How CSC can help build your InfoSec framework

Critical Security Controls is a set of best practices devised by the Center for Internet Security, a nonprofit dedicated to improving cybersecurity in the public and private sectors.

Cyberattacks are costing businesses between $400 billion and $500 billion per year, depending on which analysts you listen to. Cybersecurity has never been a hotter topic. The market is expected to grow from $106 billion this year to more than $170 billion by 2020, according to Markets and Markets. The average cost of a data breach, by the time you factor in remediation, non-compliance fines, and brand damage, is tough to accurately calculate, but it's high, and it's rising.

The Heartbleed vulnerability was 2014's catastrophic security bug, and it had a wide-reaching impact. But even as companies pour more money into security services and platforms, the exploit still remains on many servers. As the IoT threatens new avenues of risk, the response in the enterprise is mixed, and good practices in some areas are being severely undermined by a casual approach in others.

Building a solid foundation

Just as a house built on sand is not going to last, an InfoSec strategy that lacks a solid foundation is going to fail, no matter how much money you throw at it. We hear plenty about the growth in software vulnerabilities, the rise of malware and ransomware, and the risk of ignoring threats, but what should you be doing?

A great place to start creating your InfoSec framework is with the CIS (Center for Internet Security) Critical Security Controls. This is a recommended set of best practices, put together by government and law enforcement agencies, that focuses on actionable ways to bolster your cyber defenses. You'll find a full explanation at the SANS institute.

Taking any of the 20 actions on the list will have a positive impact on your security status, but the smart move is to work towards fulfilling the full range.

A step in the right direction

These are simple common-sense rules, but you'd be amazed at how often they're overlooked. We don't have time to cover everything in this article, but if we just take a brief look at the first couple of entries on the list, you'll get an idea of the practical advice within.

Critical Control 1 – Inventory of Authorized and Unauthorized Devices

Building a good security foundation is about asking the right questions and identifying gaps in your knowledge. This first control is absolutely fundamental to security, but many organizations will struggle to answer questions like:

  • How many servers do you have in total?
  • How many devices are connected to your network?
  • What about firewalls, switches, and routers?
  • Can you control what joins your network?

There's no way you can have a complete map, or flag potential vulnerabilities, without knowing exactly what hardware you have. An up-to-date, comprehensive hardware inventory is essential.

Critical Control 2 - Inventory of Authorized and Unauthorized Software

You should take this together with the first control and devise a list of authorized software that covers every system and device you're using. You'll need to be able to monitor your software in real-time to validate versions and ensure that unapproved apps are blocked or, at least, flagged.

To ensure vulnerabilities and exploits are dealt with in a timely fashion, you also need to know what operating systems and versions of software are in use, and have a system to flag necessary updates based on new threats as they emerge.

Critical Control 3 - Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

The laptops, computers and other hardware in your office are not secure out of the box. The default configurations for new devices in terms of the operating systems and pre-installed applications are designed for an easy setup, not for security. Common vulnerabilities are well know,n and this makes hardware and software in its default state ripe for exploitation. 

You should develop a security baseline for every software system and create standardized images that are securely stored and deployed through secure channels. It’s also important to validate these configurations and update them on a regular basis to cater for any new vulnerabilities that are discovered. You can find some help getting started with your security baseline by referring to the National Institute of Standards Technology checklist or benchmarks at the Center for Internet Security.

It takes time

As you can see, simply creating an accurate inventory of your hardware and software can be a big undertaking. Rome wasn't built in a day, and you'll find it takes time and resources to build a good InfoSec framework, too. What's important is to formulate a plan that takes a holistic view. Start working through the steps outlined in the Critical Security Controls, and your defense will be strengthened with every step you take.

Whether you're training up a team, hiring a new CISO, or engaging the services of a security consultancy, this list arms you with a solid framework to measure your efforts against. It's invaluable actionable guidance, and it has the potential, not just to improve individual security, but to boost our collective security online. Every business should consider making it a starting point for building that solid security foundation.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.

Copyright © 2015 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)