Sometimes we all feel like we’re losing the security game. But, just like when you’re losing the Craft of Minewar, you can use add-ons to energize your security game. Here are seven definitive things you can put into your security program to guarantee a winning score.
You are often required to punch holes in your firewall and let the open sewer of the Internet flow directly onto your applications. You need to filter the crud out before it messes up your critical network app services. Web servers are commonly attacked because they’re low hanging fruit. New vulnerabilities are released for web servers and web app frameworks on a constant basis. Just a random sampling finds 35 cross-site request forgery vulnerabilities released in the first quarter of 2017,1 plus menaces like the new ransomware that targets Apache Struts. It’s pretty easy for an attacker to cycle through a variety of these vulnerabilities across the Internet and find someone who hasn’t patched or locked something down.
One of the best tools for this is a web application firewall, which should be savvy enough to nail common web application attacks like the OWASP Top Ten2 dead in their tracks.
Even better if the firewall can add a layer of intrusion prevention and IP reputation filtering to wipe out the obvious attacks before their reach the soft, chewy web servers on the inside.
The best defense is to set up your filters to allow only the specific types of application traffic from the places you trust and then block/alarm on anything else.
As stated in Verizon’s 2016 Data Breach Investigations Report, 63% of data breaches involved weak, default, or stolen passwords.3 User passwords are easy prey to phishing or guessing. Not to mention credential stuffing when users reuse passwords from their work systems on other systems, which are then breached.4 It’s 2017, and way past the time to move away from passwords towards multi-factor authentication (MFA). And hey, make it easy on your users and wrap up your strong authentication in a Single Sign-On (SSO) service so they only have to log in once.
The 2017 Cybersecurity Trends Spotlight Report noted that 45% of the surveyed cybersecurity professionals reported their biggest obstacle to improving their programs was lack of skilled employees.5 Yes, there is a severe talent shortage. If you can’t find the people you need, you need to grow them. That means thinking ahead and getting them while they’re experienced enough to be in high demand. One obvious source is to promote talented folks from within the organization. A strong IT professional can make a fine security professional, given the right training and mentorship. Hey, I wrote a whole book for engineers moving into security.6 Another place to look for budding talent is the local universities. Many have cyber-security programs for college students and returning professionals.7 Some also offer opportunities for seasoned security professionals (like you) to guest lecture, which is a great way to get you and your company name out in front of them. It also lets you spot the rising stars and get their contact information so you can recruit them upon graduation. Some of these programs also have internships that enable you to see how potential hires perform on real projects within your company.
Who knows what evil lurks in hearts of that web traffic…. Well, we know it’s malware. Icky, icky malware. Sometimes cloaked in encryption as it moves evil stuff into your organization and sneaks your valuables out8. And users aren’t just getting hit on the fishy sites but it’s mixed in with hacked legitimate web pages and within banner ads. You can’t escape. All the training in the world isn’t going to stop a web drive-by embedded on a news site that takes advantage of an unpatched browser vulnerability. You need to scrape off the top layer of the incoming filth with a reputation filter feed of known nasty sites. But don’t stop there; decrypt the SSL/TLS stream and scan the heck out of what you find inside. A good, clean inbound web stream will do wonders for reducing your malware infection rate.
Telework is not just VPN and chill. A Gallop poll found that 37% of U.S. workers do part or all of their jobs via telecommuting.9 To tap talent anywhere, more and more organizations are building remote teams. You need to make sure these folks dispersed around the planet can do what they need to do and access what they need to access without compromising the security of your organization. These goes beyond just slapping up a VPN and calling it done. You need a real strategy that allows for granular access to apps and data based on metrics and risk, like Google’s BeyondCorp model. You need to encrypt data at rest everywhere, especially on the road warrior laptops and USB drives. And you need to ensure remote workers have access to their critical apps at all times, whether in the cloud or on premises.
One of the realities of running an organizational security program is that things are going to go wrong. Don’t wait for it to happen, prepare your response plan now. Build plans for the major likely threats, including malware infection, malicious insider, zero-day vulnerabilities in your perimeter, data leakages, and denial-of-service attacks. The plan should contain information for staff on how to contain impacts, capture evidence, calculate spread, and restore services. You should also include the bones of a public response so your executive team can have a draft to work off of before the reporters begin calling. You’ve never written an IR? Check out RFC 2350,10 an old but good guide to building a solid incident response plan. Remember, an ideal security response plan will function even in the absence of the CISO, so having detailed instructions and practicing are critical.
Knowing what kinds of threats are poking at your organization is the kind of guidance you need in order to bolster defenses and allocate resources. Threat intelligence can be used to build a powerful risk management system that gives you warning about incoming barrages of attacks. A strong threat intelligence program is meaningful and actionable, which means you must play an active role in making it relevant to your needs and doing something with it. If you’re stuck on how get started with threat intelligence, we may know a thing or two to help you along the path.
MODIFIED: Jul 06, 2017