Security Strategy: Moving Away From Tried and True – Security Boulevard

Many security professionals, when developing their strategy, still fall back on the old punch-list approach to security configuration. They believe that if they check the box on tried-and-true measures such as password managers, strong device passcodes, two-factor authentication, device encryption and VPNs, their companies will be secure against cyberattacks.

But by simply working through a suggested list of safeguards, security professionals aren't considering the actual risks to their organization or the impact on its workflows. Every organization requires a tailored approach to cybersecurity, which simply can't be achieved by checking off boxes on a standard list.

The National Institute of Standards and Technology (NIST) has been steering organizations away from static security checklists for years, ever since the introduction of the Cybersecurity Framework and the integration of the Risk Management Framework into the security life cycle. Both are built around assessing risk and tailoring controls to it rather than applying a fixed list.

The problem with security baselines, and the hundreds of registry keys, file and folder permissions and Windows Group Policy settings they prescribe, is that they narrow the idea of what sound security is. Sound security is a continuous cycle of change that balances risk, cost and liability while maintaining the confidentiality, integrity and availability of cyber resources.

Checklists are also never complete and never current. In a bring your own device (BYOD) and IoT world, the variety of operating systems, versions and capabilities makes a hard-coded punch list impossible. A published static list also tells attackers exactly what is already covered, so they can skip those avenues and concentrate on the gaps the list leaves, where their activity is less likely to be noticed.

Another issue is that checklists create a false sense of security. Organizations are vulnerable when their security leaders take the view that "if we do X, Y and Z, then we're good." That couldn't be further from the truth. Security is not absolute, and it is different for everyone; the specific needs of one industry vary greatly from those of another. In developing your security strategy, once you identify what's required for your industry and your organization, you will be better able to limit the likelihood of a cyberattack and mitigate the damage when one occurs.

So, how do you successfully get rid of the checklist approach? What is an alternative way to develop a security strategy that maximizes your defenses?

Start with the structure of an established control catalog, such as the NIST Cybersecurity Framework Core (or the SP 800-53 control families) or the Center for Internet Security (CIS) Critical Security Controls (the "CIS 20"), and apply the areas of concern from each group or family to every class of technology in your network. This includes PCs, servers, switches, firewalls, IP phones, peripherals (printers, cameras, UPS, video boards), mobility (smartphones, tablets, IoT), software and any other outliers.

Once everything is categorized, take a long look at the risks to each class and decide how you can best mitigate and manage them.

Now that the risks are understood and the methods to mitigate them are in place, it's time to write them down. There are multiple parts to this:

Your security plan and procedures are in place. Everything has been implemented and maintenance is fully automated. You're secure, right? Wrong. There's an old idiom I like to keep in mind: "Trust but verify." Look at each procedure and plan and ask, "How do I test this?" Having procedures that can be tested lets you plan when to test them. Do you audit everything or just a sample? How is the sample selected? Are there event-based triggers that force an audit outside the normal schedule?

In college, my English professor embedded the mantra "Writing is a recursive process" into my brain. I've learned that this also applies to security plans, policies and procedures. Annual reviews of these materials are critical to ensure completeness and to incorporate any changes from the previous year.

If you encounter a cyberattack, it's important to hold post-event reviews based on the forensic details and to reformulate your strategy accordingly. Ask yourself, "How and why did this happen? What can be done to prevent it, or to mitigate it next time?"

Certain significant changes should always trigger a fresh risk assessment and an update of the documentation, plan, policies and procedures. These changes include migration to a cloud SSO platform, a major OS version upgrade, a change of security solution vendor, and the like.
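The two questions above about verification ("do you audit everything or just a sample, and how is the sample selected?" and "are there event-based triggers?") can be turned into a repeatable selection rule. The following is an added example written for this page, not code from the original article: it draws a stratified, seeded sample from an asset inventory grouped by the technology classes listed earlier, and escalates any class touched by one of the triggering changes to a full audit for that cycle. The inventory, the asset identifiers and the mapping from trigger events to affected classes are constructed assumptions.

```python
"""Audit-sample selection for the verification step of a security plan.

Added example, not from the original article. The inventory and the
event-to-class mapping below are constructed for illustration.
"""
import random
from collections import defaultdict

# Constructed inventory: (asset_id, tech_class). Not real hosts.
INVENTORY = [
    ("pc-001", "pc"), ("pc-002", "pc"), ("pc-003", "pc"), ("pc-004", "pc"),
    ("pc-005", "pc"), ("pc-006", "pc"), ("pc-007", "pc"), ("pc-008", "pc"),
    ("srv-001", "server"), ("srv-002", "server"), ("srv-003", "server"),
    ("sw-001", "switch"), ("sw-002", "switch"),
    ("fw-001", "firewall"),
    ("prn-001", "peripheral"), ("cam-001", "peripheral"), ("ups-001", "peripheral"),
    ("mob-001", "mobility"), ("mob-002", "mobility"), ("mob-003", "mobility"),
]

# Which asset classes a significant change touches. The event names follow
# the article's list of changes that should trigger reassessment; the scope
# of each is an assumption for this example.
TRIGGER_SCOPE = {
    "sso_migration": {"pc", "server", "mobility"},
    "os_major_upgrade": {"pc", "server"},
    "security_vendor_change": {"pc", "server", "firewall"},
}


def group_by_class(inventory):
    """Map tech_class -> list of asset ids, preserving inventory order."""
    groups = defaultdict(list)
    for asset_id, tech_class in inventory:
        groups[tech_class].append(asset_id)
    return groups


def select_audit_sample(inventory, rate=0.25, min_per_class=1, seed=0, events=()):
    """Return {tech_class: sorted asset ids to audit this cycle}.

    Stratified: every class is sampled, so a class with one member (the
    lone firewall) is never skipped just because it is statistically small.
    Reproducible: the seed is part of the audit record, so the same sample
    can be regenerated at review time.
    Event-driven: any class in scope of a triggering event is audited in
    full for this cycle instead of being sampled.
    """
    rng = random.Random(seed)
    full_audit = set()
    for event in events:
        full_audit |= TRIGGER_SCOPE.get(event, set())

    sample = {}
    for tech_class, assets in sorted(group_by_class(inventory).items()):
        if tech_class in full_audit:
            chosen = list(assets)
        else:
            # round() alone can yield 0 for tiny classes; enforce the floor.
            n = max(min_per_class, round(len(assets) * rate))
            n = min(n, len(assets))
            chosen = rng.sample(assets, n)
        sample[tech_class] = sorted(chosen)
    return sample


def audit_coverage(sample, inventory):
    """Fraction of each class covered by the selected sample."""
    groups = group_by_class(inventory)
    return {c: len(sample[c]) / len(groups[c]) for c in groups}


if __name__ == "__main__":
    routine = select_audit_sample(INVENTORY, seed=7)
    triggered = select_audit_sample(INVENTORY, seed=7, events=["os_major_upgrade"])
    print("routine cycle:", routine)
    print("after OS major upgrade:", audit_coverage(triggered, INVENTORY))
```

Recording the seed alongside the sample is what makes "how was the sample selected?" answerable later; the escalation set is where the significant-change triggers from the plan get enforced rather than left to memory.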

As I've mentioned, security is not absolute. A checklist that is not frequently revised and updated will not provide real value or protection. Because new threats keep emerging, and because every organization has different requirements for cyber protection, it's crucial to adopt a security strategy and cybersecurity framework that keep up with constant change, limit the occurrence of cyberattacks and mitigate the damage if an attack does occur.
