There are, at the time of writing, 331 days until the new year. That’s a lifetime in cybersecurity. What major goals are you hoping to achieve in your cybersecurity practice before then? SecTor sat down with six experts to get their recommendations for the single priority to focus on in 2017. Here’s what they had to say.
Chris Wysopal, former member of L0pht Heavy Industries and now CTO at Veracode, says that understanding and auditing the cybersecurity supply chain should be the priority for organizations this year.
Intruders find their way into corporate systems not just by identifying weak links in a company’s own resources, but by finding problems in the other products and services that the company relies on. Target’s 2013 breach happened after attackers got into its network using an HVAC contractor’s credentials, but the same weak links can exist in third-party software and hardware.
Companies must hold vendors accountable and demand evidence that their products were built securely, Wysopal says. Perhaps his old L0pht pal Peiter Zatko can help. Along with his wife Sarah Zatko, he formed the Cyber Independent Testing Lab (Cyber ITL), an organization that grades the security of software programs, and it is crunching the numbers right now.
Understand your risk
The vulnerability of your supply chain would make an excellent component of Laura Payne’s own recommended project for this year: conduct a risk analysis. Attack surfaces differ by organization, explains Payne, who is a senior information security advisor at the Bank of Montreal. Attackers do, too. Each organization must identify its own threat vectors and estimate the potential impact should they be exploited. A comprehensive risk assessment will help your organization prioritize and allocate its cybersecurity dollars.
Be smart about access
Cheryl Biswas, cybersecurity consultant in threat intel at KPMG, is focused on access control this year. It’s time for organizations to segment their users more methodically, creating roles and responsibilities for them that map directly onto systems access, she says.
Why should an accounts underling have access to that USB port? And should one sysadmin really be able to control the entire network from a single account? Do we want another Terry Childs headline anytime soon? (Childs was the San Francisco network administrator who, in 2008, locked the city out of its own network by refusing to hand over the passwords.) Limit access to computing resources and features to those who need it. Be warned, though: the architecture and business analysis needed to support this makes it a big project.
Educate your staff
Two SecTor experts argue for a more basic approach to cybersecurity this year: just clean house and get basic cybersecurity hygiene right.
Fix your passwords, says Ben Sapiro, senior director of security, privacy and compliance at Vision Critical. Make them stronger, and impose two-factor authentication. Fix patching, and then get users to stop downloading things.
Stopping errant user behaviour is something that Nuix CISO Chris Pogue also singles out as a core area. Employee education is crucial, because that is where many problems begin. Explain to staff how their habits affect the organization’s security posture. Help them understand what social engineering looks like. For a discussion of how to do this, check out our previous blog post here.
Handle your backups
Finally, while we’re talking about cybersecurity basics that companies still aren’t following, F-Secure’s chief research officer Mikko Hyppönen has a single recommendation for 2017: for pity’s sake, sort out your backups. People think they’re doing it properly, but they aren’t, he warns.
Companies are only finding out that they’ve fumbled the backup ball when they get hit by ransomware. Cloud-based file sharing services may make us feel safe, but they’re not backups: a sync folder faithfully mirrors whatever is on the disk, encrypted files included. Using a service or process dedicated to proper backups is a must, as is testing it regularly by actually restoring from it. That’s one problem you don’t want to be fixing after a disaster has occurred.
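Here is an added example of what “testing it regularly” means in practice. It is not code from the SecTor post or from any of the experts quoted; it is a small POSIX shell job, written for this page, that archives a directory, records a SHA-256 manifest beside the archive, and then proves the backup by restoring it into a scratch directory and diffing the restored tree’s hashes against the manifest. It assumes GNU coreutils (`sha256sum`, `mktemp`) and a `tar` that accepts `-C`; the sample files in the `--demo` mode are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the SecTor post: a backup job that proves its own
# restorability. A synced folder is not a backup because the versions a
# ransomware writes get synced too; an archive only counts as a backup once
# a restore from it has been checked against a manifest.
set -eu

# hash_tree DIR: one "sha256  ./path" line per file, in a stable order, so
# two trees can be compared with plain diff. Assumes GNU coreutils.
hash_tree() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# make_backup SRC DEST: archive SRC into DEST, write the manifest beside it,
# and print the archive path. The files are made read-only afterwards; that
# stops accidents, not an attacker, so the copy that matters still has to
# live somewhere the production credentials cannot reach.
make_backup() {
  src=$1; dest=$2
  mkdir -p "$dest"
  archive="$dest/backup-$(date +%Y%m%dT%H%M%S)-$$.tar"
  hash_tree "$src" > "$archive.sha256"
  tar -C "$src" -cf "$archive" .
  chmod a-w "$archive" "$archive.sha256"
  echo "$archive"
}

# restore_backup ARCHIVE TARGET: unpack ARCHIVE into TARGET (created if missing).
restore_backup() {
  mkdir -p "$2"
  tar -C "$2" -xf "$1"
}

# verify_backup ARCHIVE: restore into a scratch directory and diff the
# restored tree's hashes against the manifest. Exit status 0 means every
# file came back byte-for-byte; anything else means this backup would not
# have saved you, and you want to learn that today rather than after the
# ransomware note appears.
verify_backup() {
  scratch=$(mktemp -d)
  status=0
  if restore_backup "$1" "$scratch" 2>/dev/null \
     && hash_tree "$scratch" | diff -q - "$1.sha256" >/dev/null; then
    status=0
  else
    status=1
  fi
  rm -rf "$scratch"
  return "$status"
}

# demo: constructed sample data (not real files) run through the whole cycle,
# including the failure mode where the archive itself has been damaged.
demo() {
  src=$(mktemp -d); dest=$(mktemp -d)
  printf 'invoice,amount\n1001,250\n' > "$src/ledger.csv"
  mkdir "$src/docs"; printf 'signed contract\n' > "$src/docs/contract.txt"
  arc=$(make_backup "$src" "$dest")
  verify_backup "$arc" && echo "OK   $arc restores cleanly"
  printf 'ENCRYPTED' > "$src/ledger.csv"       # simulate ransomware on live data
  verify_backup "$arc" && echo "OK   backup unaffected by damage to live data"
  cp "$arc" "$dest/damaged.tar"; cp "$arc.sha256" "$dest/damaged.tar.sha256"
  chmod u+w "$dest/damaged.tar"; : > "$dest/damaged.tar"
  verify_backup "$dest/damaged.tar" || echo "FAIL damaged.tar does not restore"
  rm -rf "$src" "$dest"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see a good backup pass, the same backup still pass after the live data has been trashed, and a damaged archive fail. In a real job the `verify_backup` step is the part to schedule and alert on, and the archive should be pushed to storage that the accounts on the protected machines cannot write to.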
So, there are four solid things to choose from for your 2017 to-do list. Some projects are bigger than others, and it’ll be a brave CISO who tackles all of them in one go. How many have you ticked off, and how many do you plan to have done by the end of the year?