As discussed in the previous post, available here: https://www.starwindsoftware.com/blog/cyber-security-where-to-start-part-1, CIS 20 proposes a simple 3 phases approach as follows:
Now that we know our environment, we will see how to protect our assets but, first, we need to talk about an asset that is probably not listed in any CMDB. Nevertheles, it’s the most valuable asset of any organization: people, employees or call them how you want; basically, all the human beings that are involved in your business. To protect your systems, you need to educate your employees as they all play an important role in Cybersecurity.
In this “Protect” phase, we will, therefore, discuss both protecting your computers and raise the employee’s Cybersecurity awareness and try to answer the following questions:
- Is security taken into account while setting up your computers?
- Do you have an (up to date) anti-malware software deployed in your network?
- Do you regularly educate your users on Cybersecurity practices?
Define a secure baseline
Security baselines are a set of standard security measures for typical systems (e.g. Windows workstations, network devices) that prevent attackers from taking advantage of insecure configurations or vulnerabilities in the applications running on your systems. In other words, rules for setting up systems are defined upfront (most likely by your security team), and your systems should comply with these rules.
Obviously, your secure baseline should ensure that your operating systems and applications remain securely configured and up to date (i.e. security patches), that an (up to date) anti-malware is deployed and that built-in security functions of your operating systems are used (e.g. Windows BitLocker, Mac OSX FileVault).
What can be done on a regular basis?
- Periodically run Microsoft Baseline Security Analyzer to identify which patches are missing for Windows products and what configuration changes need to be made;
- Limit the use of removable media (USBs, CDs, etc.);
- Deploy an anti-malware with centralized management and automatic database update;
- Deploy multi-factor authentication when available, especially, for accesses outside your organization network (i.e. remote access);
- Change default passwords for all applications, operating systems, network devices;
- Encrypt hard drives, laptops, and mobile devices (e.g. BitLocker, FileVault);
Educate your employees on Cybersecurity
As mentioned above, your employees are the most valuable asset, and, in the meantime, the most difficult one to secure (sometimes referred to as the weakest link). Any employee can make a mistake and put the organization data at risk (e.g. phishing, fake president fraud, social engineering).
To ensure that your employees are and remain conscious about their role and responsibilities in protecting your organization, you need to define a security awareness program answering the following questions: what you communicate, how you communicate it and to whom?
A security awareness program defines how to train users of potentially threatening information and how to avoid situation that might put the organization’s data at risk. The goal is to empower the employees to take personal responsibility for protecting the organization’s information, and to enforce the policies and procedures that are in place.
The main benefits of a successful security awareness program:
- Employee mindset and behavior change because teams are personally invested in the security program.
- Informed teams and improved organizational resilience reduce security risks and staff-related data breaches.
- Reduced human error and process inefficiencies.
- Corrective actions based on the identification of nonconformities.
What to communicate?
- Lock your workstation when you leave it;
- Enforce the use of “screen-lock” for mobile devices;
- Don’t read confidential data in public transports;
- How to identify phishing emails;
- Ensure that everyone knows that common sense is ultimately your best defense. If something seems odd, suspicious, or too good to be true, it is most likely an attack.
- How and who to contact in case of suspicion;
- Tailor-made messages depending on the function in the organization and the threat landscape, such as secure code development for developers;
How to communicate?
- Develop an open-minded culture within the organization where people dare to speak up (e.g. clicking on a phishing email is a mistake but not telling it’s the worst)
- See something, say something
- Phishing campaigns (e.g. fake Paypal security notice warning potential marks of “unusual log in activity” on their accounts, fake Social Media notice warning of the reception of a new message);
- Global sessions for basic information relevant for any employee (such as phishing email) and tailor-made session (or even offsite training) for more specialized functions;
- Monthly or quarterly newsletters (e.g. SANS Ouch! Newsletter, Video of the Month, Daily Tips and Posters or MS-ISAC Monthly Newsletters);
- Posters, intranet messages, etc.
- Training is a continuous process. To be effective, security awareness training should be given during the onboarding and a on a regular basis;
- Don’t create “noise,” which your employees hear but don’t listen to. Don’t send newsletters on a daily basis. Give preference to working with monthly or quarterly campaigns;
- Tone at the top, get C-Level to buy in to increase support.
In this small article, we walked through some major steps, or, at least, starting steps to protect your identified assets. In the next, and last, article of this series, we will discuss the steps to ensure that you know how to handle a security incident and how to get back to business.