Monday, June 15, 2015

Essential IT Security - With Minimal Cost

In a recent 2015 article from The Register, the Australian Government was reported to have found breaches on several of their networks, over the past past two years. Despite this, they were confident that no data loss/exfiltration occurred, due to their stringent implementation of the "Top 4 Security Controls" developed by the Australian Signals Directorate.

The "Top 4 Security Controls" are as follows:
  1. Application Whitelisting
  2. Patching Operating Systems
  3. Patching Applications
  4. Minimizing Admin Privileges
The "Top 4 Security Controls" are also aligned with the Cyber-Hygiene Campaign coordinated by the Center for Internet Security (CIS), the Council on CyberSecurity (CCS), and the Governors Homeland Security Advisors Council (GHSAC). The following excerpt explains their campaign:
"[In the Cyber-Hygiene Campaign], the message is simple but powerful: applying just a few basic hygiene behaviors will mitigate the majority of known attack vectors, and by implementing these critical basics, organizations can free up limited resources to focus on more difficult cyber challenges.
These basic behaviors are:
Count: Know what’s connected to and running on your network;

Configure: Implement key security settings to help protect your systems;

Control: Limit and manage those who have admin privileges to change, bypass, or override your security settings;

Patch: Regularly update all apps, software and operating systems; and

Repeat: Regularize the Top Priorities to form a solid foundation of cyber-security for your organization."

These articles highlight the importance of not relying solely on tools and shiny devices. As information security professionals, we need to proactively analyze threats, and implement effective mitigating controls. The above controls help us in achieving this goal, at minimal cost to the business.