[BreachExchange] How to step up your cyber security game

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 19 15:05:57 EDT 2017


In a time of changing and ever-present cyber-attacks, it’s crucial for
every business to know where its risks lie. If you’re an IT security
professional, you need to understand your potential cyber enemy and the
current threat landscape so you can anticipate risk, determine your
likelihood of being hacked, and the resulting impact when (not if) it

Here is a step-by-step approach to upping your cyber security game:

Align your budget to your threat landscape

As much as 90 percent of today’s IT security budgets are still spent on
everything but protecting applications and user identities, yet these are
today’s primary targets of attack. Security breaches will continue to rise
in size and severity until enterprises realise they’re spending the bulk of
their security dollars in the wrong place.

Don’t overlook cyber insurance as part of your security budget. A dip in
consumer confidence might not ruin your business after getting hacked, but
data breach costs will.

Train everyone

Security is everyone’s responsibility, and awareness training makes
everyone more alert. Aggressively train your users to recognise and curtail
spear phishing attempts. Help them understand the importance of proper
password management (and the risk of not doing so), and provide tools like
Password Safes. For developers, train them in secure coding. Your best bet
in combatting web application attacks is to not code vulnerabilities to
begin with.

Properly control access

Start by managing your volume of user identities. Enable single sign-on to
reduce the number of passwords that are stored insecurely or repeated
across multiple critical systems. It’s also important to implement
multifactor authentication (MFA) for accessing your network and
applications, because identities get compromised. One or more of your users
will get phished, and without MFA, your network, applications, and data
will be breached.

Don’t use weak or default username and password combinations (admin:
password) and prevent brute force exploits by implementing account lockouts
after six failed login attempts. Hashed passwords provide virtually no
protection at all. Implement stronger encryption methods on password
databases, at a minimum of a hash plus salt. Lastly remember that access is
a privilege. Stringently manage what your user identities are authorised to
access so that when an identity is compromised, a threat actor doesn’t have
unlimited access within the network.
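An added example (not part of the original post) of the two controls in the paragraph above: credentials are stored as a per-user salt plus a slow hash rather than a bare hash, the default pair admin:password is rejected at registration, and an account locks after six failed logins. PBKDF2-HMAC-SHA256 and the in-memory store are my assumptions; the article names neither.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

MAX_FAILED_ATTEMPTS = 6            # lockout threshold from the article
PBKDF2_ITERATIONS = 100_000        # kept low for the demo; raise in production
# Constructed list of default pairs to refuse; admin:password is the article's example.
WEAK_DEFAULTS = {("admin", "password"), ("admin", "admin"), ("root", "root")}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest): a random 16-byte salt plus a slow KDF output."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    def __init__(self):
        self.users = {}  # username -> {"salt", "digest", "failures", "locked"}

    def register(self, username: str, password: str) -> None:
        if (username, password) in WEAK_DEFAULTS:
            raise ValueError("weak or default credential pair rejected")
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest,
                                "failures": 0, "locked": False}

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; failures accumulate toward lockout."""
        user = self.users.get(username)
        if user is None:
            hash_password(password)   # same cost for unknown users, so timing doesn't leak them
            return "denied"
        if user["locked"]:
            return "locked"
        _, candidate = hash_password(password, user["salt"])
        if hmac.compare_digest(candidate, user["digest"]):
            user["failures"] = 0      # successful login resets the counter
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True
            return "locked"
        return "denied"
```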

Manage your vulnerabilities

Start by knowing what they are. Have a scanning solution for every network,
system, and software type; don’t limit yourself to externally facing IPs.
Scan inside your network, and do black box and static code analysis of your
apps. Layer your tools, because no single tool finds everything. If there’s
a specific scanning tool for a specific piece of software, chances are
there’s a reason. Run it. Scan, test, and scan again. Vulnerabilities are
never a point-in-time occurrence; you must have a continual testing process
aligned to your development cycles and patch releases of your vendors. Nine
different tools that produce nine different reports become hard to manage
at volume. Don’t expect system owners to manage them. Implement a
consolidated reporting platform that tracks all vulnerabilities by system
and can produce valuable improvement metrics over time (hackers typically
leverage several vulnerabilities per exploit, so it’s important to see them
all as a whole).

Prioritise web application vulnerability management. Get intimately
familiar with the OWASP Top 10, which describes today’s most critical web
application security risks and provides guidance on how to mitigate
specific types of attacks. Automate web application vulnerability
management. No matter how good you think you are at vulnerability
management, there’s always time between detection and mitigation in which a
web app firewall (WAF) can patch a vulnerability automatically.

Patch everything – desktops, laptops, servers – monthly, especially if you
are running Windows, and don’t allow end-of-life software or hardware in
your network.

Lastly, force updates to Adobe Flash and Oracle’s Java, and don’t allow old
versions of internet browsers to run on company computer assets.

Ensure you have visibility

Intrusion detection/prevention systems (IDS/IPS), security information and
event management (SIEM) systems, data loss prevention (DLP) systems, and others need
to be properly architected, implemented, and continually managed. These
systems need to have access to all parts of your network, systems, data,
and data centres, encrypted and non-encrypted traffic, both east–west and
north–south. Your management needs to be aware of any gaps. Don’t get
caught missing a network segment, system, or log type, or missing alerts
because the system wasn’t tuned.

Pay special attention to visibility within new virtualisation software as
some solutions don’t provide for east–west visibility within a hypervisor.

Hire a hacker

If you have an application that could cause significant harm to your
business if it were compromised, it’s worth hiring an engineer to try to
hack it. If that’s not feasible, offer up a public bounty programme and let
the white hats do it for you.

Leverage experts

Security as a service is a great option when it comes to effectively
managing high risk controls that require 24×7 rapid response by highly
skilled engineers.

Test the effectiveness of your controls and control operators. Your SOX and
PCI auditors are already doing this because many companies are getting
hacked while seemingly compliant, and it’s undermining the integrity of the
control frameworks. Poorly designed controls or inadequate operators are
often the culprit rather than the framework itself.

If you don’t deal with incident response regularly, get help in the event
of a breach.

Have a DDoS Strategy

The DDoS attack landscape has shifted rapidly from complex, expensive
attacks launched only at high-value targets, to cheap-to-rent bots with
plug-and-play attacks, to the new reality of IoT botnets that are easy to
make and capable of launching terabyte-per-second attacks. If you don’t
already have a plan in place for a DDoS attack, make one quickly.

Communicate with your stakeholders

Prep your board of directors, audit committee, and senior management with
the likelihood and potential impact of an exploit. The worst thing you can
do is surprise them with a breach they never knew was possible.

Ensuring that you have these measures in place is a great way to enhance
your cyber security game plan.