Cyber risk is now part of our everyday lives. High-profile breaches seem to happen every day, a grim reminder that it is not a matter of if, but when, we will be the target of a cyber-attack. Cyber security is a very difficult problem to solve: the threats are constantly evolving, and the adversaries are many, from teenage hackers and hacktivists to organized crime and, lately, nation-states with dedicated cyber warfare operations.
Against this background, there are four basic cyber security measures that should help any organization improve its security posture: governance, prevention, monitoring and resilience.
Governance
Create an effective cyber security task force made up of relevant levels of management with the authority and responsibility for:
- Defining security posture (risk assessment, security policies, evaluation of threats, mapping of critical assets).
- Defining risk appetite (the amount of risk that the organization is willing to take based on risk-level determination).
- Defining metrics (measure progress). “If you cannot measure it, you cannot improve it.” – Lord Kelvin (1824-1907).
- Designating communication channels, internal and external.
- Delineating the legal consequences of a breach (litigation costs, insurance costs, fines).
Prevention
A properly executed layered defense (a.k.a. Defense in Depth) across the Information Technology infrastructure (hardware/OS, applications, hosts, network components, people) should prevent a high percentage of breaches by unauthorized individuals. There are two important considerations when implementing defensive layers. First, additional layers should discourage the opportunistic attacker, who moves around looking for easy targets and does not want to invest time breaking through layer after layer. Second, the layers should delay the progress of a successful attack long enough for the security group to notice it. At minimum, these layers should consist of the following:
- Perimeter protection – Boundary firewalls and internet gateways should be configured to act as a barrier to keep unwanted traffic from entering the network.
- Network segmentation – If a breach happens, it can be contained inside one segment rather than spreading across the entire system.
- In-bound traffic filtering – Filter e-mail and web traffic to block spam and malware.
- Application whitelisting – Configure computers and networks to deny the execution of any non-approved application.
- Patch management – Monitor for and install vendor patches for known vulnerabilities; a majority of the vulnerabilities exploited in breaches are likely already addressed by the software vendors.
- Access control policy – Define the access control model for local and remote access that best fits the internal functions of the organization.
- Network Access Control – Only devices that comply with security policies are allowed to access network resources.
- Physical security – Never forget about physical security; if an attacker has physical access to hardware, they own the hardware.
Monitoring
Probably the most important measure of all is a dedicated security group monitoring the behavior of your environment. Remember Murphy's law: "If everything seems to be going well, you are missing something." Any deviation from normal baselines should be investigated immediately. Examples include unexpected server loads, an increase in the number of out-bound connections, connections lasting longer than expected, connections initiated at odd hours, and a sudden increase in the amount of data leaving through exit points.
This step requires a lot of daily work: creating baselines, collecting and reviewing system logs, keeping up to date with threats to the environment, and understanding the proper counter-measures. The good news is that many products are available to help automate, organize and process these huge amounts of information. There is also the option to outsource this function to outside companies that provide the necessary expertise, with the added benefit of monitoring your environment 24×7.
Resilience
There is a fact that needs to be clearly understood: a sufficiently sophisticated and persistent attacker, the Advanced Persistent Threat (APT), should be assumed capable of eventually defeating any preventive measure. The two most common objectives of such an attack are:
- To damage the company Information Technology infrastructure.
- To steal company data, Intellectual Property (IP) or customer information (PII).
For the first, a robust disaster recovery plan should limit the extent of disruption and damage. For the second, strong Data Loss Prevention (DLP) controls should help recognize and mitigate the risk. In either case, the resilience of an organization is directly proportional to the amount of planning and preparation done before a breach occurs.
There is no proverbial silver bullet to protect us from the dangerous world of cyber threats. There is only hard work and a lot of planning to properly implement security measures. The good news is that there are resources that can guide us in this process. Two of the best are:
- The ISO/IEC 27000 family of information security management system (ISMS) standards, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); its core requirements standard, ISO/IEC 27001, was revised in 2013.
- The NIST Cybersecurity Framework (NIST CSF), published by the U.S. National Institute of Standards and Technology in 2014.
But one of the most valuable resources is your peers. We in the G&L Community should count on each other to ask about and share best practices, insights, resources, etc., so that our industry improves its security and stands against cyber threats.
Marlon Ortiz is the VP of IT for American Casino and Entertainment Properties in Las Vegas, Nevada. He has twenty-four years of Information Technology experience across multiple disciplines; for the last six years his primary focus has been Information Assurance and Cyber-Security. He holds a Master of Professional Studies in Information Sciences from Penn State.
