Many security professionals in developing their strategy still fall back on the old punch list approach to security configurations. They believe that if they check the box on tried and true methods such as password managers, creating strong device passcodes, using two-factor authentication, encrypting devices and using VPNs, their companies will be secure against cyberattacks.
But by simply going through the suggested methods to safeguard your organization, security professionals aren’t considering the actual risks or impact on workflows. Every organization requires a tailored approach to cybersecurity, which simply can’t be achieved by checking off boxes on a standard list.
The Problem With Security Baselines
The National Institute of Standards and Technology (NIST) has been pushing for the abandonment of security checklists for years—ever since the dawn of the Cybersecurity Framework and integration of the Risk Management Framework into the security life cycle.
The problem with security baselines and their hundreds of registry keys, file and folder permissions and Windows Group Policy settings is that they narrow the idea of what achieving sound security means. Sound security is a constant cycle of change and a balance of risk, cost and liability, all while maintaining the confidentiality, integrity and availability of cyber resources.
Checklists are also never complete and never current. In the bring your own device (BYOD) and IoT world, the variety of operating systems, versions and capabilities makes it impossible to have a hard-coded punch list. These static lists also provide a road map for hackers to know what not to try, thus making detection harder.
Another issue is that checklists create a false sense of security. Organizations are vulnerable when their security leaders have the viewpoint that “if we do X, Y, Z, then we’re good.” That couldn’t be further from the truth. Security is not absolute and is different for everyone. The specific needs of one industry vary greatly from the needs of another. In developing your security strategy, once you identify what’s required for your industry and organization, you will be able to better limit the potential of a cyberattack and mitigate the damages.
Maximize Your Cybersecurity Defense
So, how do you successfully get rid of the checklist approach? What is an alternative way to develop a security strategy that maximizes your defenses?
Start by taking the structures provided in the NIST Core Controls or the Center for Internet Security (CIS) 20 controls and apply the areas of concern from each group/family to every class of tech in your network. This includes PCs, servers, switches, firewalls, IP phones, peripherals (printers, cameras, UPS, video boards), mobility (smartphones, tablets, IoT), software and any other outliers.
Once you have everything categorized, take a long look at the risks and figure out how you can best mitigate and manage them.
- At an organization and facility level: What are the risks? What are the threat actors (insider, outsider, natural)?
- Device category (as identified above) or subcategory: What are the risks associated with these?
- Consider compliance requirements: What are the risks of not complying with the latest iteration of the General Data Protection Regulation (GDPR)? What about new laws such as the California Consumer Privacy Act? What will happen if you don’t ensure strong compliance across the entire IT infrastructure?
Now that the risks are understood and the methods to mitigate them are in place, it’s time to write them down. There are multiple parts to this:
- Policy: Develop a formal set of rules by which those people who are given access to company technology and information assets must abide.
- Plans: Create detailed diagrams and configurations; these can be used to rebuild a network from nothing in case of a total disaster.
- Procedures: Cultivate the how-to’s for the plan—how to implement, how to respond to identified issues.
Trust but Verify
Your security plan and procedures are in place. Everything has been implemented and maintenance is fully automated. You’re secure, right? Wrong. There’s an old idiom I like to keep in mind: Trust but verify. Look at the procedures and plans and ask, How do I test this? Having the procedures available to test enables you to develop plans about when to test. Do you audit everything or just a sample? How is the sample selected? Are there event-based triggers?
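The sampling questions above (audit everything or a sample, how the sample is chosen, whether events force an audit) can be answered in a way that is reproducible and defensible to an auditor. The following is an added example, not code from the original article: it stratifies a constructed asset inventory by the device categories named earlier, seeds the random choice from the audit period label so the same period always yields the same selection, and always includes any asset flagged with an event-based trigger. The asset names, category labels and event flag names are constructed for illustration and are not from the article.

```python
"""Reproducible, stratified audit sampling with event-based triggers.

Added example (not from the original article). The inventory, category
labels and event flag names below are constructed sample data.
"""
import hashlib
import random
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    category: str
    events: frozenset = field(default_factory=frozenset)


# Event-based triggers (hypothetical flag names): an asset carrying any of
# these is always audited, regardless of the random draw.
MANDATORY_EVENTS = {"os_major_upgrade", "vendor_change", "cloud_sso_migration"}


def build_inventory():
    """Constructed inventory covering several device classes."""
    assets = [Asset(f"pc-{i:02d}", "pc") for i in range(1, 11)]
    assets += [Asset("srv-01", "server"),
               Asset("srv-02", "server", frozenset({"os_major_upgrade"})),
               Asset("srv-03", "server"),
               Asset("srv-04", "server")]
    assets += [Asset("fw-01", "firewall")]
    assets += [Asset(f"phone-{i:02d}", "ip_phone") for i in range(1, 4)]
    assets += [Asset("printer-01", "peripheral")]
    return assets


def select_audit_sample(assets, fraction, period, min_per_category=1):
    """Return the assets to audit for the given period.

    - Stratified by category so every device class gets at least
      ``min_per_category`` entries.
    - Seeded from the period label: the same period reproduces the same
      selection, which can be shown to an auditor.
    - Assets with a mandatory event flag are always included and count
      toward the category's quota.
    """
    seed = int.from_bytes(hashlib.sha256(period.encode()).digest()[:8], "big")
    rng = random.Random(seed)

    by_category = {}
    for asset in assets:
        by_category.setdefault(asset.category, []).append(asset)

    chosen = []
    for category in sorted(by_category):            # stable iteration order
        pool = sorted(by_category[category], key=lambda a: a.name)
        forced = [a for a in pool if a.events & MANDATORY_EVENTS]
        rest = [a for a in pool if a not in forced]
        quota = max(min_per_category, round(len(pool) * fraction))
        k = max(0, min(quota - len(forced), len(rest)))
        chosen.extend(forced)
        chosen.extend(rng.sample(rest, k))
    return sorted(chosen, key=lambda a: (a.category, a.name))


if __name__ == "__main__":
    for asset in select_audit_sample(build_inventory(), 0.2, "2024-Q1"):
        flags = ",".join(sorted(asset.events)) or "-"
        print(f"{asset.category:<11} {asset.name:<12} {flags}")
```

With a 20% fraction on the constructed inventory, the run selects two PCs, the server flagged with an OS major upgrade (which fills that category's quota on its own), the single firewall, one IP phone and the printer. Changing the period label changes which PCs and phone are drawn, while the forced server and the per-category coverage stay the same.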
In college, my English professor embedded the mantra, “Writing is a recursive process,” into my brain. I’ve learned that this also applies to security plans, policies and procedures. Annual reviews of these materials are critical to ensure completeness and to make necessary updates to any changes over the previous year.
If you encounter a cyberattack, it’s important to have post-event reviews based on forensic details to reformulate your strategy. Ask yourself, How and why did this happen? What can be done to prevent or mitigate?
There are certain significant changes that should always trigger a risk assessment and documentation, plan, policy and procedure update. These changes include migration to cloud SSO platforms, OS major revision upgrades, change of security solution vendor, etc.
As I’ve mentioned, security is not absolute. A checklist that’s not frequently revised and updated will not provide proper value and protection. As new threats emerge, and as every organization has different requirements for cyber protection, it’s crucial to introduce a security strategy and cybersecurity framework that will keep up with constant changes, limit the occurrence of cyberattacks and mitigate the damages if an attack does occur.