With the proliferation of advanced security tools, enterprise and C-Suite managers have recently turned to deploying the most fashionable, powerful, and popular products on the market, bolstering their defensive capabilities and impressing shareholders.
The story is typical: a CIO or CISO is lured by a clever marketing pitch or a widely shared article. The pitch can take the form of an exciting showcase at an industry event, or of a vendor pressuring a CISO with the claim that it has discovered a vulnerability that only its product can block. Just ask OPM (the Office of Personnel Management): one vendor believes that its product demo is what detected the largest breach in U.S. Government history.
Although this Black Friday-esque approach to IT security makes us feel like we’re doing well by our enterprise, we would be more effective and efficient in our cybersecurity investment if we ask ourselves the following questions:
Where Does Cybersecurity Fit Into My Enterprise’s Mission?
Although the need for cybersecurity is obvious, where the function sits in an organization's hierarchy says a lot about how seriously the enterprise takes it.
- Is security merely a hedge against a disaster that is unlikely to affect us? Seek protections that don't hinder work performance. Stick to a blacklisting approach. Place the CISO in the physical security department. Let employees connect their personal computers to the enterprise LAN (Local Area Network).
- Is security part of a risk mitigation strategy in a high-risk environment? Implement a whitelisting strategy and place the CISO close to the General Counsel's or CEO's office. Provide employees with corporate devices and allow only those devices on the enterprise LAN.
- Is security an integral part of your business? Put the CISO in the C-Suite. Show customers that, just as your organization takes its own security seriously, it will take care of their security with due care.
What Exactly Am I Defending?
No security tool is effective against assets that lie beyond its reach. All known assets ought to be covered by the security software suite; that's obvious. The difficult question is: how do I identify the assets I don't know about?
An easy approach would be to lock down the network and whitelist connected devices. However, what about peripherals connected to individual endpoints? A user charging a mobile device in a USB port (a phone plugged into USB is not just drawing power; it enumerates as a device and can carry data), a portable mouse, Bluetooth-enabled devices, remote connections, and official guests who bring devices to your worksite are all scenarios that ISOs (information security officers) cannot possibly know about in advance.
Another class of uncertainty is who is using the network. The easiest model is to give everyone the same permissions for all services using the same credentials, which are committed to memory (or worse, to sticky notes and email). Each element of that approach is a liability. To ensure accountability (which improves policy compliance) and mitigate risk, systems administrators ought to build a system in which every account on the enterprise network maps to exactly one human being at any given moment, only that person can be using the account, and the account carries only the privileges that person's job requires (least privilege). Shared and service accounts are the usual exceptions, and they belong in the same inventory as everything else.
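The accountability requirement above can be checked against authentication logs. The following is an added example, not code from the article or its author: it parses a small log in a constructed format (ISO timestamp, LOGIN/LOGOUT, account, source host), flags accounts that are logged in from more than one host at the same time (a sign of shared credentials), and lists accounts that map to no named person in a constructed roster. The log format, the roster, and the account and host names are all assumptions made for this illustration.

```python
"""Audit an authentication log for accounts that do not behave like
"one human, one account".  Added illustration; log format and roster
are constructed for this example and are not from any real system."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <LOGIN|LOGOUT> user=<account> host=<source>"
SAMPLE_LOG = """\
2024-03-04T08:01:10 LOGIN user=jdoe host=ws-17
2024-03-04T08:03:42 LOGIN user=svc-backup host=srv-db1
2024-03-04T08:05:00 LOGIN user=admin host=ws-02
2024-03-04T08:06:30 LOGIN user=admin host=ws-09
2024-03-04T08:40:00 LOGOUT user=admin host=ws-02
2024-03-04T09:15:00 LOGIN user=asmith host=ws-21
2024-03-04T09:20:00 LOGOUT user=jdoe host=ws-17
"""

# Constructed roster: the named person who owns each account (None = nobody).
ROSTER = {
    "jdoe": "Jane Doe",
    "asmith": "Al Smith",
    "admin": None,        # generic account, no single owner
    "svc-backup": None,   # service account, no human owner
}


def parse_log(text):
    """Turn log lines into (timestamp, event, account, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user_kv, host_kv = line.split()
        user = user_kv.split("=", 1)[1]
        host = host_kv.split("=", 1)[1]
        events.append((datetime.fromisoformat(ts), event, user, host))
    return events


def concurrent_sessions(events):
    """Return {account: sorted hosts} for accounts that were logged in from
    more than one host at the same moment.  One person cannot be typing at
    two workstations at once, so this usually means shared credentials."""
    active = defaultdict(set)   # account -> hosts with a live session
    flagged = defaultdict(set)  # account -> hosts seen during the overlap
    for _ts, event, user, host in sorted(events):
        if event == "LOGIN":
            active[user].add(host)
            if len(active[user]) > 1:
                flagged[user] |= set(active[user])
        elif event == "LOGOUT":
            active[user].discard(host)
    return {user: sorted(hosts) for user, hosts in flagged.items()}


def unowned_accounts(events, roster):
    """Accounts that appear in the log but map to no named human."""
    seen = {user for _ts, _event, user, _host in events}
    return sorted(user for user in seen if not roster.get(user))


def audit(text, roster):
    """Run both checks and return the findings as a dict."""
    events = parse_log(text)
    return {
        "concurrent": concurrent_sessions(events),
        "unowned": unowned_accounts(events, roster),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_LOG, ROSTER)
    for user, hosts in findings["concurrent"].items():
        print(f"{user}: simultaneous sessions from {', '.join(hosts)}")
    for user in findings["unowned"]:
        print(f"{user}: no named owner in roster")
```

On the constructed sample, `admin` is flagged for overlapping sessions from two workstations, and `admin` and `svc-backup` are reported as having no named owner. The overlap check is only as good as the LOGOUT records; sessions that end without one will look perpetually active, so in practice you would also expire sessions after a timeout.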
Do I Have Clear Policies?
At the end of the day, the weakest point of the enterprise is human beings. Restricting hardware peripherals is a technical control that can be applied with little impact on the business. Whitelisting email is not: the business has to accept mail from people it has never corresponded with. Is it any surprise, then, that phishing email is one of the most popular vectors for every kind of threat? What if my CEO, who is not as cyber savvy as the CISO, clicks the wrong link in an email?
Policies are more than guidance for when the correct path is difficult to discern; they empower users to make difficult decisions knowing that they are backed by experts and protected by the organization.
So Why Does This Need to Be Said?
There are two reasons why small and medium-size enterprises do not state their mission, take an inventory of their assets and users, and set policies. First, it is not among the most glorious parts of the job, and second, it can lead to uncomfortable discoveries, since what you don't know can't hurt you, as the saying goes. However, consider this: what does it signal to customers when they notice that an enterprise takes its own data security seriously? What does it signal to employees when the IT acceptable use policy is posted in the coffee room where they congregate? These are the questions that companies need to ask themselves to ensure that they pursue cybersecurity plans that will yield the most benefit to themselves and their customers.
Jonathan Berliner is a Cybersecurity Solutions Engineer at Booz Allen Hamilton. He specializes in using big data analytics and software development to support network security and incident response, as well as cryptography and public key infrastructure. Previously, he was on the operations and calibration staff of Caltech's LIGO Laboratory.