Background
There has been a geometric increase in the number of breaches recorded by organisations in different sectors within the past few years. Hackers are continuously trying to gain unauthorized access into your system by whatever means possible for reasons which may include gaining competitive advantage, cause reputational damage, theft or denial of access to information, breaches may also be as a result of poor security practices among user or due to lapses in security policies or procedures (oops) amongst other reasons.
The chart above, clearly depicts the increase in breaches across the past three years. This brings to bear, the need for well-defined security controls in organisations.
This paper seeks to address controls that can be put in place to reduce the probability of an attack and how to minimize the effect in an event where it occurs. Critical security controls can be divided into two major headings. They are:
1. Technical Controls: these are controls require prior security knowledge, not necessarily advanced to be able to implement. They are also vital for the security of the firm’s information/ cyber security.
2. Physical Controls: these controls don’t require any form of prior technical knowledge to implement; all that is needed is good knowledge of the organisation, the various tools used and what they are used for. Examples include, use of cameras, cable locks, ensuring only authorized access to physical resources amongst others.
3. Management Controls: Management has an oversight responsibility over the firm. Management controls therefore speak to the role of management in ensuring that assets are well secured and laid down procedures are being followed to the letter.
Technical Controls
1. Secure Configurations for Infrastructure
Ensuring devices accessing the network, and software packages installed on them have defined policies which can be centrally modified based on severity level and device attributes. It also entails modification of default vendor configurations on devices. This can be done using active directory policy, orchestration software and network configuration management tools.
2. Controlled Use of Administrative Privileges
Resources accessible by each user should be strictly what is needed to carry out routine tasks using the principle least privilege access. Access control policies should also be reviewed periodically in case of job rotation and change of role by users thereby granting a specific user more privileges than necessary. Controlling privileges involves identifying accounts with excessive privileges and disabling such or reducing privileges. In controlling privileges, it is also important to note that a single user should not be able to make a request and approve same, there must be separation of duties. Some tools that can be used for monitoring use of administrative privileges include Sudo for UNIX and Run for Windows operating system.
…if they have no business there, then why grant access?
3.Continuous Vulnerability Assessment and Remediation
This refers to scheduling periodic automated scans against all systems on the network to detect, assess and prioritize vulnerabilities and mis-configurations. It also helps in creating and automatically distributing prioritised remediation plans. Some tools that can be used include OpenVAS, Nessus and Qualys.
4. Email and Web Browser Protections
This control explicitly pays attention to concepts like scripting and active component limiting in browsers and email clients, URL logging, attachment handling, filtering, configuration and whitelisting. If your browsers and email clients are not well secured, there is a high probability your users and network are not secure either. A way to always keep mail and browser is secure is ensuring mail client and browsers are always up to date and using patch management tools.
5. Malware Defence
Just as anti-malwares are being upgraded, malwares are also being designed to beat such defences. It is therefore not enough to have malware defences in place, but regular update of anti-malwares tools is necessary to keep your organization safe within the ever evolving security threat landscape. The use of dynamic endpoint security tools and not just traditional anti-virus software, will enable quick detection and response to threats. It is therefore important for organizations to make use of rapid updating, large scale malware defences that can be easily integrated with other tools.
6. Network Defence
Ports, protocols and services are the usual target entry points into a network or system. It is important to maintain an inventory of network boundaries, deny communications over unauthorized ports and malicious IP addresses. Scheduling periodic scan for unauthorized connections across trusted network boundaries to detect, monitor, analyse and defend your network from infiltrators. Denying traffics not explicitly allowed into your network by using scanning tools and host-based firewalls and port filtering is extremely important. All servers must be properly configured to limit remote access. Nmap and other port scanning tools can be used occasionally to scan network.
7. Secure Configuration of Network Devices such as Firewalls, Routers and Switches
The use of next generation firewalls, Intrusion Detection and Prevention Systems (IDS and IPS) play a crucial role in securing networks as they combine features from traditional firewall and other network filtering capabilities using in-line deep packet inspection. The benefits derived from them however, are largely dependent on the level of attention paid to their configuration. Administrative access on these devices should be minimal and patches should be installed promptly. Default vendor configurations should be changed before devices and tools are placed on the network to prevent breaches, there should be a section in the organization’s IT policy to mandate change of default credentials. The use of baseline scanners can help manage policies and automate enforcement of policies.
8. Data Classification
There are various rules guiding the use of data GDPR, NDPR, China Regulations depending on the region your firm is operating. The penalties for violating these policies can be very dire on the firm involved. To ensure compliance with these regulations, it is important to classify data as this will guide in assigning criticality level to data. There should be administrative accounts and non-administrative account with different access levels as any violation of any of the data protection policies may lead to reputational or financial loss. Organisations and government parastatals making use of PII or data must ensure that all data protection laws and policies are` strictly adhered to. In occasions where storage of data is not necessary, it is advisable not to store such as avoidance is the best security practice. File Integrity Monitoring (FIM) and Database Integrity Monitoring tools are very helpful in protecting data also the use of access control cannot be overemphasized.
9. Controlled Access to Infrastructure
This can be broadly divided into two, organisations need to control both physical access (building, physical assets and so on) and network access (servers, data and so on). Physical control involves the use of biometrics, cameras, key cards and locks to gain access to building or room where devices are stored. Network access control involves the use of routers, switches, firewalls, secured configurations, strong passwords, access control lists, policies and anti-virus protection to prevent unauthorized access in your network.
10. Removable Media Control
Removable media refers to any device that can be plugged into the computer ranging from smartphones, tablets, hard drives, USB sticks, iPods, Bluetooth devices, smartwatches, CDs and DVDs. These devices are highly mobile devices and their use cannot really be controlled. These devices may be used to steal sensitive information or may contain malwares. It is therefore necessary to have strict policies addressing the use of these devices. The use of endpoint security tools will go a long way in ensuring the data stored on these devices are not accessible by unauthorized persons in case of theft
11. Account Monitoring & Control
It is important to monitor user account activities and identify risks associated with accounts like weak passwords, unchanged passwords, unused accounts that are still enabled and so on to minimise chances or attackers leveraging such loopholes. Logging is also important to monitor user behaviour, it can be used to keep record of failed login attempts, amount of time users are logged in, type of information being shared and even change in login pattern of users. Logging and alerting tools may be used to monitor and control accounts.
12. Maintenance, Monitoring and Analysis of Audit Logs
It is not enough to just keep logs, maintaining and monitoring of audit logs is very important. It has also been identified by OWASP as one of the top 10 vulnerabilities according to their 2017 publication. Proper log monitoring and analysis gives full visibility of the network environment. Though it might not be absolutely possible to safeguard the network from all attacks, it is necessary to keep logs for easy analysis and identification of possible causes of breaches. During one of the penetration testing exercises conducted for one our clients at Chase Digital, we were on the network undetected for a period of time long enough to be noticed, there were logs but they were not well monitored. Too much emphasis cannot be made on how important it is to monitor logs as potential breaches can be averted. Security Information and Event Management (SIEM) software packages allow you monitor and analyse network activities effectively.
Don’t just keep logs, monitor them!
13. Application Software Security
Securing an application must be reactive and should commence as soon as application is deployed. The Open Web Application Security Project (OWASP) body comes up with top vulnerabilities to look out for, they include injections (SQL, OS, and LDAP), broken authentication, using components with known vulnerabilities, cross-site scripting and broken access control amongst others. To deal with some common vulnerabilities vendors release patches from time to time, it is the responsibility IT department to ensure that patches are installed promptly, without any delay. A lot of organization run foul in this regard, even firms you’d least expect. Applications also need to be scanned periodically for quick detection and resolution of issues. Some tools include Acunetix, Qualys among others. Code reviews, including black and whitebox testing should also be done.
14. Endpoint Security
This control is needed when the network is being accessed remotely by various endpoints (laptops, phones, tablets and other devices). Organisations have long passed the era of using desktops, as a matter of fact most companies use the Bring Your Own Device (BYOD) for so many reasons. As a result, most devices used today are mobile; and once they are taken out of the office premises, there is a limit to the amount of controls that can be enforced on such devices. There is, therefore, the need for endpoint security software. Some endpoint security solution providers include McAfee, Symantec, Trend Micro, Crowdstrike, Cylance, and Endgame amongst many others. Endpoint security tools help keep your corporate network secure regardless of the various devices connecting remotely.
15. Penetration Tests and Red Team Exercises
This is a test of the overall strength of an organisation’s defence (the technology, the processes, and the people) by simulating the objectives and actions of an attacker. This exercise also seeks to test users knowledge on security as tests should involve some form of social engineering techniques The end result of this exercise is usually a remediation plan to help resolve all identified vulnerabilities within the organization’s landscape.
Physical Controls
1. Inventory of Authorised and Unauthorised Infrastructure
Maintaining a robust inventory of network devices, software, hardware and services on your network allows for easy management and control. It enables the administrator to easily detect and take necessary actions on unauthorized, outdated or malicious infrastructure running on their network. Tools that can be used for endpoint security, asset management solutions and mobile device management (MDM) solutions.
2. Ensuring Physical Security
A lot of social engineering attacks feed on the lack of proper physical access to firm’s premises. The use of gates, fences, guards, keys, cameras and man traps as inconsequential as they may seem can be used to deter attackers. The use of shredders to destroy both paper and devices like hard drives that are no longer in use to prevent dumpster diving. Enforcing the use of ID cards within the office premises and as a means of gaining access into critical infrastructure.
Management Controls
1. Security Skills Assessment and Appropriate Training
Your system is only as secure as your weakest link. No matter how secure your system is, an untrained staff is all your attackers need to gain access to your network. Access can be gained through phishing attacks and various social engineering techniques. Users must be abreast with recent security trends and how to stay safe online, hence the need for training and staff development.
Untrained users are like holes in your ship
2. Organisational Structure
The success of the information security department of an organisation is largely dependent on its organizational structure. How are change requests handled? How are complaints handled? Are there people in charge of all the units within the department? are there no assumption, if requests or complaints are not properly attended to, is there a structured reporting line? Or is everything left to chance. No matter how much investment has been made by the organisation, if the department is not well managed, it will definitely amount to nothing.
3. Detailed IT Policy Documentation
Just like the popular saying, where there’s no law, there is no offence, for users to take responsibility there must be a well laid out IT policy document. The document should provide a detailed guideline for all activities that will be carried out within the firm’s network or premises. The policy document should contain penalties for failure to comply with laid down policies depending on the risk posed. The IT policy should contain the Information Security division’s organogram to guide reporting and escalation of issues as they occur.
Conclusion
It is important to note that the amount of money spent on procuring IT infrastructure, network security solutions and the number of security personnel available doesn’t automatically guarantee the security of your corporate network.
It was appalling to see one of our client’s server running Drupal 2.0 in 2018. You come across firms that don’t how many devices they have, no inventory. If you don’t know the amount of resources to be connected, how then can you detect that unauthorized devices on your network.
It’s important to know that these controls are dependent on one another, not paying attention to the seemingly minor controls could have the same effect as ignoring the “big” controls.
Security is everybody’s responsibility and must be treated as such.
About Author
Oluwatosin Fatokun is an information Security Analyst working in the information technology and services industry.She has also worked with various high performance teams to perform VAPT exercises and document recommendations, review and develop IT policy documents and develop IT strategies for various organizations including a DAX 30 firm. She is also also passionate about teaching younger ones (not restricted to any gender) on how to develop web applications.
References
https://www.sophos.com/en-us/security-news-trends/security-trends/company-boundaries.aspx
https://www.cisecurity.org/controls/
https://security.berkeley.edu/account-monitoring-and-management-guideline
http://www.cucaier.gob.ar/images/descargas/112_3.pdf
https://www.securitymetrics.com/blog/6-phases-incident-response-plan
https://security.uci.edu/security-plan/plan-control11.html
https://mti.com/blog/2017/11/23/10-steps-cyber-security-removable-media-controls/
https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
https://www.gartner.com/doc/488013/role-definition-organizational-structure-security
