This is a guest article written by Stuart Winter-Tear. The author’s views are entirely his own and may not reflect the views of IT Governance.
It all begins with a headline such as:
“Hackers hack [insert new thing hacked]”
Obviously, you replace “insert new thing hacked” with whatever has just been demonstrated at the latest hacking convention, be that an ATM, fridge, sniper rifle, car, baby monitor, etc.
Following this news, two camps will emerge. The first is the FUD (fear, uncertainty and doubt) group characterised by doomsaying.
The second is the junk-hacking group, which is characterised by being unimpressed with what they call ‘junk hacking’ (junk I found around my house and scared you by hacking it).
Both groups probably have their merits. One thing is without doubt, however: the hacker has gained global media attention and is now busy doing interviews and flying around demonstrating their impressive feat at other prestigious events.
This may well sound sexy, but something is missing:
Away from the glare of publicity, infosec professionals are quietly and diligently implementing and monitoring ‘basic’ security procedures and protocols, knowing in the back of their minds that this will go a long way towards thwarting most attackers.
Just as in the non-virtual world, most criminals don’t want to work too hard – they’d much rather the fast, easy, opportunistic, low-hanging fruit-style hack.
When you leave your home you probably ensure you lock the doors and windows. This isn’t going to stop the most able, knowledgeable, determined and resourceful criminal, but we do this nonetheless as we know it deters most.
The same security principle applies online.
When I read of ‘sophisticated’ (APT) cyber breaches, nine times out of ten it will begin with exploiting a basic security fundamental that was either not in place or poorly configured.
A sentiment I often see is that we have to sort out basic security before moving on to the ‘sexy’ sophisticated elements – but I believe security basics ARE sexy.
Most software is buggy and potentially full of exploitable holes; we already know this, but by implementing information security basics within each section of the concentric security circles, from the asset to the perimeter (defence in depth), we can mitigate many attacks.
Examples of basic infosec logical controls include:
- Routers, firewalls and switches correctly configured, following the principle of implicit deny (anything not explicitly permitted is blocked).
- Anti-virus and anti-spyware software in place.
- Network segmentation, monitoring, backup and continuity implemented.
- Security update patching within a reasonable timeframe.
- Encryption of data at rest and in transit, and full-device encryption.
- Authentication, authorisation and accounting, preferably with multi-factor authentication (MFA), and access control following the principle of least privilege.
- Policies, procedures and change management.
- Regularly testing all the above.
Of course, this is not an exhaustive list. I’m not sure, for example, whether staff training and awareness (the ‘human firewall’) would fall into the ‘logical controls’ category, but it is so vital that I would be remiss not to mention it.
Now, you probably won’t get a hearty slap on the back, press interviews and a ticker-tape parade for ensuring all the basics of infosec are in place, but you will have deterred most attackers, kept the supply chain moving and the data secret, avoided negative publicity, adhered to standards, kept management and payroll running, and so on.
Now that IS sexy security.
And the irony is that when we peer beyond the sensationalist details of the latest and greatest hack, we often find that the security basics were not implemented.