BreachExchange mailing list archives

Top 10 - 2016 New Year's Resolutions for Cyber Security Professional


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 16 Dec 2015 18:23:36 -0600

http://thehackernews.com/2015/12/cyber-security-professional.html

Billions of dollars are spent in securing business operations, and yet
attackers still find ways to breach a network.

With the ever increasing growth in security attacks across all threat
vectors, you should consider these New Year’s resolutions to help solve
your security challenges in 2016:

   1. *Take stock of what you have*
   2. *Segment your Network*
   3. *Set up controls with ACLs*
   4. *Secure protocols, network ports, & services*
   5. *Monitor account activity*
   6. *Monitor servers & databases*
   7. *Make sure that your applications are secured*
   8. *Ensure security policies are in place*
   9. *Measure effectiveness and ensure your security products are doing
   their job*
   10. *Add threat intelligence into your security operations*

As you prepare for 2016 and reflect on all the security news stories from
this year, these ten resolutions need to be on your “*to-do*” list:

1. Take stock of what you have
Knowing the genetic makeup of your environment is the key to securing your
IT systems. It is critical to have an updated inventory of your systems,
applications, and network devices as you cannot secure what you do not know
about.

If you are starting up for the first time, you can use discovery inventory
tools to create that initial inventory.

You should also consider using continuous discovery tools to identify what
is connected to your private or internal network and what is connected to
the public network or Internet.

As a best practice, you should use your inventory list and create device
groups so that you can identify authorized users that perform critical
tasks.

Eventually, feeding this information into a monitoring product will help you
identify unauthorized access and mitigate threats before they become
attacks.

2. Segment your Network
Managing network traffic
<http://thehackernews.com/2015/02/network-security-auditor.html> and
allocating bandwidth are typically seen as the main purposes of network
segmentation, so some security aspects are often overlooked.

Adding new applications and making changes in the existing devices can
drastically impact the security of your networks.

With proper segmentation in place, you will be able to apply appropriate
security measures.

For example, the network that handles employees’ personal information and
compensation details could be clearly marked off from your financial
activities.

The key factors to consider when segmenting your networks should include:

   - knowledge of where your sensitive data resides
   - what applications and services your users need access to
   - capabilities of existing devices to implement segmentation
   - regulatory demand
   - how you will identify and respond when someone attempts to cross these
   boundaries

Based on this information you can allocate user and device permissions.
Once you segment your networks based on required access, it will become
easier for you to visualize how your devices interact across different
segments and to identify suspicious activity.

3. Set up controls with Access Control Lists
Your firewalls and routers will permit or restrict data flow based on your
ACLs. Ideally, you should be building your access control lists (ACLs)
based on user need and in line with your segmentation policies.

You need to identify what type of controls are necessary for your
applications and users.

With proper external ACLs, you can control IP spoofing in outbound and
incoming traffic. For example, if incoming traffic shows a source IP that
falls within your organization’s IP range, then it is suspicious. Similarly,
if outbound traffic shows a source IP that does not fall in your IP range,
then you have every reason to be suspicious.

You can make good use of your IP whitelists by configuring your firewalls
and routers to handle incoming and outgoing traffic accordingly.
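The two anti-spoofing rules described above (inbound traffic claiming an internal source, outbound traffic with a foreign source) are the same logic a border firewall or router ACL applies. The following script is an added example, not code from the article or from The Hacker News; it evaluates constructed flow records against constructed organization address ranges (RFC 5737 documentation blocks and RFC 1918 space) and returns a verdict per flow.

```python
"""Ingress/egress anti-spoofing check over constructed flow records.

Added example: models the two ACL rules the text describes.  Inbound
traffic whose source claims to be inside the organization's own address
space, and outbound traffic whose source is NOT inside it, are flagged.
The address ranges and flow records are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the organization's own address ranges (public block + internal space).
ORG_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),  # documentation range standing in for a public block
    ipaddress.ip_network("10.0.0.0/8"),      # internal RFC 1918 space
]


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" (arriving from the Internet) or "out" (leaving to the Internet)
    src: str
    dst: str
    dst_port: int


def is_org_address(ip: str) -> bool:
    """True if the address belongs to one of the organization's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_RANGES)


def classify(flow: Flow) -> str:
    """Return 'allow' or a 'drop: ...' reason for a single flow."""
    if flow.direction == "in" and is_org_address(flow.src):
        return "drop: inbound packet claims an internal source (spoofed)"
    if flow.direction == "out" and not is_org_address(flow.src):
        return "drop: outbound packet with foreign source (spoofed or misrouted)"
    return "allow"


def evaluate(flows):
    """Classify every flow; returns a list of (flow, verdict) pairs."""
    return [(f, classify(f)) for f in flows]


# Constructed sample flows: two legitimate, two that the ACLs should drop.
SAMPLE_FLOWS = [
    Flow("in", "198.51.100.7", "203.0.113.10", 443),  # normal inbound HTTPS
    Flow("in", "10.1.2.3", "203.0.113.10", 445),      # inbound claiming an internal source
    Flow("out", "10.1.2.3", "198.51.100.7", 443),     # normal outbound HTTPS
    Flow("out", "192.0.2.9", "198.51.100.7", 25),     # outbound with a source we do not own
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{flow.direction:3} {flow.src:>15} -> {flow.dst}:{flow.dst_port}  {verdict}")
```

The check deliberately looks only at the source address: that is what a spoofed packet lies about, and it is the one field an edge ACL can evaluate without state. A real deployment pairs the same two rules with the per-segment lists from resolution 2 so that a packet crossing a segment boundary is checked the same way.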

4. Secure protocols, network ports, & services
Whether it’s sensitive personal information or financial data, the demand
for security of electronic communication is high for both private and
business use.

To protect and keep your data secure, you need to secure your application,
transport, network, and data link layers.

To ensure the availability of your critical business services, monitor your
endpoints and detect traffic over restricted services, ports and protocols
to mitigate malicious activities like:

   - malware infections that could enter via removable devices like USBs
   - unauthorized port scans, as attackers use this method often to gain
   entry into your network

Communicate best practices to your users and let them know what is
acceptable and what is not - especially in terms of using BYOD,
transferring files, and using VPNs.

5. Monitor account activity

Access rights to your devices need to be controlled and monitored. Apply
the concept of least privilege enforcement to avoid abuse of privileges.

It is highly recommended that you monitor accounts
<http://thehackernews.com/2015/01/data-loss-prevention-tools.html> that are
given administrative privileges and set rules to automatically log off or
disable an account if it is used for performing unauthorized activities.

For example, administrators can create local accounts with local
administrative privileges. This is something an attacker or malicious
insider would do to ensure they can retain access, even if they lose their
privileged credentials.

Privileged accounts can, if unmanaged, lead to lack of accountability and
increase your chances of credential theft. Stolen credentials lead to
compromised networks which affect your customers, vendors, employees and
eventually lead to loss of reputation.
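The scenario above, an account being created and then given local administrative rights, is one that can be detected by correlating two audit events. The script below is an added example, not code from the article; its events are constructed samples with simplified field names modeled on Windows Security log events 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group), and S-1-5-32-544 is the well-known SID of the local Administrators group. The approved-provisioner list is an assumption standing in for whatever process your organization sanctions.

```python
"""Flag a newly created account that is added to local Administrators.

Added example, not from the article.  Events are constructed samples with
simplified field names modeled on Windows events 4720 and 4732.
"""
from datetime import datetime, timedelta

LOCAL_ADMINS_SID = "S-1-5-32-544"      # well-known SID: BUILTIN\Administrators
LOCAL_USERS_SID = "S-1-5-32-545"       # well-known SID: BUILTIN\Users
WINDOW = timedelta(minutes=30)         # how close the two events must be
# Constructed assumption: accounts allowed to provision local admins (e.g. a build pipeline).
APPROVED_PROVISIONERS = {"svc_deploy"}

# Constructed sample events, already parsed into dicts.
SAMPLE_EVENTS = [
    {"time": "2015-12-16T09:01:00", "id": 4720, "host": "WS-014",
     "subject": "jdoe", "target": "helper"},
    {"time": "2015-12-16T09:01:30", "id": 4732, "host": "WS-014",
     "subject": "jdoe", "member": "helper", "group_sid": LOCAL_ADMINS_SID},
    {"time": "2015-12-16T10:00:00", "id": 4720, "host": "SRV-02",
     "subject": "svc_deploy", "target": "appadmin"},
    {"time": "2015-12-16T10:00:10", "id": 4732, "host": "SRV-02",
     "subject": "svc_deploy", "member": "appadmin", "group_sid": LOCAL_ADMINS_SID},
    {"time": "2015-12-16T11:00:00", "id": 4732, "host": "WS-020",
     "subject": "jdoe", "member": "legacyuser", "group_sid": LOCAL_USERS_SID},
]


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_new_local_admins(events, window=WINDOW, approved=APPROVED_PROVISIONERS):
    """Correlate 4720 with a later 4732 into Administrators on the same host.

    Returns one alert dict per account that was created and then granted
    local admin within `window` by a subject that is not approved to do so.
    """
    creations = {}  # (host, account) -> (creation time, creating subject)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = parse_time(ev["time"])
        if ev["id"] == 4720:
            creations[(ev["host"], ev["target"])] = (t, ev["subject"])
        elif ev["id"] == 4732 and ev["group_sid"] == LOCAL_ADMINS_SID:
            created = creations.get((ev["host"], ev["member"]))
            if created is None:
                continue  # group change on a pre-existing account; out of scope here
            age = t - created[0]
            if age <= window and ev["subject"] not in approved:
                alerts.append({
                    "host": ev["host"],
                    "account": ev["member"],
                    "by": ev["subject"],
                    "seconds_after_creation": int(age.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_new_local_admins(SAMPLE_EVENTS):
        print("ALERT new local admin:", alert)
```

Only the first pair fires: the second is performed by the approved provisioner, and the third adds a member to Users rather than Administrators. A production rule would also watch for group changes on existing accounts and for 4720 events on hosts where no local account creation is ever expected.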

6. Monitor servers & databases
Maintaining the integrity of sensitive information is vital. Keep track of
changes made to files that contain business-critical information or system
data.

Since attackers like to modify local files or registry settings so they can
embed themselves, monitor these changes. Correlate file audit events with
user activity and system changes to thwart an attack.
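Tracking changes to critical files comes down to keeping a baseline of file digests and diffing against it on a schedule. The script below is an added example, not code from the article: it snapshots a directory tree with SHA-256, reports added, removed and modified paths, and `run_demo()` builds a constructed tree in a temporary directory (the file names and contents are made up) so the whole thing runs offline.

```python
"""Minimal file integrity check: baseline a tree, then report what changed.

Added example, not from the article.  run_demo() constructs sample files in
a temporary directory; the paths and contents are made up.
"""
import hashlib
import os
import tempfile


def _sha256(path, chunk=65536):
    """Digest a file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = _sha256(full)
    return result


def diff_snapshots(baseline, current):
    """Return sorted lists of added, removed and modified paths."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def run_demo():
    """Construct a small tree, take a baseline, change it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        # Constructed baseline state.
        write("etc/app.conf", b"listen=443\n")
        write("bin/service", b"\x7fELF original build\n")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Constructed changes that a monitoring job should surface.
        write("bin/service", b"\x7fELF altered build\n")      # modified binary
        write("etc/cron.d/newjob", b"* * * * * root /bin/true\n")  # new scheduled task
        os.remove(os.path.join(root, "etc/hosts"))           # deleted file

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:9}", paths)
```

The diff is the raw event; the value the text describes comes from joining each changed path with the user session and process that touched it, which means the baseline store itself has to live somewhere the monitored hosts cannot rewrite.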

7. Ensure security policies are in place
When regulatory agencies come up with compliance policies and procedures,
they are trying to help you know how to defend against attacks while also
building customer confidence in doing business with your organization.

In reality, compliance standards will help you to identify ways to improve
your IT infrastructure and act as a basis for your corporate security
strategy.

For example, you should have clear internal policies when employees use
their personal devices at work or when they use office devices/laptops at
home.

These policies can help you prevent rogue users and devices from tampering
with your data and network. In the case of mishaps, you should be able to
take immediate action - remotely/automatically with your endpoint
monitoring systems.

Implement change management for configurations of hardware and software on
laptops, workstations, servers and network devices, to prevent policy
violations and mistakes.

8. Make sure that your applications are secured
Patches are meant to plug security holes. You need to keep your systems
patched with latest updates from vendors so that you do not have known
vulnerabilities that could create unwanted issues.

Attackers find their targets based on known vulnerabilities
<http://thehackernews.com/search/label/Vulnerability> - so if patches are
not applied on time, you may be making yourself an easy target.

You should have a good patch management strategy in place to protect your
environment from threats and unwanted malware that could result in a
security breach.

9. Measure effectiveness and ensure your security products are doing their job
It has become imperative to use multiple security systems like anti-virus &
IDP/IDS.

Each of these systems is specialized and performs specific security
functions. But they operate in silos that could create gaps in data
correlation and leave your organization vulnerable.

So, how do you measure overall effectiveness and ensure that they are
working as expected?

Consider using a SIEM with continuous log monitoring capabilities so you
can monitor and consolidate logs from all devices centrally and help ensure
overall security of your environment.

Besides acting as a preventive measure, log monitoring also comes in handy
for performing forensic analysis, in the case of a security incident.

10. Add threat intelligence into your security operations
Threat intelligence data can help turn noise into actionable information to
respond to attacks before a breach occurs.

Leverage this information with real-time event correlation to protect your
environment from known bad actors.

As a best practice, send threat intelligence feeds into your SIEM since
it’s the best solution for collecting, consolidating, and analyzing all of
your log data and threat intelligence in one place.

A SIEM will help you detect attacks faster. Your SIEM should be able to
alert you if it gets a match between threat intelligence (*let’s say a bad
actor IP address or URL*) and what is happening on your network.
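The match the last two resolutions describe (consolidated logs from several devices, checked against a feed of bad-actor IPs and URLs) looks like the script below. It is an added example, not code from the article and not any SIEM's real rule language: the feed entries, the firewall and proxy log formats, and the log lines are all constructed, using RFC 5737 documentation addresses and a reserved example domain, and the script correlates them to produce alerts.

```python
"""Correlate firewall and proxy log lines against a threat-intelligence feed.

Added example, not from the article.  Feed entries, log formats and log
lines are constructed; real feeds and SIEM parsers differ in detail.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed feed: indicator -> provenance/reason.  Supports single IPs,
# CIDR ranges and domains (a domain matches itself and all subdomains).
THREAT_FEED = {
    "198.51.100.23": "feed-A: known command-and-control host",
    "192.0.2.0/24": "feed-B: hostile hosting range",
    "bad-downloads.example": "feed-A: malware distribution domain",
}

# Constructed key=value log formats for a firewall and a web proxy.
FW_RE = re.compile(r"\bsrc=(?P<src>\S+) dst=(?P<dst>\S+)")
PROXY_RE = re.compile(r'\buser=(?P<user>\S+) url="(?P<url>[^"]+)"')


def compile_feed(feed):
    """Split the feed into exact IPs, networks and domains for fast lookup."""
    ips, nets, domains = {}, {}, {}
    for indicator, why in feed.items():
        if "/" in indicator:
            nets[ipaddress.ip_network(indicator, strict=False)] = why
            continue
        try:
            ips[ipaddress.ip_address(indicator)] = why
        except ValueError:
            domains[indicator.lower()] = why
    return ips, nets, domains


def match_ip(ip_str, ips, nets):
    """Reason string if the address is an indicator or inside a listed range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    if ip in ips:
        return ips[ip]
    return next((why for net, why in nets.items() if ip in net), None)


def match_host(host, domains):
    """Reason string if the host or any parent domain is an indicator."""
    host = host.lower()
    while host:
        if host in domains:
            return domains[host]
        host = host.partition(".")[2]
    return None


def correlate(lines, feed=THREAT_FEED):
    """Return (log line, matched field, reason) for every indicator hit."""
    ips, nets, domains = compile_feed(feed)
    alerts = []
    for line in lines:
        fw = FW_RE.search(line)
        if fw:
            for role in ("src", "dst"):
                why = match_ip(fw.group(role), ips, nets)
                if why:
                    alerts.append((line, f"{role}={fw.group(role)}", why))
        px = PROXY_RE.search(line)
        if px:
            host = urlparse(px.group("url")).hostname or ""
            why = match_host(host, domains)
            if why:
                alerts.append((line, f"url host={host}", why))
    return alerts


# Constructed log lines from two devices, as a SIEM would hold them centrally.
SAMPLE_LOGS = [
    "2015-12-16T14:02:11 fw01 action=allow src=10.1.2.3 dst=198.51.100.23 dport=443",
    "2015-12-16T14:02:15 fw01 action=allow src=10.1.2.9 dst=203.0.113.5 dport=443",
    '2015-12-16T14:03:01 proxy01 user=jdoe url="http://cdn.bad-downloads.example/update.exe" status=200',
    "2015-12-16T14:03:40 fw01 action=deny src=192.0.2.77 dst=10.1.2.3 dport=22",
    '2015-12-16T14:04:00 proxy01 user=asmith url="https://www.example.com/" status=200',
]

if __name__ == "__main__":
    for line, field, why in correlate(SAMPLE_LOGS):
        print(f"ALERT {field:40} {why}\n      {line}")
```

Three of the five lines produce alerts: an allowed outbound connection to a listed address, a download from a subdomain of a listed domain, and a denied inbound attempt from a listed range. The denied one still matters for the reason the text gives: it tells you the feed is live against your perimeter, and a later allowed connection from the same range would be the signal to act on.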
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
