When You Can’t Have it All

8th of July 2019

By Gaffri Johnson, Senior Security Consultant, FortConsult

When you are responsible for managing your information security, ideally you would want to cover every possible angle. But a number of factors, such as financial resources, time and competencies, force you to prioritise. If prioritising is a challenge, a good exercise is to simulate a constraint. For example, what if we could only have 9 different domains of IT security to focus on? Which 9 areas would we include in order to have the biggest positive impact on our information security posture?*

*We acknowledge that by choosing, you would leave out other important domains or areas of information security, but the point of the exercise is to force you to prioritise.

Our GRC specialist and senior security consultant Gaffri Johnson’s favoured picks would be a mix of certain components from the ISO 27001 standard, coupled with the first 6 CIS controls. Here, we sum up Gaffri’s suggestions; you can read the full article with detailed explanations for each selection here.

1. The right leadership to support information security
Without management support, you’re going to struggle. Management support is not only defined by the size of the purse at your disposal. You also need IT security to be positioned properly in the organisation (i.e. not as a subdivision of the IT department), and to have a mandate in business decisions related to digitisation projects. IT security also needs to have gatekeeper powers for procurement and development projects.

2. An information security risk assessment programme
This allows you to make sound decisions based on an understanding of the IT risks related to your organisation – and their potential impact on your business.

3. Prioritising awareness and cultural change
Educating your organisation regularly is essential, and not only in the shape of general awareness. You need to acknowledge that different stories about information security are needed for different types of employees.

4. Inventory of authorised and unauthorised devices
Having no oversight and control of the devices that are used in the organisation exposes your business to a high risk of compromise. This goes hand in hand and intertwines with the risk assessment programme, as a part of the foundation for your risk assessments (see #2 above).

5. Inventory of authorised and unauthorised software
As in #4 above, having no control over the software that you allow in the organisation will almost certainly lead to a security breach sooner or later. As with #4, this goes hand in hand with the risk assessment programme, as a part of the foundation for your risk assessments (see #2 above).
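Items #4 and #5 both come down to one recurring check: compare what is actually present on the network with what has been authorised, and treat every difference as a finding for the risk assessment programme. The script below is an added example (it is not code from the original article or from FortConsult) showing that reconciliation in Python. The device inventory, the software allowlist and the observed report format (one line per host, `mac|hostname|pkg=ver;pkg=ver`) are all constructed for illustration; a real deployment would feed it from a DHCP/ARP scan and an endpoint agent.

```python
"""Reconcile observed devices and installed software against authorised inventories.

Added example, not from the original article or FortConsult. All inventories
and the observation format below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str      # "unauthorised_device" or "unauthorised_software"
    host: str      # hostname as reported by the observation
    detail: str    # MAC address, or "package" / "package version"


# Constructed authorised device inventory, keyed by MAC address (#4).
AUTHORISED_DEVICES = {
    "00:11:22:33:44:01": "ws-finance-01",
    "00:11:22:33:44:02": "ws-hr-02",
    "00:11:22:33:44:10": "srv-files-01",
}

# Constructed software allowlist (#5). None allows any version; a set restricts
# the package to the listed versions.
AUTHORISED_SOFTWARE = {
    "office-suite": None,
    "pdf-reader": {"11.2", "11.3"},
    "browser": None,
    "vpn-client": {"4.0"},
}

# Constructed observation report: "mac|hostname|pkg=ver;pkg=ver" per line.
OBSERVED = """\
00:11:22:33:44:01|ws-finance-01|office-suite=2019;pdf-reader=11.3;browser=75
00:11:22:33:44:02|ws-hr-02|office-suite=2019;pdf-reader=9.0;remote-tool=1.1
00:11:22:33:44:99|unknown-laptop|browser=75
"""


def parse_observations(text):
    """Parse the constructed report into (mac, hostname, {package: version})."""
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, hostname, pkgs = line.split("|")
        software = {}
        for item in pkgs.split(";"):
            if item:
                name, _, version = item.partition("=")
                software[name] = version
        hosts.append((mac.lower(), hostname, software))
    return hosts


def reconcile(observed, devices=AUTHORISED_DEVICES, software=AUTHORISED_SOFTWARE):
    """Return one Finding per unauthorised device and per unauthorised package."""
    findings = []
    for mac, hostname, installed in parse_observations(observed):
        if mac not in devices:
            # An unknown device is the finding to act on first; its software
            # is still reported so the picture is complete.
            findings.append(Finding("unauthorised_device", hostname, mac))
        for name, version in installed.items():
            if name not in software:
                findings.append(Finding("unauthorised_software", hostname, name))
            elif software[name] is not None and version not in software[name]:
                findings.append(
                    Finding("unauthorised_software", hostname, f"{name} {version}")
                )
    return findings


if __name__ == "__main__":
    for f in reconcile(OBSERVED):
        print(f"{f.kind:22} {f.host:15} {f.detail}")
```

Run as-is, it reports the unknown laptop, the outdated `pdf-reader` on `ws-hr-02` and the `remote-tool` package that is on no allowlist; each finding maps directly back to an authorisation decision that either exists or is missing, which is the input the risk assessment programme needs.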

6. Secure configurations for hardware and software
Too often, servers and infrastructure components are deployed with out-of-the-box security configurations, if any. Security best practices (and not default configurations) need to be enforced across your technology stack.

7. Continuous vulnerability assessments and remediation
Never lose control over Java, Adobe, browsers (and plug-ins) and business applications from third parties – and run frequent vulnerability assessments to ascertain that hardware and software are not providing an open door to your company’s crown jewels.

8. Controlled use of administrative privileges
Default admins, root accounts, SA/SU, enterprise and domain admins, admin service accounts and local admins on workstations provide attackers with a multitude of attack vectors.

9. Maintenance, monitoring and analysis of audit logs
You should always assume breach, as relying too much on the first preventive defences only (i.e. the delivery stage of the kill chain) is dangerous and will leave you in the dark when you are compromised. It is essential that you have visibility into network and system activity, so that you are able to detect malicious activity such as lateral movement, privilege escalation, exploitation and data exfiltration.
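Visibility only pays off if the collected logs are actually analysed for the behaviours named above. The script below is an added example (not code from the original article or from FortConsult) of two such detections run over constructed audit events: one account logging on to many distinct hosts from one source within a short window (a common lateral movement pattern), and an account being added to a privileged group (a privilege escalation indicator that also ties back to #8). The line format, hostnames, thresholds and group names are constructed assumptions; real sources such as the Windows Security log or auditd need their own parsers.

```python
"""Two simple detections over constructed authentication/audit log lines.

Added example, not from the original article or FortConsult. The log format,
the events, the thresholds and the privileged group list are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: ISO timestamp followed by space-separated key=value pairs.
SAMPLE_LOG = """\
2019-07-08T09:00:01 event=logon host=ws-finance-01 user=alice src=10.0.1.5 outcome=success
2019-07-08T09:05:10 event=logon host=ws-hr-02 user=alice src=10.0.1.5 outcome=success
2019-07-08T09:06:02 event=logon host=srv-files-01 user=alice src=10.0.1.5 outcome=success
2019-07-08T09:06:40 event=logon host=srv-db-01 user=alice src=10.0.1.5 outcome=success
2019-07-08T09:07:15 event=group_add host=srv-db-01 user=alice group=Administrators actor=svc-backup
2019-07-08T10:30:00 event=logon host=ws-hr-02 user=bob src=10.0.1.9 outcome=success
2019-07-08T10:31:00 event=logon host=ws-hr-02 user=bob src=10.0.1.9 outcome=failure
"""

# Constructed tuning values: alert when one (user, src) pair reaches this many
# distinct hosts inside the window.
LATERAL_HOST_THRESHOLD = 3
LATERAL_WINDOW = timedelta(minutes=10)
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "sudo", "wheel"}


def parse_line(line):
    """Turn one constructed log line into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_lateral_movement(events, threshold=LATERAL_HOST_THRESHOLD,
                            window=LATERAL_WINDOW):
    """Flag (user, src) pairs with successful logons to >= threshold distinct
    hosts within one sliding window. One alert per pair."""
    logons = defaultdict(list)
    for e in events:
        if e.get("event") == "logon" and e.get("outcome") == "success":
            logons[(e["user"], e["src"])].append((e["ts"], e["host"]))
    alerts = []
    for (user, src), seq in logons.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts.append({"user": user, "src": src, "hosts": sorted(hosts)})
                break
    return alerts


def detect_privilege_escalation(events, privileged=PRIVILEGED_GROUPS):
    """Flag any addition to a privileged group; the actor is kept so that a
    service account changing group membership stands out during triage."""
    return [
        {"user": e["user"], "group": e["group"], "host": e["host"],
         "actor": e.get("actor")}
        for e in events
        if e.get("event") == "group_add" and e.get("group") in privileged
    ]


def run_detections(text):
    events = parse_log(text)
    return {
        "lateral_movement": detect_lateral_movement(events),
        "privilege_escalation": detect_privilege_escalation(events),
    }


if __name__ == "__main__":
    for name, alerts in run_detections(SAMPLE_LOG).items():
        for alert in alerts:
            print(name, alert)
```

On the sample, `alice` from `10.0.1.5` reaches four hosts in under seven minutes and is then added to `Administrators` by a service account, so both detections fire; `bob`'s single failed logon does not, which is the point of thresholds and windows rather than alerting on every event.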

To sum up:
The right controls and automation, as CIS suggests, will only take you some of the way to an appropriate level of security. Investing in security technologies can help, but will not fully solve your cyber security challenges: if the underlying security governance processes are too immature, the technologies won’t be effective. This is why you have to ensure that effective IT security governance processes are in place. Using ISO 27001 as a security governance framework, paired with CIS20, is a very good starting point for that.