In the previous blog, we talked about the stress that making choices can cause during the quest for the most suitable cyber-security solution. The minimum requirements described there are, however, the most essential matters to have in place. That first level is the basis on which the other cyber-security measures build.
Level 2: the basic measures
Let us put this very plainly: the minimum requirements are matters that must all be in order within every organisation. This does not necessarily hold for the measures that we outline in this blog. These measures suit an organisation that wants to take steps to better protect itself against cyber-crime. Level 2, the basic measures, actually starts with a piece of self-knowledge on the part of the organisation. This self-knowledge is converted into transparency about all the equipment that is, in one way or another, connected to the network within your organisation.
Do the right things
It may sound obvious, but doing the right things is one of the most difficult challenges of cyber security. It means knowing what threats you need to tackle and ensuring that there’s support from management for doing so. Just as an IT department automates processes that belong to others, the security department protects information that, likewise, belongs to others. Involving line management with the defining of risks, the classifying of data, and the carrying out of a DPIA (Data Protection Impact Assessment) is a matter of necessity. These, after all, are risks to their operations that we’re trying to eliminate.
Be aware of your vulnerabilities by periodically scanning your network for vulnerabilities (monthly usually aligns best with the patch policy). Not only servers and clients are vulnerable, but also network components, appliances, VoIP devices, printers, etc. By detecting vulnerable equipment and software, you can take measures in a timely fashion and prevent them from being abused by someone. Experience shows that it is wise to scan your network not only from the inside, but also from the internet.
Think about damage control in advance
You are aware of your vulnerabilities and you have taken measures to prevent abuse. However, that is not the end of it yet. Restrict authorisations on the network to the information, shares or applications that the relevant employees need to perform their activities. To illustrate this, take a ransomware attack. If employees can only access the documents they need, then a cryptolocker on their PC can only encrypt those documents. Of course, this is still very annoying, but you do reduce the impact.
Before ransomware starts encrypting files, it often first tries to infect other devices in the network. By applying network segmentation, you ensure that, again, the reach from a single workstation is curbed. Setting up this kind of configuration once is often doable; however, the chance is considerable that sooner or later you will have to deal with changes in your network, and changes make it difficult to keep the configuration correct.
How many employees actually lose authorisations when they start working for a different department? How do you make sure that authorisations on the network follow the person or the device? And how often has temporary access, in due course, turned into structural access?
Be aware of who and what is present on your network. The administered workstations are usually known, and when scanning for vulnerabilities you also detect the static devices. However, Bring Your Own Device, guests, mobile telephones and suppliers represent challenges. After all, you often do not know how secure these non-administered devices are. You either trust the owner to have things under control, or you provide little or no access to business assets. You can tackle this problem by making use of access control, or Network Access Control. This way you ensure that:
- only authorised devices have access to the network.
- network access follows the device (also when you use it at a different location).
- you can grant unknown parties access, however not without your knowledge.
Having insight into the connected assets is also a requirement under most standards and legislation; think of the Wbni (Dutch Network and Information Systems (Security) Act, in particular Section 2 Subsection 1 under d of the implementing regulation) or Annex A8.1 of ISO 27001. This way, you will have more control over who is on your network. Of course, insight is pleasant, but that information alone will not protect you. You also want to detect when the equipment you authorised displays suspicious behaviour. End-point protection, e.g. anti-virus software, enables this for all devices that you administer in-company. Installing things like anti-virus software on a printer, a router or a supplier's laptop is, however, not possible. That is why it is important to recognise suspicious behaviour and to also be able to intervene in respect of these devices. Intervention, in this instance, means that an alarm is sent to the IT department or that the device is removed from your network.
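The three NAC guarantees above, the time-boxed guest access from the questions on temporary access, and the "alarm or remove from the network" intervention for unmanaged devices can be expressed as one small policy. The model below is an added illustration, not the post's or any NAC product's code; the MAC addresses, roles, VLAN numbers and the eight-hour guest window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed device registry keyed by MAC address; roles map to VLANs (assumed values).
ROLE_VLAN = {"staff": 10, "printer": 20, "guest": 99}
REGISTERED: Dict[str, str] = {"aa:bb:cc:00:00:01": "staff", "aa:bb:cc:00:00:02": "printer"}
T0 = datetime(2024, 1, 1, 9, 0)  # constructed reference time for the samples below

@dataclass
class Decision:
    mac: str
    vlan: Optional[int]          # None means the port stays blocked
    reason: str
    alert: bool = False          # True when the IT department must be notified

@dataclass
class NacPolicy:
    registry: Dict[str, str] = field(default_factory=lambda: dict(REGISTERED))
    guest_grants: Dict[str, datetime] = field(default_factory=dict)   # mac -> expiry
    quarantined: set = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)

    def admit_guest(self, mac: str, now: datetime, hours: int = 8) -> None:
        """Temporary access is always time-boxed so it cannot quietly become structural."""
        self.guest_grants[mac.lower()] = now + timedelta(hours=hours)

    def quarantine(self, mac: str, why: str) -> None:
        """Behaviour-based intervention for devices you cannot run endpoint protection on."""
        self.quarantined.add(mac.lower())
        self.alerts.append(f"{mac.lower()} quarantined: {why}")

    def decide(self, mac: str, location: str, now: datetime) -> Decision:
        mac = mac.lower()
        if mac in self.quarantined:
            return Decision(mac, None, "quarantined", alert=True)
        if mac in self.registry:               # access follows the device, whatever the location
            role = self.registry[mac]
            return Decision(mac, ROLE_VLAN[role], f"{role} at {location}")
        expiry = self.guest_grants.get(mac)
        if expiry is not None and now < expiry:
            return Decision(mac, ROLE_VLAN["guest"], "temporary guest access")
        if expiry is not None:                  # grant has lapsed: revoke it, do not let it linger
            del self.guest_grants[mac]
            self.alerts.append(f"{mac}: expired guest grant used at {location}")
            return Decision(mac, None, "guest access expired", alert=True)
        self.alerts.append(f"unknown device {mac} seen at {location}")   # never admitted silently
        return Decision(mac, None, "unknown device", alert=True)
```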
Authentication and authorisation
By giving employees explicit (i.e. conscious) access to resources they need for their work and verifying their identity, you prevent abuse in your network. Therefore, make sure that one account is only used by one person; in the healthcare sector, this is even prescribed in the NEN 7510.
In addition, you must take measures to confirm that a person is who he says he is. You can achieve this by enforcing robust authentication, such as multi-factor authentication.
Zero Trust. By restricting rights, confirming identities, segmenting networks, applying access controls, and monitoring behaviour on the network, we’ve taken steps towards zero trust principles. We assume that threats will always be lurking, both on the internet and within our own networks. That means trusting nothing and nobody, and verifying everything.
People as the weakest link
We cannot stress it enough: an awareness programme is highly recommended. The majority of cyber-security incidents are caused by an employee who, in a moment of carelessness, clicks on a link, leaves data behind or opens a file that contains malicious software. By training employees in cyber-security topics (recognising phishing, clean desk, sharing information, the use of external data carriers, etc.) you can steer behaviour. As mentioned in part one, phishing is still the most frequently used attack vector, and not because email is badly secured, but because employees fall for it. That is not very strange, for that matter, given the ever more professional phishing attacks. According to recent German research at the Karlsruher Institut für Technologie, recurring training with varied and interactive multimedia content is necessary to keep vigilance at the required level.
The power is in the repetition. Recurring training sounds nice, of course, but it is at least equally important to measure its effect. To determine whether the desired effect is achieved, you want to confirm that the knowledge is not just present but is also put into practice. You do this with assessments, e.g. a mystery guest or a phishing simulation.
A secure inbox
Finally, it is certainly also worth considering raising the protection of email to a higher level. With technical measures you can recognise malicious emails on the basis of all sorts of features, and a combination of these features can point to a malicious email. For instance, an email from a business that never sends you email, which also has an attachment, is more suspicious than an email with an attachment from a party with whom you exchange email more frequently. Of course, it can also be legitimate, but in these situations an additional warning to the recipient can be a useful tool to make your awareness campaigns even more effective. Are you curious how you can raise the cyber-security of your organisation to an even higher level? In part 3, the last part of this series, we will discuss a number of advanced measures.
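The "unfamiliar sender plus attachment" heuristic described above, written out as an added example using Python's standard email parser; this is illustration code, not the post's or any mail gateway's implementation. The sender history counts, domains and both messages are constructed samples; a real deployment would derive the history from its mail-gateway logs.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed sender history: mails per sender domain this mailbox has received
# before. A real deployment would derive this from mail-gateway logs.
SENDER_HISTORY = Counter({"partner.example": 42, "supplier.example": 7})

def sender_domain(raw_message: str) -> str:
    """Domain part of the From: address, lower-cased."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower()

def has_attachment(raw_message: str) -> bool:
    """True if any MIME part is marked as an attachment."""
    msg = message_from_string(raw_message)
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())

def risk_features(raw_message: str, history: Counter = SENDER_HISTORY) -> List[str]:
    """The two features the text names: unfamiliar sender and attachment present."""
    features = []
    if history.get(sender_domain(raw_message), 0) == 0:
        features.append("first-time sender")
    if has_attachment(raw_message):
        features.append("has attachment")
    return features

def warning_for(raw_message: str, history: Counter = SENDER_HISTORY) -> Optional[str]:
    """Only the combination of both features triggers a warning to the recipient."""
    features = risk_features(raw_message, history)
    if "first-time sender" in features and "has attachment" in features:
        return "WARNING: attachment from a sender this mailbox has never received mail from"
    return None

# Constructed sample messages (not real traffic).
NEW_SENDER_WITH_ATTACHMENT = """\
From: "Invoices" <billing@unknown-new.example>
Subject: Invoice 117
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

%PDF-1.4 placeholder
--sep--
"""
KNOWN_SENDER_PLAIN = "From: Alice <alice@partner.example>\nSubject: Meeting\n\nSee you tomorrow.\n"
```

A known sender with an attachment, or an unknown sender without one, yields a feature list but no warning, which is the point of combining features rather than alarming on each one alone.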