By Chuck McGann, Salient CRGT
Cyber security tools can’t solve all problems: KISSME (Keep IT Security Simple, Manageable, and Effective)
Reports indicate the OPM breach resulted from a successful phishing attack, which compromised logon credentials and eventually allowed the theft of 21 million records. The Target department store breach was the result of a third-party support account that was allowed to remain active. Anthem Health Insurance Company was the victim of a credential theft, and the United States Postal Service (USPS) attack was a credential theft that resulted in access to unprotected employee data. Unfortunately, many of these types of incidents are identified by existing tools but are not acted on appropriately or in a timely manner.
Cyber Security Tools Are Not a Substitute for Good Practices
In the examination of these recent attacks and data breaches, we have noted that some basic security practices for protecting systems and networks are not being applied in favor of dependence on security tools.
That’s not to say that tools are bad; they are not. Cyber security professionals are continually adopting new tools and new analytic capabilities to help protect their organizations. But these tools do not seem to be having a significant impact on improving the overall security posture or reducing the number of breaches and exposures. To be effective, these tools must be used within the structure of good security practices, with their outputs reviewed in the context of business needs.
The Human Touch Is Still Necessary
New cyber security tools, including log file analysis, SIEMs, behavior analytics, and access management, to name a few, allow for much higher volumes of data ingestion and correlation at near real-time speed.
Log file analysis is a good example. With everything that is being logged and the storage space it takes on a system, a log may be overwritten before it is off-loaded for inspection. Consequently, when a security analyst needs to look at the raw data, it is unavailable or difficult to assess because of the volume of data stored.
Log file analysis tools are effective but can only do so much. In the end, a person still has to make “the call” as to whether something is a false positive, security event, or potential/reportable breach. The overwhelming speed and volume of data allows us to get distracted from the basics, the core of where cyber security starts.
We need to go back to the basics and solidify our security foundation in order to move forward. Here are some principles of basic security settings:
- Logon and access control for third-party suppliers should be limited to specific instances needing support.
- Access management should indicate if logons are active and being used outside of work hours or service needs.
- Multiple concurrent logon sessions for a single user should not be allowed, in order to prevent possible account misuse.
- Asset management and sensitive PII data should be protected by encryption and access control.
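The first three settings in the list above are checks that an access management or log analysis tool can run continuously. The following script is an added illustration, not code from the article or from Salient CRGT: it walks a constructed set of logon/logoff events against a hypothetical policy and flags a third-party account logging on outside its approved support window, a regular account logging on outside work hours, and a user opening a second session while the first is still open. The event format, the account names, the work-hours policy and the support window are all assumptions made for the example.

```python
from datetime import datetime, time

# Constructed sample logon/logoff events (not taken from the article).
SAMPLE_EVENTS = [
    {"ts": "2015-06-01T09:05:00", "user": "alice", "action": "logon", "host": "ws-101"},
    {"ts": "2015-06-01T09:10:00", "user": "alice", "action": "logon", "host": "ws-220"},  # 2nd session, 1st still open
    {"ts": "2015-06-01T17:30:00", "user": "alice", "action": "logoff", "host": "ws-101"},
    {"ts": "2015-06-01T17:35:00", "user": "alice", "action": "logoff", "host": "ws-220"},
    {"ts": "2015-06-01T23:40:00", "user": "bob", "action": "logon", "host": "srv-db1"},   # outside work hours
    {"ts": "2015-06-02T00:15:00", "user": "bob", "action": "logoff", "host": "srv-db1"},
    {"ts": "2015-06-01T14:00:00", "user": "hvac-vendor", "action": "logon", "host": "srv-bms"},  # inside support window
    {"ts": "2015-06-01T15:00:00", "user": "hvac-vendor", "action": "logoff", "host": "srv-bms"},
    {"ts": "2015-06-03T02:00:00", "user": "hvac-vendor", "action": "logon", "host": "srv-bms"},  # no support window open
    {"ts": "2015-06-03T02:30:00", "user": "hvac-vendor", "action": "logoff", "host": "srv-bms"},
]

# Hypothetical policy (an assumption for this example). Third-party accounts may
# only log on inside an approved support window; everyone else is expected to
# log on within work hours; no user may hold two sessions at the same time.
POLICY = {
    "work_hours": (time(8, 0), time(18, 0)),
    "work_days": {0, 1, 2, 3, 4},  # Monday..Friday
    "third_party_windows": {
        "hvac-vendor": [("2015-06-01T13:00:00", "2015-06-01T16:00:00")],
    },
}


def _parse(ts):
    return datetime.fromisoformat(ts)


def _in_window(dt, windows):
    """True when dt falls inside at least one approved (start, end) window."""
    return any(_parse(start) <= dt <= _parse(end) for start, end in windows)


def review_logons(events, policy):
    """Return (user, timestamp, reason) findings for events that violate the policy."""
    findings = []
    open_sessions = {}  # user -> set of hosts where that user still has an open session
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort chronologically
        dt = _parse(ev["ts"])
        user, host = ev["user"], ev["host"]
        if ev["action"] == "logoff":
            open_sessions.get(user, set()).discard(host)
            continue
        if user in policy["third_party_windows"]:
            # Supplier account: only legitimate while a support window is open.
            if not _in_window(dt, policy["third_party_windows"][user]):
                findings.append((user, ev["ts"], "third-party logon outside approved support window"))
        else:
            start, end = policy["work_hours"]
            if dt.weekday() not in policy["work_days"] or not (start <= dt.time() <= end):
                findings.append((user, ev["ts"], "logon outside work hours"))
        # A logon while another session for the same user is still open.
        if open_sessions.get(user):
            findings.append((user, ev["ts"], "concurrent session while %s still open" % sorted(open_sessions[user])))
        open_sessions.setdefault(user, set()).add(host)
    return findings


if __name__ == "__main__":
    for user, ts, reason in review_logons(SAMPLE_EVENTS, POLICY):
        print("%s %-12s %s" % (ts, user, reason))
```

Each finding still needs a person to decide whether it is a scheduled maintenance job, a forgotten vendor ticket, or a compromised credential; the script only makes sure the three basic checks are never skipped because the log rolled over before anyone looked.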
Solidify the Cyber Security Foundation with KISSME
There is a new acronym that encapsulates the central tenets of a successful cyber security program: KISSME. By following the “Keep IT Security Simple, Manageable, and Effective” guidelines, cyber security teams can effectively protect their systems without sleepless nights and staggering costs.
The KISSME guidelines are:
- Keep it Simple – Use standard configurations whenever possible and be consistent across platforms.
- Keep it Manageable – Know what is on your network and why. Know who is (and should be) accessing those systems and devices.
- Keep it Effective – Unenforceable policy is a waste of ink, and enforcement that costs more than the value of the data is a waste of money.
I will add another guideline here:
- Keep it Current – Apply patches when they become available and remember to update all systems. Look out for dependent patches; if the OS has a patch, your protection tools most likely will have one soon.
We must remain diligent and ensure that the foundational cyber security practices are addressed and monitored effectively. It’s easy to get caught up in the business need for global access for everyone on any device. Everything is great until somebody loses a server full of data that nobody knew existed, let alone who had access to it.
How Do We Implement KISSME? Control Access and Assets
As an example of putting these guidelines into practice, let’s look at access management. Elevated privileges can increase exposure to inappropriate system access, data loss, or unauthorized software installations.
The principle of least privilege (PoLP) is a cornerstone of access and data protection control. Only allow the access rights needed to do the job—nothing more and nothing less, and only for the period of time the job is being done. Monitoring privileged credentials should be a regular periodic occurrence specific to your organizational needs.
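The "only for the period of time the job is being done" clause and the periodic monitoring of privileged credentials can be turned into a recurring review. The script below is an added example, not code from the article or from Salient CRGT: it takes a constructed list of privilege grants (each with an expiry date, a last-use date and a change-ticket justification, all assumed fields) and reports grants that have expired but are still in place, standing privileges with no expiry, privileges nobody has used within a dormancy threshold, and grants with no recorded justification. The account names, ticket identifiers and the 90-day threshold are assumptions for the example.

```python
from datetime import date

# Constructed sample of privilege grants (not taken from the article).
SAMPLE_GRANTS = [
    {"user": "alice", "privilege": "domain-admin", "granted": "2015-01-10",
     "expires": "2015-07-10", "last_used": "2015-05-28", "justification": "CHG-1042"},
    {"user": "bob", "privilege": "db-sysadmin", "granted": "2014-11-01",
     "expires": "2015-02-01", "last_used": "2015-05-20", "justification": "CHG-0871"},  # expired, still used
    {"user": "carol", "privilege": "backup-operator", "granted": "2014-03-15",
     "expires": None, "last_used": "2014-09-02", "justification": ""},  # standing, dormant, unjustified
    {"user": "hvac-vendor", "privilege": "local-admin:srv-bms", "granted": "2015-06-01",
     "expires": "2015-06-01", "last_used": "2015-06-01", "justification": "TKT-2203"},  # one-day support grant
]


def review_privileges(grants, as_of, dormant_days=90):
    """Return one finding per grant that fails a least-privilege check as of the given date."""
    as_of = date.fromisoformat(as_of)
    findings = []
    for g in grants:
        issues = []
        # Time-boxing: a privilege should end when the job ends.
        if g["expires"] is None:
            issues.append("no expiry (standing privilege)")
        elif date.fromisoformat(g["expires"]) < as_of:
            issues.append("expired on %s but still granted" % g["expires"])
        # Use: a privilege nobody exercises is exposure with no business value.
        if g["last_used"] is None or (as_of - date.fromisoformat(g["last_used"])).days > dormant_days:
            issues.append("not used in the last %d days" % dormant_days)
        # Justification: every elevated right should trace to a documented need.
        if not g["justification"]:
            issues.append("no recorded justification")
        if issues:
            findings.append({"user": g["user"], "privilege": g["privilege"], "issues": issues})
    return findings


if __name__ == "__main__":
    for f in review_privileges(SAMPLE_GRANTS, as_of="2015-06-05"):
        print("%s / %s: %s" % (f["user"], f["privilege"], "; ".join(f["issues"])))
```

Run against the sample data as of 2015-06-05, the review flags bob's expired database role, all three problems with carol's standing backup right, and the vendor's local-admin grant that outlived its one-day support window, which is the same pattern the Target breach description above turns on. Alice's grant is in date, in use and justified, so it produces no finding; that is the expected output of a healthy review, not a gap in the check.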
Another area of lost control is asset identification and management. It’s difficult to protect assets that you don’t know about, and it’s even more difficult to manage those devices when they have non-standard configurations.
In the old days we used “Gold Tape” or “Gold Disc” configurations. It was the organization standard. Every deployed system looked the same and only specialized systems carried modifications. If a system became compromised, it was rebuilt from the “Gold Disc” and brought back into the corporate standard.
This was the foundation for solid control and configuration management, which helped secure the organization. Over time, and with the well-intentioned desire to quickly support business and end user needs, that control has eroded.
Safeguard your assets and data using KISSME principles
Some closing thoughts on what you can do to be cyber secure.
Know what devices are in your environment, who is using them, what those users are doing and why, and what data they are touching. A refocus on the KISSME principles will solidify the security foundation upon which new and advanced tools can be leveraged more effectively to meet the daily challenges we face today.