In the cut and thrust of organizational life security issues may be left ‘to other people.’ This delegation of responsibility for organizational security can lead to security breaches. Changing the organizational culture from within an organization can prove to be extremely difficult, especially where there is little understanding of the threat posed or the need for change.
Compounding the problem is the difficulty of identifying personnel within the organization with the necessary skills and time to develop a comprehensive cybersecurity framework. The Center for Internet Security (CIS) recognized the need for a delineated set of controls with which an organization could establish a strong cybersecurity ecosystem.
The CIS critical security controls total 20 in number, and these are designed to be implemented in a step-by-step fashion to lead organizations to greater levels of security and improved regulatory compliance. The final 4 CIS critical security controls outline the steps required at an organizational level to enhance and maintain high standards of security.
This is achieved through a strong focus on cybersecurity by design and default; primarily by creating a security-conscious culture in all departments within the organization, from software development and acquisition to Human Resources and public-facing roles. Of course, those roles that are considered as business-critical should carry priority for ongoing security awareness training and systems testing.
1. Implement a Security Awareness and Training Program
What is security awareness? It refers to the intra-organizational awareness and level of understanding regarding the organization’s specific security issues, both physical security and digital security. Where security awareness is used as a means of assessing the level of knowledge and engagement of personnel with security issues, the training program is how that level of awareness is developed and increased. CSC 17 addresses the important role that personnel play in enhancing or depleting organizational security.
Why is it important? Without an understanding and awareness of security issues, it is unreasonable to expect personnel to behave in a security-conscious way. This is why training personnel and cultivating a security-conscious corporate culture should be treated as an ongoing process. Disregarding this process can have a grievous impact on the overall effectiveness of the business. It can, in the worst cases, lead to litigation, adversely affect brand value or share price, and could attract the intervention of data protection regulators.
Tools and Procedures:
- Conduct a security awareness information-gathering exercise.
- Identify areas of weakness in security awareness.
- Develop an ongoing staff security awareness program.
- Employ staff training in cyber awareness.
2. Application Software Security
Application software, colloquially referred to as apps, can be a great asset to an organization. Apps are either developed in house or acquired externally, often for streamlining processes within the organization or as services offered to customers. Regardless of origin, CIS critical security control 18 requires the active security management of all app developments. All developments should be designed with security in mind, whether the app is used in house or sold to the consumer market. This primarily comes from disciplined coding structures and policy; one example is that demonstration apps are tested locally, are not connected to the organizational network, and are promptly deleted after use.
When an organization takes its cybersecurity seriously, a simple software coding error on the part of the in-house team, or worse, in the acquired software, should not be the reason for a breach. Organizations often assume that third-party software products have been thoroughly tested and that they pose no security threat. However, CSC 18 suggests that it is prudent to take a caveat emptor approach; that is, to assume that all acquired software must be checked for security vulnerabilities prior to purchase.
Tools and Procedures:
- Actively train in-house software development teams in secure coding practices.
- Regularly update personnel on new weaknesses and vulnerabilities being exploited in third-party software applications.
- Employ analytical tools that can verify if software application security practices are being implemented correctly and take action when they are not.
- Deploy new software applications in a sandbox or controlled environment before open release on the system and test them against existing security protocols.
3. Incident Response and Management
When a cybersecurity incident occurs, the attacked organization must have a clear and effective response plan in place. Incident response requires procedures and processes that effectively detect an issue as it arises, analyze and respond to the problem, mitigate its impact, and eliminate the threat to the system. CSC 19 addresses issues around the protection of data and organizational reputation achieved by building and maintaining an incident response infrastructure that employs all the necessary elements, including management protocols, to quickly and efficiently deal with threats to the organization’s cyber systems.
Protecting the organization’s assets is an obvious priority, both for the security team and for top management; after all, what is a company worth if it loses its assets? What may not be so obvious is the nature of those assets, for example, loss of operational efficiency, loss of reputation, loss of data, even the loss of physical assets through fraudulent or malicious use. Another major reason to implement incident response management is regulatory compliance; in other words upholding the law regarding cybersecurity-related issues, especially around privacy and data protection.
Tools and Procedures:
- Develop an Incident Response and Management policy.
- Derive procedures and processes from industry best practice.
- Incorporate lessons learned from live incidents and test exercises.
4. Penetration Tests and Red Team Exercises
Penetration testing, also known as pen testing or ethical hacking, is simply the authorized testing of a system’s cybersecurity through staged attacks, the purpose of which is to identify areas of weakness that may be exploited by bad actors from inside or outside the organization. When testing the efficacy of a security system, the Red Team is the group that takes the role of the attacker of, or opposition to, the organization. Red Team exercises are the sanctioned activities of these benign opposition groups, whose main function is to bring the organization new information gained from approaches that differ from its existing view of its own defenses. CSC 20 requires the practical testing of all the preceding CIS critical security controls.
Unlike a physical security device, for example a padlock, cybersecurity is largely digital, and this makes it difficult to ascertain the security system’s ongoing effectiveness. An appropriate analogy might be an invisible net: how do we know if it has a tear and is no longer as secure? The obvious answer is to try to get something undesirable through the net, and this is exactly why pen testing and Red Team exercises are important; they work to find a tear or exploitable weakness in the system before a real attacker does. The CSC 20 control point tests the overall strength and resilience of the cybersecurity architecture, allowing for ongoing adjustments and improvement.
Tools and Procedures:
- Implement CSC 1-19 before attempting a penetration test.
- Employ industry best practices when making alterations to the organization’s cybersecurity architecture or when deploying new and untested tech such as software.
Organizational issues, rather than technology, are often at the center of breaches of security, and this highlights the need for ongoing security awareness training for all staff, but most especially for those individuals and departments that are business-critical.
The CIS Critical Security Controls provide a simple, step-by-step framework to help your organization achieve greater cybersecurity and regulatory compliance, and RSI Security has the expertise to make it happen. Contact us for a free consultation here.