The last time we looked at how Critical Security Controls (CSC) can help you build your InfoSec framework, we covered getting a handle on your software and your hardware inventories. Today, we're going to discuss the importance of continually assessing and remediating vulnerabilities, keeping a tight control of administrative privileges, and monitoring your audit logs. These concepts are encapsulated in CSCs 4, 5, and 6.
You should develop stringent policies, consider devoting resources to properly circulating them and educating employees, and continually measure their effectiveness, making changes wherever necessary.
Critical Control 4 - Continuous Vulnerability Assessment and Remediation
New vulnerabilities emerge every day. If you aren't continually scanning for them, then cybercriminals have an advantage they can exploit. The idea that you can put security in place and then rest on your laurels is dangerous. Identifying vulnerabilities is not enough, you also have to take action.
If you don't find and deal with vulnerabilities, then you're a sitting duck, when you really want to be a moving target.
It takes organizations 176 days on average to remediate a vulnerability, but it only takes a cybercriminal an average of 7 days to exploit it, according to NopSec's 2015 State of Vulnerability Risk Management report. It's vital to root out vulnerabilities and be proactive about addressing them, or you will be compromised.
Think about the following:
- Automated real-time vulnerability scanning with intelligence updates.
- Automated patch management for all software.
- Compare results to confirm vulnerabilities have been patched.
You will also need to consider patch evaluation in a test environment to ensure business functions aren't going to be adversely impacted. In some cases, alternative countermeasures to deal with a vulnerability might be necessary. It can also be a good idea to phase your patch rollouts to minimize disruption and prioritize patches for the riskiest vulnerabilities.
Critical Control 5 - Controlled Use of Administrative Privileges
The weakest link in your defenses is very often your employees. Verizon's 2015 Data Breach Investigations Report revealed that more than two-thirds of cyber-espionage incidents are a result of phishing scams. It's much easier for cybercriminals to get around your defenses by hacking passwords or tricking employees with administrative privileges into unwittingly downloading malware. You can stop insider attacks with the right tools, but it pays to tighten your policy in general.
- Minimize administrative privileges.
- Validate accounts and make sure privileges have been authorized.
- Enforce usage of complex passwords and make sure they're encrypted.
- Flag new accounts and login attempts.
Keeping tight control over administrative privileges can drastically reduce the risk of a data breach.
Critical Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs
If you don't maintain a system of audit logs, you may not even be able to determine when you've been attacked. According to the 2015 Trustwave Global Security Report only 19% of data breaches in 2014 were detected by the victim organization. It's not unusual for companies to collect logs but never check them, leaving breaches undetected for months. Many companies keep records in order to tick a compliance box, but if you don't monitor and analyze them thoroughly, then they aren't doing their job.
- You need at least two synchronized time sources for consistent timestamps.
- Audit logs should be validated and recorded in a standardized format.
- Make sure you have storage space and retain logs for a decent length of time.
- Consider using separate logging servers to prevent attackers manipulating logs.
- Collect, aggregate, and analyze logs regularly.
Proper analysis will help you to detect, understand, and recover from an attack.
Measure your effectiveness
When you're trying to monitor vulnerabilities, privileges, and logs in real-time, you'll often rely upon automated software systems to gather the data you need and flag any potential issues. Make sure that you test their effectiveness regularly. Dummy attacks can help you to identify weaknesses and flaws in your defenses.
Time is of the essence. The faster you remediate vulnerabilities, identify suspicious behavior, and uncover attacks, the better. You should set benchmarks for performance and put metrics in place, so that you can ensure your security performance is actually meeting expectations. Keep working to improve that performance and you can make life untenably difficult for would-be attackers.
The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.
This article is published as part of the IDG Contributor Network. Want to Join?