breach and must think about which systems they can find their answers in
and how long it would take. This information can mostly be found in
machine-generated data/log data, which should be stored in a centralised
platform where they can ask any question in a flexible way. This makes the
process scalable and efficient as technical security investigations can
often become a bottleneck during a crisis. Even in the British Parliament
example the ability to collaborate and work with others to answer questions
was a core requirement. In an instance such as this, a centralised platform
with all your machine data is a real strength.

The upcoming European General Data Protection Regulation (GDPR - focusing
on personal data) or the NIS Directive (focusing on network and system
protection) will force organisations to apply those concepts sooner rather
than later.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170822/43e3ea36/attachment.html>