Most businesses will have heard about cyber security attacks, or may have experienced attacks themselves. They may also be aware of new attacks that are targeting their industry. But the issue for many businesses is knowing what action to take to reduce their risk of attack. There are numerous standards, including NIST and ISO 27001, but they take time to understand and implement, do not easily translate into actions that businesses can take, and can be too unwieldy for smaller businesses.
We like to take a more pragmatic approach to reducing cyber security risks for clients, by using the Critical Security Controls from the Center for Internet Security (CIS Controls). These are a concise, prioritised set of recommendations based on combating real attacks that have hit businesses. There are twenty controls, each of which contains a number of recommendations. Implementing the controls significantly reduces the risk of a cyber attack.
The first five controls can be summarised as follows:
- Inventory authorised and unauthorised devices. Make sure you know the servers, PCs, mobiles, switches, routers etc. that are part of your system. This includes virtual servers in public/private clouds. Knowing which devices are present will enable you to pick up unauthorised devices, and old devices that have been forgotten and are now unpatched and insecure.
- Inventory authorised and unauthorised software. Make sure you know the software that should be running on your servers, PCs etc. This also includes authorised and unauthorised SaaS applications. Understanding the software that should be running will enable you to implement application whitelisting, which will significantly reduce the risk of malware (including ransomware) being able to run on your system.
- Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers. This includes ensuring that there is a standard and secure way of building servers and workstations, that administration of servers and devices is secured, that laptops and mobiles are encrypted, and that Group Policy is consistently applying secure settings on servers and workstations. Failing to do this can lead to workstations installed without anti-virus and servers that allow unlimited login attempts by criminals.
- Continuous Vulnerability Assessment and Remediation. This includes making sure that all servers, workstations, databases, applications and websites are patched on a regular basis (using automation if possible) and implementing regular vulnerability scans. Unpatched systems are the cause of over 40% of successful cyber attacks.
- Controlled Use of Administrative Privileges. This includes changing default passwords on devices such as firewalls and routers, ensuring that administrative permissions are limited to only those people who need them, that two-factor authentication is used for administrator logons, and that failed login attempts and the creation of new administrators are investigated. Many broadband routers are installed with the default password unchanged. These can easily be discovered and compromised using IoT search engines such as Shodan. A compromised router can redirect you to fake websites which steal credentials.
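As an added illustration of the fifth control (not code from the original article or from CIS), the script below runs two simple checks over constructed Linux auth log lines: it flags source addresses with a burst of failed logins, and flags any user added to an administrative group. The log lines, the threshold of five and the set of admin group names are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample auth log lines (not from the original page); addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
Jan 10 09:01:02 srv1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51001 ssh2
Jan 10 09:01:04 srv1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Jan 10 09:01:05 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jan 10 09:01:07 srv1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51004 ssh2
Jan 10 09:01:09 srv1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51005 ssh2
Jan 10 09:03:00 srv1 sshd[1250]: Accepted password for alice from 198.51.100.5 port 44100 ssh2
Jan 10 09:05:11 srv1 usermod[1300]: add 'bob' to group 'sudo'
Jan 10 09:06:00 srv1 sshd[1310]: Failed password for alice from 198.51.100.5 port 44101 ssh2
""".splitlines()

# sshd failure line: capture the account name and the source IPv4 address.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
# usermod/gpasswd style line: capture the user and the group they were added to.
GROUP_ADD_RE = re.compile(r"add '(\S+)' to (?:shadow )?group '(\S+)'")
# Assumed names of groups that confer administrative rights on this host.
ADMIN_GROUPS = {"sudo", "wheel", "admin"}


def failed_login_bursts(lines, threshold=5):
    """Count failed logins per source address; return sources at or above threshold."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def admin_group_additions(lines):
    """Return (user, group) pairs where a user was added to an administrative group."""
    hits = []
    for line in lines:
        m = GROUP_ADD_RE.search(line)
        if m and m.group(2) in ADMIN_GROUPS:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for src, n in failed_login_bursts(SAMPLE_LOG).items():
        print(f"investigate: {n} failed logins from {src}")
    for user, group in admin_group_additions(SAMPLE_LOG):
        print(f"investigate: '{user}' added to admin group '{group}'")
```

On the sample data the first check reports five failures from one address and the second reports the addition of 'bob' to 'sudo'; a single failed login from a known user is left alone.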
Whilst the first five controls are regarded as essential (and mirror the Strategies to Mitigate Cyber Security Incidents developed by the Australian Signals Directorate), we look at all twenty controls when performing an independent security review for a client. We consider the business assets (information, databases, processes) and the likely ways they would be attacked (ransomware, fraud). Our clients get a clear idea of their areas of risk, and prioritised recommendations on the measures that will have the greatest impact in reducing those risks.