A Security Framework that Anyone – and Everyone – Can Follow
By Shahin Kamruzzaman
In a business start-up, the entrepreneur usually is a one-person band, taking on all kinds of work including IT. As the business grows and becomes increasingly dependent on IT infrastructure, the entrepreneur may not be able or willing to handle the challenges of IT security, vulnerability, risk management framework and privacy law. To provide the new business owner guidance on security needs, I’ve created a simple approach to basic IT security. It’s a five-step framework to manage vulnerabilities and reduce risks as related to IT security. It works with any organization but is targeted for independent/privately held organizations with 500 to 5,000 employees that struggle with implementing information security into their existing IT infrastructures, whether done in-house or using outside consultants.
Creating the Framework
In information security, there are lot of models, recommendations, frameworks, guidelines and standards. They can be difficult for generalists to follow or map to existing real-world issues. In addition, there’s the challenge of assigning job responsibilities for the information security team. What they will do? How far do their roles extend into other lines of IT and business units? Who does patching — security, engineers or architects?
The framework for a basic IT security plan can be broken into five groups:
- Asset Management
- Asset Behavior
- Vulnerability Management
- Threat Detection
- Incident Response
Each section has requirements and measures to ensure the end result: security for the organization’s infrastructure.
What to Know and Do
- Know what you have - This is the foundation and while it may sound very basic, if you don’t know what you have, you cannot adequately protect the infrastructure. Considering that pretty much any device you can think of is connected to your network and/or the internet and that employees often bring their own devices to the office and connect via your WiFi network, it is imperative to develop a process to maintain the accurate and current count of assets, be it automated or manual. In a worst-case scenario, set up an employee weekend project to get the job done.
- Confirm device security - Once all devices are accounted for, check that they are all equipped with the latest company-required and approved security tools. Include in the inventory application software or devices excluded from specific security requirements for whatever reason. For example, databases may be excluded from real-time antivirus scanning. There should be a separate list maintained for this type of exception.
- Maintain service accounts - For those applications requiring a service account, a separate inventory should be maintained. Service account passwords should change at least yearly.
- Enforce asset policies - Many devices have maximum lifetimes. When a device is decommissioned, it should be removed from the inventory. Required data backups must be completed and inventoried before any device is wiped.
- Know the functionality - It’s crucial that you have the expertise on staff to manage the company’s assets. For example, the employee who manages the company’s firewall must have a good understanding of how it works and what changes can be made and when, as well as maintaining proper documentation.
- Track the location and configuration of all assets - Know which devices are inside the organization and which are perimeter devices provided by vendors. Perimeter devices should be properly configured following the vendor security guidelines or best practices aligned with organization-inside devices. There will always be different types of protection mechanisms and monitoring on perimeter devices over inside devices. For inside devices, either consultants can be hired or in-house staff can do the initial build.
- Establish ongoing maintenance and monitoring - Monitoring the device production is crucial, as is vendor support for required maintenance. It will be difficult to remediate any vulnerability by applying the patches without a minimum level of service agreement with the vendor.
- Know the assets’ limitations - Make sure every device has the optimal running condition in terms of environment, power, memory, processing, disk and network utilization. Let’s say the best temperature for the server room is 70°F and 95°F is the worst temperature. Document this for all critical assets and monitor or get alerts when, in the case of the server room, the optimal temperature is not maintained.
- Have the right (and best) people - Every organization is challenged to hire and retain expert people. Make sure the knowledge of the initial build is transferred to full-time staff when the experts leave. And in-house staff should receive regular training on asset updates.
Now that you know what assets you have, where they are and what they do for the organization, it’s time to think about vulnerability management.
- Think out of the box - It’s not just the potential vulnerability of your Windows workstations, server and network switches, routers and firewalls. Yes, they are crucial. Let’s say you have 10 smart TVs in your organization. Do you know their vulnerabilities and how to remediate them? Malicious actors can use the vulnerabilities of smart TVs to create a backdoor into your network. When you manage a vulnerability, think about all network-connected devices: appliances, IOT, UPS, camera, security, temperature, etc.
- Be alert for system weaknesses - Run monthly scans for vulnerabilities using available scanning software (e.g., Rapid 7, Nessus, etc.). Monthly scan reports need to be viewed and any problems remediated. After the remediation, run another scan to make sure the vulnerability is gone. Ensure that all patching is performed within mandatory timelines. Organizations can face challenges just to complete the Windows patching cycle within 30 days. Infrastructure, products, services and processes need to be updated to keep up with the 30-day patching cycle
- Get the latest hardware/software information - Sign up for vendor newsletters and get patches as soon as they are released. Purchasing a service contract can ensure timely patches. Monitoring vendor websites will provide updated information as will newsletters like US-CERT and NH-ISAC.
- Protect against incursions - Make sure your vendor complies with US-CERT disclosure rules. If any vulnerabilities are discovered in any U.S.-based company’s product or services, the supplier should notify US-CERT within a specific time. Make sure your vendor is aware of this. In-house, your enterprise should have a “red team” to test your security posture. For example, run a penetration test. Additionally, hire a professional “white hat” hacker to verify the security posture. Some testing should also be done without informing the incident response team in order to observe how the IR team responds.
Be ready to identify any anomalies or unexpected, unwanted or unusual events. You must have proper processes, people and technology in place — the sooner you detect, the faster you can remediate.
- Uncovering the threat - Know what devices and systems are key to protecting your infrastructure. Security Information Event Management (SIEM), Intrusion Prevention Management (IPS) and Intrusion Detection Systems (IDS) are important items for any IT security plan. Ensure that the systems are properly configured and monitored and that any threats or anomalies are properly and quickly investigated. Outside consultants may be needed. As there are always new threats and challenges, organizations may want to have their own honeypot on the internet to analyze or research the new attacking techniques or viruses.
- Sharing the knowledge - Regular reports and/or meetings about threat potentials including alerts are crucial to the organization’s health. Each member of the SIEM team should carefully investigate any relation or pattern arising from the SIEM logs. If the root cause of an alert cannot be found, escalation may be required.
Even though you have a good foundation, the malicious actor may still be able break in despite your protections.
- Establish a formal incident response plan (IRP) - You cannot wait to establish an Incident Response Plan until an incident happens or an auditor requests it. Be sure the IRP is active and all IRP team members know where it is and what their roles and responsibilities are. Keep the list of team members and their contact information up-to-date with phone numbers (mobile and home) and designate one or two “first responders.”
- Test the IRP - Practice your incident response with a tabletop exercise at least quarterly. Some organizations hire a semiprofessional actor to demonstrate the incident. Running “fire drills” or mock incidents will help you learn to handle the situation in the event of a real intrusion.
While this framework may sound like a lot of work, it does provide a guide to establishing a workable security plan for your organization.
Shahin Kamruzzaman, CISSP, PCIP, has worked in IT industry for 18 years. You can connect with him via LinkedIn at https://www.linkedin.com/in/shahinkamruzzaman/.
Profiles of Information Security Leaders
An abbreviated version of this Q&A appears in the March/April issue of InfoSecurity Professional.
Brencil Kaimba is a security consultant in Kenya who has spent the past year mentoring students interested in cybersecurity as a career. She’s also mentored girls on cyberbullying. Her devotion to helping others, as well as continuing to demonstrate expertise in both technical and non-technical skills as a lead risk expert at Serianu Limited, helped earn her the first Up-and-Coming Information Security Professional title at the inaugural (ISC)² EMEA Information Security Leadership Awards (ISLAs).
How did you transition from a degree in mechanical/manufacturing engineering to cybersecurity as a career?
The transition was hard, but my curiosity and need to succeed helped a lot. When I was in college, I didn’t know anything about cybersecurity. In fact, I was very passionate about mechanical engineering. After college, I started applying to various companies for a mechanical engineering position, while at the same time visiting schools to encourage students to pursue STEM-related courses. During this time, I met different people and one in particular, Mr. William Makatiani, introduced me to cybersecurity. I was really curious about this line of work and thankfully, he offered me an internship for three months to “test the waters.”
Initially, I really struggled with the different IT terms and felt really frustrated whenever I had a technical conversation with the technical teams. There was so much I did not understand, and I had to work twice as hard to reach the level of my other team members. I did a lot of research on cybersecurity trends, standards, best practices, etc., just to keep up.
After all is said and done, I have come to realize that the gap between cybersecurity and other technical fields is not that big. All one needs is the ability to think critically and have a great analytical mind. Cybersecurity is not just IT; it involves strategic thinking, business alignment and process reviews, none of which require extensive IT skills.
Are there many young women working in cybersecurity in Kenya?
No. Few women are involved in cybersecurity compared to men. This is a gap that we (and a few others in the country) are actively trying to close through training initiatives.
Is that number of women in the field growing?
Yes. We are seeing an increase, mainly because there are more initiatives focused on empowering young girls. Programs such as the Serianu-Africa Cyber Immersion program is one of these initiatives, where we intentionally include young girls. More and more hubs and coding camps are forming in Kenya, which has helped to increase the involvement of young girls.
You recently won one of the first EMEA ISLAs for both your work at Serianu Limited and for mentoring Kenyan students through the Cyber Security Training and Awareness for Young People program. What made you take the initiative with both of these organizations?
I was fortunate enough to go to a school where we had different people come and advise us on different aspects of our lives: academic excellence, religion, life, relationships, etc. This helped mold who I am today. Not many people have that. Many students in rural areas are very bright, but lack the guidance, exposure and motivation to help them realize their full potential. Most of these young people are also consumers of new technologies, but they don’t understand how to secure themselves while consuming these technologies.
I want to help these young women in the following areas:
Engage: To know their goals/aspirations/challenges and encourage them to meet these.
Educate: Educate them on the different cybersecurity concepts, both technical and non-technical, such as how to stay safe online, etc.
Empower: Let them understand that they can be what they want to be, including cybersecurity professionals. We also want to provide internships and mentoring as they pursue their dreams.
Can you tell us a little about the key role you played in facilitating a Cyber Immersion Program?
My team and I came up with a series of topics to train our students. They included security monitoring; cyber intelligence; and governance, risk and compliance (GRC). My focus was on GRC.
You also mentor young girls on cyberbullying. How big of a problem is cyberbullying in Kenya?
This is a big issue and has sometimes resulted in death.
What do you believe are the key traits every cybersecurity mentor must master to effectively lead others?
Patience and simplicity.
Patience because cybersecurity is a new field for most people, so it requires patience with others who are not as well versed in cybersecurity concepts. By simplicity, I mean to explain your concepts in the most simplified manner, as though you’re explaining to a 5-year-old. This is because not everyone knows cybersecurity, and if you’re going to mentor young people who have not been to an IT class, it helps to simplify things.
Of all of the training and awareness campaigns you’ve helped conduct at Serianu, which has been the easiest to implement? And the most difficult for end users to follow?
Easiest to implement: cyber immersion training. We had a great team of trainers and students who were very eager to learn.
Most difficult for end users has been cyber defense training. This was a very technical training conducted by Serianu for IT teams. It was difficult for end users to follow initially because of the new concepts we had introduced in the curriculum (packet analysis, malware analysis, etc.).
Your work is all about managing risk. What advice do you have for (ISC)2 members who need to become better risk managers in the coming year?
Be very strategic and intentional. Always ask the question: What is the worst-case scenario as it relates to the survivability of the organization?
This requires an understanding of the core function of the organization and what people/processes/technologies support it. Take a structured approach to defining the threats to your organization. I don’t mean general threats such as competitors, script kiddies, hacktivism groups or nations. I mean threats specific to your organizational goals. For example: An energy/power-producing organization relies on its production occurring on a continuous basis in order to generate revenue. An interruption to production will come at great cost to the organization. Hence, the greatest threat to the organization would be interruption to production. This is a threat to availability.
Once such a list of potential technical threats has been identified, those threats must be prioritized.