[BreachExchange] Cyber security need not cost a fortune, says researcher

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 2 18:12:41 EST 2017


http://www.computerweekly.com/news/450414101/Cyber-security-need-not-cost-a-fortune-says-researcher

There are many low-cost and no-cost things organisations can do to improve
their cyber security posture, according to Lancaster University cyber
security researcher Adrian Venables.

Cost is one of the main reasons organisations put off addressing cyber
security threats, he said, alongside perceptions that it is too complex to
tackle or that security suppliers are simply using fear to make money.
There is also the mistaken belief by organisations that they are unlikely
to be hit by a cyber attack.

“Many organisations are either putting their heads in the sand or
dismissing it as a non-issue,” Venables told Cybercon 2017 in Plymouth.

Venables, who is a former regular and now reservist British naval officer,
said organisations should be making use of the advice and best practice
guidelines that are available free of charge.

“Organisations can use these resources from academia and government to
ensure they are better informed about cyber security so that they can
allocate budget more wisely and effectively,” he said.

By being better informed, organisations can ensure they have the most
appropriate cyber security policies in place, which can also be done free
of charge, he said.

But at the same time, Venables said getting the workforce on board is
“absolutely essential” and also requires a good understanding of the topic.

Sources of free information include the Open University, the UK government
website, the National Cyber Security Centre (NCSC), industry associations
such as the international shipping association Bimco, and research or
guidelines published by security suppliers, he said.

The government also offers free online training for employees, for people
responsible for information security at small to medium-sized businesses
and some professionals, including HR professionals and procurement
professionals.

Cyber security posture

Venables said the IT department of any organisation is a good place to
start to get a basic understanding of its overall cyber security posture.

“The IT department should be able to provide details on controls, ports,
services, firewall rules and device configurations – how these things are
secured, how that is monitored, and how that could be changed to meet the
most likely cyber threats to your organisation,” he said.

IT departments should also be able to provide details about how the network
is sub-netted or segmented, said Venables, which can be useful in ensuring
staff can access only areas appropriate for their roles.

“And if attackers are in your network, segmenting it can slow them down and
make it more difficult for them to move around,” he said.

Another important matter for organisations to consider is whether to allow
employees access to webmail and unrestricted web browsing from work IT
environments, he said.

“Not only is webmail a good way of getting bad stuff in, it is also a good
way for attackers or malicious insiders to get stolen data out,” said
Venables.

“Organisations should also consider blocking the major threat vectors used
in websites, such as JavaScript, Java, Flash Player, and macros.”

The lack of cyber security talent is a challenge for most organisations,
but Venables said they should take the time to find out if they have hidden
talent within their workforce.

“You may have all the skills you need without knowing it, like a cyber
security enthusiast or hobbyist with real skill and aptitude who may be
working in a non-security or even non-IT role,” he said.

Venables advised organisations to identify these people because while they
may be of great benefit, they may also be one of the biggest threats
because they are able to bypass security controls.

Organisations should also look at contingency plans for when things go
wrong, he said, which involves workshopping, looking at possible security
incidents and what action should be taken to limit the damage and keep the
business running. This should include testing the integrity of data if a
compromise is detected or suspected.

“It should be clear at what point you will call for external help, and you
should have already approached a company so they are ready to come in when
needed to ensure business continuity,” he said. “It is also a good idea to
establish a relationship with a cyber forensics company to capture evidence
that can be passed on to law enforcement.”

Venables emphasised the importance of testing incident response and
recovery procedures to ensure that all plans work in practice and that
there is a clear decision-making structure in place.

He also advised organisations to have printed copies of contingency plans
so they are accessible if IT systems go down, and to test that data backup
and recovery processes are working.
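The article's two points about data integrity and backup testing share one practical check: record a digest of every file when the backup is taken, and compare against it at restore time or whenever a compromise is suspected. The script below is an added illustration, not code from the article or from Venables' talk; the file names, contents and the simulated tampering are constructed sample data, and the manifest is kept in memory here where in practice it would live on separate, ideally read-only, storage.

```python
"""Verify a backup set against a SHA-256 manifest (added example, constructed data)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (path relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root, manifest):
    """Compare the tree under root with a manifest recorded earlier.

    Returns the files whose content changed, files that disappeared, and
    files that were not present when the manifest was written.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "added": sorted(n for n in current if n not in manifest),
    }


def demo():
    """Build a constructed backup set, snapshot it, alter it, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.csv").write_text("id,name\n1,Example Ltd\n")
        (root / "config.ini").write_text("[app]\nmode=prod\n")
        (root / "notes.txt").write_text("restore order: db first\n")

        # Serialise the manifest as it would be stored apart from the backup.
        manifest_json = json.dumps(build_manifest(root), indent=2, sort_keys=True)

        # Simulated changes standing in for what a compromise might leave behind.
        (root / "config.ini").write_text("[app]\nmode=prod\nadmin=1\n")  # altered
        (root / "notes.txt").unlink()                                    # deleted
        (root / "db" / "dump.bin").write_bytes(b"\x00" * 16)            # planted

        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports `config.ini` as modified, `notes.txt` as missing and `db/dump.bin` as added; an empty report is the "restore test passed" case. The same routine doubles as the backup test the article recommends: restore to a scratch location and verify against the manifest rather than assuming the backup job succeeded.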

Venables also underlined the importance of carrying out investigations
after every incident to understand the threat, which vulnerability was
exploited and how any similar attack can be prevented in future.

“Also look at how well your response and recovery procedures worked to see
if any improvements are necessary,” he said.

Every organisation should remember that if it has a public-facing IP
address, it is never detached from cyber space, said Venables. “You are an
integral part of it and you are at risk, which needs to be considered,” he
said.

Get upgrades in sync

Organisations also need to look at how updates and upgrades to IT systems
are conducted and ensure that hardware and software upgrades are in sync,
so that the hardware supports the latest software.

Venables said organisations should not forget about their partners, who may
not have the same level of security in place.

“It is worth checking how secure and resilient they are because attackers
will always look for the weakest point, and in some cases that may be your
industry partners,” he said.

Next, he advised organisations to ensure they know all the devices on their
network that are connecting to the internet and to check that air-gapped
systems are still air-gapped and consider disabling USB ports on these
systems to prevent potentially infected devices being plugged into them.

Network monitoring is also worth considering to enable organisations to
know exactly what is on their network, what transactions are taking place
and what connections or attempted connections are being made, said Venables.
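The two recommendations above, knowing every device that reaches the internet and watching what connections and attempted connections are made, can be answered from the connection logs a firewall or gateway already produces. The script below is an added example, not code from the article or from Venables' talk: it parses constructed firewall-style log lines, compares the internal hosts it sees against a constructed asset inventory, and tallies denied attempts and external destinations per host. The log format, the addresses and the inventory are all invented for the example.

```python
"""Inventory and connection summary from firewall-style logs (added example, constructed data)."""
import ipaddress
import json
import re
from collections import Counter, defaultdict

# Constructed asset inventory: the internal hosts the organisation believes it has.
KNOWN_HOSTS = {
    "10.0.1.10": "file-server",
    "10.0.1.21": "hr-laptop-03",
    "10.0.1.22": "finance-pc-07",
}

# Address ranges treated as "inside"; anything else is the internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log lines (invented format and addresses).
SAMPLE_LOG = """\
2017-03-02T09:01:12Z ALLOW src=10.0.1.21 dst=203.0.113.5 dport=443 proto=tcp
2017-03-02T09:01:15Z ALLOW src=10.0.1.22 dst=10.0.1.10 dport=445 proto=tcp
2017-03-02T09:02:01Z DENY  src=10.0.1.22 dst=198.51.100.9 dport=25 proto=tcp
2017-03-02T09:02:03Z DENY  src=10.0.1.22 dst=198.51.100.9 dport=25 proto=tcp
2017-03-02T09:03:44Z ALLOW src=10.0.1.99 dst=203.0.113.77 dport=443 proto=tcp
2017-03-02T09:04:10Z DENY  src=10.0.1.99 dst=10.0.1.10 dport=3389 proto=tcp
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Turn each well-formed line into a dict; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def summarise(events, known_hosts):
    """Answer: what is on the network, who talks to the internet, who gets blocked."""
    seen_internal = {e["src"] for e in events if is_internal(e["src"])}
    per_host = defaultdict(Counter)
    external_dst = defaultdict(set)
    for e in events:
        per_host[e["src"]][e["action"]] += 1
        if not is_internal(e["dst"]):
            # Attempted (denied) connections count too: the article asks for both.
            external_dst[e["src"]].add(e["dst"])
    return {
        # Internal sources not in the inventory: devices nobody knew were there.
        "unknown_hosts": sorted(seen_internal - set(known_hosts)),
        # Inventoried hosts that never originated traffic in this window.
        "silent_hosts": sorted(set(known_hosts) - seen_internal),
        "denied_by_host": {h: c["DENY"] for h, c in per_host.items() if c["DENY"]},
        "internet_talkers": {h: sorted(d) for h, d in external_dst.items()},
    }


if __name__ == "__main__":
    print(json.dumps(summarise(parse_log(SAMPLE_LOG), KNOWN_HOSTS), indent=2))
```

On the sample data the report flags `10.0.1.99` as a host missing from the inventory that both reached the internet and was blocked trying to reach the file server, and shows `10.0.1.22` making repeated denied attempts to an external mail port. Reconciling the unknown-host list against the asset register is the device inventory step; the per-host denied counts and external destinations are the monitoring picture the article describes.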

Organisations should think about separating company data, personnel data
and personal data, so that appropriate protections can be applied to each,
based on the data type and the most likely attackers and attack methods, he
said.

Finally, Venables said organisations have to consider the human factor in
security. This means requiring passwords to be changed regularly to ensure
only authorised and current personnel have access to systems, assigning
ownership of systems to individuals who are responsible for keeping them up
to date and secure, and continually educating and reminding staff about
cyber security.