What do you think of when we mention cybersecurity? Anti-hackers, passwords, and firewalls are probably what come to mind, and you’d be right, partially. Firewalls play a small role in cybersecurity, keeping unwanted traffic out of your network. They play a critical role, but they are a small piece of the puzzle, even for what we traditionally think of as cybersecurity. Likewise, passwords are just a small portion of cybersecurity, minuscule even; they’re a necessity but a tiny piece of the puzzle. And anti-hackers in live combat with hackers… I’m sorry to say that’s only in the movies. There is a role that responds to attacks and can affect an attack in real time, but it’s nothing like the Hollywood version.
Defense-In-Depth is the term cybersecurity professionals use to describe a strategy of layered defenses. Each layer provides its own unique blanket of security protections. Firewalls fall into the “Network Controls” layer, while passwords fall into the “Computer Configurations” layer. As you can see in the above image, there are several other layers that provide security protections. Each of these layers relies upon the other layers to function at full capacity.
Business Controls are the top layer because they are the most important controls; this is where the executives of each department get involved. Cybersecurity assures three properties of information: Integrity, Confidentiality, and Availability. These tenets ensure that information is available when needed, is unadulterated, and is only delivered to authorized individuals.
Each department head will identify the assets and information that are critical to their functions, commonly referred to as the Crown Jewels. Finance will undoubtedly say that their accounting system is critical, so cybersecurity will focus on ensuring that the system hosting their accounting software can continue operations throughout a disaster, like COVID-19. There may also be one or two desktop/laptop computers with specialized software that must be available at all times; cybersecurity will identify those workstations and back up the systems so that they can easily be recovered if the hardware fails.
The department heads will also need to identify the impacts of a loss of information integrity, confidentiality, and availability; these form one portion of a risk assessment. The impacts should be identified as an actual cost to the business:
The budget is another concern in business controls. No cybersecurity program can perform without a fully funded budget, and it involves more than just the Chief Information Officer or Chief Information Security Officer; each department will have some budget for cybersecurity. It may be a small portion, but every department will need to allocate some resources to it. These resources may be contributing to the Configuration Control Board (CCB), providing maintenance packages for their department-specific software, or contributing to the overall cybersecurity budget so that it is allocated amongst all departments.
While an underfunded IT team may only delay ticket resolution, an underfunded cybersecurity team will leave gaping holes in your protections, which could lead to an attacker getting into your system and wreaking havoc. There are two budgets to consider for cybersecurity: an initial budget that stands up a team to assess the current status of cybersecurity and develop a get-well plan, and the full budget based on the cost estimates from the get-well plan.
Administrative controls deal with the business processes that protect the system in various ways. These processes often have an input, an output, and a desired result. They often require interaction from more than one department.
Controlling changes to an Information System is a vital process to cybersecurity. Uncontrolled changes leave the system in an unknown state; protecting a system that you can’t define is impossible.
A good configuration management program will ensure that the entire system is in a known and intended state at all times.
Configurations are typically controlled by a Configuration Control Board (CCB). This board is made up of representatives from each department so that each change can be assessed for its impact on each group. Minor changes may be delegated to just the IT or Security department. For instance, applying patches to workstations may be considered low-risk; however, the CCB will need to determine which types of changes can be delegated. Delegating is, in and of itself, risky and should be done only after careful consideration.
Information security leaders who had a data breach in the previous 18 months reported that employees were the cause of half of them. The research was commissioned by data security firm Code42 and released as a report: the 2019 Data Exposure Report. In response to the question “Have you, or do you believe your colleagues from other departments, brought information/ideas/intellectual property/data with you/them from a previous employer to use in your current organization?”, 65% of information security professionals and 59% of business decision makers replied in the affirmative.
Defining who has access to which data, and when, is an important process that reduces the risk of a data breach. If all employees have access to all data, then when one account is breached the entirety of your data is breached. Also consider the insider threat: someone who transfers from one department to another, and then to another, without having their access revoked presents the same exposure as the external breach, since a single compromised account now reaches several departments’ data. Additionally, they gain the ability to cause damage to multiple systems themselves if they were to go rogue. Keep in mind that an employee’s access should be assessed during each major transition: hire, transfer, and termination.
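One way to operationalize the hire/transfer/termination review described above, as an added example that is not part of the original post: the HR event log and the access snapshot are constructed sample data, and the department-to-entitlement map is an assumed stand-in for an organization’s own access matrix.

```python
# Added example (not from the original post): flag entitlements that the employee's current department does not justify.

# Assumed role matrix: department -> entitlements that role legitimately needs.
ROLE_ACCESS = {
    "finance": {"accounting-system", "payroll-share"},
    "engineering": {"source-repo", "build-server"},
    "hr": {"hris", "payroll-share"},
}

# Constructed HR event log as (employee, event, department); later events win.
HR_EVENTS = [
    ("alice", "hire", "finance"),
    ("alice", "transfer", "engineering"),
    ("alice", "transfer", "hr"),
    ("bob", "hire", "engineering"),
    ("carol", "hire", "finance"),
    ("carol", "terminate", None),
]

# Constructed snapshot of what the directory / IAM system currently grants;
# "dave" holds access but has no HR record at all (an orphaned account).
CURRENT_ACCESS = {
    "alice": {"accounting-system", "payroll-share", "source-repo", "hris"},
    "bob": {"source-repo", "build-server"},
    "carol": {"accounting-system"},
    "dave": {"build-server"},
}

def current_department(events):
    """Replay HR events in order; a terminated employee maps to None."""
    dept = {}
    for employee, event, department in events:
        dept[employee] = None if event == "terminate" else department
    return dept

def review_access(events, current_access, role_access):
    """Return {employee: entitlements not justified by the current role}.
    Terminated staff and accounts with no HR record should hold nothing."""
    dept = current_department(events)
    findings = {}
    for employee, granted in current_access.items():
        allowed = role_access.get(dept.get(employee), set())
        excess = granted - allowed
        if excess:
            findings[employee] = excess
    return findings

if __name__ == "__main__":
    review = review_access(HR_EVENTS, CURRENT_ACCESS, ROLE_ACCESS)
    for employee, excess in sorted(review.items()):
        print(f"{employee}: revoke {sorted(excess)}")
```

Alice keeps the payroll share because HR also needs it, but her leftover Finance and Engineering access is flagged, as are the terminated and orphaned accounts.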
To the question “Have you ever personally clicked on a link you shouldn’t have/didn’t intend to?”, 43% of information security professionals and 49% of business decision makers responded in the affirmative.
According to the Verizon Data Breach Investigations Report (DBIR) 2019, 94% of malware was delivered via email. Most malware requires the recipient to take some kind of action to initiate the malicious behavior; that means your users have to click on something for the malware to work. Although there are technical protections against malware, training your employees remains the most effective method of preventing malware installation on your systems.
Security Awareness and Training should include training on the following topics:
Whether you have an internal IT department, an outsourced Managed Service Provider, or specialized equipment maintainers (e.g. Xerox printers), controlling how they perform maintenance is an integral part of your information security program. Service Level Agreements and contracts should explicitly call out information security concerns, as should your internal procedures for monitoring maintenance. Considerations for maintenance are:
Although there are certainly other controls that may be considered administrative or business in nature, this overview should have provided you with insight into aspects of cybersecurity that you may have overlooked; if you didn’t overlook them, that’s great!