Top 5 Solutions: What Security Areas Do Enterprises Need To Have Covered?
Cyber Security Hub Advisory Member Shares Insight
Jamal Hartenstein, Cyber Security Hub Editorial Advisory Board member and Director of Security at KAI Partners, Inc., outlined the top 5 necessary solutions for a strengthened defense.
How do you mitigate the most common attacks against your system or network? You need to have a prioritized set of actions that collectively form a defense-in-depth set of best practices.
The following is an overview of 5 areas that enterprises need to have covered in order to build their own defense-in-depth best practices. Covering them also helps facilitate adherence to the frameworks ratified by the respective regulations.
1. DATA FLOWS: Identify and document what type of data your enterprise controls or processes. Document where it goes. Generate a report on who (humans and applications) has access to it, and what type of access each possesses. Conduct periodic reviews on your report.
2. POLICY: Document your internal and customer-facing policies and stick to them. Include them in training.
3. PATCH MANAGEMENT: Continuously monitor, assess, and remediate vulnerabilities using documented processes and procedures. Archive your patch schedule and remediation efforts.
4. ENCRYPTION: Encrypt the data that requires protection. At a minimum, deploy data-at-rest encryption (D@RE), which is storage-level encryption. Deploy data-in-transit encryption (DiTE) as well, unless the justifications for business intelligence analytics on cleartext data, or operational issues with data deduplication, outweigh the security benefit of DiTE. If forgoing DiTE is the business's decision, other compensating controls should be in place.
5. MFA: Deploy Multi-factor Authentication on admin-level accounts. Get enterprise agreement on whether you define an admin account as any account (individual, group, or service) with elevated privileges to change another's system or user settings. Some enterprises exclude "Local Admin" privileges on an individual's personal workstation from the definition of admin. But if you are giving an individual the ability to add/remove their workstation from your domain, you may be giving them elevated privileges to change a system setting as it relates to domain membership in Microsoft Active Directory Users and Computers.
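The MFA item above turns on how broadly the enterprise defines an "admin account". The following script is an added example (not from the article or from KAI Partners) that produces the raw material for that decision: it lists every user or computer account that holds membership, directly or through nested groups, in the default privileged Active Directory groups, and it reads the domain's ms-DS-MachineAccountQuota attribute, which governs whether ordinary users can join workstations to the domain (the article's point about domain-join privilege; the attribute check is this example's extension, and its default of 10 is Microsoft's default). It assumes the RSAT ActiveDirectory PowerShell module, read access to the domain, and the default built-in group names; the `svc*` naming pattern used to spot service accounts is a constructed convention, not a standard.

```powershell
# Added example: enumerate the candidate "admin account" population so the MFA
# scope decision rests on data rather than on assumptions.
# Assumes: RSAT ActiveDirectory module, read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Default privileged groups. Enterprise Admins and Schema Admins exist only in the
# forest root domain; the try/catch below skips groups that are absent here.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators'
)

$report = foreach ($group in $privilegedGroups) {
    try {
        # -Recursive expands nested groups and returns only the leaf principals
        # (user or computer objects), so nested membership is not missed.
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Group       = $group
                    Name        = $_.SamAccountName
                    ObjectClass = $_.objectClass
                }
            }
    } catch {
        Write-Warning "Skipping group '$group': $_"
    }
}

# Service accounts with elevated group membership count as admin accounts under the
# broad definition. The 'svc*' prefix is a constructed naming convention for this example.
$serviceLike = $report | Where-Object { $_.Name -like 'svc*' }

# Who may add workstations to the domain? Any authenticated user may create up to
# ms-DS-MachineAccountQuota computer objects (Microsoft's default is 10). A non-zero
# value means domain join is not limited to the accounts listed above.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

$report | Sort-Object Group, Name | Format-Table -AutoSize

$uniqueAccounts = @($report | Select-Object -ExpandProperty Name -Unique).Count
"Distinct accounts with privileged group membership: $uniqueAccounts"
"Of which service-like accounts (svc*): $(@($serviceLike).Count)"
"ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"
if ($quota -gt 0) {
    "Ordinary users can join up to $quota workstations each; decide whether that is an admin privilege in your MFA scope."
}
```

Run it as a domain user with read access and keep the output with the Data Flows inventory: the accounts it lists are the minimum population for admin-level MFA, and the quota value tells you whether the domain-join case discussed above applies to every user in your enterprise.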
Why These Top 5?
1. Data Flows
I was in Kandahar, Afghanistan when the 160th Signal Brigade's 54th Signal Battalion took over control of the whole Microsoft Active Directory forest for the entire Southwest Asian theater of operations. Public Key Infrastructure (PKI) with Multi-factor Authentication (MFA) was deployed shortly thereafter. 54th Sig was able to do this successfully because they had identified where in the warzone humans and applications were authenticating to the enclave of multiple domains, and what data they were exchanging. Regardless of your unique IT Security Roadmap program, mapping your data flows also helps you support federated services, comply with GDPR and CCPA, have more effective incident response plans (IRP), and postures you for adherence with the CIS CSC top 20 and NIST frameworks. The first 2 controls of CIS CSC version 7 ask for such an inventory (with direct mapping to NIST Core Framework ID.AM, PR.DS and NIST 800-53 CM-8, IA-3, SC-17, PM-5).
3. Patch Management
We are all aware of Microsoft's Patch Tuesdays, but if we swim upstream to the Operating System (OS) version updates, we may face greater challenges. Not keeping your enterprise up to date with the latest OS versions can leave you running software that has reached end-of-service (EOS). Microsoft doesn't even provide security patches for OS versions that have reached EOS. Completing your own requisite testing before deploying version upgrades to your production network can be very time-consuming in some cases. Consider that in your documented plan.
Do your C-suite a favor: give them the opportunity to say "yes" if media or lawyers ever ask whether their patch management plan demonstrates systems kept current with recent OS versions and security patches.
4. Encryption
NIST 800-53 SC-8, SC-28, and CIS CSC #13 ask for "Transmission Confidentiality and Integrity" and "Protection of Information at Rest." You're right in thinking that doesn't explicitly ask for encryption of data at rest and data in transit. But media and judges are keenly aware of the buzzword "encryption," although they don't understand the various methods or compensating controls. "Is your database encrypted?" is one of the most common questions the media asks new CISOs/CIOs after the previous executives were fired following a breach. But that's not convincing enough, because all I'm doing is presenting you with the risk of potential reputational damage.
What your enterprise should do is evaluate your personnel's and applications' unique needs to access cleartext data (particularly data you've identified as Personally Identifiable Information (PII) in your Data Flows). Generally, your database administrators (DBAs) can work with ciphertext, having no need to view PII in cleartext. But what if tokenization or encryption ruins your Business Intelligence team's ability to conduct data analytics, stifling your market research? The answer is to find the balance between operability and security that works best for your enterprise, using risk management frameworks to identify whether other compensating controls make more sense than encryption for your enterprise. Weighing your Data Flows, data analysis needs, industry regulation, and other factors, this is an area your enterprise needs to have covered, with your decision justified, documented, and explained to C-suite and board members who have a fiduciary responsibility to make informed IT security decisions. Encryption of data at rest and in transit might be your best way to protect information and pass audits (and to maintain a healthy brand reputation should an incident occur, because the compensating controls that may have helped you pass an audit are not the buzzwords known to media and judges).
5. MFA
"Does your enterprise employ MFA and encryption?" This question is asked repeatedly by opposing counsel in depositions, by the media, and by data controllers evaluating potential B2B relationships with data processors (as they should). Attorneys General of states such as New York and California, among others, have published reports stating that MFA is part of the standard that organizations are measured against in litigation resulting from a breach, or from an incident that triggers the state's mandatory disclosure reporting laws. "Controlled Use of Administrative Privileges" is CIS CSC #4 (and maps to NIST 800-53 IA-5, AC-2, AC-17, AC-19). MFA makes the top 5 list of areas that enterprises need to have covered not only because laws and frameworks say so, but because MFA is an industry-accepted best practice for protecting data. Hard/soft tokens, SMS, voice message, email, and SAML assertions are adopted widely across industries for customers accessing their own data, for admin-level employees, and for employees working remotely. Additionally, some audits may accept MFA as a compensating control for "Protecting Information at Rest," as discussed above regarding encryption under the NIST framework.
These areas are the top 5 solutions for what enterprises need to have covered. They mitigate the most common attacks on systems and networks. They posture enterprises for compliance with regulation. They help decision-makers prioritize a set of actions that collectively form a defense-in-depth IT Security Roadmap. Addressing these top 5 first helps organizations achieve improved protective controls and facilitates further adherence to the frameworks ratified by the respective regulations in the future.