Bill Gates once said, “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.” In terms of a cybersecurity culture this couldn’t be more true.
There are an overwhelming number of cybersecurity technology solutions out there, but if you don’t have good processes in place – or people who can interpret the information – they won’t do as much as you think to protect you. A tool can’t fix a bad process. Of course, technology is still an important component of a cybersecurity culture, but only in partnership with people and process.
It may seem strange to think about technology in terms of culture, however it fits in because a person is going to use it and a process is going to drive its operation. In our experience, we see a lot of different technology components in organisations that aren’t managed in the context of cybersecurity culture. The tools aren’t process-oriented or culturally-embedded, so people either don’t know how to use them, aren’t using them in the right way, or have left them in a static state.
Let’s take a look at the technologies you should be considering implementing – with the appropriate people and process considerations – to build a cybersecurity culture. We recommend a layered approach to cybersecurity, known as defense-in-depth. Here’s what it should include, and how each technology can be managed with security in mind.
Perimeter Preventative Controls
Perimeter preventative controls are those technologies designed to keep malicious traffic from getting on your network. Here are some suggested controls.
#1. Firewall: Designed to block unauthorised inbound access while permitting outbound communication.
- Prior to configuring, document the rules that will be applied and include a business justification for each. For example, if a port is to be left open, document why and what business requirement is satisfied by doing so. Always keep configuration backups.
- Consider High Availability (HA) synchronisation, a configuration in which two firewalls are placed in a cluster and their configuration is synchronised to prevent a single point of failure on your network.
- Be sure to segment your critical services. This allows you to isolate network traffic and filter, so you can limit or prevent access between network segments.
- Have someone review your firewall logs every day. Be sure they are highly-trained and up-to-date on the latest threat intelligence.
- Be diligent with patches and updates.
#2. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): Devices or software applications that monitor a network or systems for malicious activity or policy violations.
- Place sensors in strategic locations for both external and internal traffic capture.
- Ensure signatures are being updated as frequently as updates are available from the vendor.
#3. “Zero-day” Protection: Either an appliance or agent-based software that can detect a threat that exploits an unknown computer security vulnerability.
- Review activity on these tools every day to stay aware of what’s happening.
#4. Multi-factor Authentication for Remote-access: Multi-factor authentication requires an additional challenge to the user to provide more authentication information (something you have or something you are) over and above your username and password (something you know) to access an account.
- At a minimum, this should be required for all administrator remote-access activity.
Internal Network Preventative Controls
Internal network preventative controls are those technologies designed to monitor your internal environment for malicious traffic or suspicious activity. Here are some suggested controls.
#1. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
- Employ a host-based system to include an application layer for critical services, such as web applications. It frustrates hackers when there are layers to get through.
#2. Web / Internet Filtering
- Be sure to have approved sites documented, and include an exception list based on roles that might require access to special sites.
#3. Data Loss Leakage Prevention (DLP): Software that detects potential data exfiltration transmissions.
- Monitor or block the use of removable media, such as USBs.
- Send email securely, especially when transmitting Non-Public Personal Information (NPPI).
- Control your NPPI Inventory. There are new tools available that can automatically find all the NPPI on your network and make sure it can’t be exfiltrated.
#4. Antivirus Software
- Use a centrally-managed solution capable of pushing updates to all endpoints and reporting on failed updates, as well as malware infections.
- Update as often as the tool allows.
- Do not allow it to be configured or altered by individual users.
So, while technology is an important piece of your overall mission for cybersecurity, it should not drive the conversation or be considered without including your people and your processes. You can spend money on expensive tools, but if they aren’t process-oriented or embedded in the cybersecurity culture of your organisation, they will provide a false sense of security.