Building a Security Program – Continuing to Mature – Part 2
In our article last week on how to get started when building a security program, we covered a lot of the foundational aspects you should be considering when trying to start an information security program for the first time or build a more organized roadmap to mature your current security program. You may be doing all six of those security processes already and just looking to keep improving security for your company. Maybe you had some of those basic controls in place but are now working on implementing the rest. Either way, you’ll want to continue adding to your security roadmap and maturing your overall security capabilities over time, so let’s continue the discussion and look at the next set of controls to help with building a security program.
Again, we’re using the CIS Top 20 controls to drive this conversation, but these general practices can be applied to any best practice standard you choose to use for your organization. These aren’t necessarily listed in the order of importance for your organization when building a security program, nor are they in order of their ease of implementation.
Email and Web Browser Protections
Email clients and web browsers are often the way your users will be interacting with untrusted environments (i.e. anything on the Internet), making them high-value targets for attackers to use as part of social engineering or client-based exploits. By controlling email clients and web browsers that are allowed in your environment, the organization can better protect those approved clients and implement mitigating controls. These mitigating controls may include:
- Centrally managed browser updates to make sure they aren’t vulnerable to new exploits
- Monitoring browser types/versions through software inventories and authenticated vulnerability scans
- The use of email markers to identify externally-originating mail, reducing social engineering risk
- Mail scanning for malware and dangerous attachments
- DMARC policy
- Implementation of SPF and DKIM standards
Malware Defense
This one is pretty straightforward and most organizations today have some sort of protection in place, but when maturing your security program, just installing an antivirus client isn’t enough. Some key considerations and controls you’ll want to plan for include:
- Centrally managing antivirus controls
- Regularly updating software (weekly) and definitions (daily or hourly)
- Employing advanced malware detection controls that include methods beyond pure signature detection, such as heuristic detection
- Making sure users cannot disable, delete, uninstall, or modify antivirus software
- Monitoring for AV-related alerts and responding accordingly
Limitation and Control of Network Ports, Protocols, and Services
Just like inventorying the hardware and software in your organization as we pointed out in the first part of this blog series, you’ll also want to consider inventorying and monitoring what ports and services are present in your network. For starters, you’ll want to know exactly what is listening on your external perimeter (and minimize the list of ports/services listening as much as possible), since anyone from the Internet could interact with those ports and services. This is one of your organization’s biggest risks of compromise.
But as you mature, you’ll also want to understand, inventory, and monitor what ports/services are available from all of your internal network segments, as well. Then, with a solid understanding of what services are required to be accessible, you can start implementing network segmentation based on these rules.
Network segmentation is the restriction of traffic flows between internal segments of your network, based on a whitelisting approach of only what is necessary. This prevents Kathy from HR from seeing the login interface for your internal SIEM, for example, and can really help limit the scope of a compromise and restrict an adversary’s ability to move laterally within your network.
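The whitelisting approach described above can be audited by comparing observed traffic against the approved flows. The following is an added example, not part of the original article: the segment names, address ranges, allowlist, and observed flows are all constructed assumptions, and in practice the observations would come from firewall logs or scan results.

```python
import ipaddress

# Constructed segment map and approved flows (assumptions for this example).
SEGMENTS = {
    "hr": ipaddress.ip_network("10.10.20.0/24"),
    "it-admin": ipaddress.ip_network("10.10.30.0/24"),
    "dmz": ipaddress.ip_network("10.10.50.0/24"),
    "siem": ipaddress.ip_network("10.10.99.0/28"),
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_FLOWS = {            # (source segment, destination segment, port)
    ("internet", "dmz", 443),
    ("it-admin", "siem", 443),
    ("dmz", "siem", 6514),   # syslog over TLS
}

def segment_of(ip):
    """Map an address to its segment name, most specific prefix first."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in SEGMENTS.items() if addr in net]
    if matches:
        return max(matches)[1]
    return "unmapped-internal" if addr in INTERNAL else "internet"

def unapproved_flows(observed):
    """Return observed cross-segment flows that the allowlist does not cover."""
    findings = []
    for src_ip, dst_ip, port in observed:
        src, dst = segment_of(src_ip), segment_of(dst_ip)
        if src == dst and src in SEGMENTS:
            continue  # traffic inside one mapped segment is out of scope here
        if (src, dst, port) not in ALLOWED_FLOWS:
            findings.append((src, dst, port, src_ip, dst_ip))
    return findings

# Constructed observations, e.g. from firewall logs or an internal scan.
OBSERVED = [
    ("10.10.30.5", "10.10.99.2", 443),      # IT admin to SIEM: approved
    ("10.10.20.14", "10.10.99.2", 443),     # HR workstation to SIEM login
    ("203.0.113.50", "10.10.50.10", 443),   # Internet to DMZ web: approved
    ("203.0.113.50", "10.10.50.10", 3389),  # Internet to DMZ remote desktop
    ("10.10.77.8", "10.10.99.2", 443),      # host missing from the inventory
    ("10.10.20.14", "10.10.20.15", 445),    # inside the HR segment
]

if __name__ == "__main__":
    for finding in unapproved_flows(OBSERVED):
        print("UNAPPROVED", finding)
```

Hosts that fall outside every mapped segment are reported rather than ignored, since an address missing from the inventory is itself a gap in the segmentation rules.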
Data Recovery Capabilities
This may seem like a no-brainer, but one of the often overlooked aspects of information security is availability. This refers to your systems’ and networks’ resiliency to downtime and your ability to recover in disaster scenarios. It’s worth creating a formal disaster recovery plan, understanding your business’s recovery time needs, prioritizing back-up assets, and testing your host/data back-ups on a regular basis. To start with, make sure you’re backing up your most critical assets that you couldn’t live without and consider high-availability pairing for central networking devices.
Secure Configuration of Network Devices
Just like you want to harden your hosts and servers, you’ll want to roll the same hardening process out to your network devices as well. Developing a process based on a standard, applying that process to all devices prior to placing them into production, and regularly updating that process as new vulnerabilities are identified should be a core control for your security program.
Boundary Defenses
Your boundary with the open Internet is one of your most critical lines of defense. It is the only thing separating you from untrusted traffic from anywhere in the world. Consider the following controls associated with your external network boundary:
- Whitelisting approach on your firewall to only accept required traffic originating from the Internet.
- Make sure your firewall has been hardened and consider regular configuration reviews to verify this.
- Implement a DMZ
- Deploy IDS/IPS at your network boundaries
- Regularly conduct external penetration testing to help measure real risk
Data Protection
Do you know where the most sensitive data lives within your organization’s network? Have you identified and segmented your critical assets from less-sensitive parts of your network? Most organizations we’ve encountered would say no to this, but controlling where your sensitive data lives and tightly protecting those places can help reduce the severity of a breach, should one ever occur. More advanced protections include the use of Data Loss Prevention (DLP) tools at your perimeter to identify and block the unauthorized flow of sensitive information, or software to identify and block unapproved USB storage devices.
Controlled Access Based on Need to Know
A lot of organizations think they are already controlling access within their organization appropriately. Truly managing access though is a multi-layered problem that is really difficult to do right. It starts with easy fixes, like making sure you are only using encrypted protocols throughout your network, e.g. HTTPS and SSH rather than HTTP and Telnet.
But you’ve also got to consider shared drive restrictions, making sure that each user only has access to the data they need to access. And in order to do that, you’ve got to have role-based authentication set up in your centralized authentication source, such as Active Directory. And to effectively maintain role-based authentication, you’ve got to have documented role definitions that are approved by management and tied to what permissions/resources that role should have access to. As you can see, this problem is one that can be taken in baby steps and will follow you throughout the increasing maturity of your security program.
Wireless Access Control
Carefully consider wireless networks used to access corporate assets. With the improvements in wireless signal technology, someone could be a significant distance away and be on your internal network. Consider the following controls:
- For corporate network access, implement 802.1x authentication with RADIUS/AD to help control access.
- For guest networks, Pre-Shared Keys (PSKs) are fine but make sure you’ve got client isolation enabled and the rest of your network is segmented.
- Prevent bridging networks on corporate assets.
- Prevent corporate assets from connecting to the guest wireless and bypassing policy.
- Consider regular wireless penetration tests to confirm controls in place.
Account Monitoring and Control
As I said, this list is not in order of importance when building a security program, so consider this saving the best for last. Account control in today’s technical environment involves the use of multi-factor authentication. That is just one of the baseline requirements to really secure your most critical assets. You’ll want to start with anything exposed to the open Internet, including VPN, Email, SharePoint, etc. But then make sure to roll out controls to administrative systems, network devices, SIEM, domain administrator accounts, etc. In addition to MFA, you’ll want to really examine your password policy and consider increasing the minimum length requirement. We talk about some considerations here and here.
That was a ton of information for one blog. The “medium” level for your organizational security program’s maturity could consist of many years of improvements. A lot of these items aren’t cheap, many take a lot of resources, and others will require political backing at the top level of the business. But no one said building a security program would be easy!