FUNDAMENTALS OF INFORMATION SECURITY CONTROLS
Sentinel Africa
In my time as a cybersecurity consultant, I have come across many instances where, after a security assessment or audit, I am looked at with great expectation to recommend an out-of-this-world solution to the loopholes the audit or assessment has unearthed.
Sadly, my response often fails to get a standing ovation. Why? Because of how simple it tends to be.
Reports have shown that in Kenya almost 90% of security breaches occur on information systems that have not been configured properly, where users are tricked into divulging privileged credentials, or where simple controls like patch and vulnerability management are not well implemented on the network.
For a security administrator looking to secure their environment, it can seem a daunting task just to work out where to start. In this article, I will take you through 5 areas information security managers need to look at as basics while implementing corrective information security measures in their environment.
The 5 are not in order of priority and should be implemented according to the organization's capabilities.
Configure all users and computers to authenticate against an Active Directory. Most networks run PCs and servers on the Microsoft Windows operating system. All users and computers should be in a Windows domain and be managed through an Active Directory.
Why? Statistics show 67% of breaches occur on the network when users' privileges are either hijacked or sniffed by external parties. Having an Active Directory (AD) enables you to reduce this number, since you as the AD administrator will implement very basic but absolutely important controls on your network:
- Password Policy enforcement
- Logging of user activity
- User access control (authentication)
- Identity Management
Patch management should be implemented as part of vulnerability management. Experts recommend that with proper patch management you might not need to be as aggressive with endpoint protection, since, apart from zero-day attacks, the vast majority of malware exploits vulnerabilities in out-of-date and unpatched systems.
As a systems custodian, this is paramount. You must ensure that your systems (OS, applications, databases, network devices, printers etc.) are properly configured. Basically, any type of system that has a settings file demands that you spend time analyzing how to switch on all of its security settings. Many exploits come through this original sin – misconfigured systems. The key issue here is competence: custodians have to upskill on the applications, OS and databases that are under their care.
The career path from CompTIA here can give you a quick guide to which competency requirements you might have and how to find proper training for them.
You have heard this many times in cybersecurity fora – you are only as strong as your weakest link (the human). People fall prey to scams, phishing, vishing and other ruses that then lead to some of the most serious security compromises that have been recorded to date. Research indicates that at least 53% of attacks are due to human error, where users, by virtue of their trusted access (especially insiders), click on links that lead to malware such as ransomware being introduced into the network. Google China, after all, was compromised when staff innocently plugged in flash disks.
Conducting awareness sessions is basic here. To be effective, and to add more functionality to your awareness program such as simulated phishing, USB drops and vishing, you should turn to a computer-based training solution.
Last but not least, you need to have backups.
These backups should mirror the level of importance the business places on the data being backed up. A backup is only as good as its restore, so doing regular restore tests is important to ensure that the data is not only usable but also sufficient if a disaster were to strike. Many organizations facing ransomware attacks have had to resort to their data backups as their only recourse. As a last resort when all preventive measures have failed, it is very important that you can restore data to a predetermined recovery point in the event of a cybersecurity incident.
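The restore test described above, as an added example that is not from the original article: a backup records a SHA-256 manifest of every file it contains, and the restore test extracts the archive into a scratch directory and checks each file against that manifest, so a silently corrupted or missing file is reported instead of being discovered on the day of the disaster. File names and contents in `demo()` are constructed for illustration.

```python
import hashlib, json, tarfile, tempfile
from pathlib import Path

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def make_backup(source_dir, backup_path):
    """Archive source_dir and write a SHA-256 manifest beside it (the recovery point)."""
    source_dir, manifest = Path(source_dir), {}
    with tarfile.open(backup_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    Path(f"{backup_path}.manifest.json").write_text(json.dumps(manifest))
    return manifest

def restore_test(backup_path):
    """Restore into a scratch dir and verify every manifest entry; returns (ok, problems)."""
    manifest = json.loads(Path(f"{backup_path}.manifest.json").read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(backup_path, "r:gz") as tar:
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # traversal-safe where available
            tar.extractall(scratch, **opts)
        for rel, digest in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"corrupt: {rel}")
    return not problems, problems

def demo():
    """Constructed run: back up two sample files, test the restore, then tamper with the manifest so the second test must fail."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data"); src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly close\n")
        backup = Path(work, "data.tar.gz")
        make_backup(src, backup)
        first = restore_test(backup)
        mpath = Path(f"{backup}.manifest.json")
        m = json.loads(mpath.read_text())
        m["ledger.csv"] = "0" * 64  # simulate silent corruption of one file
        mpath.write_text(json.dumps(m))
        second = restore_test(backup)
    return first, second
```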
- Multi-Factor Authentication – working as a preventive measure, implementing MFA reduces the gravity of an access credential compromise. Many of us use a username and password pair to access our computers, ERPs and other business systems. An additional authentication step for that access over a different channel, e.g. your phone, adds a much-needed layer of security against weak passwords and risky user behaviour.
- Privileged Access Management – for a network that uses multiple operating systems or is in a *NIX server environment, managing access to the root account can be very difficult. PAM comes in handy as it centralizes authentication into those secure and privileged sessions and can have additional functionality that is important to a security administrator, such as session timeouts, logging, session saving etc. PAM implementations, I must add, are not for a basic server setup and can get costly.
- Database Activity Monitoring – for financial services, e.g. banks, microfinances and Savings and Credit Societies, implementation of database activity monitoring is a security basic. A DAM will monitor all the privileged activities on the database that are being done on the backend by a privileged user (one hopes, the database administrator). However, a DAM can also be configured to block or disallow all instructions it deems illegal or unallowable on the backend, and in this mode it moves from being a corrective control to a preventive control.
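The monitor-versus-block distinction in the DAM item above, as an added example that is not from the original article or any DAM product: a small rule set is applied to a constructed stream of database audit events, and the same rules either only record a violation (corrective: the statement still runs) or reject the statement before execution (preventive). The rule names, the policy itself and the sample users and statements are all constructed for illustration.

```python
import re

# Constructed sample of a database audit stream as (db_user, statement) pairs;
# these are made-up entries, not real log data.
SAMPLE_EVENTS = [
    ("app_svc", "SELECT balance FROM accounts WHERE id = 42"),
    ("dba_jane", "UPDATE accounts SET balance = balance * 2"),
    ("dba_jane", "GRANT ALL PRIVILEGES ON accounts TO 'temp_user'"),
    ("app_svc", "DELETE FROM audit_log"),
    ("dba_jane", "SELECT * FROM accounts WHERE id = 7"),
]

# Hypothetical policy: what this DAM treats as unallowable on the backend.
RULES = [
    ("privilege_grant", re.compile(r"^\s*(GRANT|REVOKE)\b", re.I)),
    ("schema_change", re.compile(r"^\s*(DROP|ALTER|TRUNCATE)\b", re.I)),
    # An UPDATE/DELETE with no WHERE clause touches every row of the table.
    ("unscoped_write", re.compile(r"^\s*(UPDATE|DELETE)\b(?!.*\bWHERE\b)", re.I | re.S)),
    ("audit_tamper", re.compile(r"\baudit_log\b", re.I)),
]

def classify(sql):
    """Return the names of every rule the statement violates (empty if clean)."""
    return [name for name, pattern in RULES if pattern.search(sql)]

def process(events, mode="monitor"):
    """Run audit events through the DAM in one of two modes.

    monitor: every statement executes and violations are only recorded
             (corrective: you learn about it after the fact).
    block:   violating statements are rejected before execution (preventive).
    Returns (executed, alerts); each alert is (user, sql, rules, action).
    """
    executed, alerts = [], []
    for user, sql in events:
        hits = classify(sql)
        if hits:
            action = "blocked" if mode == "block" else "logged"
            alerts.append((user, sql, hits, action))
            if mode == "block":
                continue  # preventive mode: the statement never reaches the database
        executed.append((user, sql))
    return executed, alerts
```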
Over and above all, the importance of InfoSec controls can never be overemphasized.