As a consultant in Cybersecurity I am often being asked how small organizations are supposed to protect themselves against cyber problems with limited resources and budget.
Nowadays it’s quite trendy to have penetration testing as a starting point for cybersecurity. Even though penetration testing is a good practice, it’s very limited and focused on one application/product and should therefore not be used as an entry point for cybersecurity.
This series of blog post will provide you with the basic actions for addressing the most common threats and vulnerabilities and for setting the foundation to increase the security posture of your organization. To do so we will use a well-known and recognized framework called the CIS 20 critical security controls
Before jumping into actions, let’s see what might, depending on your business, be the main concerns for small organizations:
- Theft of company information: whether by an external or most of the time by disgruntled employees
- Website defacement: what could be better for your competitors than defacing your website to steal your customers?
- Ransomware: we all heard stories the last couples of months (if not years) where organizations have to pay a ransom to get back their data and regain access to their system… and trust me a lot of organizations pay.
Independently of the threats you’re facing and the size of your organization, you should start first by asking yourself the following questions:
- Do you know what is connected to your computers and networks?
- Do you know what software is running on your servers and networks?
- Do you know and manage who has access to what and the privileges associated?
- Does your staff know their role in protecting the organization from cyber incidents?
Based on this small set of questions it becomes clear that we need to have phased approach. While many standards such as NIST proposed a 5 phases approaches (Identify, Protect, Detect, Respond,Recover), CIS 20 proposes the following simple 3 phases:
Know
How to protect something that you don’t even know it exists?
Obviously, a rhetorical question but you would be surprised to see the amount of organizations running without any inventory.
Often known as CMDB (Configuration Management Database) in the ITIL world, this first phase consists of ensuring that you know:
- What is connected to your network?
- What software is installed?
- Which online platforms are used by your employees (cf. shadow IT)?
In this context the first 2 controls of CIS 20 critical security controls are applicable:
- Inventory and Control of Hardware Assets: “actively manage all hardware devices on the network so that only authorized devices are given access”.
- Inventory and Control of Software Assets: “actively manage all software on the network so that only authorized software is installed and can execute”.
You probably believe that it’s a daunting task, and … YES, building and maintaining an inventory might be a daunting task. But you will never be able to manage your organization if you don’t know your assets (e.g. what do you need to backup, what do you need to patch).
Fortunately, many tools can assist in building an inventory such as:
- NMAP: the most famous network scanner to identify all the devices connected to your network (i.e. one IP on your network should be linked to one asset that you know about);
- ZenMap: graphical interface for NMAP;
- Spiceworks: automatically detects devices and software on your network and provide a graphical interface to manage the inventory;
- Microsoft SCCM, Service Now, etc.
In this first post we discussed about the cornerstone of cybersecurity, in the next post we will discuss more in detail, how to protect your assets, now that you know them!
