
Back to basics: top five tips for boosting your security posture

Mahmoud Mounir, Secureworks

Mahmoud Mounir, regional director, Secureworks MEA, shares insights into the fundamental cybersecurity aspects that organisations should keep in mind.

Cybercriminals keep returning to the tactics they know will work, because many organisations still struggle with the basics of cybersecurity, according to Secureworks’ 2019 Incident Response Insights Report.

Here are five recommendations that organisations should focus on to improve their security posture:

  1. Choose a framework

It is easy for an organisation to examine each incident and its root-cause analysis in isolation and build point-in-time fixes for the issues found. Building the security programme around an existing industry-standard framework instead means the organisation addresses gaps across the whole environment, not just the systems that have already been compromised. There are many frameworks to choose from; the CIS Controls are a practical, pragmatic choice with straightforward, prioritised guidance for defenders.

  2. Implement multifactor authentication (MFA)

The single most common and effective recommendation for improving an organisation’s security posture is to require MFA on every externally facing service. Everything reachable from the Internet, including cloud applications such as Office 365/Outlook, external VPNs and SSO pages, should require a one-time password (OTP) in addition to the user’s regular password. The OTP can come from a physical token or an authenticator app. An OTP delivered by SMS is weaker, since SIM swapping and interception of the message can defeat it, and some standards (NIST SP 800-63B among them) restrict its use, but it is still better than a password alone. The requirement should apply to every account without exception, and above all to senior managers and to the suppliers and vendors who need access to the organisation’s systems.

  3. Increase visibility

Incident response is often hampered by a lack of visibility into the environment: either the historical logs that would let defenders piece together what happened are missing, or there are no suitable tools to monitor for ongoing threat actor activity. Organisations should check that logging policies capture useful data (authentication events, process execution, network connections) and retain it long enough to cover the time between compromise and discovery, which can be weeks or months. Endpoint monitoring tools are essential for detecting suspicious activity after other controls have been evaded.
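As an added example (not from the article or from Secureworks), here is a Python check of two things the paragraph calls for: whether the logs actually retained for each source cover the required retention period, and whether any source has gone quiet, which is how a broken log forwarder or a disabled audit policy usually shows up in an investigation. The syslog-style input, the host names and the 90-day retention and 6-hour silence thresholds are all constructed for the example.

```python
"""Check that retained logs really cover the retention window and that no log
source has gone quiet.  Added example; all input below is constructed."""
import re
from datetime import datetime, timedelta

# syslog-style line: ISO timestamp (UTC), source host, message
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (?P<host>\S+) (?P<msg>.*)$")


def parse_events(lines):
    """Map host -> list of event timestamps; lines that do not parse are skipped."""
    events = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            events.setdefault(m["host"], []).append(ts)
    return events


def audit_log_coverage(lines, now, required_retention, max_silence):
    """Per host: how far back retained data goes, whether that meets policy, and
    every silence longer than max_silence (including a source that stopped
    sending and never came back)."""
    report = {}
    for host, stamps in parse_events(lines).items():
        stamps.sort()
        oldest, newest = stamps[0], stamps[-1]
        gaps = [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_silence]
        if now - newest > max_silence:
            gaps.append((newest, now))  # still silent at the time of the check
        report[host] = {
            "oldest": oldest,
            "retained_days": (now - oldest).days,
            "meets_retention": now - oldest >= required_retention,
            "gaps": gaps,
        }
    return report


def missing_sources(expected_hosts, report):
    """Hosts that should be logging but have not sent a single event."""
    return sorted(set(expected_hosts) - set(report))


def constructed_sample(now):
    """Synthetic lines, one event every 4 hours.  dc01: 100 days, steady.
    web01: only 10 days retained.  fw01: 100 days, but silent for 3 days
    starting 40 days ago (e.g. forwarding broke and nobody noticed)."""
    lines = []

    def emit(host, start, end, msg, every=timedelta(hours=4)):
        t = start
        while t <= end:
            lines.append(f"{t:%Y-%m-%dT%H:%M:%S}Z {host} {msg}")
            t += every

    emit("dc01", now - timedelta(days=100), now, "EventID=4624 logon")
    emit("web01", now - timedelta(days=10), now, "GET /login 200")
    outage = now - timedelta(days=40)
    emit("fw01", now - timedelta(days=100), outage, "deny tcp")
    emit("fw01", outage + timedelta(days=3), now, "deny tcp")
    return lines


def run_check(now=None):
    """Run the audit over the constructed sample with the example thresholds."""
    now = now or datetime(2019, 4, 30)
    return audit_log_coverage(constructed_sample(now), now,
                              required_retention=timedelta(days=90),
                              max_silence=timedelta(hours=6))


if __name__ == "__main__":
    report = run_check()
    for host, r in sorted(report.items()):
        gaps = [(str(a), str(b)) for a, b in r["gaps"]]
        print(f"{host}: {r['retained_days']}d retained, "
              f"policy met={r['meets_retention']}, gaps={gaps}")
    print("never seen:", missing_sources(["dc01", "web01", "fw01", "vpn01"], report))
```

Against the constructed data the check reports web01 as failing the 90-day policy, fw01 as having a three-day hole in March, and vpn01 as a source that has never logged at all; the last two are exactly the conditions an incident responder discovers far too late without such a check.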

  4. Address people and processes

Technology alone cannot address every cybersecurity risk. Business email fraud, where attackers use forged or compromised email to redirect payments, is a good example of how people and processes play a starring role in either increasing or reducing risk.

Organisations should establish a finance process that requires multiple approvals for transactions, out-of-band confirmation (a phone call to a number already on file, not a reply to the email) of any change to bank account details, and no routine exceptions for “urgent” requests from senior management, since urgency is exactly what the fraudster relies on.

  5. Use exercises to understand and improve security posture

Tabletop exercises benefit organisations at every stage of maturity. The scenarios and the discussion they prompt help participants understand their own environment, and involving stakeholders from legal, public relations and other groups across the organisation gives insight into what data is and is not important, and why.

Common gaps identified through incident response tabletop exercises are:
  • Misalignment of playbooks (e.g., internal CERT and Executive Crisis Team)
  • Lack of communication plan within the incident response plan
  • Inability to determine what data is or is not important, and why
  • Unclear roles and responsibilities
  • Employee susceptibility to social engineering
  • Gaps in basic hygiene