How To Prevent The Next Equifax?
Nicolas M. Chaillan
Founder of Ask Sage, Bringing Generative AI to Gov | Former U.S. Air Force and Space Force Chief Software Officer (CSO) | Pilot
Over 143 million people have been affected and the industry is still struggling to grasp the impact of what could be one of the largest Cybersecurity breaches of all time: the recent Equifax Cyber breach.
It is always difficult to measure the consequences of a breach, in terms of financial impact, customer satisfaction and damage to the company’s reputation.
I have said it time and again, it is critical to be proactive in Cybersecurity. Preventing breaches is possible, while difficult. The costs of a Cybersecurity breach are incredibly high but you can mitigate those risks.
Cybersecurity is moving at an incredibly fast pace, and I agree that it is difficult for anyone to keep up with technology changes and disruptive innovations.
Unfortunately, I too often meet a “Cybersecurity Senior Executive”, including at the highest levels of our federal agencies, who introduces themselves to me by saying “yes I am in Cybersecurity but I am not technical.”
I have some bad news for you. I’m afraid you are NOT (really) in Cybersecurity. Cybersecurity is NOT about compliance (let’s actually forget about compliance and care about actual security), a degree (whether it was in Music or something else), or your fancy certification that you passed by reading a couple of books and "memorizing" Cybersecurity terms without ever implementing any actual Cybersecurity control.
Breaking news, this does not make you a Cybersecurity expert.
Cybersecurity is TECHNICAL, as it should be. Let’s stop kidding ourselves.
This has to be addressed. CISOs and their teams must have a good understanding of technology to adequately protect our critical systems.
I meet "Cybersecurity experts" every day who have no knowledge of the concepts behind Software Defined Perimeter or BeyondCorp. No big deal, they're just the most disruptive Cybersecurity concepts in the last 20 years since the firewall was created.
In order to provide tangible solutions to our stakeholders, I was tasked with designing a holistic Cybersecurity architecture. While far from simple, we ended up with 36 technical capabilities.
To avoid the next "Equifax", I wanted to share with you what we called the 14 core capabilities that any Cybersecurity architecture should immediately implement:
1. Network Segmentation: Ensure networks are properly segmented, particularly separating the business side from the infrastructure networks. Move away from solutions that only focus on “on-premise” segmentation and deploy network segmentation solutions, such as Software Defined Perimeter, that allow for granular role-based segmentation of “on-premise” and Cloud-based systems, including legacy systems. If you want to learn more about SDP, see my article: “Traditional Perimeter controls are dying. Time to move to Software Defined Perimeters.”
2. Network Security: Leverage Intrusion Detection and Prevention Systems (IDS/IPS) across enterprise boundaries, including using Cloud-based appliances whenever possible to monitor Cloud traffic.
- Select solutions that can protect both “on-premise” and Cloud-based traffic and consolidate alerts/logs on a single dashboard
- Consider deploying Cloud-Based Access Security Brokers (CASBs) at Cloud boundaries
- Consider specific Distributed Denial of Service (DDoS) protections to protect servers, applications, and networks
- Consider solutions that protect against Telephony Denial of Service (TDoS) and DDoS attacks
3. Asset Management: Identify assets by leveraging automated tools and discovery solutions (to also discover rogue systems), including:
- Installed software (including on endpoints, mobile and servers)
- Deployed hardware (including endpoints, mobile, Cloud, and “on-premise” systems)
4. Identity Management: Manage user access and roles by:
- Deploying a centralized identity management solution
- Leveraging a Single Sign-On solution across the enterprise and its applications
- Deploying multi-factor authentication across the organization, particularly for critical systems and privileged access
- Using identity management best practices to ensure “need to know” and “least privilege”
- Properly disabling or deleting accounts according to the organization’s policy
5. Privileged Access: Privileged Access Management solutions should be deployed to manage and control critical infrastructure systems’ administrative accounts, including:
- Requiring multi-factor authentication for all administrative accounts, including on servers and endpoints
- Using solutions, such as Software Defined Perimeter, to enforce multi-factor authentication policies across the enterprise while implementing patching, need to know, and least privilege, among others
6. Patching and Vulnerability Management:
- Conduct proper monitoring and patch installation, including testing prior to patch deployments
- Prioritize patches based on risk and critical impact
- Regularly perform Automated Scanning (ideally daily, or at least weekly), including credentialed, internal, and external scans
- Install agents on servers and endpoints to facilitate scans whenever possible
- Scan applications both statically and dynamically
- Perform source code review when necessary.
7. Continuous Monitoring/Security Information and Event Management (SIEM): Continuous monitoring is recommended 24 hours a day, 7 days a week, including:
- Employ alerts and SIEM solutions with a customized dashboard to monitor critical systems using proper Log Management
- Create a Security Operations Center to continuously monitor critical systems
8. Endpoint Protection: Employ endpoint protection solutions to:
- Mitigate against viruses, ransomware, and malware using solutions such as Advanced Endpoint Protection, Application Sandboxing and Micro Virtual Machine (VM) isolation.
- Deploy these solutions across all endpoints and servers, including mobile devices
9. Public Key Infrastructure (PKI)/Key Management: Deploy both symmetric and asymmetric encryption key management solutions, including:
- Managing public and private keys used for Application Programming Interfaces (APIs), email signing, and encryption using a PKI solution
- Employing key management solutions to store keys, including Secure Shell (SSH) keys and other encryption keys
10. Log Management: Centralize and consolidate logs, including:
- Ingress and egress logs
- Application logs
- Endpoint protection logs
- Firewall logs
- IDS/IPS logs
11. Phishing protections, reporting and campaign solutions: Implement phishing training and plugin solutions, including:
- Mandating regular phishing training for all employees, including senior executives
- Deploying phishing plugin solutions on email servers and endpoints to allow phishing email detection, prevention, and reporting
- Conducting real-life phishing campaigns with all your employees to measure openings/clicks, and target training to employees opening those emails
12. Configuration Management/Whitelisting: Adopt a configuration management solution to properly enforce configuration requirements on servers and endpoints, including:
- Prioritizing solutions that can synchronize logs with SIEM and that support multiple Operating Systems
- Leveraging application whitelisting solutions to limit access to necessary applications on endpoints and mobile devices. Whitelisting is recommended instead of blacklisting because new malicious software is too difficult to track
13. Data Loss Prevention: Properly protect data, in particular Personally Identifiable Information (PII), Personal Health Information (PHI), Payment Card Industry (PCI), sensitive, classified, and/or financial data, by:
- Leveraging solutions to detect and prevent data leaks and massive data exports on servers, databases, and endpoints when possible
14. Data Security: Implement solutions to secure data, including:
- Deploying backup solutions across the organization endpoints, servers, databases, and critical systems
- Establishing off-site backup, whether in a separate data center or on the Cloud
- Mandating encryption for all PII, PHI, PCI, sensitive, and confidential data whenever possible, including requiring full disk encryption solutions for mobile devices, laptops, and removable media, and encrypting databases and files whenever required.
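Capabilities 7, 10 and 13 only pay off once logs from different sources land in one place in a common shape: a burst of denied connections, an IDS alert and an unusually large export are each unremarkable in their own silo and only stand out when correlated. The following Python script is an added example, not code from the article, and illustrates that point with constructed firewall, IDS and application log lines (the hosts, addresses, user names, table name and signature text are all made up, and the key=value formats are assumed rather than taken from any real product): it normalizes the three formats into one event schema, then runs three SIEM-style checks over the consolidated events.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample logs (not from any real system). Each source uses its own
# format, which is exactly the situation a central log store has to absorb.
FIREWALL_LOGS = [
    "2017-09-10T02:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.5.20 dport=22",
    "2017-09-10T02:00:02Z fw01 DENY src=203.0.113.7 dst=10.0.5.20 dport=22",
    "2017-09-10T02:00:03Z fw01 DENY src=203.0.113.7 dst=10.0.5.20 dport=22",
    "2017-09-10T02:00:04Z fw01 DENY src=203.0.113.7 dst=10.0.5.20 dport=22",
    "2017-09-10T02:00:05Z fw01 ALLOW src=10.0.1.15 dst=10.0.5.30 dport=443",
]
IDS_LOGS = [
    '2017-09-10T02:00:06Z ids01 alert sig="Web exploit attempt" src=203.0.113.7 dst=10.0.5.30',
]
APP_LOGS = [
    "2017-09-10T02:01:00Z app01 user=svc_report action=export rows=5200000 table=consumer_pii",
    "2017-09-10T02:01:30Z app01 user=analyst1 action=export rows=120 table=consumer_pii",
]
ALL_LOGS = FIREWALL_LOGS + IDS_LOGS + APP_LOGS

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Normalize one line into a common event dict.

    Assumed line shape: '<ISO timestamp> <host> <rest>', where <rest> starts
    with ALLOW/DENY (firewall), 'alert' (IDS) or directly with key=value
    pairs (application). Unknown keys are kept as-is so nothing is lost."""
    ts_str, host, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    verb = rest.split(" ", 1)[0]
    if verb in ("ALLOW", "DENY"):
        source, action = "firewall", verb
    elif verb == "alert":
        source, action = "ids", "alert"
    else:
        source, action = "app", fields.get("action", "unknown")
    event = {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "host": host,
        "source": source,
        "action": action,
    }
    event.update(fields)
    return event


EVENTS = [parse_line(line) for line in ALL_LOGS]


def denied_bursts(events, threshold=3, window_seconds=60):
    """Flag sources denied `threshold` or more times inside a sliding window.
    Returns {src: largest burst size seen}."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["source"] == "firewall" and e["action"] == "DENY":
            by_src[e["src"]].append(e["ts"])
    hits = {}
    for src, times in by_src.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            size = end - start + 1
            if size >= threshold:
                hits[src] = max(hits.get(src, 0), size)
    return hits


def mass_exports(events, row_threshold=100_000):
    """DLP-style check: export actions whose row count exceeds a threshold."""
    return [
        (e["user"], e["table"], int(e["rows"]))
        for e in events
        if e["source"] == "app" and e["action"] == "export"
        and int(e.get("rows", 0)) >= row_threshold
    ]


def correlated_sources(events):
    """Cross-source correlation only a consolidated store allows: addresses
    that appear both in firewall denies and in IDS alerts."""
    denied = {e["src"] for e in events if e["source"] == "firewall" and e["action"] == "DENY"}
    alerted = {e["src"] for e in events if e["source"] == "ids"}
    return sorted(denied & alerted)


if __name__ == "__main__":
    print("denied bursts:", denied_bursts(EVENTS))
    print("mass exports:", mass_exports(EVENTS))
    print("correlated sources:", correlated_sources(EVENTS))
```

Each check is deliberately simple; the design point is that `parse_line` produces one schema regardless of origin, so a detection written once (`denied_bursts`, `mass_exports`) works on any source that has been ingested, and `correlated_sources` shows the kind of rule that cannot be written at all while firewall and IDS logs sit in separate tools.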
Implementing those 14 core capabilities is not a silver bullet, but it will certainly strengthen your Cybersecurity posture.
Unfortunately some CISOs are not given the proper tools to succeed. It is time Cybersecurity is taken seriously before it is too late. This means CISOs should no longer report to CIOs, they should be reporting to CFOs & CEOs to manage this business risk.
Please let me know your thoughts by sharing your comments below!
(Opinions are my own.)
Formal Methods Researcher in Cybersecurity, Ethical Hacker, Professor & Author
7 years ago: Incredibly helpful - thank you! Hope to collaborate at some point...
Filemaker and web developer, photographer, writer, political consultant
7 years ago: Totally beyond me. Tech terms need a glossary. It would take me a lot of study to understand this.
Security Architect at DXC Technology
7 years ago: Brilliant end-to-end. If it is ok to add a 1c contribution, I would love to see HSM explicitly referenced in clause 9.
Software Engineer | Full Stack Developer | Expertise in Web & Backend Development | Skilled in Agile Workflows | Committed to Continuous Improvement & Mentorship
7 years ago: Agreed. I like to say that compliance in many industries is necessary, but not sufficient. In fact, sometimes compliance guidelines are at odds with actual current best practices in security! Compliant != Secure. Proper technical controls are a must for real security. Great article!
Cyber Security, Governance, Risk and Compliance @ Queensland Treasury | CISSP | CCSP | CCSK | MBA | Systematically improving cyber security assurance and resilience
7 years ago: This is a great reference document. Section 11 "including senior executives" could read "especially senior executives." ... I am still scratching my head about how small and medium businesses do all this.