Saturday, January 9, 2016

Your security task in 2016

Welcome, welcome, to the year 2016.  As is customary with this time of year, many security companies have published their top-10 lists for upcoming security trends.  You can read the following links for some good insight into the current predictions:

http://www.govtech.com/blogs/lohrmann-on-cybersecurity/the-top-16-security-predictions-for-2016.html

http://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2016

https://blogs.sophos.com/2015/12/11/our-cybersecurity-predictions-for-2016/

Mostly, these top 10 lists end up being an enjoyable read, and nothing more. They contain predictions similar to the following:

1) <<Popular platform/OS>> will be hacked!
2) IoT is really insecure!
3) We hope legislators will finally listen to us and make security a regulation!
4) <<Popular hacking method>> will become more popular!

Don't get me wrong, getting the information out there is important, but I think most readers skip past these.  What do some of these things mean for the average user?

So, I've decided to take a little bit of a different tack and address different user groups and focus on the "thing" or task they should do in 2016.

Individual User

As an individual user, there are two things that I would strongly recommend doing this year.

1) Use Multi-Factor Authentication (MFA)

MFA has come a long way in recent years; many services now let you skip the second factor on devices you have already marked as known, and they are really working out the kinks in the system. Further, for a lot of people, their phone is the center of their universe anyway. Turn on MFA on as many applications as you can. In fact, don't use services that do not allow for MFA.

While this does introduce new problems should your phone get stolen, I feel that overall it is a step in the right direction.
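To make the two ideas above concrete (a time-based second factor, and a "known device" that is allowed to skip the code prompt), here is an added example that is not part of the original post. It implements TOTP as specified in RFC 6238 on top of HOTP (RFC 4226), rejects replay of an already-accepted code, and issues an HMAC-tagged, expiring trusted-device token after a successful second step. The seed and server key are constructed values; the seed is the RFC 6238 reference test secret so the output can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

# Constructed example values (not from the original post), present only so the
# script runs stand-alone. TOTP_SEED is the RFC 6238 Appendix B test secret.
TOTP_SEED = b"12345678901234567890"
DEVICE_KEY = b"constructed-server-side-device-key"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, last_counter, window=1, step=30, digits=6):
    """Accept a code within +/- `window` steps of the current step to allow clock drift,
    but never a step at or below the last accepted one, so a captured code cannot be
    replayed inside its validity window. Returns (ok, new_last_counter)."""
    current = int(at_time) // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), str(code)):
            return True, candidate
    return False, last_counter


def issue_device_token(key: bytes, device_id: str, now: int, ttl: int = 30 * 86400) -> str:
    """After a successful MFA login, mark the device as known: id, expiry, HMAC-SHA256 tag.
    The token is bound to this server's key, so a client cannot mint one itself."""
    if "|" in device_id:
        raise ValueError("device_id must not contain the field separator")
    expires = int(now) + ttl
    payload = f"{device_id}|{expires}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{device_id}|{expires}|{tag}"


def device_is_trusted(key: bytes, token: str, now: int) -> bool:
    """True only if the tag verifies under our key and the token has not expired.
    Expiry limits the damage window if the device (the phone) is stolen."""
    try:
        device_id, expires, tag = token.split("|")
        expires_at = int(expires)
    except ValueError:
        return False
    payload = f"{device_id}|{expires}".encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag) and int(now) < expires_at


def login_second_step(secret, key, now, code=None, device_token=None, last_counter=-1):
    """Second step of a login: a valid trusted-device token skips the code prompt;
    otherwise a fresh TOTP code is required. Returns (ok, last_counter)."""
    if device_token and device_is_trusted(key, device_token, now):
        return True, last_counter
    if code is None:
        return False, last_counter
    return verify_totp(secret, str(code), now, last_counter)


if __name__ == "__main__":
    now = 59  # RFC 6238 vector: counter 1 -> 94287082, i.e. 287082 at six digits
    code = totp(TOTP_SEED, now)
    ok, last = login_second_step(TOTP_SEED, DEVICE_KEY, now, code=code)
    token = issue_device_token(DEVICE_KEY, "laptop-01", now) if ok else None
    print("code", code, "accepted", ok, "token issued", token is not None)
    print("replay accepted:", login_second_step(TOTP_SEED, DEVICE_KEY, now, code=code, last_counter=last)[0])
    print("known device skips code:", login_second_step(TOTP_SEED, DEVICE_KEY, now + 60, device_token=token)[0])
```

Two details matter in practice: the server must persist `last_counter` per user so a code is accepted only once, and the trusted-device token must carry an expiry and be revocable on the server side (for instance by rotating `DEVICE_KEY` or keeping a deny list) so a stolen phone does not stay "known" indefinitely.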

2) Link your accounts with providers such as Google, Facebook, etc.

By linking your accounts on secondary services with one single main provider, you start to reduce the attack surface on your accounts. There are fewer of them, and the one that you choose as your provider can be secured with a strong password and MFA (see 1 above). Further, many of these providers have advanced reporting and alerting to help detect security issues. In a lot of cases these features are free. Use them!

Small / Medium Business (SMB)

Here are a couple things for SMB users to consider this year.

1) Centralize your identities online

The SMB space is heavily reliant on cloud services to run its business. Many even use services such as Box or Dropbox to move files around and host them. My word of advice: centralize access to these systems and create a policy for your employees. From an SMB perspective, your data holds a lot of value to you. Having employees use their own accounts means that you lose control over access to that data. Take that back by using mechanisms such as Azure AD Premium or Google Apps.

2) Push your IT provider on security

Many SMB customers use outsourced IT. Sometimes these are single-person shops, other times they are using a managed service. In both cases, push your provider so that you better understand how they are securing your systems. Some of your questions may include:
  • How am I secured against ransomware?
  • How are passwords managed?
  • What are your on-boarding and off-boarding measures?
  • What type of security software and monitoring is in use on my systems?
At stake is your data and company reputation.  Take charge and ask the right questions to get results.

Enterprises

Ultimately, it is tough to provide enterprises with specific advice as where they are in the spectrum will vary greatly.

1) Have your CISO report directly to the CEO

Risk, and the management thereof, is important. So important that the person responsible for it should have a seat at the big table. Too many times CIOs bury security issues by speaking untruths, cutting budgets, and allowing projects to go forward knowing the security stance is poor. An audit function (generally the security team, when the topic is security) cannot exist as part of the structure it is auditing.

2) Implement one of the first 4 of the SANS Top 20 controls

There may be many gaps in your security posture. It is sometimes really hard to figure out where to start. The right way to do this is to work through the security architecture from top to bottom, making sure that everything maps. While there are quick ways to get this off the ground, generally these tasks take a LONG time to complete. (See the SABSA whitepaper for more.)

For reference, the top 4 are as follows:
  • Inventory of Authorized/Unauthorized Devices
  • Inventory of Authorized/Unauthorized Software
  • Secure Configuration For All Devices
  • Continuous Vulnerability Assessment and Remediation
The core point here is that almost any security mechanism, technology, or protocol that you want to implement WILL require the top 4 to be done in some capacity. That is to say, it will probably leverage the capabilities provided by the above 4 in some way. So get on it.
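The first two controls are the ones later controls lean on most, so here is an added example (not from the original post, and not SANS' or any vendor's tooling) of what the minimum viable version of "inventory of authorized/unauthorized devices and software" looks like in code: reconcile what was actually seen on the network and on hosts against what was authorized, and surface the differences. The DHCP log lines are constructed in dnsmasq's style, and the device inventory, software allowlist and per-host package lists are constructed sample data.

```python
import re

# Constructed sample data (not from the original post).
AUTHORIZED_DEVICES = {              # Control 1: the devices we know about, keyed by MAC
    "aa:bb:cc:00:00:01": "laptop-01",
    "aa:bb:cc:00:00:02": "laptop-02",
    "aa:bb:cc:00:00:03": "printer-01",
}
AUTHORIZED_SOFTWARE = {             # Control 2: packages allowed on any host
    "openssh-server", "nginx", "postgresql", "unattended-upgrades",
}
DHCP_LOG = """\
Jan  9 08:01:12 gw dnsmasq-dhcp[811]: DHCPACK(eth0) 10.0.0.21 aa:bb:cc:00:00:01 laptop-01
Jan  9 08:03:44 gw dnsmasq-dhcp[811]: DHCPACK(eth0) 10.0.0.22 aa:bb:cc:00:00:02 laptop-02
Jan  9 08:15:03 gw dnsmasq-dhcp[811]: DHCPACK(eth0) 10.0.0.77 de:ad:be:ef:00:01 android-9f3a
Jan  9 08:15:09 gw dnsmasq-dhcp[811]: DHCPDISCOVER(eth0) de:ad:be:ef:00:02
"""
OBSERVED_SOFTWARE = {               # what a package listing on each host reported
    "laptop-01": {"openssh-server", "nginx", "unattended-upgrades"},
    "laptop-02": {"openssh-server", "postgresql", "torrent-client"},
}

# A DHCPACK line carries the address handed out, the client MAC and (optionally) its hostname.
ACK_RE = re.compile(
    r"DHCPACK\(\S+\)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})(?:\s+(?P<host>\S+))?"
)


def parse_dhcp_acks(log: str) -> dict:
    """Return {mac: (ip, hostname)} for every DHCPACK line. Only ACKs count: a DISCOVER
    means a device asked, an ACK means it actually got an address on our network."""
    seen = {}
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if m:
            seen[m["mac"].lower()] = (m["ip"], m["host"] or "")
    return seen


def reconcile_devices(authorized: dict, seen: dict) -> dict:
    """Control 1: split observed leases into known, unknown, and authorized-but-absent.
    Unknown devices are the alert; missing ones are stale inventory worth chasing."""
    known = {mac: info for mac, info in seen.items() if mac in authorized}
    unknown = {mac: info for mac, info in seen.items() if mac not in authorized}
    missing = sorted(name for mac, name in authorized.items() if mac not in seen)
    return {"known": known, "unknown": unknown, "missing": missing}


def reconcile_software(allowlist: set, observed: dict) -> dict:
    """Control 2: per host, packages that are installed but not on the allowlist."""
    return {host: sorted(pkgs - allowlist)
            for host, pkgs in observed.items() if pkgs - allowlist}


def build_report(authorized=AUTHORIZED_DEVICES, log=DHCP_LOG,
                 allowlist=AUTHORIZED_SOFTWARE, observed=OBSERVED_SOFTWARE) -> list:
    """Human-readable findings, one line each; empty list means everything reconciles."""
    findings = []
    devices = reconcile_devices(authorized, parse_dhcp_acks(log))
    for mac, (ip, host) in devices["unknown"].items():
        findings.append(f"UNAUTHORIZED DEVICE {mac} got lease {ip} (hostname {host or '?'})")
    for name in devices["missing"]:
        findings.append(f"AUTHORIZED DEVICE NOT SEEN {name}")
    for host, pkgs in reconcile_software(allowlist, observed).items():
        findings.append(f"UNAUTHORIZED SOFTWARE on {host}: {', '.join(pkgs)}")
    return findings


if __name__ == "__main__":
    for line in build_report():
        print(line)
```

In a real deployment the inputs would come from the DHCP server or switch ARP tables and from a package manager query on each host, and the report would feed a ticketing or alerting system; the reconciliation logic stays the same. Running this regularly is exactly what turns a one-off spreadsheet into the continuous inventory that controls 3 and 4 (secure configuration and vulnerability assessment) need as their list of targets.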

In conclusion, there is no silver bullet for security. But there are things that we can start doing that will help us better weather the ever-evolving security landscape.