WHAT DOES A CYBER SECURITY STRATEGY LOOK LIKE?
One of the ways I keep up with what is new and with current thinking in the cyber security world while I am on the road is by listening to the “Through the Security Rabbit Hole” podcast.
As I was listening to one of the recent episodes, I started considering what a cyber security strategy should look like. So here goes:
Every employee must understand the organisation’s mission. Additionally, every employee must understand their responsibility to help secure the company so that it can achieve that mission. (This is particularly relevant to phishing attacks, where a single employee’s decision can be the point of entry.)
SET A SECURITY MINDSET: SECURITY BY DESIGN, NOT AS AN ADD-ON
Have people at board level and at every level below it who own the cyber security problem, its implementation and the response when something goes wrong.
Understand your adversary and how they will attack you. Know your systems, all their endpoints and all their vulnerabilities. Have proactive intelligence on who is scanning you and try to identify why. Understand what normal looks like so you can spot abnormalities. Build trust groups internally and externally to understand your threat vectors and changes in attack methodologies, and to exchange ideas and best practice.
Identify and isolate what is important to you, such as your IPR (Intellectual Property Rights), customer data, financial data, etc.
Review current access and limit access to sensitive data to only those who actually need to access it and need to know its content, not those who think they should have access. Identify your critical infrastructure and lock it down.
Be proactive, not reactive, to threats and vulnerabilities. Know when a wheel nut has come loose; don’t wait for the wheel to fall off before responding. Be as proactive in knowing what is leaving your network as you are in knowing what is trying to enter your systems.
Recognise your risks, relative to your mission and ambitions, and have clearly defined boundaries as to what your risk appetite is.
- Is it OK for your website to be down for 30 seconds, 30 minutes or 30 hours?
- Who are you going to call in a crisis? Where is your documented IR plan written down, and who can access it?
- What do your agreements say your suppliers and partners will do to assist you in a crisis? Think about reviewing their contracts.
- What is your press statement going to look like, and who is going to be your talking head?
- Plan for breaches, anticipate breaches, and rehearse and exercise your response; don’t wait until it happens and then have to make decisions in the middle of a crisis.
- What will be your single public message? (There are lots of good examples out there, deployed in recent events.)
- How will your staff, vendors and outsourced capability respond on Christmas Eve, or even Christmas Day, if you need help?
Understand how you are going to communicate during a crisis: if your systems are “owned” by a miscreant, it is no use using the corporate email system to decide on and share your battle plan.
- Patch management
- Good password rules
- Regular penetration testing
- The SANS Top 20 Critical Security Controls
In the UK, I always find it worth reviewing the UK Government’s best-practice cyber security advice on its gov.uk site.
When it goes wrong, know whom you are going to call.
Lastly, it’s all about the people, not the technology: your people are your asset. But never forget that they can be exploited and can be a vulnerability, so invest time in educating them and getting their buy-in.
Xanadata is a data analytics company specialising in building systems that analyse data at extreme throughputs, addressing markets such as cyber security, e-discovery and BI analytics. It develops and builds custom hardware and software to allow organisations to rapidly identify vulnerabilities, threats and risks caused by systems connecting to the Internet. Contact us to help you understand your systems, all their endpoints and all their vulnerabilities.
Original blog written by Kevin Williams for Team Cymru. Blog reproduced with thanks to Team Cymru.