The modern IT landscape is changing daily. Cloud applications, bring-your-own-device (BYOD) policies, virtual systems and portable devices for telecommuting are added and removed from networks every day, every hour. How can you keep up with the changing environment? How can you tell if your information security policy is robust enough to protect agency data and assets?
Many agencies must comply with multiple cybersecurity standards for guidance in implementing a security policy. Frameworks such as the National Institute of Standards and Technology Cybersecurity Framework and the 20 Critical Security Controls provide comprehensive details about best practices and compliance requirements to help agencies thwart malicious attacks. But sometimes the standards can seem overly complex. And when you must comply with multiple standards, it can be challenging to identify the mutual requirements.
Tenable’s strategists examined some of the most popular standards to identify the critical cyber controls, a set of common elements shared across the standards that represent the top five best practices. If you implement or harden a security policy based on these critical cyber controls, you will be complying with the most important requirements of standards such as NIST, payment card industry, Health Insurance Portability and Accountability Act and North American Electric Reliability Corporation.
1. Track your authorized inventory of hardware and software. Before you can prevent or monitor malicious cyber activity, you must know what technologies, both hardware and software, are used by employees. And these days, most IT environments include cloud services, virtual machines, unknown endpoints and BYOD portable devices which are not procured by the agency. Any of these technologies may or may not be authorized by the IT department.
To discover and monitor all devices and assets, you should scan the environment both actively and passively. Agencies that only scan periodically or deploy single discovery technologies may completely miss transient virtual systems or mobile devices.
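As an added illustration of why a single, periodic discovery method is not enough (example code written for this page, not Tenable's product code), the following merges two weekly active scans with passive sightings captured between them and compares the result with the authorized inventory; all MAC addresses, dates and asset types are constructed.

```python
"""Added example (not Tenable's code): reconcile periodic active scans and
passive sightings against an authorized inventory. All data is constructed."""
from datetime import datetime

# Constructed authorized inventory: MAC address -> asset type
AUTHORIZED = {
    "00:11:22:33:44:01": "file-server",
    "00:11:22:33:44:02": "workstation",
    "00:11:22:33:44:03": "laptop",    # authorized, but powered off during both scans
    "00:11:22:33:44:04": "printer",   # in inventory, never observed on the wire
}
# Constructed weekly active scans: scan date -> MACs that answered
ACTIVE_SCANS = {
    datetime(2015, 3, 2): {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    datetime(2015, 3, 9): {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}
# Constructed passive sensor sightings between the scans: (time, MAC)
PASSIVE_SIGHTINGS = [
    (datetime(2015, 3, 4, 10, 0), "00:11:22:33:44:01"),
    (datetime(2015, 3, 4, 11, 5), "00:11:22:33:44:03"),
    (datetime(2015, 3, 4, 14, 30), "00:11:22:33:44:99"),  # transient VM, gone by next scan
    (datetime(2015, 3, 5, 9, 15), "00:11:22:33:44:77"),   # unknown BYOD device
]

def reconcile(authorized, active_scans, passive_sightings):
    """Per MAC: whether it is authorized and which discovery methods saw it."""
    active_seen = set().union(*active_scans.values())
    passive_seen = {mac for _, mac in passive_sightings}
    report = {}
    for mac in active_seen | passive_seen | set(authorized):
        report[mac] = {
            "authorized": mac in authorized,
            "active": mac in active_seen,
            "passive": mac in passive_seen,
        }
    return report

def passive_only(report):
    """Assets that periodic active scanning alone would have missed."""
    return sorted(m for m, r in report.items() if r["passive"] and not r["active"])

def unauthorized(report):
    """Assets observed on the network that are not in the inventory."""
    return sorted(m for m, r in report.items()
                  if (r["active"] or r["passive"]) and not r["authorized"])

def never_seen(report):
    """Inventory entries no method observed; candidates for inventory cleanup."""
    return sorted(m for m, r in report.items()
                  if r["authorized"] and not (r["active"] or r["passive"]))
```

Run against the constructed data, the laptop and the two unknown devices appear only in the passive view, which is exactly the gap a scan-only approach leaves.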
2. Continuously remove vulnerabilities and misconfigurations. A day doesn’t go by without news of a new vulnerability or data breach. Agencies must implement procedures to remove or mitigate vulnerabilities as they are discovered. Optimum procedures include:
Apply continuous network monitoring technology rather than scanning periodically (e.g., weekly or monthly). Continuous network monitoring continually discovers, assesses, and then reports on every component against a security policy.
Audit and apply configuration changes to limit malicious exploits.
Apply patches to remove vulnerabilities proactively. Organize technologies by asset type (e.g., operating systems, software applications, Internet-facing devices, cloud services, etc.) and then for each type, define a realistic timeframe for patching vulnerabilities.
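The three procedures above, carried through as one added worked example (not Tenable's code): findings are checked against a per-asset-type patch window and observed settings against a configuration baseline, which is the kind of policy check a continuous monitoring cycle would repeat on every assessment. The windows, finding identifiers (VULN-A and so on), hostnames and settings are constructed placeholders.

```python
"""Added example (not Tenable's code): evaluate open findings against
per-asset-type patch windows and a configuration baseline. Constructed data."""
from datetime import date

# Constructed policy: maximum days allowed to patch, by asset type
PATCH_WINDOW_DAYS = {
    "internet-facing": 7,
    "operating-system": 30,
    "application": 45,
    "cloud-service": 14,
}
# Constructed configuration baseline: setting -> required value
CONFIG_BASELINE = {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no"}
# Constructed open findings (VULN-* are placeholder identifiers)
FINDINGS = [
    {"asset": "web01", "type": "internet-facing", "id": "VULN-A", "found": date(2015, 3, 1)},
    {"asset": "db01", "type": "operating-system", "id": "VULN-B", "found": date(2015, 2, 20)},
    {"asset": "app02", "type": "application", "id": "VULN-C", "found": date(2015, 3, 10)},
]
# Constructed configuration observed on each asset
OBSERVED_CONFIG = {
    "web01": {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no"},
    "db01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no"},
}

def overdue_findings(findings, today, windows=PATCH_WINDOW_DAYS):
    """(asset, finding id, days past window) for findings open longer than allowed."""
    result = []
    for f in findings:
        age = (today - f["found"]).days
        window = windows[f["type"]]
        if age > window:
            result.append((f["asset"], f["id"], age - window))
    return result

def config_deviations(observed, baseline=CONFIG_BASELINE):
    """(asset, setting, observed value, required value) for every setting off baseline."""
    return [(asset, key, value, baseline[key])
            for asset, cfg in sorted(observed.items())
            for key, value in sorted(cfg.items())
            if key in baseline and value != baseline[key]]

def policy_report(today):
    """Combined view a monitoring cycle would publish: overdue patches plus config drift."""
    return {"overdue": overdue_findings(FINDINGS, today),
            "deviations": config_deviations(OBSERVED_CONFIG)}
```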
NIST defines continuous network monitoring as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” Continuous network monitoring provides the best method of monitoring the health of your network. By continually scanning 24/7 both actively and passively, you give yourself every opportunity to proactively uncover and mitigate weaknesses.
3. Network security should be a daily habit to stem the tide of vulnerabilities. For each asset type, deploy one or more mitigating technologies to prevent or detect malicious activity. For example, host-based technologies include anti-virus software, application whitelisting and system monitoring; network-based technologies include activity monitoring, intrusion prevention and access control. Since cloud technologies are an evolving field, auditing them can be a challenge. But you can audit many cloud applications through application programming interfaces (APIs); you can detect attacks with threat intelligence subscriptions; you can also track cloud usage through network and endpoint system monitoring.
4. Give users access to only what they need. Following the principles of least privilege and need to know, all network users should have access only to the data, systems, and applications they need to do their jobs. Limit administrative privileges, avoid using default accounts, enforce strong password creation, and keep comprehensive logs for forensics. Users who have access to systems they don't need represent a serious risk to your agency. If a user account or system is compromised, an attacker can leverage those compromised credentials to reach other sensitive systems.
Knowing which users have access to specific assets can help address many other tough issues, such as:
Removing or revoking accounts after a person is no longer with a project or your agency;
Proving to auditors that you are compliant with regulations which require strong user access auditing;
Investigating systems that may be compromised after a user account is compromised;
Contacting system administrators and end users who have security issues on their assets.
Deploy multiple technologies to determine active user accounts, such as authentication logging and network protocol analysis.
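To show how authentication logging answers the questions in the list above (which accounts are still active, which access is no longer needed), here is an added example, not Tenable's code, that parses constructed syslog-style authentication lines, records the last successful login per user and system, and compares that with a constructed table of granted access. The log format, usernames and hostnames are assumptions.

```python
"""Added example (not Tenable's code): cross-check granted access against
authentication logs to find unused entitlements and dormant accounts."""
import re
from datetime import datetime, timedelta

# Constructed entitlements: user -> systems the user may log into
ENTITLEMENTS = {
    "alice": {"fileserver", "hr-db", "vpn"},
    "bob": {"fileserver", "hr-db", "vpn"},   # hr-db access granted but never used
    "carol": {"hr-db"},                      # left the project; account never removed
}
# Constructed syslog-style authentication records: time host program: message
AUTH_LOG = """\
2015-03-10T08:02:11 fileserver sshd: Accepted publickey for alice
2015-03-10T08:05:40 vpn openvpn: user bob authenticated
2015-03-11T09:12:03 fileserver sshd: Accepted password for bob
2015-03-12T17:45:22 vpn openvpn: user alice authenticated
2015-03-12T18:01:09 hr-db pgsql: connection authorized: user=alice
"""
# Timestamp, host, then the username after "for " or "user=" / "user "
LINE_RE = re.compile(r"^(\S+) (\S+) .*?(?:for |user[= ])(\w+)")

def parse_auth_log(text):
    """Return {user: {system: last successful login time}}."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognized record; a real deployment would count these
        ts, system, user = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        prev = seen.setdefault(user, {}).get(system)
        if prev is None or ts > prev:
            seen[user][system] = ts
    return seen

def unused_entitlements(entitlements, seen):
    """(user, system) pairs granted but never exercised in the log window."""
    return sorted((u, s) for u, systems in entitlements.items()
                  for s in systems if s not in seen.get(u, {}))

def dormant_accounts(entitlements, seen, now, days=30):
    """Users with no successful login in the last `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted(u for u in entitlements
                  if not seen.get(u) or max(seen[u].values()) < cutoff)
```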
5. Search for malware and intruders. Even after you implement these four controls, there is no guarantee that a determined hacker, a malicious insider or a simple mistake won’t lead to a compromise. The first four cyber controls make the search for malicious activity much easier, since they create many barriers for adversaries to hurdle. These days, it’s not a question of if you will be attacked, but when. Attackers are acquiring new technologies every day; we have to stay one step ahead of them. Without specific activities that search for and identify malicious behavior, your agency’s cybersecurity is left to chance and luck. One of the best ways to search for suspicious activity is to deploy a continuous network monitoring solution.
Do it now! Are you doing all of this? When you implement the Five Critical Cyber Controls, you can rest assured that your agency is protected. Take it one step at a time; build up your layers of defense, then fortify the five controls with specific requirements from a source like NIST 800-53.
Continuous network monitoring solutions are available from several security vendors. Continuous monitoring uncovers gaps and blind spots in security defenses to help you address both known and unknown weaknesses, to mitigate the chances of exploitation now and in the future.
Comprehensive cybersecurity takes time, a careful plan and multiple technologies. Don’t get overwhelmed by hundreds of requirements; concentrate on the most important controls first for a secure foundation.
Ron Gula is the CEO of Tenable Network Security. He serves on the Advisory Board for the University of Maryland Cybersecurity Center. He was also appointed to the National Cybersecurity Science, Technology, Engineering and Mathematics (STEM) Education Advisory Board as part of the National Initiative for Cybersecurity Education (NICE). Ron started his career in information security at the National Security Agency conducting penetration tests of government networks and performing advanced vulnerability research.