8 Basic Elements of a Strong Cybersecurity Posture
Cybersecurity is a massive concern for every modern business. According to data from the Identity Theft Resource Center (ITRC), in 2017 alone, there were approximately 680 confirmed data breaches among U.S. businesses—breaches that compromised 159,365,480 records. To put that into perspective, the total population of the United States is, according to the U.S. and World Population Clock, 326,971,209 as of January 1, 2017.
This means that the personal data of roughly half of the country’s population were stolen from businesses in 2017. Another 2,910,117 records were compromised from attacks on the banking industry.
The most sobering thought is that these are just the statistics for data breaches that were confirmed by the ITRC—it cannot account for all of the breaches that went undetected or unreported.
The unfortunate truth is that you cannot stop 100% of all breaches. There are simply too many threats out there (and too many unknown exploits) to ever guarantee absolute protection from everything.
From the pre-existing exploits of programming errors in your IT assets, to internal attacks by employees abusing their access privileges, to simple mistakes by employees who accidentally transmit something they shouldn’t, there are numerous ways for malicious actors to breach your cybersecurity measures. A dedicated attacker or group of attackers can eventually breach almost any defense.
However, that doesn’t mean that you have to make things easy for attackers. While you might not stop absolutely every attack, you can limit your organization’s exposure to risk and prevent the majority of attempts by following a few basic elements of cybersecurity and maintaining good “cybersecurity posture.” By cybersecurity posture, we mean the overall strength of an organization’s cybersecurity measures. A company with a strong cybersecurity posture is one that has all of the necessary elements in place to prevent or at least limit the impact of attacks on the organization.
A strong cybersecurity posture is one that minimizes your exposure to risk. It also means having a strong grasp of the basic elements of network and data security. Compuquip’s research into data breaches shows that many attackers start their intrusion attempts by exploiting gaps in cybersecurity basics—so you should make sure that you’ve covered them.
Additionally, it is important to get management at all levels of the company to not only “consent” to upgrading your company’s cybersecurity posture, but to embrace the changes. Getting management to “buy in” to the need for cybersecurity is an important first step. When upper management supports your cybersecurity program and models the behaviors needed to sustain it, you’re more likely to get everyone else to take cybersecurity seriously.
The following sections will list the basic elements of cybersecurity and what each entails so you can identify opportunities for improving your security posture and make a case for cybersecurity to your management team.
One of the most critical aspects of any strong cybersecurity posture is knowing exactly what assets are a part of your organization’s network. Identifying all of the devices and software platforms that are linked to your network is the first step in maintaining security hygiene and closing any gaps in your cybersecurity posture.
There are two major aspects of the identification process:
What devices are part of your network infrastructure? Some major devices to consider include:
What software platforms do each of the devices on your network use? The most common platforms are Mac, Windows, and Linux, but some devices may run other platforms as well. Knowing which platforms are running on each device is a key part of managing your IT assets in the long term, as it helps you know which devices need patching for recently-revealed security vulnerabilities.
Aside from identifying all of the devices and platforms on your network, another critical aspect of asset management is managing changes to your inventory of devices, their platforms, and their configuration settings.
This change management is a continuous, ongoing process that needs to be carefully executed to avoid creating new security vulnerabilities or other issues following each change.
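As an added illustration of the identification and change-management steps above (example code, not from the original article or from Compuquip), the script below compares two constructed inventory snapshots and reports exactly the changes a review process has to look at: devices that appeared or vanished, platform changes on known devices, and configuration settings that drifted. Hostnames, platforms and configuration keys are all made up for the example.

```python
"""Added example: diff two asset-inventory snapshots so that each change
becomes an explicit review item instead of silently altering the baseline."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    hostname: str
    platform: str                       # e.g. "Windows", "Linux", "Mac", "Other"
    config: dict = field(default_factory=dict)  # setting name -> value


def diff_inventory(baseline, current):
    """Compare two dicts of hostname -> Asset and return the changes by type.

    new:              hosts seen now but absent from the baseline (unmanaged until identified)
    missing:          baseline hosts no longer seen (decommissioned, or offline?)
    platform_changed: (host, old_platform, new_platform)
    config_changed:   (host, {setting: (old_value, new_value)})
    """
    findings = {"new": [], "missing": [], "platform_changed": [], "config_changed": []}
    for host in sorted(set(baseline) | set(current)):
        before, after = baseline.get(host), current.get(host)
        if before is None:
            findings["new"].append(host)
        elif after is None:
            findings["missing"].append(host)
        else:
            if before.platform != after.platform:
                findings["platform_changed"].append((host, before.platform, after.platform))
            drift = {k: (before.config.get(k), after.config.get(k))
                     for k in set(before.config) | set(after.config)
                     if before.config.get(k) != after.config.get(k)}
            if drift:
                findings["config_changed"].append((host, drift))
    return findings


# Constructed snapshots (hypothetical hosts and settings, not real systems).
BASELINE = {
    "fw-edge-01": Asset("fw-edge-01", "Linux", {"ssh": "key-only", "snmp": "v3"}),
    "ws-finance-07": Asset("ws-finance-07", "Windows", {"disk_encryption": "on"}),
    "db-core-02": Asset("db-core-02", "Linux", {"remote_admin": "vpn-only"}),
}
CURRENT = {
    "fw-edge-01": Asset("fw-edge-01", "Linux", {"ssh": "password", "snmp": "v3"}),  # weakened
    "ws-finance-07": Asset("ws-finance-07", "Linux", {"disk_encryption": "on"}),   # re-imaged?
    "printer-lobby": Asset("printer-lobby", "Other", {}),                         # unknown device
}

if __name__ == "__main__":
    for kind, items in diff_inventory(BASELINE, CURRENT).items():
        print(f"{kind}: {items}")
```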
Risk management is closely related to asset management and identification. In fact, there is some overlap in that some cybersecurity risks, such as unsecured routers or workstations, can often be found during the asset identification process.
An important component of risk management is running a risk assessment. A risk assessment’s purpose is to identify the risks and the likely impact should any given threat succeed. This could include a vulnerability scan, but the more critical steps in a risk assessment are determining risk and impact and analyzing the control environment.
This risk assessment should be done after the asset identification process is completed. Doing this will ensure you identify all machines within the environment, so you don’t miss any during the risk assessment step.
A risk assessment takes all of the identified risks and sorts them by priority based on the threat level and ease of remediation. Typically, bigger threats that are easier to patch should be prioritized over lesser threats that are more difficult or time-consuming to fix.
Who has access to what information in your organization? How are they getting said access? Also, do they need access to everything, or can their access be limited to the minimum necessary?
Access management requires you to answer all of these questions for every authorized user in your system. The process of access management can be broken down into several discrete processes and policies:
All of the data on your network and individual devices should be organized into discrete categories that make it easy to find and use for those who need it. Different organizations may need to organize data in specific ways depending on the kind of data they handle and whom they need to let access the data (such as individuals inside the organization or clients outside of the organization).
This involves the specific tools or protocols your organization uses to restrict access to data. Some tools include:
The restriction of access privileges based on the role of the user to the absolute minimum necessary for them to fulfill their role. Using the principle of least privilege is important for minimizing the company’s exposure if a user account is ever compromised—the less that compromised user account has access to, the less the attacker can do with it.
Are you aware of the potential weak points in your network infrastructure and how they may be exploited? Threat management is a process that is concerned with identifying and assessing the various threats to your organization’s cybersecurity, and involves three key procedures:
This battery of tests is designed to expose exploitable weaknesses in your system by simulating intrusion attempts. Used by many organizations to try to identify weaknesses in their cybersecurity protocols and tools, this process is also used to verify that previously identified weaknesses have been resolved.
This is closely related to risk management and involves running both vulnerability scans and assessments of any identified vulnerabilities to organize them by priority.
This ongoing process of managing security patches/updates to close previously-identified vulnerabilities also helps to make sure that these patches do not introduce new vulnerabilities or instabilities to the system. This can be a very complicated process, as the interactions of different hardware and software systems make it difficult to anticipate every possible outcome following an update. Many successful attacks are made possible by unpatched vulnerabilities, so maintaining a rigorous patch/update schedule is crucial.
Security controls can encompass a massive range of administrative, physical, and technical controls that are used by your organization to prevent illicit access to sensitive information.
Administrative controls are usually concerned with developing and enforcing specific policies and procedures within an organization. In other words, administrative controls can be a list of “Do’s and Don’ts” for employees to follow when accessing or using sensitive data.
Physical security refers to the various means you use to protect the physical assets on your network from being accessed by unauthorized personnel—which was referenced in the “access management” section.
Technical security controls are all of the specific security measures used to protect your data. There are innumerable specific technical security controls that an organization may use, so here’s a short list of highlights:
This can include measures such as network firewalls and traffic routing solutions that are used to filter access attempts.
The use of two or more criteria to enable access to company resources, such as a password combined with a software/hardware token, biometrics, or other secondary/tertiary verification methods.
The subdivision of some parts of the network into discrete pieces that are isolated from everything else. This helps to limit the severity of a breach (or at least slow an attack down, as attackers have to overcome multiple layers of security).
Any measure used to protect individual user devices on the network could be considered endpoint security, and may include things like antivirus programs, full disk encryption, and host-based firewalls.
Many organizations use content filtering to prevent employees from visiting specific websites from the workplace’s network. This helps to mitigate the risk of employees downloading malware from the web to their computer and giving attackers access to your network.
Disaster recovery (DR) and business continuity (BC) planning can be massively complicated. This is because BC/DR encompasses many different systems and contingency plans designed to keep an organization’s IT infrastructure up and running in the face of a major event that would normally prevent access.
While the name “disaster recovery” conjures images of earthquakes, floods, hurricanes, etc., DR is needed for much more than natural disasters. Power grid failures, DDoS (distributed denial of service) attacks, and random events that damage the infrastructure that enables internet service for the servers that house your business’ data and applications can all result in a loss of access that negatively impacts your business.
A BC/DR plan is designed to create fail-safes to prevent any single point of failure from completely wiping out your network and data. Frequently, this involves creating backups of sensitive data on remote servers—and even copies of the network environment that runs your business’ mission-critical applications, which can be brought online in case of a catastrophic event.
Well-made BC/DR plans can be the difference between a business and its customers being mildly inconvenienced by a security event, and a business being brought to the brink of ruin because it cannot recover quickly and restore normal operation before it loses money and customers.
Incident management is the set of policies and procedures that a business has in place for responding to a specific security event—such as a breach.
Every incident management plan may have unique individual steps based on the nature of the incident and the resources available to the organization, but a solid general framework for creating an incident management plan would be:
What steps is your business taking to prepare for a specific eventuality? This may involve identifying all of the assets at your disposal and comparing them to what is necessary to respond to a specific type of incident so you can fill gaps or create a set of expectations for employees to follow.
This is your organization’s ability to notice that a breach has occurred. Intrusion detection systems (IDS) are a crucial part of this process. Ideally, the IDS used should be able to log security events for future reference so your team can identify the methodology, timing, and source of the attack.
What are the immediate steps your organization will take to limit an attacker’s access to specific systems, such as isolating the infected machines by shutting them down or disabling their network connection? Is there a multi-layered security architecture in place to slow down attackers and keep them from accessing specific systems from a single point of entry?
How will your team remove a threat from your network once it’s there? Is there a way for your system to block requests from a specific IP address once it has been identified as a malicious actor? Or, is there a way for your security team to shut down the asset and/or take it offline?
If an asset is negatively impacted by a breach, how will you return that asset to normal service? There may be some overlap with BC/DR planning here because of the focus on restoring operations to pre-attack norms.
What did your security team learn from the breach? This involves taking a look at the data recorded in the identification step and using that to enhance future response planning, or to prioritize a security update that addresses the vulnerability that was exploited.
Simply creating a list of policies and procedures for employees to follow isn’t enough. Employees need to be aware of these policies, why they should follow them, and how they can maintain a strong cybersecurity mindset. This is where security education, training, and awareness come into play.
This typically involves a formal training program that teaches employees about the basics of cybersecurity and their role in maintaining a strong security posture. Additionally, training should include hands-on sessions with actual equipment that simulates scenarios such as a social engineering attack (like phishing) to help employees recognize attack strategies and practice the steps for responding to such attacks.
This often involves your efforts to make sure employees know about specific issues, such as social engineering attacks (spear-phishing), internet of things (IoT) vulnerabilities, BYOD (bring your own device) policies, and basic security principles such as best practices for passwords.
The eight items listed earlier in this guide comprise the core components of cybersecurity. However, there’s one more aspect of an effective cybersecurity program that all too many businesses forget about: the execution and management of controls and solutions.
If any security solution is going to be effective in the long term, then the company needs to assign resources and personnel to manage it. If the necessary personnel aren’t put in place to manage a security solution, or aren’t given the authority to supervise it effectively, then critical security events and issues may get overlooked and ignored.
One example of this is the Target data security breach that occurred in 2013. According to a report featured on Reuters.com, “Target’s security team in Bangalore had received alerts from a FireEye Inc security system on November 30 after the attack was launched and sent them to Target headquarters in Minneapolis.”
The alert was ignored. This may be attributable to the limited resources of the Target team at the time. As the Reuters article notes, “it was likely that Target’s security team received hundreds of such alerts on a daily basis, which would have made it tough to have singled out that threat as being particularly malicious.” This indicates that Target’s security team was inundated with similar alerts, and didn’t have enough people in place to manage their incident response accordingly.
So, the breach and subsequent malware infection went unnoticed for weeks, slowly collecting sensitive customer data, such as payment card data and other personally-identifiable information (PII) that attackers could use to steal identities and commit fraud.
Covering the basics of cybersecurity is important for limiting your attack surface and preventing most intrusion attempts. However, cybersecurity doesn’t end there. Constant vigilance is a necessity to minimize your risks.
Contact Compuquip Cybersecurity today to learn how we can help solve the security challenges you're facing to better protect your company against threats.