We are squarely planted in 2017, with 2016 leaving many lessons to learn. The outbreak of hacks, including the one that impacted the presidential election, attacks on IoT devices, and others, has companies trying to strengthen their defenses against intrusions. To mitigate these risks, should they strengthen their corporate governance efforts, including disclosures and board committees, to focus on cyber security? The simple answer is yes, but the reasons are not obvious.
Adhere to Best Practices
Teams from the board of directors down to security engineers do not need to invent anything new (yet) to mitigate the effects of the modern security risks plaguing our government, the cloud, or our personal computers. We do not necessarily need to purchase new technology (of course some organizations do if they have nothing in place already) to mitigate the risks. We just need to do a much better job at the security best practices we already know. Sometimes a product is needed, but most of the time it’s just doing the basics and doing them very well.
Ensure These Areas are Addressed in Revised Board Reporting
Here are a few areas that, if every company addressed them, backed by solid service level agreements and leveraging existing or new tools, would mitigate the vast majority of risks and attacks:
Vulnerability Assessment, Patch Management and Penetration Testing
If you can document your known risks, patch them or apply configuration changes, and ultimately test them like a hacker would, you are removing the low-hanging fruit attackers use to gain access. This is effective against everything from web application threats to drive-by browser attacks. Keep all systems – from desktops to servers – fully up to date, and do it well.
The crown jewels in every company should be protected from unauthorized users. This includes databases, servers, infrastructure, middleware and workstations authorized to access the information. Users should never be running as administrators anywhere, at any time, unless they absolutely need to. So remove admin rights, control access when needed, and document all privileged transactions so you know when the crown jewels are being inappropriately accessed.
Whether you subscribe to allow listing, block listing, grey listing, reputation-based controls, or application risk compliance, monitoring the applications executing on your assets is critical. Simple anti-virus solutions alone do not do this. Monitor applications and identify or block the exceptions that do not fall within acceptable-use parameters. This is critical to maintaining the operational integrity of your environment and, if it is done well, can block or alert on any new or malicious code that attempts to execute.
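As an added example (not BeyondTrust's tooling and not code from the original post), here is a small policy evaluator that applies the allow/block/grey listing and reputation approach above and, per the previous point on admin rights, flags elevated executions by accounts not approved for them; the binary hashes, reputation scores, approved-admin list and events are all constructed for illustration.

```python
import hashlib
from typing import Dict, List, Tuple

def fake_hash(label: str) -> str:
    """Constructed stand-in for a binary's SHA-256 (a real agent hashes the file on disk)."""
    return hashlib.sha256(f"constructed:{label}".encode()).hexdigest()

# Policy data (constructed). In practice this comes from your inventory and reputation feed.
ALLOW_LIST = {fake_hash("excel.exe"), fake_hash("outlook.exe")}
BLOCK_LIST = {fake_hash("unapproved.exe")}
REPUTATION = {fake_hash("7zip.exe"): 95, fake_hash("updater.exe"): 40}  # score 0-100
REPUTATION_THRESHOLD = 70
APPROVED_ADMINS = {"svc-patching"}  # the only accounts permitted to run elevated

def classify_execution(sha256: str) -> Tuple[str, str]:
    """Block list wins, then allow list, then reputation; unknown binaries are grey-listed."""
    if sha256 in BLOCK_LIST:
        return "block", "block-listed"
    if sha256 in ALLOW_LIST:
        return "allow", "allow-listed"
    score = REPUTATION.get(sha256)
    if score is None:
        return "alert", "grey-listed: unknown binary"
    if score < REPUTATION_THRESHOLD:
        return "block", f"reputation {score} < {REPUTATION_THRESHOLD}"
    return "allow", f"reputation {score}"

def review_events(events: List[Dict]) -> List[Dict]:
    """One finding per event needing attention: a non-allowed binary or non-approved elevation."""
    findings = []
    for ev in events:
        decision, reason = classify_execution(ev["sha256"])
        notes = []
        if decision != "allow":
            notes.append(f"{decision}: {reason}")
        if ev["elevated"] and ev["user"] not in APPROVED_ADMINS:
            notes.append("elevated execution by non-approved account")
        if notes:
            findings.append({"host": ev["host"], "user": ev["user"], "image": ev["image"], "notes": notes})
    return findings

# Constructed sample events, shaped like what an endpoint or privilege-management agent reports.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "image": "excel.exe", "sha256": fake_hash("excel.exe"), "elevated": False},
    {"host": "ws01", "user": "alice", "image": "updater.exe", "sha256": fake_hash("updater.exe"), "elevated": True},
    {"host": "db02", "user": "svc-patching", "image": "7zip.exe", "sha256": fake_hash("7zip.exe"), "elevated": True},
    {"host": "ws07", "user": "bob", "image": "unapproved.exe", "sha256": fake_hash("unapproved.exe"), "elevated": False},
    {"host": "ws07", "user": "bob", "image": "newtool.exe", "sha256": fake_hash("newtool.exe"), "elevated": False},
]

if __name__ == "__main__":
    for finding in review_events(SAMPLE_EVENTS):
        print(finding)
```

Running it reports three findings: the low-reputation updater run elevated by a non-approved user, the block-listed binary, and the unknown (grey-listed) binary; the approved service account's elevated use of a reputable tool produces no finding.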
Back to Basics
Years ago Burger King tried this philosophy and it saved their business. Without a solid foundation of basics, anything you build on top could collapse like a house of cards. This means that basics like Active Directory, DNS, NTP, etc. should all be working well before you layer on any tools, from network management to security solutions. Without the basics operating reliably, the trustworthiness of any tool that depends on them can be called into question, and its results could be intentionally altered or difficult to interpret.
Training, Training, Training
Educating the masses – from executives to interns – is critical to any safe computing environment. All users should learn how to identify a phishing attempt or how to manage their passwords, smart phones, and even identification badges. The human element is the weakest link in the entire attack chain and training teams well should be a high priority for the management of any organization.
Strengthening corporate governance over cyber security is always a good thing, but there are several steps every organization should take as part of an overall governance strategy. I’ve outlined these steps above and encourage you to take a look at your organization to determine where your weaknesses might be before that report comes due to the board. Take the first steps today. Download our free Privilege Discovery and Reporting Tool and Retina IoT scanner to uncover where your biggest risks might be.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.