Continuing our goal of providing a high-level overview of the things you should be doing to be more Cybersecure, this is part 2 of 5. Now that you have identified your assets and their “value”, we will focus on “Protect”, for a recap of the Five Functions of NIST you can read here and you will find part 1, Identify, here.
What we aim to protect:
- Confidentiality: Only the people that are supposed to see the data can (what was meant to be private stayed private)
- Integrity: The data you are reading now was not altered without your knowledge since it was originally written (its accuracy and consistency was maintained over its lifecycle).
- Availability: You can access your data when you need it (we could also had “from where and via the tools you want" , but it would be more from a productivity angle than security)
Two core principles on how:
- Least privilege approach: You should be given the lowest level of [security] privilege that is required for you to be efficient at your job most times. Example: Not everyone needs to have “super user” access and if you only need once a year, that should be accommodated via a temporary exception process, not by giving you access all the time.
- Layered defence: No security is perfect and [bad] people will find a way around it, layering will make it that even if one of your security measure fail, a secondary mechanism will probably catch it. Think of your medieval castle, they had moats filled with water to slow down attackers and limit what they could use to attack, then they were high outer walls with draw bridges, some even had internal walls and locked buildings (and secret rooms!)
And the dimensions to consider:
- People: We need to consider the human factor, protecting them from others, but also from themselves.
- Process: Establishing clear procedures helps avoid spur of the moment mistakes and allows for continual improvements of those processes via testing and review
- Technology: In the end, this blog is about Cybersecurity so technology plays a key point into protecting the assets.
Here is what we would consider to be the bare minimum in terms of protection (aka, if you are only doing the below, you are probably not doing that great, but it’s a good start):
- An Anti-Malware on all PCs and Servers (yes, even on Mac and Linux)
- A Next Generation firewall that inspects all traffic for malware and known attacks
- An email gateway solution that scans for malware, phishing and spoofing
- Every device patched with the latest fixes (ASAP for critical patches, soon after for the rest)
- Backup that follow the 3,2,1 approach (3 copies of the data, on 2 different medias (multiple snapshots or replications don’t count) and at least 1 copy offsite
- A Cybersecurity Incident Response Plan (it can be as simple as: if sh*t happens call this person/company (usually involves a retainer contract to make sure they will pick up the call on New Years Eve))
- Some training for end users on Cybersecurity risks (don’t click that link, don’t send money to strangers, make sure the person claiming to be your CEO in that SMS text really is your CEO)
These are quickly becoming the new minimum (you should get started on this list):
- A Next Generation Anti-Malware on all PCs and Servers that analyzes application behaviours, not just file signatures (yes, even on Mac and Linux)
- An anti-malware agent on mobile devices (Android and iOS)
- A Next Generation firewall that scans inside encrypted traffic
- An email gateway solution that scans for 0 day attacks via URL and Application sandboxing (testing the application and URL in a virtual environment to detect abnormal behaviours)
- Data Leak Prevention solution (some basic safeguards to avoid key information to be sent out intentionally or unintentionally)
- All backups encrypted at rest and in transit
- Offsite backup copy completely air gapped (none of your humans or software can alter or delete it (not even a super admin))
- A Cybersecurity training program re-enforced with phishing simulation to help employees develop they “questioning muscle” (should I click?)
Lastly, give your people the tools they need. If you do not provide it to them, they will still find a way to do it and you may not like it…
We hope this helps you continue your Cybersecure journey. All documents and information are only made available for informational purposes, you should work with a professional to adapt them to your business.
Stay tuned for the next of the Five Functions: Detect.