Guest column by Joseph Carson, Chief Security Scientist at Thycotic.
Chief Information Security Officers (CISOs) carry some of the heaviest responsibilities of anyone in an organization. Depending on the security policies they set and how well those policies are enforced, they can be responsible for the success or the downfall of an entire company.
It is a thankless position, because usually nobody says a word until something goes badly wrong. CISOs have to keep their internal team functioning while protecting the organization's data and infrastructure, and a single breach, whether caused by an accident or by a lack of oversight, can bring an entire organization to its knees with no chance of recovery. We think it is crucial for CISOs at every level to ensure that the following five security policies are implemented and strictly enforced.
This isn't an exhaustive list, but it's a good place to start: we constantly see leadership struggling to implement these measures across the board.
Before we get started, note that for your policies to succeed they must be adopted, recognized, and backed by every member of the executive team. Corporate policy should state that an employee's failure to follow the security policies issued by the Information Security office may result in termination of employment. It has to be taken seriously, because every person in the organization is responsible for the security of the whole business.
Let’s get started with the top 5 security policies that every CISO must enforce.
Least Privilege
This is number one. If you are not operating under least privilege, you risk undermining every other security system, policy, and procedure you have in place. You can have the best security products available, but if an administrative or privileged account is compromised, so is everything that account can reach. The principle of least privilege, at its core, means that every person in, and associated with, your organization holds only the minimum privileges needed to do their day-to-day job, and nothing more.
For example, employees in your marketing department do not need local administrative rights on their workstations. They may want them, for many reasons, but they do not need them to perform their day-to-day function, and any malware that runs under their account inherits whatever rights that account holds.
Here are two aspects of privilege to explore (disclaimer: both are ones Thycotic can help you with): separating all users from permanent administrative, or privileged, access (yes, this includes your IT and security admins), and removing all privileged access from endpoints and applications.
The first requires a Privileged Account Management (PAM) solution, such as our Secret Server, for discovering, storing, managing, and protecting privileged accounts across your entire organization. Your administrators log in to the system and check out a privileged account only when they absolutely need it, and every checkout and use is audited.
The second, removing administrative rights from endpoints and applications, is harder for organizations to move towards. We often hear that senior executives would rather accept a far greater cybersecurity risk to the organization than burden regular employees with standard (non-administrative) accounts.
Often the reason is the higher number of support and helpdesk tickets generated when a regular user needs to install or update an application. Again, Thycotic can help here with our Privilege Manager for Windows and Mac. Privilege Manager lets you quickly set up application-based policies that allow approved software to run (application whitelisting) while denying and blocking all unknown applications. Applications without a policy can be greylisted, so users can submit an access request for them. Users can then install approved software, with the application elevated under the privileges your policy grants it rather than through a UAC prompt, while their own account stays a standard user.
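Removing local administrative rights only sticks if you can see where they creep back in. The script below is an added example, not code from the article or from Thycotic's products: it lists every member of a workstation's local Administrators group, compares it against an approved list, and, with -Remediate, removes anything that is not on the list. It assumes PowerShell 5.1 or later on Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module), administrator rights to run, and the approved principals shown (the CORP\Workstation Admins group is a hypothetical placeholder for your own support group).

```powershell
# Added example: audit (and optionally remediate) local Administrators membership
# against an approved list. Not part of the original article. Assumptions: PowerShell
# 5.1+ on Windows 10 / Server 2016+, run as administrator; the approved list is a
# hypothetical sample, not a real organization's list.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Principals allowed to remain in the local Administrators group.
    [string[]]$Approved = @(
        "$env:COMPUTERNAME\Administrator",   # built-in local admin (ideally LAPS-managed)
        'CORP\Workstation Admins'            # hypothetical domain group for IT support
    ),
    # Without -Remediate the script only reports; -WhatIf previews removals.
    [switch]$Remediate
)

$members = Get-LocalGroupMember -Group 'Administrators'

# Case-insensitive membership test for DOMAIN\name or COMPUTER\name strings.
$approvedSet = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$Approved, [System.StringComparer]::OrdinalIgnoreCase)

$findings = foreach ($m in $members) {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Member   = $m.Name              # e.g. CORP\jdoe, or a raw SID if the account is orphaned
        Type     = $m.ObjectClass       # User or Group
        Source   = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, ...
        Approved = $approvedSet.Contains($m.Name)
    }
}

$findings | Format-Table -AutoSize

foreach ($v in ($findings | Where-Object { -not $_.Approved })) {
    if ($Remediate -and $PSCmdlet.ShouldProcess($v.Member, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $v.Member
        Write-Warning "Removed $($v.Member) from Administrators on $($v.Computer)"
    } else {
        Write-Warning "Unapproved administrator: $($v.Member) ($($v.Type), $($v.Source))"
    }
}
```

Run it as a scheduled task or through your endpoint management tool and collect the warnings centrally; a member that reappears after removal is a finding in itself. Orphaned SIDs (accounts deleted from the domain but still in the group) are reported as raw S-1-5-21-... names and should be removed too; on some builds Get-LocalGroupMember throws on them, in which case `net localgroup Administrators` still lists the raw entries.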
Patching and Updates
This is one of the easiest, and oddly one of the most neglected, policies in an organization. If you operate under least privilege and keep your systems current with security and bug-fix patches, you have mitigated the great majority of the threats your organization will actually face. Perhaps "forgotten" is the wrong word, because we hear from plenty of companies that choose not to update or patch their systems, for various reasons. The number one reason given is that patching may break applications that were built internally. We have all heard it before, usually from organizations still running unsupported versions of Windows.
Once again, executive leadership faces a risk-versus-reward dilemma. Patching systems can cost hours of downtime, staff time, and money. Not patching them means everything carries on as normal, and they simply hope they are not the next target of a cyber attack.
Speaking of cyber attacks, the WannaCry ransomware is a good example of why keeping systems patched matters. When a vulnerability is disclosed, attackers quickly build tools that exploit it and go looking for organizations that have not applied the fix. Microsoft released the patch for the SMBv1 vulnerability WannaCry used (MS17-010) about two months before WannaCry appeared, and the worm was built to exploit exactly those organizations that had not kept their systems up to date. There were thousands of them.
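A patching policy needs a way to verify it. The function below is an added example, not code from the article or from any vendor: it reports whether a Windows host is still exposed the way WannaCry's victims were, by checking whether the SMBv1 server is enabled and whether any MS17-010 package appears in the hotfix list, and with -DisableSmb1 it turns SMBv1 off. It assumes PowerShell 5.1 or later run as administrator. Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later; on Windows 7 / 2008 R2 it is absent and SMBv1 is on by default, which the function treats as enabled. The KB list covers the pre-Windows 10 MS17-010 packages; a host that later took a superseding monthly rollup, or any Windows 10 cumulative update, will not show these IDs even though it is patched, so treat the KB column as corroborating evidence and the SMBv1 state as the signal to act on.

```powershell
# Added example (not from the original article): report a host's exposure to the SMBv1
# flaw WannaCry exploited, and optionally disable SMBv1. Assumptions: PowerShell 5.1+,
# run as administrator. KB IDs are the MS17-010 packages for pre-Windows 10 platforms;
# later rollups and Windows 10 cumulative updates supersede them without listing them.
function Test-Ms17010Exposure {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$DisableSmb1)

    $ms17010Kbs = @(
        'KB4012598'   # Vista / Server 2008 (also the out-of-band XP / Server 2003 package)
        'KB4012212'   # Windows 7 / Server 2008 R2, security-only
        'KB4012215'   # Windows 7 / Server 2008 R2, March 2017 monthly rollup
        'KB4012214'   # Server 2012, security-only
        'KB4012217'   # Server 2012, March 2017 monthly rollup
        'KB4012213'   # Windows 8.1 / Server 2012 R2, security-only
        'KB4012216'   # Windows 8.1 / Server 2012 R2, March 2017 monthly rollup
    )

    $os      = Get-CimInstance Win32_OperatingSystem
    $legacy  = [version]$os.Version -lt [version]'10.0'
    $hotfix  = Get-HotFix -Id $ms17010Kbs -ErrorAction SilentlyContinue
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
               Select-Object -First 1 -ExpandProperty InstalledOn

    # $null when the cmdlet is missing (Windows 7 / 2008 R2); SMBv1 is on by default there.
    $smb1 = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $smb1On = ($smb1 -ne $false)

    $report = [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OS              = "$($os.Caption) ($($os.Version))"
        Smb1Enabled     = $smb1On
        Ms17010KBsFound = ($hotfix.HotFixID -join ', ')
        LastHotfixDate  = $lastFix        # a stale date is its own finding
        # Likely exposed: legacy OS, SMBv1 listening, and no MS17-010 package on record.
        LikelyExposed   = ($legacy -and $smb1On -and -not $hotfix)
    }

    if ($DisableSmb1 -and $smb1On -and ($null -ne $smb1) -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $report.Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $report
}

Test-Ms17010Exposure
```

Run it across the fleet with Invoke-Command and export the objects to CSV; the LastHotfixDate column alone will show you which hosts have quietly dropped out of your patch cycle. Disabling SMBv1 is the durable fix regardless of patch state, since the protocol has no business being reachable on a modern network, and blocking TCP 445 at the perimeter removes the path WannaCry used to enter in the first place.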
Security Awareness Training
The weakest link in any security posture will always be the human, which is why I recommend taking the human out of the equation whenever possible (for example, using a centralized password manager such as Secret Server rather than requiring people to remember passwords). Even so, every employee should go through security training at least quarterly. Interactive training helps too: run employees through a simulated phishing attack, see how they respond, and retrain those who fail the test.
Employees who repeatedly fail security tests should be at risk of termination. Attackers are always looking for the weakest point in a network, and from their perspective there is nothing better than a regular employee who falls for a phishing email or a social-engineering call and hands them access to your network.
Security Emergency Drills
This is frequently overlooked. Many IT and security teams have backup systems, disaster recovery procedures, emergency policies, and so on, but never actually test them in a real drill.
At least once a quarter your team should run exercises that simulate an attack on, or a catastrophic event affecting, your organization. Have them restore from backups and verify that the restored data is usable, or fail everything over to the standby systems as in a real disaster recovery scenario. All of your preparation and planning is useless if it does not work when needed, and if the team is not practiced in getting everything back up and running immediately.
How long would it take your organization to recover from an act of nature or a cyber attack? If you do not know the answer, it is time to run some security emergency drills.
Document, Report, and Audit
Document everything you do, report on the effectiveness of your policies, and run internal audits against all of your systems. Even if your organization is not subject to regulatory regimes such as PCI DSS or HIPAA, it is still well worth facing an internal audit every quarter. And do not schedule these audits; conduct them unannounced. Surprise audits of your systems ensure that your IT and security teams are always following the policies you have laid down, not just tidying up before a scheduled review.
We hope these were helpful, not only to CISOs but to anyone leading the security and protection program for an organization.