For an organization, any electronic or physical information is an asset and its security is exceptionally crucial. Information security is “the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information”. The main challenge in an increasingly interconnected environment is growing information exposure and a wider variety of risks. Threats such as malicious code, computer hacking, and denial-of-service attacks have become more common, ambitious and sophisticated.
Impacts of security issues have been in headlines since the beginning of the 21st century. The biggest security issue of the 21st century was with Yahoo. In September 2016, the once-dominant Internet giant, while in negotiations to sell itself to Verizon, announced it had been the victim of the biggest data breach in history, likely by “a state-sponsored actor,” in 2014. The attack had leaked the real names, email addresses, dates of birth and telephone numbers of around 500 million users. The company said the “vast majority” of the passwords involved had been hashed using the robust bcrypt algorithm. This incident was a warning for all organizations to keep their asset security intact.
Key points for organization security
A complete security program for an organization involves many different facets working together to defend against digital threats. Making investments in security configuration management (SCM), file integrity monitoring (FIM), vulnerability management (VM) and log management is an astute decision. The key points below provide an outline for improving an organization’s security posture.
- Analyze and implement a Security Plan:
- It is essential to have an elaborate plan that covers the organization’s cyber-risk management strategy and also addresses how the business can recover quickly if an incident does occur. This plan must include the identification of possible risks and areas that need protection; it should define the roles that personnel will have in response to different security events, as well as checklists of actions that need to be performed periodically and/or that should not be allowed. Analyzing the list of approved software and hardware will also lead to a robust security mechanism.
- Security Configuration Management:
- Organizations must develop an inventory of all authorized and unauthorized devices and software. This information helps in tracking and controlling all authorized devices and software. This will also help in denying access to unauthorized and unmanaged products, as well as prevent unapproved software from installing or executing on network devices.
- IT security and IT operations meet at SCM because this foundational control blends together key practices, such as vulnerability assessment, automated remediation, and configuration assessment. Organizations can also leverage a software-based SCM solution to reduce their attack surfaces by proactively and continuously monitoring and hardening the security configurations of their environment’s operating systems, applications, and network devices. Security configuration management consists of four steps. The first step is asset discovery. Next, organizations should define acceptable secure configurations as baselines for each managed device type. They can do so using guidance published by the Center for Internet Security (CIS) or the National Institute of Standards and Technology (NIST).
- Compliance auditors can also use security configuration management to monitor an organization’s compliance with mandated policies.
- Change Monitoring and Vulnerability scanning:
- This step involves examining files to see if and when they change, how they change, who changed them, and what can be done to restore those files if those modifications are unauthorized.
- Companies can leverage the control to supervise static files for suspicious modifications such as adjustments to their IP stack and email client configuration. There are four stages to any effective vulnerability management program:
- SCANNING VULNERABILITY: Companies cannot adequately manage risk without first determining which of their IT assets need protection. Organizations should leverage factors such as physical or logical connection to higher classified assets, user access, and system availability to develop an asset’s risk factor. They should then identify the owners for each of those assets, set a scan frequency (the Center for Internet Security recommends a frequency of at least weekly), and establish timelines and thresholds for remediation.
- ASSET DISCOVERY AND INVENTORY: Once enterprises develop the vulnerability scanning process, they must decide which assets they will subject to that procedure, engaging in asset discovery and developing an inventory of all hardware and software installed on the corporate network. That inventory should include both authorized and unauthorized devices/software so that security teams can approve access and installation/execution for approved devices/software only. It should also record more granular details including possible connections with other assets, configuration, maintenance and replacement schedule, software installations, and usage.
- DETECTING VULNERABILITY: The next step in a vulnerability management program is to apply the vulnerability scanning process to those assets recorded in the company’s inventory. This procedure generally takes the form of automated vulnerability scans. Upon completion, it might reveal weaknesses on certain discovered assets.
- REPORTING AND REMEDIATION: In the event a scan detects vulnerabilities, it’s up to the organization to report and remediate those weaknesses. Effective reporting and remediation usually involve prioritizing all discovered vulnerabilities and creating a patching schedule based upon those rankings. If a complete fix isn’t available, security teams should investigate if there are any workarounds available that they can use to mitigate the risk posed by an unpatched vulnerability.
- Risk assessment and Contingency Plan:
- Risk management is primarily focused on steps taken to minimize a risk before it occurs. This includes techniques for reducing risks, such as risk avoidance and mitigation. Risk management is also a process of formally accepting risks that are worth taking. On the other hand, the contingency plan includes steps to be taken when a risk occurs. A risk that occurs in a real-time environment is referred to as an issue. It is common for issues to be managed as they occur without any preplanning. Contingency planning is generally used for low-probability but high-impact risks, such as a disaster.
- Penetration testing:
- What Gartner defines as “a category of tools that simulate a broad range of malicious activities (including attacks that would circumvent their current controls), enabling customers to determine the current state of their security posture” is a great way to evaluate organization and staff readiness. A penetration test (pen test) is a simulated attack against a network, web applications, personnel and/or any other potentially vulnerable medium or system. The purpose of a pen test is to identify unhandled vulnerabilities in your environment so that existing risks and weaknesses can be understood and mitigated.
- With this approach, an organization should utilize security professionals to work as ethical hackers to emulate actual attacks and identify areas of weakness in the environment’s security posture. A pen tester should never operate without the consent of the organization against which the tests are being conducted.
- A detailed pentest report that outlines areas of entry and weakness within the organization should be created. The report should also contain clear, prioritized and actionable steps for mitigating identified weaknesses.
- Regular review: Organizations also need to enforce their information security policies and review them regularly in order to meet security requirements. Reviewing and amending policies, with strong backlog data to support the changes, builds a strong base for the organization. This also baselines the organization against present industry standards.
- Security reporting mechanism: Threats and vulnerabilities must be evaluated and analyzed at an individual level as well as the organization level. This means establishing and implementing control measures and procedures to minimize risk, and auditing to measure the performance of controls. A channel secure enough to report a security issue within the organization must be implemented, through which any security incident, including tailgating and sending secure information over an unreliable platform, should be reported. A strong incident response policy should be prepared.
- Awareness of Security: Both senior management and IT are responsible for the organization’s information security strategy, although in smaller organizations this job will likely sit with risk and security, data and compliance, and IT and information security managers. To support the information security strategy, it’s important to improve staff awareness of information security issues through training and other initiatives. Interactive seminars held at regular intervals also help in understanding the depth of knowledge in individuals. Employees should also be aware of incident reporting mechanisms and should be trained on the risk categories introduced by the organization.
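The change monitoring point in the list above (seeing if files changed and how they changed) can be illustrated with a small baseline-and-compare check. This is an added example, not part of the original article or any named product; the function names and the sample files (hosts, mail.conf, resolv.conf, startup.sh) are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map each regular file under root to (SHA-256 hex digest, permission bits)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            if not stat.S_ISREG(info.st_mode):
                continue  # symlinks and special files are not hashed here
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (digest, stat.S_IMODE(info.st_mode))
    return state

def compare(baseline, current):
    """Return (path, finding) pairs; finding is added, removed, content or mode."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "added"))
        elif new is None:
            findings.append((path, "removed"))
        else:
            if old[0] != new[0]:
                findings.append((path, "content"))
            if old[1] != new[1]:
                findings.append((path, "mode"))
    return findings

def demo():
    """Constructed sample tree: take a baseline, make four changes, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("hosts", "mail.conf", "resolv.conf"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("original " + name + "\n")
        baseline = snapshot(root)
        with open(os.path.join(root, "mail.conf"), "a") as fh:
            fh.write("relay = changed.example\n")  # content change
        os.chmod(os.path.join(root, "hosts"), baseline["hosts"][1] | 0o100)  # owner-execute bit set
        os.remove(os.path.join(root, "resolv.conf"))  # deletion
        with open(os.path.join(root, "startup.sh"), "w") as fh:
            fh.write("#!/bin/sh\n")  # new file
        return compare(baseline, snapshot(root))
```

A hash comparison like this shows that a file changed and in what way, but not who changed it; that attribution has to come from operating system audit logs, and the baseline itself must be stored where the monitored host cannot rewrite it.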
Before implementing any security in an organization, performing a security posture assessment is vital in determining potential weaknesses in your security. There are various vulnerability assessment and penetration testing tools available to initiate the process. Thus, securing your organization by following the correct measures is the foremost hardening step in this world of cybercrime.