The current state of Australian security breaches has thrown organisations into chaos and disarray. Australia currently ranks 5th in the world for cybercrime density, and 11th in the world for the average cost of a data breach ($4.5m). However, most of these breaches could have been avoided had basic cyber security hygiene been implemented.
If implemented correctly, the five items detailed below will give your organisation a fighting chance when, not if, attackers attempt to breach your networks and applications.
1) Know Your Attack Surface
You can’t defend what you don’t know exists! Before you can start defending and monitoring your networks, applications and staff, you must first identify all the assets and areas of risk that make up your overall attack surface. Ensure that you undertake daily discovery scans and conduct a gap analysis of newly discovered assets.
Additionally, it is important to ensure that your asset management system is updated regularly, that all newly identified assets are added to your vulnerability management program, and that security assessments are carried out routinely.
It should go without saying that these activities must be undertaken against both your Internet-facing assets and your internal corporate assets.
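The gap analysis step described above, as an added example that is not part of the original article: today's discovery scan is compared against the asset register, and the report lists unknown assets, registered assets that were not observed, and known assets whose exposed services have grown, with Internet-facing items queued first for the vulnerability management program. All IP addresses, hostnames and services below are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    services: frozenset  # e.g. {"443/tcp https"}
    zone: str            # "internet" or "internal"

# Constructed sample data: what the asset register says exists ...
INVENTORY = {
    "203.0.113.10": Asset("203.0.113.10", "www.example.com", frozenset({"443/tcp https"}), "internet"),
    "203.0.113.11": Asset("203.0.113.11", "mail.example.com", frozenset({"25/tcp smtp", "443/tcp https"}), "internet"),
    "10.0.0.5": Asset("10.0.0.5", "files.corp.local", frozenset({"445/tcp smb"}), "internal"),
    "10.0.0.9": Asset("10.0.0.9", "old-build.corp.local", frozenset({"22/tcp ssh"}), "internal"),
}
# ... and what today's discovery scan actually observed (also constructed).
DISCOVERED = {
    "203.0.113.10": Asset("203.0.113.10", "www.example.com", frozenset({"443/tcp https", "22/tcp ssh"}), "internet"),
    "203.0.113.11": INVENTORY["203.0.113.11"],
    "203.0.113.42": Asset("203.0.113.42", "dev-api.example.com", frozenset({"8080/tcp http"}), "internet"),
    "10.0.0.5": INVENTORY["10.0.0.5"],
}  # note: 10.0.0.9 was not seen at all today

def gap_analysis(inventory, discovered):
    """Compare a discovery scan against the register and return the gaps."""
    report = {"unknown": [], "missing": [], "new_exposure": [], "vm_queue": []}
    for ip, seen in discovered.items():
        known = inventory.get(ip)
        if known is None:  # discovered but never registered
            report["unknown"].append(ip)
            report["vm_queue"].append(ip)
            continue
        added = seen.services - known.services
        if added:  # known host, but its exposed services grew
            report["new_exposure"].append((ip, sorted(added)))
            report["vm_queue"].append(ip)
    # In the register but not observed: decommissioned, or a scan blind spot.
    report["missing"] = [ip for ip in inventory if ip not in discovered]
    # Internet-facing gaps are triaged first since anyone can reach them.
    report["vm_queue"].sort(key=lambda ip: (discovered[ip].zone != "internet", ip))
    return report

def reconcile(inventory, discovered):
    """Return an updated register: unknown assets added, new services recorded.
    Missing assets are kept; removal needs a human decommissioning decision."""
    updated = dict(inventory)
    for ip, seen in discovered.items():
        known = updated.get(ip)
        updated[ip] = seen if known is None else Asset(
            known.ip, known.hostname, known.services | seen.services, known.zone)
    return updated
```

Run `gap_analysis(INVENTORY, DISCOVERED)` daily and feed `vm_queue` into the vulnerability management program; `missing` entries need a human check before anything is removed from the register.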
2) Secure the Network Perimeter AND the Perimeter Endpoints
The saying “the endpoint is the perimeter” has become a rallying cry in recent times. Unfortunately, it is quite true.
Gone are the days when the network firewall was the only point of focus for security controls. Client-side attacks are often used to circumvent perimeter controls by targeting end users directly. Endpoint Detection and Response (EDR) security controls are now a ‘must-have’ to defend against these attacks.
On the flip side, attackers continue to relentlessly target web applications and cloud platforms. Next-Generation Firewalls (NGFW) and Web Application Firewalls (WAF) are great security controls to better secure your network perimeter.
It is critical to ensure that your Internet-facing systems are security hardened! This includes enforcing Multi-Factor Authentication (MFA) on all external access and deploying a SIEM (Security Information and Event Management) to keep a watchful eye over all of your infrastructure systems and applications.
3) Perform Routine and Comprehensive Security Tests
Penetration testing has become a multi-billion-dollar industry. However, most “penetration tests” are nothing more than vulnerability scans in sheep’s clothing. It is important to implement a multi-level security testing program to provide the best insight into the security risks affecting your systems. This includes:
- Daily Vulnerability Scanning.
- Monthly Social Engineering (Phishing) Campaigns.
- Quarterly Penetration Testing against your networks, applications, and cloud platforms.
- Yearly Red and Purple Team assessments.
However, this should only be the beginning. Ensure that you have implemented a robust vulnerability management program so that all findings from these engagements are being addressed and remediated promptly.
At a minimum, vulnerability scanning and routine penetration testing must be performed, even if you’re on a budget. Oh, and don’t forget to rotate your service provider for these engagements.
Complacency is a killer!
4) Develop and Drill Your Incident Response Capabilities
“Everybody has a plan until they get punched in the mouth.” – Mike Tyson
All Incident Response (IR) capabilities should be routinely refined and tested to maintain their effectiveness, in the same way as sharpening a sword. This approach is critical to putting an organisation in the best possible position to combat the next attack threatening the business. It is best broken down into three pillars: people, process, and technology.
- People need to be appropriately trained.
- Processes need to be in place and routinely tested (including policies and IR playbooks).
- Technology needs to be deployed to ensure the best systems are in place to respond and defend against cyber attacks.
All three pillars should be reviewed and updated every six months to ensure they are still relevant to the business context and aligned with industry-standard best practices. A fantastic way of simulating an attack against your Incident Response capabilities is to routinely undertake Purple Teaming assessments. After all, how do you know your sword is sharp unless you use it?
5) Train Your Army
An untrained army will lose every battle, every time. Cybersecurity training is often seen as an expense rather than an asset. Yet a well-trained Blue Team can save an organisation millions of dollars when a security breach occurs.
Cybersecurity training should always be approached from multiple angles.
- Technical training for all IT Staff, including engineers and analysts.
- Cyber security awareness training for all staff.
- Specific awareness training for high-value targets such as CEOs and CFOs.
Remember that while cyber security training is important, it is just as important to put the training to the test by performing in-house drills. There are several budget-friendly alternatives to the big service providers, which can include web-based training providers or even implementing a train-the-trainer style approach. Now, go drill, drill, drill, soldier!
Although the five points above do not account for every approach you can take to harden your company’s security posture, they are a great starting point to ensure you don’t become the next news headline.