Best Security Controls Often Hidden in Plain Sight
By Kevin Murphy, President of ISACA Scottish Chapter
The swirl around the recent WannaCry cyberattacks has caused every responsible executive to ask
"What can I do to more effectively secure my organization?"
In a world of increasing complexity, it is tempting to reach for the latest security solutions and draft in teams of experienced consultants. Assuming both options are tied to a valid business case with a clearly articulated return on investment, each will provide assurance to an organization.
But before opting for expensive and radical overhauls, responsible security officers should ask themselves how well do they do the basics? Hidden in plain sight and often inexpensive, it is the following core controls, implemented effectively, that will best secure an organization:
- Back up important data regularly and test restores. This will reduce the impact of a successful attack and allow normal operations to recover.
- Perform intelligence-led security testing. This should include vulnerability scanning and penetration testing which is periodically executed on a risk-assessed basis according to the criticality of assets to business operations. Both perimeter and internal network should be in scope to understand how a successful attacker may gain access and then move about the network. Identified vulnerabilities should then be treated as part of a risk register.
- Disable untrusted macros. This will help prevent malicious executables from being executed.
- Perform application whitelisting. Only approved applications can run, preventing individuals from intentionally or negligently installing malicious software on the corporate network.
- Patch systems regularly. Due to resource limitations, it may not be possible to patch every piece of software. It is possible, however, to follow a defined patching procedure and implement effectively to prevent vulnerabilities that can be exploited.
- Authenticate emails. Deploy authentication protocols such as Domain-based Message Authentication, Reporting & Conformance (DMARC). This will help prevent emails with spoofed addresses, removing one of the largest attack techniques at the perimeter. Email risk scoring tools then can be used to identify suspect emails and quarantine them for analysis.
- Integrity checking. Include these controls on all databases/files and developed applications that contain sensitive data. These are prime targets for hackers who will be skilled in covering their tracks.
- Ensure anti-virus and anti-malware controls are up to date. Based on unusual activity, more advanced products can help prevent attacks before they manifest.
- Phishing awareness campaigns. It only takes one user to open an infected link on an email for a system to be infected; this remains the primary vector for an external attacker to gain network access. Reduce this risk by ensuring employees are aware of the threat and periodically tested via online training and periodic phishing campaigns.
- Incident response. Should the worst-case scenario materialize, ensure your incident responders are well trained and qualified, frequently practice realistic scenarios, operate according to defined practices and procedures, and have an easy and high-profile reporting process. The "golden hours" following confirmation of a successful attack are crucial in limiting impact.
Time, money and resources all contribute to the effectiveness of an organization's security posture. As was underscored by the extent of the latest attack, executives must view basic security hygiene as a strategic imperative.