Cyber Threats: Strategies to become a Cybersecurity Jedi?

In a context where the threat is becoming increasingly multidimensional (ransomware, phishing, the professionalisation of attacks), it has become urgent to apply a coherent strategy which combines anticipation, defence and resilience. Let’s take a look at what Jedi Masters recommend to defeat the dark side of the cyber world.

  • Basic best practice – “Much to learn you still have…my old padawan.”

As any expert, any institution or any provider will tell you, these few rules comprise the fundamentals. I won’t spend too long on this advice as you’ve probably already read and heard it many times.

- Set strong passwords (at least 12 characters mixing digits, lowercase and uppercase letters and special characters, and containing no names or whole words)

- Use different passwords for each service

- Make sure your email address has not been compromised in a data breach (Have I Been Pwned?)

- Keep software up to date

- Make regular backups using the 3-2-1 strategy

- Do not click on a link from an unknown sender

- Only install programs from publishers’ official websites

- Do not connect to an unknown Wi-Fi network

  • ENISA’s recommendations – “Jedi Knights are the guardians of peace and justice in the Digital Republic.”

To go a little further, let’s look at a few key recommendations developed jointly by ENISA, the EU Agency for Cybersecurity, and CERT-EU, the CERT (Computer Emergency Response Team) of the institutions and agencies of the European Union. These bodies highlight certain technologies and practices that may at times seem elementary but are still not adopted by all organisations.

Multi-factor authentication (MFA)

Besides having a strong password, multi-factor authentication is a practice that should be widely adopted, at least for any remotely accessible service. Hackers often break into networks by stealing credentials. Requiring a second factor, such as a FIDO2 security key, makes it much harder for a hacker to impersonate a user with stolen credentials. More generally, these bodies recommend disabling protocols that do not support MFA.

The Content Delivery Network (CDN)

Less in the headlines right now, but still dangerous: a Distributed Denial of Service (DDoS) attack is used both as a way of harming a business and as a means of geopolitical action. The CDN is a tried and tested solution to distribute the load of the attack across a large number of geographically dispersed servers and thus protect the targeted web service.

Network segmentation

This is a case-by-case policy. The fact that a person has authenticated at one point on the network does not mean they should be able to access it from another, and the fact that they identified themselves on a particular day does not mean they should be able to access the IT system the next day. The network must be segmented in order to limit access to what is strictly necessary and make access conditional on the context. Depending on the type of device used (professional PC or personal smartphone?), the connection time (Monday at 2 pm or Saturday at 3 am?) or the network in question (corporate LAN or public Wi-Fi), access can either be granted or refused.
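As an added illustration (not code from the article), the contextual access decision described above can be expressed as a small policy function: every request is re-evaluated against device type, source network and time of day, so a login elsewhere or on another day grants nothing by itself. The segment names, sensitivity levels and working-hours window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical sensitivity level of each network segment (constructed).
SEGMENT_LEVEL = {"intranet": 1, "crm": 2, "finance": 3, "admin": 4}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    authenticated: bool
    device: str    # "corporate_pc" or "personal_phone"
    network: str   # "corporate_lan", "vpn" or "public_wifi"
    when: datetime
    segment: str   # segment the user is trying to reach


def business_hours(when: datetime) -> bool:
    """Constructed working-hours window: Monday to Friday, 08:00-19:00."""
    return when.weekday() < 5 and 8 <= when.hour < 19


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Return (granted, reason) for one request, judged on its own context."""
    if not req.authenticated:
        return False, "not authenticated"
    level = SEGMENT_LEVEL.get(req.segment)
    if level is None:
        return False, "unknown segment"
    # Personal devices and public networks only reach the least sensitive segment.
    if req.device == "personal_phone" and level > 1:
        return False, "personal device cannot reach this segment"
    if req.network == "public_wifi" and level > 1:
        return False, "public network cannot reach this segment"
    # Sensitive segments: corporate LAN only, and only during business hours.
    if level >= 3:
        if req.network != "corporate_lan":
            return False, "finance/admin require the corporate LAN"
        if not business_hours(req.when):
            return False, "outside business hours"
    return True, "context matches policy"


def evaluate(user, authenticated, device, network, iso_time, segment):
    """Convenience wrapper taking plain values, e.g. '2024-03-09T03:00'."""
    req = AccessRequest(user, authenticated, device, network,
                        datetime.fromisoformat(iso_time), segment)
    return decide(req)
```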

Privileged Account Management (PAM)

User training is often (rightly) referred to as a key element of cybersecurity. But the training of IT professionals is equally important since they have greater access to IT resources. System and network administrators need to use their tools and privileged accounts with great caution and in compliance with the company’s security policies. PAM tools allow effective monitoring of this type of access.

  • The NIST Framework – “When you're a Jedi Master, you can make the plan.”

Now let’s zoom out a little, with what is probably one of the most reputable sets of cybersecurity guidelines. The NIST (National Institute of Standards and Technology) Cybersecurity Framework gives organisations a structure for tackling cyber risk as a whole. It is divided into five key functions. However, it is important to clarify that these five functions are not a path to be worked through in order to arrive at a state that could be considered safe. They are five parts of the same strategy that must be pursued simultaneously and on an ongoing basis. In any case, you will see that they often depend on each other.

Identify: Knowing your information system is key to knowing how to protect it. The identification work must cover the devices, software and people. Who accesses what, how and for what purpose? These are the questions that need to be answered in order to identify the technological components that enable your business to operate and to determine the right level of security to implement based on criticality. Software is available on the market that can scan your network and identify the software in use. UEM (Unified Endpoint Management) tools are also useful for managing devices.

Protect: This involves building the defensive elements of your information system. Not in the perimeter sense of the word, because the castle strategy is no longer suited to the mobile and multicloud world in which we operate. Protection now requires a Zero Trust approach. Closely related to identification, Zero Trust architecture involves granting access to data and applications only to those systems, devices and users that are duly authenticated and whose security level matches the company’s requirements. Identity and Access Management (IAM) technologies should be considered here. Backups are obviously a fundamental element of this protection strategy. With regard to protection against ransomware, NIST particularly recommends putting in place a backup infrastructure that is separated from the network.
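The 3-2-1 rule from the basic best-practice list (three copies, on two different media, one of them off-site) and the NIST advice just above (a backup infrastructure separated from the network) can be checked mechanically against a backup inventory. This is an added example, not the article's or NIST's code; the inventory entries and media names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str              # e.g. "disk", "tape", "object_storage"
    offsite: bool           # stored at a different physical location
    network_isolated: bool  # not reachable from the production network


def check_backups(copies: list[BackupCopy]) -> list[str]:
    """Return the rules the inventory fails; an empty list means compliant.

    Rules: 3-2-1 (copies / media / off-site) plus one copy isolated from
    the production network, so ransomware on the LAN cannot reach it.
    """
    failures = []
    if len(copies) < 3:
        failures.append(f"need 3 copies, have {len(copies)}")
    if len({c.media for c in copies}) < 2:
        failures.append("need 2 distinct media types")
    if not any(c.offsite for c in copies):
        failures.append("need 1 off-site copy")
    if not any(c.network_isolated for c in copies):
        failures.append("need 1 copy isolated from the production network")
    return failures


# Constructed sample: three copies that all live on disk on the same LAN...
WEAK = [
    BackupCopy("production", "disk", offsite=False, network_isolated=False),
    BackupCopy("nas-sync", "disk", offsite=False, network_isolated=False),
    BackupCopy("nas-snapshot", "disk", offsite=False, network_isolated=False),
]
# ...and a setup that satisfies every rule.
GOOD = [
    BackupCopy("production", "disk", offsite=False, network_isolated=False),
    BackupCopy("tape-weekly", "tape", offsite=True, network_isolated=True),
    BackupCopy("cloud-object", "object_storage", offsite=True, network_isolated=False),
]

if __name__ == "__main__":
    for label, inventory in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(label, check_backups(inventory) or "compliant")
```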

Detect: On many occasions, we have seen attacks unleashed where the hackers had been hidden in the IT system for months. In terms of tooling, SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) solutions are now widely used to analyse the behaviour of the IT system and detect anomalies that may reveal an intrusion. These technologies increasingly rely on artificial intelligence to process ever larger volumes of data more quickly.

Respond: However, the human aspect remains essential in interpreting signals and triggering the response. Organisations must prepare incident response plans, and remember to test them regularly to validate their effectiveness and build reflexes for a real attack. Setting up a SOC (Security Operations Center) may be useful not only for detection but also for triggering the right measures and coordinating actions, since managing a cyber crisis involves a very diverse range of personnel from both the IT and business teams. It is therefore important here to clearly define the rules of governance and each person’s responsibilities. And given the shortage of cybersecurity experts, the SOC-as-a-Service model, where monitoring of the IT system is entrusted to an external provider, may also be appropriate, especially for SMEs.

Recover: This is the issue that is on everyone’s lips today: resilience. In other words, the ability to restart the activity, or ideally not to stop it, after a cyberattack. The identification work and the protective measures put in place must allow a return to the last known stable state via restore processes. But that’s not all. The recovery plan must also include an improvement component, to learn lessons from the attack and to strengthen the strategy for the future, and communication. The actions implemented must indeed be communicated to the ecosystem (partners, providers, customers, etc.) in order to create a coordinated response, but also externally. Public relations must be involved in the recovery operation in order to preserve the company’s reputation.

A few takeaways – “Do or do not. There is no try.”

  • Start by training your employees in cybersecurity best practices. Your entire protection policy can come crashing down with just one click on a link.
  • Before deploying dozens of innovative protection solutions, make sure you have implemented the recognized and proven basics.
  • Implement a continuous protection process! The cybersecurity strategy cannot be carried out in project mode, with a beginning and an end. These are actions that must be carried out continuously and tested and reassessed regularly.
  • Assume you are going to be attacked. Because you will be! Your cybersecurity strategy must prevent risk, but also anticipate the actions to be implemented to maintain activity in the event of a successful attack.

“May the force be with you.”

Mike van Dijk

Sales Director Western Europe | SAP security

1 year

Great post Segundo! This part is so true: "Assume you are going to be attacked. Because you will be!" Work on prevention but also think how to stay in business in the event of a successful attack.
