With cyber incident complexities growing each day, what is your organization doing to fend off those malicious and no-good threat actors?
According to the 2018 Verizon Data Breach Investigations Report, 53,000 incidents and 2,216 confirmed data breaches occurred in 2017. Some organizations have very robust cybersecurity programs in place because they have the ability to invest significant capital in technology, people, training and time to increase their cybersecurity maturity. Not all organizations are this fortunate. Are you one of the less fortunate? If your organization has not made cybersecurity a focus, where can you begin? After all, the whole idea of cybersecurity is a scary, unmanageable goal for many.
So, what motivates hackers? Typically, money and all the glory that comes with it!
According to the Verizon report, 73% of all attackers are motivated by financial gain. You may be asking yourself the question, what value would an ordinary hacker glean from my business? Well, that depends. Do you have Personally Identifiable Information (PII), Protected Health Information (PHI), customer data? Are you a link in the supply chain to a larger organization or does your organization have trade secrets? These are examples which equate to possible monetary gain for the hacking community.
I won’t go into the numerous ways the hackers can breach your organization and possibly gain access to your data. I want to focus on what your organization can do today to start protecting its data. As a controls-based organization, Stinnett has developed a multi-phased approach to solving this complex problem.
Phase I Risk Assessment
Phase I begins with a risk assessment of your data and systems to determine where data lives and what kind of data you have. Is the data regulated (e.g. PCI, HIPAA, SOX), is it compartmentalized (payroll, M&A) or private to your organization? During your risk assessment you need to categorize the data sitting on systems and in databases to determine where you are at most risk.
Once you have a good list documenting the data in your environment, put it through a threat model. One popular model is STRIDE, which was created by Microsoft. In its simplest terms, you need to evaluate the probability of someone accessing the data and then determine the impact should that data be breached. You can multiply these two numbers together to get a semi-qualitative risk ranking of the different threats that face your organization’s most valued data. When you perform this exercise, be sure to talk to people outside of the IT department to understand how they use their data. IT is not always in the know and therefore cannot always provide 100% of the picture.
Okay, so now you know what you need to protect but how do you do that?
Phase II Baseline Gap Analysis of Framework
Let’s talk about frameworks for a second. What is a framework, and which one do I use? Frameworks are high-level control guidelines which can be implemented to protect information systems environments. There are several frameworks in existence. However, the most popular in the U.S. are the Center for Internet Security – Critical Security Controls (CIS CSC) and the National Institute of Standards and Technology – Cybersecurity Framework (NIST CSF).
Both frameworks recently released updated versions which address the ever-changing landscape of cyber threats. CIS CSC version 7.0 was published March 19, 2018, and NIST CSF 1.1 was published April 16, 2018. These frameworks are simple to understand and map to one another, so if you cannot decide which one to use, pick one and map to the other! We typically see small- and medium-sized organizations using CIS CSC and larger enterprises adopting NIST. In some situations, the NIST framework is preferred because it integrates with other NIST frameworks and special publications which can be mandated by the U.S. government when doing business with federal agencies (NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations).
Once you have reviewed the two frameworks and landed on one to use, start the gap analysis. Interview your IT security gurus and determine how well your internal controls map to the framework. Document the people, processes and technologies used in support of the controls. Don’t be alarmed if many of the controls are not in place. Remember, you don’t have a mature cybersecurity program yet … we are working on that!
After completing your analysis, discuss the results with IT and ensure they agree with the level of maturity in the environment. ISACA has a nice capability maturity model which can be used to document the levels on a 0-5 scale.
What is next? Do you need to spend a wad of money and close all the gaps? Likely the answer is NO. Remember, we know what assets are most important to us and we know the types of threats which are most likely to exploit access to those assets. The next step is to evaluate what the framework controls will do for your organization. For example, if you know that you have five systems with regulated data and the biggest threats to those systems are Spoofing of Identity (spear phishing attacks) and Elevation of Privilege (poor patch management exposes vulnerabilities), then you can find the controls which are most likely to reduce that risk. Implement these controls first!
In this scenario, we would recommend controls around continuous vulnerability assessment and remediation; controlled use of administrative privileges; maintenance, monitoring and analysis of audit logs; account monitoring and control, and awareness training.
Implementing these controls will address the highest risks first. Yes, there may be some fundamental controls which need to be implemented for basic cybersecurity hygiene. However, the controls outlined above are really going to take your organization a long way.
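The Phase I scoring (probability multiplied by impact per STRIDE threat) and the Phase II step of picking the controls that reduce the top-ranked risks can be kept in a small risk register. The following is an added example written for this page; it is not Stinnett’s tool or code from the article. The asset names, scores and maturity levels are constructed, and the mapping from each STRIDE category to the controls the article recommends is an assumption made for illustration. Controls that already sit at or above a target maturity (on the 0–5 scale mentioned above) are left out of the recommendation, which is what lets you avoid closing every gap at once.

```python
"""Risk register that ranks STRIDE threats and prioritizes framework controls.

Added example, not code from the article or from Stinnett & Associates.
All asset names, scores, maturity levels and the threat-to-control mapping
below are constructed for illustration.
"""
from dataclasses import dataclass

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")

# Assumed mapping (not from the article): which of the controls the article
# names most directly reduce each STRIDE threat category.
THREAT_CONTROLS = {
    "Spoofing": ["awareness training", "account monitoring and control"],
    "Elevation of Privilege": ["continuous vulnerability assessment and remediation",
                               "controlled use of administrative privileges"],
    "Information Disclosure": ["controlled use of administrative privileges",
                               "maintenance, monitoring and analysis of audit logs"],
    "Tampering": ["maintenance, monitoring and analysis of audit logs"],
    "Repudiation": ["maintenance, monitoring and analysis of audit logs"],
    "Denial of Service": ["continuous vulnerability assessment and remediation"],
}


@dataclass(frozen=True)
class Threat:
    """One row of the Phase I risk assessment."""
    asset: str        # system or database where the data lives
    data_class: str   # e.g. "PII", "PHI", "trade secret" (regulated or not)
    stride: str       # one of the STRIDE categories
    probability: int  # 1 (rare) .. 5 (almost certain) that someone gets access
    impact: int       # 1 (negligible) .. 5 (severe) if the data is breached

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.stride}")
        for value in (self.probability, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("probability and impact must be on a 1-5 scale")


def risk_score(threat):
    """Semi-qualitative ranking from the article: probability x impact (1..25)."""
    return threat.probability * threat.impact


def rank_threats(register):
    """Highest risk first; ties broken by asset then category so output is stable."""
    return sorted(register, key=lambda t: (-risk_score(t), t.asset, t.stride))


def prioritize_controls(register, maturity, target=3, min_score=10):
    """Order controls by how much high-risk exposure each one addresses.

    maturity: current 0-5 level per control (ISACA-style); controls already at
    or above `target` are skipped so spend goes to real gaps. Threats scoring
    below `min_score` do not drive prioritization.
    """
    weight = {}
    for threat in register:
        score = risk_score(threat)
        if score < min_score:
            continue
        for control in THREAT_CONTROLS[threat.stride]:
            if maturity.get(control, 0) >= target:
                continue
            weight[control] = weight.get(control, 0) + score
    return sorted(weight, key=lambda c: (-weight[c], c))


# Constructed sample register: five systems from a Phase I assessment.
REGISTER = [
    Threat("payroll-db", "PII", "Elevation of Privilege", 4, 5),
    Threat("payroll-db", "PII", "Spoofing", 4, 5),
    Threat("ehr-app", "PHI", "Information Disclosure", 3, 5),
    Threat("marketing-site", "public", "Denial of Service", 3, 2),
    Threat("file-share", "trade secret", "Tampering", 2, 4),
]

# Constructed gap-analysis result: awareness training is already mature.
MATURITY = {
    "awareness training": 3,
    "controlled use of administrative privileges": 1,
    "continuous vulnerability assessment and remediation": 1,
    "account monitoring and control": 0,
    "maintenance, monitoring and analysis of audit logs": 1,
}

if __name__ == "__main__":
    for t in rank_threats(REGISTER):
        print(f"{risk_score(t):>2}  {t.asset:<15} {t.data_class:<13} {t.stride}")
    print("Implement first:")
    for i, control in enumerate(prioritize_controls(REGISTER, MATURITY), 1):
        print(f"  {i}. {control}")
```

Running the file prints the ranked register followed by the ordered control list; because awareness training already sits at level 3 it is dropped, and controlled use of administrative privileges lands first because it serves both the Elevation of Privilege and the Information Disclosure rows.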
Your IT department spent the last year implementing all of your recommendations. What should you do now? Rinse and repeat. Threats change daily, so do those risk assessment and gap analysis exercises at least once per year or whenever major changes to the environment occur.
Best of luck and let us know if we can help.
About the Author
Jeremy Price is a Senior Manager and practice lead for Stinnett & Associates Cybersecurity Consulting & Advisory Services. He has over 20 years of IT experience, focusing on infrastructure technologies and business management. Jeremy is a Certified Information Systems Auditor (CISA), a Microsoft Certified Systems Engineer (MCSE) and an Associate Business Continuity Professional (ABCP). He is also a member of the Institute of Internal Auditors (IIA), Information Systems Audit and Control Association (ISACA), Disaster Recovery Institute International (DRII) and InfraGard.
Stinnett & Associates is not a CPA firm.