As we near the end of 2018, technology professionals and businesses alike are looking back on the last 12 months and evaluating highs and lows. For businesses, this can be an essential step when it comes to evaluating the current state of security processes and protocol within the organization. The security landscape has grown more complex in the past year and will continue to transform in the year ahead, and a revamp of security controls can make a world of difference in protecting your business against new threats.
Of course, security strategies and processes can be overwhelming to implement, and trying to stay up to date with policies can create stress for both users and the IT staff. A security posture assessment—including a review of security controls—can be a critical first step for any organization that wants to quickly identify their strengths and weaknesses and determine how to solidify their security defenses.
A security control can be implemented on physical property, computer systems or any asset. Security controls can then be used as a checklist of sorts against the current health of your organization’s security, but in general they also can be implemented as safeguards or countermeasures to avoid, detect, counteract or even minimize security risks. While there are many options for security controls, there are a handful of options that IT professionals may find the most effective when managing their security posture.
The Center for Internet Security (CIS) has established 20 controls for organizations to follow to protect themselves from cyberattack. The first six basic CIS controls are designed as an ideal checklist, or baseline, and a great first step to allow teams to keep up with IT security management best practices:
Inventory and Control of Hardware
All physical equipment needs to be actively managed. Asset management is vital, especially when it comes to security. It’s important to be aware of all the assets interacting in your system, because you can be assured that a hacker is aware of everything you have and is scanning for devices going on and offline to identify which ones are not patched. You are not able to apply controls or validate that everything is accurately applied until you are fully aware of each and every device. If you are not patching all of your devices, they are vulnerable.
Inventory and Control of Software Assets
Attackers continuously scan target organizations looking for vulnerable versions of software that can be remotely exploited. Companies cannot protect what they cannot manage—it’s important to be aware of all assets in your IT infrastructure, including software. Keeping track of all software, including third-party software, is no light task. Auditing and actively managing inventory is vital. Tracking and correcting all software on the network includes ensuring only authorized software is installed and can execute. If unauthorized and unmanaged software is found, it needs to be prevented from installation or execution.
Continuous Vulnerability Management
Attackers have access to the same information and can take advantage of gaps. Companies that do not scan for vulnerabilities and proactively work to discover flaws first can be easily compromised. Continuous vulnerability management is not just for the operating system. Determine if you have passwords that are public or if your databases have any open vulnerabilities. Monitoring a network continuously is absolutely necessary to be able to update, track and change vulnerabilities. Luckily, there are tools that can identify vulnerabilities and allow users to verify what the impact is on their system.
Controlled Use of Administrative Privileges
The misuse of administrative privileges can allow attackers to spread throughout your IT infrastructure. It can be crucial to have a logging and event tool that can run continuously and alert you if an account has been added or removed from any type of admin group. Administrative access granted to the wrong person could be catastrophic to your security posture.
Not everybody should have access to all administrative privileges. The people who have administrative access rights should be a very small group. You also need your IT professionals to be comfortable with this group, because they should never want to go around them to receive access to anything.
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
While complex, this control needs to fortify the security configurations on hardware and software on mobile devices, laptops, workstations and servers. This security control must track, correct and report when needed.
As IoT grows, this can be even more important, since all of these devices can be connected. Whether it’s the day an iOS update is released or a problem with the network, it’s important to watch the ebbs and flows for any red flags.
Maintenance, Monitoring and Analysis of Audit Logs
Active logging and passive logging are different. We often turn on logging and feel comfortable with it running in the background. Passive logging grants you the ability to go back and look at different events and determine the cause of any issues. Active logging means you are responding to intrusions and anomalies in real time.
Without passive logging providing us a baseline for threshold monitoring, it’s difficult to determine the health of a system. The combination of these actions allows us to perform almost a health checkup of sorts on our system.
Don’t Forget Regular Cyberhygiene
There are always ways to improve upon any organization security posture, and that includes maintaining good cybersecurity hygiene. Whether that’s upgrading aging infrastructure and systems or consistently backing up data and teaching users how to use complex passwords, it’s vital to keep up strong cybersecurity hygiene throughout an organization.
Choosing to implement a security assessment can be a great first step toward a healthier and more secure organization. Beginning with the six basic and vital controls can offer a great backbone for a modern and fully developed security program.