Author - Abhishek Kushwaha
However, over the time it has been proven that the Internet is vulnerable, vulnerable to human errors, vulnerable to malicious individuals and vulnerable to natural disasters. Focussing on malicious individuals, who are working to improve their skills, scale and determination, it has been realized that something more comprehensive, more than installing firewall and IPS, is required to tackle the challenges posed in front of the society in the manner how the Internet and related services are used.
Cyber security has taken a prominent place in the security world. Cyber security, as per definition from ITU-T, is defined as:
[Cyber security is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment.]
Given the nature of how broad the term is, different organizations may associate a slightly different meaning with the term, certain level of flexibility in term’s use is expected.
Guiding principles for Cyber Security:
When moving towards cyber security, the approach should be supported with defined set of principles that can help in management of risks right from identification to mitigation in a manner that is in tune with cost and privacy considerations. The setting of right tune is important due to tightening regulations and cost as any control put in place generating excess data would turn out be drainer in terms of resources and can lead to fines.
The recommended set of guiding principles can be:
Risk based approach: Risk assessment to identify the threats, vulnerabilities and impact to the organization and then coming together to manage the risk by effective set of controls.
Result focussed: Focus must be on the final outcome, irrespective of the means used to reach it, and progress must be measured based on achievement of the desired outcome.
Prioritization: Priority matrix must be developed to prioritize the events and assets. The management approach must be based on priority, handling high priority activities first.
The increase in mobility, interoperability, population, complexity and distribution of components has given the attackers a plethora of surface to play with.
Adaptability: The approach or the controls developed as part of cyber security must be applicable to large set of assets and should be adaptable to wide array of sectors.
Privacy and regulatory compliance: The approach to cyber security must respect the privacy of individuals and should support the regulatory requirements.
Internationally influenced: The approach must be influenced with international standards so as to maintain maximum possible acceptability.
Taking a Risk based approach to Cyber Security:
In the current scenario the cyber security guidance available are mostly voluntary but the industry is moving to mandatory compliance at least for critical infrastructure, if not end-to-end. A risk based approach can help address the complexities faced during rollout of the strategy. Risk based approach starts with identifying, analysing and evaluating the risks which require attention. The approach must be holistic in nature to the maximum extent possible to enable all business units take advantage of changing landscape. Let us go through some of the critical areas which need to be made part of cyber security initiative right from the beginning:
Information Risk Management Leadership:
It is important that Board and senior managers support the information security and risk management and may wish to communicate their risk appetite and risk management policy to people associated with the organization to ensure they are aware of organization’s risk boundaries. A lack of effective risk management can lead to increased exposure to risk, missed options, poor return on investment, etc. In order to manage the risks following can be done to promote a risk aware culture:
• A governance framework should be developed which consistently supports the risk management culture across the organization and is owned by the Board or senior management.
• A major task would be determining the risk appetite of the organization so that the business decisions are guided within risk boundaries.
• Board discussions agenda should include information risk to the organization. Risk assessment reports must be regularly reviewed and contacts with outside authorities should be maintained in order to get better insight on emerging risks.
• Appropriate standards must be referred to build a life cycle approach to risk management, which can help in continual improvement, along with roll out of corporate risk management policy.
Internet and other untrusted networks expose corporate networks threats that aim to compromise CIA of the systems and the information. It is to be noted that protection is required against internal threats as well. Failing to secure the network properly can lead to leakage of sensitive information, malware infection, exploitation of vulnerable applications and systems, etc. Following activities can help to reduce the risk:
• All the traffic should be inspected and filtered at the network perimeter to ensure only business supporting traffic is being allowed. Firewall must be installed between untrusted network and internal network with only authorized ports and protocol allowed and default deny-all setting in place.
• Direct connectivity between internal network and untrusted network should not be allowed. Network isolation must be employed to isolate critical assets and easily manage the large environment. Wireless networks must be secured and Network Address Translation must be used to protect internal IP addresses from exposure.
Creating and enforcing secure baselines for all types of system components and applications can vastly improve the security posture of the IT systems. As a best practice all not necessary functionalities should be disabled or removed which can reduce the exposure of IT systems to variety of threats. Applications and systems which are not hardened will be vulnerable and can result in unauthorized access to systems, exploitation of insecure configuration, increase in security incidents, etc. In order to reduce the incidents due to insecure configuration following steps can be taken:
• Policies related to patch management must be enforced to make sure patches are applied within established time frame. Along with patching updated inventories of hardware and software must be in place. Automated tools can be used to capture the details.
• Hardening guidelines must be available for all types of systems components, router, firewall, server, workstations or any other. Unnecessary ports and services must be disabled. Change control must be in place for any changes to be effected in any system or application. User rights must be limited with respect to the ability to make changes in the components.
• Regular vulnerability scans and penetration testing must be conducted and any loop holes identified must be fixed in within a defined time frame. The team must maintain awareness regarding recent threat landscape as well.
Identity and Access Management:
Organizations need to understand the privileges required by the users, and whether it is at all required, to carry out their daily tasks. The principle of granting only privileges that are required to carry out daily jobs is termed as ‘Least Privilege’. Failure to manage privileges effectively can result in misuse of privileges, increased attacker capability and privilege creep, etc. Following methods can help in reducing the number of incidents due privilege misuse:
• Policies and procedures for identification and access control must be established providing guidance on password selection, complexity and life cycle along with roles and responsibilities.
• Procedure must be established for review of user accounts right from creation till deletion. Also, periodic reconciliation process must be set up to identify any dormant or test accounts and should be removed.
• The number of privilege accounts must be controlled in the system components. Privilege accounts should not be used for day to day activities. Normal users should be provided privileges based on the Principle of Least Privilege.
• Access to audit logs must be controlled and users must be monitored during their daily activities, specifically while carrying out sensitive tasks.
At some point in time all organizations have faced certain types of incidents and will continue to face new incidents. Therefore, it is worthwhile investing in an efficient incident management procedure to better manage the incidents and reduce any financial impact. Failure to implement incident management procedure can lead to major and long term disruptions and legal and regulatory non-compliance. The type of incidents will vary based on the type of business and a risk based approach will be more suitable considering the following points:
• Organization should establish and maintain organization-wide incident management plan approved and supported by senior management. The plan must be mature enough to be able to manage a wide variety of incidents.
• Roles and responsibilities must be clearly outlined and appropriate training must be provided to the personnel so as to handle wide variety of incidents efficiently.
• The incident management plan should be tested on a regular basis and learning must be incorporated to improve the plans. Business continuity and Disaster recovery should also be included and appropriate back-ups must be maintained to counter any incident which results in loss of data.
• In case of incidents it might be required to inform large number of people including clients, vendors, law enforcement, etc. Appropriate responsibilities must be documented as to who, what and how to inform the interested parties about the incident.
• Root cause analysis must be performed for all incidents and learning should be used to enhance the plan for future. If required the incidents should be reported to law enforcements and user awareness should be carried out to eliminate the possibilities of re-occurrences.
Virus and Malware Prevention:
Connecting to untrusted networks exposes the systems to viruses and malware. Such infections can lead to business disruptions, information leakage and even legal sanctions. Common mediums of such infection include E-mail, uncontrolled Internet access and removable media. Following can be considered to reduce virus and malware risks:
• Relevant policies and procedures addressing viruses and malware must be established and communicated within the organization. Users must be educated regarding the use of e-mail attachments and removable media on the corporate systems.
• Anti-virus and Anti-malware defence must be established and all systems must be regularly scanned. All electronic data exchange must be scanned for malicious content.
• Content filtering should be carried out by firewalls to prevent movement of malicious code from untrusted network to internal network. If possible, suspected content should be quarantined for further analysis.
Logging and Monitoring:
Logging and monitoring allow timely detection of attacks and can help in incorporating procedures that can help prevent future attacks. Monitoring ensures that systems are being used in conformation with established policies. It is to be documented as to what actions are to be logged and what will be the monitoring procedure. Failure to monitor the systems can lead to non-compliance as well as diminished ability to detect and react to the attacks. A consistent and documented approach needs to be put in place, which can include the following:
• Appropriate policies must be put in place and should be aligned with incident management policy. It should be ensured that all network and host systems are monitored by some automated solution and should have the capability to detect attacks through the use of signatures or heuristics.
• All network traffic movement, inside or outside, must be monitored for any malicious activity. Along with it should be able to identify the subject, the activity that triggered the alert and the object.
• The monitoring solution should be customized to capture appropriate logs and events that fulfil the requirement of monitoring. Inappropriate collection could result in legal and regulatory breach and could turn out to be costly in terms of management.
To the extent possible it should be ensured that all logs and events are collected and stored at a central repository and enough space is available for the storage for a certain period. Above all it must be ensured that all devices are synced to central time source so that all logs and events are accurately time stamped to support investigations or legal actions.
Removable Media Controls:
Lack of removable media controls can lead information theft, malware infection and above all loss of reputation. It is better to disable any usage of removable media unless some business requires it specifically and the approval should be based on risk assessment. In order to manage the risks from removable media following can be considered:
• Policies and procedures should be implemented to control the usage of removable media. The usage should be limited to users, systems and type of data that can be moved on to removable media.
• All removable media should be inventoried and users should not be allowed to their own media. All removable media should be scanned before it is used for data transfer and anti-virus solution must be deployed on all hosts.
• Removable media reuse and disposal procedures must be put in place to ensure that older data is not accessible. Industry accepted deletion and wiping techniques should be employed for securely deleting the data.
• The removable media must be hardened as per hardening guidelines and appropriate monitoring should be in place to detect any unauthorized use. If required, encryption can be used to protect the information present in the removable media.
Home and Mobile Working:
Mobile technology has made huge strides in the daily life of individuals. More and more people are using mobile devices for work related activities. It has resulted in the extension of corporate security boundaries. It is required that organizations maintain relevant policies and procedures to control the usage of mobile devices and layout plans for management of any compromise that might occur. The risks can be like theft of mobile device, shoulder surfing in public, insecure configuration leading to loss of data, etc. Following can be implemented to reduce the risks associated with mobile devices:
• If the organization allows the use mobile devices then secure baseline must be documented and implemented on all devices. Also, all users must be trained in the manner as to how to use their devices securely in public areas or any other place.
• The amount of corporate data present in the mobile devices should be kept at minimum to what is required to complete the activity. Also, the connectivity to corporate network from untrusted networks, like public Wi-Fi, must be protected by use of VPN to protect the data transmitted.
• Users must be instructed to report any or all incidents related to mobile devices at the earliest and corporate incident management plan must be extended to mobile device incidents.
User Education and Awareness:
It is evident that large numbers of incidents are caused by unintentional acts of users. It is important that the users are aware of their responsibilities towards the usage of corporate resources. Lack of awareness can result in unacceptable usage of company resources, use of removable media and personal devices can introduce malware, users not reporting incidents on time or not at all, etc. To reduce the risks following steps can be taken:
• An acceptable usage policy shall be present and must be communicated to all the users.
• All new joiners should go through security training at the time of joining and annual training sessions must be held for all the users, informing them of the new trends in the security field.
• Organization should promote incident reporting culture along with the security culture, users must be confident while reporting the incident without any fear. In - addition, disciplinary process must be in place for users misusing the resources.
It will be a worthwhile activity to assess the readiness of the organization to support the cyber security strategy. By creating a integrated approach for cyber security controls deployment an organization can safeguard its resources. There will be limitations, limited budgets, resistance to change, privacy concerns, etc. A clear statement of return on investment will help the strategy become an integral part of organizations’ transformation.
Abhishek Kushwaha, CISA, Security+
Abhishek Kushwaha currently serves as a Associate Consultant at SISA Information Security Pvt. Ltd. Bangalore. His work focuses on conducting onsite PCI DSS Audit assessments, Risk Assessments and Security Audits.