Amar Singh of Cyber Management Alliance recently hosted an educational webinar on the foundational controls every business needs. The webinar, available for viewing online, is titled Designing the Foundations of a Secure Organisation. Amar invited David McKissick of Tripwire, an expert in this field, to join him and discuss these controls and how they can improve an organisation’s overall cybersecurity posture.
Throughout his career, Amar has found that many organisations lack a solid foundation of controls and processes. Over time these weak foundations start to shake, fall apart and eventually damage the organisation, and it is often basic issues that cause the downfall. If the foundation is not right for your company, removing just one control can be enough to bring its reputation crumbling down.
The webinar also discussed how companies are constantly searching for new technologies, the next-generation product that will solve all their problems; Artificial Intelligence (AI) is a prime example. People are looking for a new dynamic solution that will protect them from every possible cyber-attack, but the basics get missed. Simply buying technology is not the answer, says Amar; technology alone will not prevent cyber-attacks. Don’t be tempted to ‘just tick the boxes’ in order to comply with regulations, particularly from May 2018.
Foundational controls are the essential controls needed to build a secure foundation, and they matter: get them right and there is every possibility that you will get your security right. Cyber-criminals don’t like these controls, especially when they are implemented correctly!
What Do We Mean by Foundational Controls?
For David McKissick, foundational controls form the core of your security architecture. As companies run more and more software processes, and with the rise of Internet of Things devices, the attack surface grows ever larger, creating targets of opportunity for cyber-criminals to steal sensitive, confidential information and bring down networks.
2016 probably saw more cyber-attacks than any other year. These attacks not only caused monetary losses but also damaged the reputations of businesses worldwide and created legal liability. This year, the UK government announced a £1.9 billion investment over the next five years to help protect the country against cyber-attacks.
Foundational controls help detect threats, remediate a breach and harden systems against cyber-attacks. They are fundamental and provide the backbone of your organisation’s security. David believes that too much emphasis is placed on primitive controls and that employees represent the largest threat to a business. For many it is not a case of ‘if there’s a breach’ but ‘when there’s a breach’.
The Pillars of Foundational Controls
- Discovery – actively manage, inventory, track and correct all devices on the network; create a list of the authorised software and versions required within the organisation.
- Best Practices – establish a standard secure configuration for your operating systems and software versions; standardised images should be hardened builds that are validated and updated regularly to keep the security configuration current.
- Risk Assessment – run automated vulnerability scanning tools against all systems on the network weekly or more frequently, and deliver prioritised lists of the most critical vulnerabilities to each responsible system administrator. The majority of breaches have come from known vulnerabilities that have not been patched.
- Monitoring – leverage all available logs to detect, assess and monitor what is taking place inside your network and on your devices; know what has happened on your critical infrastructure 24/7.
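As an added example (not from the webinar, Cyber Management Alliance or Tripwire), the following script ties the first three pillars together: it takes a discovered inventory of hosts and their software, an authorised software list with approved versions, and a table of known-vulnerable versions, and produces a prioritised finding list for each responsible system administrator. All hostnames, package names, versions, owners and severities are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: the authorised software list with approved versions
# (Best Practices), a table of known-vulnerable versions (Risk Assessment), and
# the discovered inventory of hosts, owners and installed software (Discovery).
AUTHORISED = {"openssh": "9.6", "nginx": "1.26", "postgresql": "16.2"}
KNOWN_VULNERABLE = {("openssh", "8.9"): "critical", ("nginx", "1.18"): "high"}
INVENTORY = [
    {"host": "web01", "admin": "alice", "software": {"nginx": "1.18", "openssh": "9.6"}},
    {"host": "db01", "admin": "bob", "software": {"postgresql": "16.2", "openssh": "8.9", "redis": "7.2"}},
    {"host": "iot-cam-7", "admin": None, "software": {"busybox": "1.31"}},  # unowned IoT device
]
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def assess(inventory, authorised, known_vulnerable):
    """Return {admin: [(host, severity, message), ...]} sorted by severity.

    Hosts with no responsible admin are reported under 'unassigned', since a
    device nobody owns is itself a gap in the inventory pillar.
    """
    findings = defaultdict(list)
    for device in inventory:
        owner = device["admin"] or "unassigned"
        if device["admin"] is None:
            findings[owner].append((device["host"], "high", "host has no responsible admin"))
        for pkg, ver in device["software"].items():
            if pkg not in authorised:
                # Software outside the authorised list: unmanaged and unpatched by definition.
                findings[owner].append((device["host"], "medium", f"{pkg} {ver} is not on the authorised software list"))
                continue
            sev = known_vulnerable.get((pkg, ver))
            if sev:
                findings[owner].append((device["host"], sev, f"{pkg} {ver} has a known vulnerability; approved version is {authorised[pkg]}"))
            elif ver != authorised[pkg]:
                # Drift from the approved build without a known vulnerability: still fix, lower priority.
                findings[owner].append((device["host"], "low", f"{pkg} {ver} drifts from approved version {authorised[pkg]}"))
    for owner in findings:
        findings[owner].sort(key=lambda f: SEVERITY_ORDER[f[1]])
    return dict(findings)


if __name__ == "__main__":
    for owner, items in assess(INVENTORY, AUTHORISED, KNOWN_VULNERABLE).items():
        print(f"== {owner} ==")
        for host, sev, msg in items:
            print(f"  [{sev:8}] {host}: {msg}")
```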
The CIS Critical Security Controls (CSC) are a good base from which to start; they list twenty actions that help organisations block or mitigate attacks. By implementing the first five CIS controls, which are critical, you can reduce the risk of cyber-attacks by roughly 85%, says David. He adds that implementing all twenty controls, which are important, reduces the risk by about 94%.
A prime objective of a cyber-criminal is persistence, says Amar: the aim is to stay within your network as long as possible to observe it, and if that is achieved it will have a negative impact on the business. Visibility into your networks, servers and IoT devices is crucial should a breach occur, so that you can understand how, why and where the attack took place.
Regulations such as breach notification are going to become a business imperative over the coming months and years; knowing exactly what happened when a breach occurs will be the aim for every organisation that has to report back to regulators. Log management, and knowing what you are logging, is therefore an essential part of foundational controls. From May 2018 and the introduction of breach notification laws, you won’t be able to notify the regulators if you don’t know you’ve been breached, and that will cost you a significant amount of money.
Should the foundational controls be implemented in a specific order? Not necessarily, David advises, but controls one and two come first, i.e. understanding the hardware and software on your network; only then can you see vulnerabilities and implement secure configurations. The important part is knowing what’s on your network, so that you can focus on what to protect – you can’t protect what you don’t know about.
Amar adds that it is important to know the top risks you face as an organisation by taking a risk-based approach.
Is this approach suited to organisations of any size? In David’s opinion, yes, because every business needs to know what’s on its network. It’s a misconception that large companies hold more intellectual property than smaller ones; law firms are an example.
Implementing these foundational controls is a big task, and companies may be tempted to look at protect-and-block solutions instead. There are so many factors to consider: segmented networks, BYOD and user devices, shadow IT and users installing applications on their work devices – don’t be led by the hype.
For Amar, there is no such thing as protection. There are deterrents, and there is the question of whether you can detect and respond. No foundational control is more important than another; they are all linked.
Discover more about the essential foundational controls and learn which ones David believes are crucial to protecting your networks, servers and devices by viewing Cyber Management Alliance’s highly informative and interesting webinar.