Cyber Field Report
As we approach the Alabama Cyber NOW Conference on April 5th, we will highlight some of the companies and individuals making this event possible. We recently caught up with David Forrestall with SecurIT360, a Platinum sponsor of ACN. David provided us with a Cyber Field Report leading up to the conference.
We all need information to make decisions and to build plans to protect ourselves and the people we serve. This information includes strategies, risks, threats, vulnerabilities, actors, technologies, etc. Alabama Cyber Now (ACN) is a few weeks away and is a great forum to continue the discussion so that you are informed and can sleep better at night. We have served clients all over the U.S. for the past seven years performing audits, penetration tests, risk assessments, and security-program development. During this time, we have seen a persistent theme: people get lost in the details. We all know that security is not “set-it-and-forget-it.” So, what is the plan?
Cyber Action Plan
Focus on the basics first, it is a Process not a Product
There is no silver bullet, and advertisers are investing millions of dollars to convince you to buy their widget that will handle all of your security needs. But guess what? Even security products have vulnerabilities that hackers take advantage of. To be clear: You need quality security products to keep yourself safe. They are required to add layers of security, but it is the process around these that keeps you secure. They must be updated and maintained. If you do not check on their performance, you have no idea of whether they are still functioning properly.
Basic Blocking and Tackling
Studies show that over 90% of breaches happen because something simple was missed. So, before you run out and invest in new security solutions, it is important to make sure the basics are covered by solid products and the processes supporting them. Making sure these basics are covered reduces much of your risk:
Security patching for all hardware/software – This is where many of your vulnerabilities lie. The desktops are a place to start, but don’t forget the applications. All applications (office, Adobe, Java, browsers, etc.) need to be up to date. Switches, routers, firewalls, and infrastructure systems need updates too. You need to independently check to make sure that this is happening.
Endpoint protection – Antivirus/Malware solutions – Make sure these are working. Pull a report and do an inventory of systems. Not the most glamorous thing in the world, but simple and effective.
Review all accounts and passwords regularly – I don’t have to hack if I can just log in. You should also limit privileged accounts and prevent the use of shared accounts.
Constantly inventory devices on your network – If you don’t know what is on the network, how do you know whether it is allowed or protected?
Encrypt all portable devices – Smartphones, tablets, laptops, USB drives: anything that may carry sensitive data, which can easily “walk off”.
Provide security training for users and IT staff – Your users are the target and need to make well informed decisions. As for IT, yes they are smart, but typical IT training does not always include security processes (there is that word again…). And what IT folks hear most is faster, cheaper, and more reliable. Oh, and by the way, can you make it secure too?
Review firewall, remote access/VPN, and wireless solutions regularly. Another way to get in…
Implement a proactive monitoring/logging/alerting solution – There are millions of events produced in your network each day. They need to be collected and analyzed. There are many options available that will alert you when something bad is happening, so that you can react.
Check your email gateway (Spam filter). Make sure it has virus and malware capability. Email is one of the most common attack vectors. Most of you should have this, but you need to double-check that this is in place and functioning.
Additional basic perimeter protections. Make sure that your firewall has IDS/IPS capabilities – not all do. Internet content filtering software also keeps users from going to dangerous websites. Some firewalls include both of these features, but they may require additional licensing or products AND you need to make sure they are updated and functioning properly. You need to ask if you are not sure.
What do leaders need to do?
Leaders do not need to become experts or spend millions on cyber security to protect their organizations and customers. BUT, you do need to know enough to oversee and carry on the conversation.
Where to start:
Educate yourself – The buck stops with you. When something happens, answers will be demanded. Get in the conversation and ask questions of those that you trust to handle cyber security for you.
Measure your status – Measure against accepted standards. This is more than asking your IT guys to check the firewall. Standards are multi-dimensional, covering all areas. CIP, NIST, or ISO 27000 are solid standards to compare yourself to – AFTER you have covered the basics.
Develop a plan to close holes – There is no such thing as 100% security which always leaves room for improvement. The gaps should be ranked by risk and prioritized. Regular meetings and documented progress against risks will show the level of commitment to security.
Develop a security program – The rapid pace of change does not allow you to set-it-and-forget-it. Policies need to be written and responsibilities assigned. The program will require monitoring and regular reporting.
A Note to the CFO: You may want to remind your finance committee that breaches can cause serious reputational damage and be very expensive. Cyber Liability insurance is not enough. In today’s world, the expectation is that there are measureable efforts (and funds) devoted to keeping information safe.
About our perspective – SecurIT360 is a knowledge-based, cyber-only firm that also represents various industries concerned with protecting sensitive information, including Financial, Healthcare, Utilities, Legal, Education, and IT Services. Our recommendations come from working experience with many solutions. We are independent; a vendor agnostic and a client advocate. We do not “sell” or broker hardware, software, or a particular vendor. Ours is a process, not a product. Yes, you need products, but it is the process and people around those products that keeps the firm secure.
View more blog posts by visiting TechBirmingham's full blog.
