Guest Author: Mark Thacker, CISSP
Chief Information Security Officer at Beyond
We see it in the news every day: another business undone by a security compromise. Our reaction is often to find a quick fix, something security vendors are all too quick to promise. While raiding the company treasury may seem expedient, rash security purchases rarely help.
Early in my security career, I attended a small conference that made a huge impression. The auditorium’s perimeter was lined with the sponsors’ elaborate marketing booths, but as the keynote presenter spoke, the vendor reps became increasingly uncomfortable. With slides projected onto one screen, and hacking tools onto the other, he used the former to display the latest product buzzword, and the latter to render it useless.
Tension building, he stepped away from the podium, and then literally and figuratively rolled up his sleeves. He spoke one word: fundamentals.
Epiphany washed across the audience like wildfire. The speaker bypassed each product by taking advantage of the weak security fundamentals found in almost every organization – in our organizations. Inconsistent configurations, neglected patches, unaccounted-for assets, poorly trained people, and more: against these, even the most advanced products were simply undone. Another uncomfortable truth soon followed: an organization with good security fundamentals and simple technologies will almost always enjoy less risk (and a healthier treasury) than the organization with poor fundamentals and the priciest tech.
Of course, entire frameworks exist to describe these cybersecurity fundamentals, but let’s cover five today:
1. You cannot protect what you cannot define
This fundamental is simple to understand but takes discipline to maintain. Pulling together a list of machine names is a great start, but not sufficient. Record the operating system in use (version numbers, not marketing names), firmware versions, the manufacturer, model, and serial numbers, etc. When breaking news announces a vulnerability, you will know if you are affected.
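As an added example (not the author's or Beyond's code) of what such a record makes possible: a small inventory that stores exact version strings, and a check that lists the hosts falling inside an advisory's affected range. Every asset, product name and version below is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    model: str
    serial: str
    os_name: str           # product identifier, not a marketing name
    os_version: str        # dotted numeric version, e.g. "10.0.17763"
    firmware_version: str


@dataclass(frozen=True)
class Advisory:
    product: str           # compared against Asset.os_name
    fixed_in: str          # first version that is NOT affected
    min_affected: str = "0"


def parse_version(v: str) -> tuple:
    """Turn '10.0.17763' into (10, 0, 17763) so versions compare numerically.
    A marketing name such as 'Server 2019' cannot be compared and is rejected."""
    try:
        return tuple(int(part) for part in v.split("."))
    except ValueError:
        raise ValueError(f"not a numeric version: {v!r}; record build numbers") from None


def affected_assets(inventory, advisory):
    """Return hostnames whose OS matches the advisory and whose version lies in
    [min_affected, fixed_in). Tuple comparison handles differing lengths."""
    lo = parse_version(advisory.min_affected)
    hi = parse_version(advisory.fixed_in)
    return [a.hostname for a in inventory
            if a.os_name == advisory.product
            and lo <= parse_version(a.os_version) < hi]


# Constructed sample inventory and advisory (hypothetical vendor and product names)
INVENTORY = [
    Asset("web01", "ExampleCo", "R100", "SN-0001", "exampleos", "10.0.17763", "1.4.2"),
    Asset("web02", "ExampleCo", "R100", "SN-0002", "exampleos", "10.0.19041", "1.4.2"),
    Asset("db01", "OtherVendor", "X9", "SN-0003", "otheros", "3.2.1", "2.0.0"),
]
ADVISORY = Advisory(product="exampleos", min_affected="10.0", fixed_in="10.0.19041")

if __name__ == "__main__":
    print(affected_assets(INVENTORY, ADVISORY))  # ['web01']
```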
2. Complexity is the enemy of security
Once you have created your inventory of technology assets, put on your CIO hat. If you find you have a patchwork of mismatched technologies, consider why. Businesses that have experienced rapid growth at some point in the past often struggle here. Some businesses arrive at this patchwork intentionally, however, out of a desire to get the best tool for the job.
We all know a system must be well-maintained to remain secure, so consider the following questions. How easy is it to maintain each of these different technologies? Can you achieve any scale in, say, deploying patches and upgrades, or does a technician have to touch each one? Do you have a qualified technician with specialized skills for each technology in use? If so, what happens if he/she leaves? How readily can you find a replacement resource?
3. Legacy technology only gets harder
Building solid fundamentals requires discipline, but discipline is not always fun. Legacy technologies are often dismissed as minor daily inconveniences that are more readily accepted than the one-time, major effort needed to replace them. With each passing day, however, that effort only grows.
Technology is often a sliding scale with a leading and a trailing edge, and the two move together. For each step the leading edge takes forward, the trailing edge eliminates a previous version from support. This relentless progression will soon expose your legacy technology to a world of attackers looking for the easy way to make a quick buck. In short, they will be looking for you.
Every day, the work will only get harder. Start now.
4. Work in layers
In 1984, a group known as the IRA attempted to assassinate then-UK Prime Minister Margaret Thatcher. The British leader narrowly escaped the blast. The IRA later issued a statement reading: “Today we were unlucky, but remember we only have to be lucky once. You will have to be lucky always.”
Cyber attackers and their victims have much the same relationship. The attackers can operate with impunity and strike at their leisure. Their victims, however, can never lower their guard, and must consider everything.
But ‘everything’ is difficult to fully ‘consider’. Structure your planning by thinking about your technologies in layers, from physically locking away your technical assets, to properly configuring networks, to patching operating systems, and more. Use freely available resources like the OSI Model to inventory your protections and ensure nothing is missed.
5. Quality training is worth every penny
Why spend weeks hacking when you can trick someone into letting you in? Sometimes we are most imperiled by our own employees just trying to do their job. One errant click can be ruinous.
If your current cybersecurity training is less than engaging, throw it out. Such programs may “check the box” for compliance obligations, but they will not influence behavior. Good cybersecurity training results in visceral attendee reactions. Find these trainers and programs.
What do I mean? I have heard people audibly gasp when they realize what a hacker can do. Some people get excited to learn more. Some start to ask great questions. But few check out. That is good training. Don’t skimp here.
And that’s it – five fundamentals to help keep your business safe. But there are many more to discuss. Until next time.
About the Author: Mark Thacker, CISSP
Beyond Chief Information Security Officer
Mark Thacker is a 14-year veteran of Information Security and a Certified Information Systems Security Professional (CISSP). He has served in senior leadership and technical design roles across multiple Fortune 100 and 1000 organizations with a strong focus on application security and security architecture disciplines.
An FBI InfraGard member, Thacker has also advised the Department of Homeland Security in Washington, DC on application security technology standards for the Federal Government.