Q&A Monday: Starting a Cyber Security Program
I work for a small company and my boss recently tasked me to start to strengthen our defenses against a cyber attack, but I’m not a security expert, whats the best way to plan this out before I get started.
Thanks for the question, I’m glad you kept it at the planning level because it’s not something that you can do quickly, it’s a process that never ends. One of the places to start your planning is to (if you don’t already have it), draw out your attack surfaces. The systems and hardware that are externally available. You can’t start the planning process or even the process of prioritizing the work without getting a view of your attack surfaces.
Once you have your attack surface mapped out, then make sure you scan your systems to find the vulnerabilities in those systems. Once you know your attack surface and the vulnerabilities, then you need to sort those vulnerabilities from the most significant to the least and this will let you know what order you need to plan these systems. I’m sure business priorities and processes will play into the planning phase, where you might have to wait to take down some serious vulnerabilities if it’s part of a major system.
While you are working on the vulnerabilities, the best thing to do is work on improvements (or implementation) to your security practices and policies. One practice, that’s easy to do, but hard to implement if you don’t currently have it is a strong patching plan. Another good practice to get in the habit of is testing your backups…if you back up and don’t test..then you really don’t know if you need it…if it will work. If you can, make sure that you segment your network where you can, and stay away from flat network designs.
If you aren’t already doing it, or have the software, get a monitoring system. In the event someone does breach your systems, without a monitoring system (like a SIEM), you won’t be able to tell. This is also amazing at helping to see what is being changed in your environment.
With monitoring, should come the testing of systems. You should get some penetration testing software to test your systems. This goes hand in hand with the monitoring since you should be able to see the testing in the logs. If you don’t, means you need to retool your monitoring systems. Penetration tools will give you feedback that you can use to fill back in your vulnerability list.
Once you are comfortable with these systems in place (as I mentioned it’s an ongoing process), and you can convince your higher-ups, hiring an auditing company to audit your processes and systems is a great idea. Even the best security professionals need a second set of eyes to make sure they didn’t miss something. Tunnel vision often happens and the report at the end will help you guide the security program forward.
If you have any questions that you want Jim to answer, from business servers to home computers, drop him a line at firstname.lastname@example.org, and he’ll try to answer your question. Check back every Monday for a new Question and Answer session, and check back Wednesday and Friday for other technical insights.