Cybersecurity Best Practices

by James G. Barr

Docid: 00021386

Publication Date: 2206

Report Type: TUTORIAL

Preview

“Cybersecurity” refers to the technical and business practices
designed to protect digital information and digital information systems
from attack via the Internet or other extra-enterprise network. As the
principal means of defense against threats such as identity theft and
ransomware, both public and private sector entities are scrambling to
develop and implement effective cybersecurity strategies. This “all hands
on deck” approach involves ordinary citizens, enterprise IT and security
departments, legislatures, standards bodies, and government agencies. This
report is concerned with cybersecurity as practiced by enterprises.

Executive Summary

The term cybersecurity refers to the technical and business practices
designed to protect digital information and digital information systems
from attack via the Internet or other extra-enterprise network.

A subset of information security, cybersecurity practices were first
conceived and developed in the 1990s to counter the effects of “hacking”
in which small groups or even individuals would exploit the
vulnerabilities of the Internet and Microsoft Windows to penetrate
enterprise networks and data stores with the intention of stealing money
or disrupting enterprise operations.

In the several decades since, cyber attacks have increased in number and
severity, including attacks aimed at identity theft, industrial espionage,
and the destruction of critical infrastructure. As the target
populations have expanded, so have the ranks of the perpetrators, which
now include criminal gangs and foreign governments.

While it may be difficult, if not impossible, to detect and deter all
cyber incursions – particularly considering that many attacks are
state-sponsored – enterprise officials are obliged as part of their
fiduciary duties to take all reasonable actions to prevent or mitigate
cyber threats, consistent with enterprise best practices and all relevant
security and privacy laws, regulations, standards, and guidelines.

This report identifies cybersecurity best practices from an enterprise
viewpoint.

Top Technical Best Practices


Apply Vendor-Supplied Patches

Most enterprise networks are protected by an array of firewalls,
intrusion prevention systems, anti-virus applications, content filtering
programs, and other cybersecurity measures – which taken together enable
“defense in depth.”

Unfortunately, this strategy is subverted when vendor-supplied patches
and security updates are not installed on a timely basis. Patches
should be promptly evaluated when received and implemented as prescribed,
except, of course, when a particular patch or update might cause
non-security-related operational problems – a situation which should
rarely manifest.

Utilize Data Encryption

The next best thing to preventing a cyber attack is to render any
captured data useless through encryption. Perhaps the most potent of
all cybersecurity countermeasures, encryption is available even to small
enterprises.

Perform Penetration Tests

To help determine the effectiveness of enterprise cybersecurity controls,
the Security department should recruit “ethical hackers” to probe
enterprise defenses. These individuals, who possess the same skills
as malevolent hackers, can attempt to compromise the enterprise network,
logging and reporting any exposures they discover. Security can then
remediate these vulnerabilities before they’re uncovered by real cyber
attackers.

Preserve Forensic Evidence

While preventing or mitigating a cyber attack is “job one,” job two
is identifying, apprehending, and successfully prosecuting the
offender. With respect to prosecution, the Security department should
make every effort to preserve the cyber crime scene and collect
“admissible” cyber evidence. Digital forensics is a
highly-specialized field, but it may be worth the investment to train one
or two enterprise security staffers in forensic procedures. As an
alternative, the enterprise could place a respected – and certified –
third-party forensics firm on retainer.

Exchange Threat Intelligence

Cyber attacks represent a common threat to enterprise interests and, as
such, enterprises should pool their cybersecurity knowledge for their
mutual protection.

According to US federal officials, “Organizations should move from
informal, ad hoc, reactive cybersecurity approaches where the organization
operates in isolation to formal, repeatable, adaptive, proactive,
risk-informed practices where the organization coordinates and
collaborates with partners.

“Through sharing, an organization benefits from the collective resources,
capabilities, and knowledge of its sharing peers. When sharing threat
intelligence, organizations have the opportunity to learn from each other;
gain a more complete understanding of an adversary’s tactics, techniques,
and procedures; craft effective strategies to protect systems; and take
action, either independently or collectively (i.e., as a sharing
community) to address known threats.”1

Perform Regular Backups

Nothing is more fundamental to cybersecurity than the ability to recover
data that is lost, stolen, or compromised due to a cyber attack. All
enterprise data, regardless of type, value, or location, should be
routinely encrypted and dispatched to a secure offsite location.

Implement Multi-factor Authentication

Multi-factor authentication is a method of access control in which more than
one method of authentication is required to securely verify an individual’s
identity. It can be used for controlling physical access to a secure
facility or logical access to a computing device.

Authentication factors are typically divided
into three categories:

  • Something you know, like a password or PIN.
  • Something you possess, like an access card.
  • Something you are, like a biometric identifier, usually a
    finger, iris, face, or voice scan.

Adopt the NIST Cybersecurity Framework

Every day, hackers and other computer criminals – some state-sponsored –
attempt to penetrate enterprise information systems with the aim of
stealing or compromising the integrity of sensitive data, particularly the
personally identifiable information (PII) belonging to employees and
customers. To help prevent or at least mitigate the impact of cyber
crimes, the US National Institute of Standards and Technology (NIST) has
provided a “Framework for Improving Critical Infrastructure
Cybersecurity.”2

Recognizing that cybersecurity resources are limited, the Framework
“focuses on using business drivers to guide cybersecurity activities.” The
goal is to identify and prioritize business objectives, thus enabling
enterprise security officials to concentrate their cybersecurity measures
and countermeasures on those areas most essential to enterprise success.

According to NIST, the Framework, which is offered free of charge,
provides a “common taxonomy and mechanism” for enterprises to:

  1. Describe their current cybersecurity posture.
  2. Describe their target state for cybersecurity.
  3. Identify and prioritize opportunities for improvement within the
    context of a continuous and repeatable process.
  4. Assess progress toward the target state.
  5. Communicate among internal and external stakeholders about
    cybersecurity risk.

The Framework is logically divided into five basic functions as depicted
in Figure 1:

  • Identify critical enterprise infrastructure
  • Protect critical enterprise infrastructure
  • Detect potential cyber events
  • Respond to cyber events
  • Recover from cyber events

Figure 1. NIST Cybersecurity Framework

Source: NIST

Focus on the Cyber “Elephant in the Room”

At least for now, that’s “ransomware”. Ransomware is a type of malware
that deprives users of access to their computer systems or data until a
ransom is paid. An attacker’s typical modus operandi is to:

  • Encrypt a victim’s sensitive files,
  • Demand a ransom from the victim for releasing those files, and
  • Provide the victim with a decryption key if and when the ransom is
    paid.

Since ransomware is today’s number one cyber threat – and the most likely
cause of cyber attack-induced business failure – the enterprise chief
security officer, working in cooperation with the enterprise chief
executive officer, should devise a specific strategy for managing and
mitigating a possible, even likely, ransomware attack.

To begin, the US National Institute of Standards and Technology (NIST)
has released a series of “tips and tactics for dealing with ransomware.”3

  1. Use antivirus software at all times – and make sure it’s set up to
     automatically scan your emails and removable media (e.g., flash drives)
     for ransomware and other malware.
  2. Keep all computers fully patched with security updates.
  3. Use security products or services that block access to known
     ransomware sites on the internet.
  4. Configure operating systems or use third-party software to allow only
     authorized applications to run on computers, thus preventing ransomware
     from working.
  5. Restrict or prohibit use of personally owned devices on your
     organization’s networks and for telework or remote access unless you’re
     taking extra steps to assure security.
  6. Use standard user accounts instead of accounts with administrative
     privileges whenever possible.
  7. Avoid using personal applications and websites such as email, chat and
     social media on work computers.
  8. Avoid opening files, clicking on links, etc. from unknown sources
     without first checking them for suspicious content. For example, you
     can run an antivirus scan on a file, and inspect links carefully.
  9. Develop and implement an incident recovery plan with defined roles and
     strategies for decision making.
  10. Carefully plan, implement and test a data backup and restoration
     strategy. It’s important not only to have secure backups of all your
     important data but also to make sure that backups are kept isolated so
     ransomware can’t readily spread to them.
  11. Maintain an up-to-date list of internal and external contacts for
     ransomware attacks, including law enforcement.

Top Business Best Practices


Budget for Cyber Excellence

When formulating a security budget, always set aside sufficient funds
for:

  • Recruiting and retaining certified cybersecurity professionals.
  • Training in-house personnel on the latest cyber attack vectors and
    techniques, methods for preventing or mitigating cyber attacks, and
    formulas for measuring the success of cybersecurity initiatives.
  • Engaging ethical hackers and other outside experts.
  • Upgrading hardware and software systems to vendor-supported levels.
  • Implementing new cybersecurity technologies like multi-factor
    authentication.

Limit Access to Sensitive Data

Cyber attacks are often perpetrated using stolen credentials. To
help prevent the theft or misappropriation of confidential or proprietary
data, employee access to sensitive data should be provisioned on a “need
to know” basis. Operate on the principle of “least privilege” when
allocating access to sensitive data, particularly personally identifiable
information (PII).

Preach Acceptable Computer Use

While acceptable computer use is usually codified in an enterprise policy
(of the same name) – and discussed during “Security Awareness” classes and
new employee orientation sessions – enterprise security officials should
ensure that all employees know what is unacceptable, either through
periodic memos, wall signs, social media posts, or whatever mechanism is
most effective for communicating with a given group of employees.

As to the essentials:

  • Do NOT open e-mail attachments except from trusted sources.
  • Similarly, do NOT click on embedded web links supplied by unknown
    parties.
  • Do NOT install third-party software without prior IT approval. Better
    yet, do NOT install third-party software.
  • Do NOT venture to unknown or suspicious websites. Do your homework
    before entering a foreign URL.
  • Do NOT conduct enterprise business over public, unsecured Wi-Fi
    networks.

While well-trained employees can form an enterprise’s first line of
defense, analyst Matt Zanderigo advocates a “trust but verify” approach to
employee cybersecurity compliance featuring user activity monitoring,
which “allows [an enterprise] to monitor users to verify that their
actions meet good security practices. If a malicious outsider gains access
to their log-in information – or if an insider chooses to take advantage
of their system access – [the enterprise] will be immediately notified of
the suspicious activity.”4

Explain “Social Engineering” and Its Consequences

Within the context of cybersecurity, the phenomenon of “social
engineering” is often discussed but seldom explained. Basically,
social engineering is any attempt to compromise enterprise information or
information systems by manipulating employees or other insiders.

According to NIST, social engineering usually works like this. “The
social engineer researches the organization to learn names, titles,
responsibilities, and publicly available personal identification
information. Then the social engineer usually calls the
organization’s receptionist or help desk with a believable, but made-up
story designed to convince the person that the social engineer is someone
in, or associated with, the organization and needs information or system
access which the organization’s employee can provide and will feel
obligated to provide.

“To protect against social engineering techniques, employees must be
taught to be helpful, but vigilant when someone calls in for help and asks
for information or special system access. The employee must first
authenticate the caller by asking for identification information that only
the person who is in or associated with the organization would know. If
the individual is not able to provide such information, then the employee
should politely, but firmly refuse to provide what has been requested by
the social engineer.

“The employee should then notify management of the attempt to obtain
information or system access.”5

Build In Cybersecurity

It is axiomatic within the security community that cybersecurity is best
when built into information systems, not added on. In that spirit,
cybersecurity should be incorporated into the enterprise software
development lifecycle (SDLC).

To that end, the software development industry is expanding its “DevOps”
practices, which combine software development with IT operations, to
insert a third crucial element, security; thus creating “DevSecOps”. The
intent is to integrate security design (such as implementing wide-scale
data encryption) and security testing (like conducting QA-administered
functionality and performance exercises) into both software development
and operations; in effect, building security into the entire SDLC.

Create an Actionable Incident Response Plan

As enterprise officials are acutely aware, even the best cyber defenses
can be breached. Recognizing that reality, officials should assemble
a Cyber Crisis Management Plan which addresses:

  • Victim response
  • Incident reporting (starting with law enforcement)
  • Media management (particularly for high-profile incidents)
  • Continuous post-incident monitoring to ensure the attack has been
    repelled
  • Post-mortem-style review to identify and reflect upon lessons learned

Purchase Cyber Insurance

To help compensate for financial losses due to cyber attacks, purchase
cyber insurance. When evaluating prospective providers’ policies, be sure
to read all the policy provisions and exclusions to determine what’s covered
and what’s not covered.

Top Personnel Best Practices


Appoint a Chief Cybersecurity Officer (CCSO)

As with any major enterprise initiative, cybersecurity requires C-Level
visibility and accountability. Enlisting a senior executive to manage
cybersecurity operations will ensure that cybersecurity receives adequate
attention and, just as importantly, sufficient resources, especially in an
economic environment where operational cutbacks are common.

Conduct Extensive Background Checks on New IT/Security Hires

Although it’s difficult to safeguard enterprise information and
information systems from attackers positioned “beyond the firewall,” it’s
virtually impossible to curtail attacks launched by enterprise insiders.

While all prospective employees should be subjected to comprehensive
background checks, candidates for IT and Security jobs should receive
special scrutiny.

Support Cyber Education for Security Staffers

Ideally, each Security department
analyst should possess one or more cybersecurity credentials, such as the
Certified Information Systems Security Professional (CISSP).

Administered by (ISC)², formerly the International Information
System Security Certification Consortium, the CISSP is, perhaps, the most
highly acclaimed certification for information security professionals
seeking a better understanding of cybersecurity strategy and
implementation. Candidates must pass an exam and have at least “five years
of cumulative, paid work experience” in two or more of eight security
domains. These domains and their percent weight on the CISSP exam are as
follows:

  1. Security and Risk Management – 15 percent
  2. Security Architecture and Engineering – 13 percent
  3. Communication and Network Security – 13 percent
  4. Identity and Access Management (IAM) – 13 percent
  5. Security Operations – 13 percent
  6. Security Assessment and Testing – 12 percent
  7. Software Development Security – 11 percent
  8. Asset Security – 10 percent

CISSP is DoD approved, complies with ISO 17024, and is the most required
security certification on LinkedIn.

For its part, the Security department should encourage analysts to pursue
certification, offering financial and other support as needed.

Engage Employees in Cybersecurity Planning Efforts

When fashioning cybersecurity plans, it is useful to get the perspective
of all stakeholders. Since implementing an effective cybersecurity
program will require employee cooperation, employees should participate in
cybersecurity planning. Such collaboration can generate useful
insights into how employees:

  • Are impacted by cyber attacks.
  • Avoid social engineering schemes.
  • Adhere to enterprise security policies, like Acceptable Use.
  • Understand their responsibility to protect enterprise assets from
    external and internal threats.

More importantly, enterprise officials can assess whether their employees
are part of the proverbial problem or part of the solution and plan in
accordance with those findings.

Adopt a Zero Tolerance Approach to Insider Attacks

Employees should be informed that those who commit a cyber crime,
conspire to commit a cyber crime, or willfully ignore evidence of a cyber
crime will be immediately terminated and recommended for prosecution (as
appropriate). In other words, one cyber strike and you’re out!

Recommendations


Implementing cybersecurity best practices requires planning and
resources. It is, therefore, prudent to prioritize best practices
according to:

  • Which practices are likely to produce the best results in a given
    enterprise environment.
  • Which practices can be employed in a reasonable timeframe and at
    reasonable expense.

As a means of securing executive buy-in, the chief security or
cybersecurity officer should craft a detailed best practices project plan
and submit the plan for C-level endorsement. The plan should include:

  • Specific cybersecurity objectives and timelines.
  • Specific – and tangible – measures of cybersecurity success.
  • Special requirements, such as the assignment of key business and
    technical personnel to cybersecurity project teams.
  • A sufficient budget, which can be easily justified on the basis of
    potential crises averted.

Finally, it is imperative that enterprises reevaluate their cybersecurity
plans on a regular basis to ensure continued plan viability.


Continuity Central: http://www.continuitycentral.com/
International Organization for Standardization: http://www.iso.org/
SANS: http://www.sans.org/
US National Institute of Standards and Technology: http://www.nist.gov/

References

1. Chris Johnson, Lee Badger, and David Waltermire. SP 800-150 (Draft):
“Guide to Cyber Threat Information Sharing (Draft).” US National Institute
of Standards and Technology. October 2014, p. 2.

2. “Framework for Improving Critical Infrastructure Cybersecurity: Version
1.1.” US National Institute of Standards and Technology. April 16, 2018.

3. “NIST Releases Tips and Tactics for Dealing with Ransomware.” US National
Institute of Standards and Technology. May 13, 2021.

4. Matt Zanderigo. “10 Best Practices for Cyber Security in 2016.”
ObserveIT. April 15, 2016.

5. Richard Kissel and Hyunjeong Moon. DRAFT NISTIR 7621, Revision 1: “Small
Business Information Security: The Fundamentals.” US National Institute of
Standards and Technology. December 2014, p. 16.


About the Author


James G. Barr is a leading business continuity analyst
and business writer with more than 40 years’ IT experience. A member of
“Who’s Who in Finance and Industry,” Mr. Barr has designed, developed, and
deployed business continuity plans for a number of Fortune 500 firms. He
is the author of several books, including How to Succeed in Business
BY Really Trying, a member of Faulkner’s Advisory Panel, and a
senior editor for Faulkner’s Security Management Practices.
Mr. Barr can be reached via e-mail at jgbarr@faulkner.com.
