Factors to Consider When Establishing a Cyberdefense: Part 1

Author: Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, CISO
Date Published: 20 September 2023

Many enterprises seek a reasonable cybersecurity starting point at a reasonable cost. A stepping stone to achieve this is to adopt a cybersecurity framework such as the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The NIST CSF is organized around five core functions, often described as pillars:

  1. Identify and develop an organizational understanding to manage security risk to systems, assets, data and capabilities.
  2. Protect by developing and implementing the appropriate safeguards to ensure delivery of services.
  3. Detect the occurrence of a security event.
  4. Respond to a detected event to contain it and minimize damage to assets and harm to stakeholders.
  5. Recover and restore any capabilities or services that were impaired by an incident.

To realize the most benefits from the five pillars, it is crucial for an organization to know three things:

  1. What it wants to protect and which protections should be used
  2. Which tools are needed to implement those protections
  3. How much implementation costs

To answer these questions, organizations can start with the basics. The Center for Internet Security (CIS) suggests beginning with 10 categories: asset management, data management, secure configurations, account and access control management, vulnerability management, log management, malware defense, data recovery, security training and incident response. This part covers the first five.

Asset Management

The first step to establishing a cyberdefense is to create policies for enterprise asset management (end user devices, servers, network devices and other hardware on the network) and software asset management. Many asset management tools track both. Tools range from a spreadsheet all the way up to a fully automated discovery and inventory platform, and it is up to the enterprise to determine what type best fits its needs. Whatever is chosen, the inventory is only useful if it is reconciled regularly against what network discovery actually finds, so that unauthorized or forgotten devices are identified rather than silently left outside every other control. Common terms that an enterprise may come across during procurement include help desk software, IT asset management (ITAM) tools, IT inventory management tools, network inventory and discovery tools, or network IP scanners.

It is important to consider:

  • Approximately how many assets does the enterprise have on its network?
  • Are there any assets that are part of a bring-your-own-device (BYOD) policy?
  • Are there remote assets connected to the network (e.g., mobile or portable end user devices)?
  • In what type(s) of environment(s) are the assets (e.g., on-premises, cloud, hybrid)?
  • Is there an additional tool that is required to completely automate the process?
  • Does the tool perform other functions (e.g., vendor/contract management, establishment of secure configurations, vulnerability management)?
  • Is the tool agent-based or agentless?
  • Does the tool track both enterprise and software assets?

Data Management

A policy must be enforced regarding the data management process. The next step is to develop an inventory of data, particularly sensitive data, recording where it resides and who owns it. Sensitive data should be encrypted, at rest and in transit, to protect its confidentiality. Common tool names in the data management category include governance, risk and compliance (GRC) tools, data loss prevention (DLP) tools, or eDiscovery tools.

Questions to consider when procuring data management tools include:

  • What type(s) of data does the enterprise handle?
  • Where are the data stored (e.g., file server, database)?
  • What is the sensitivity level of the data?
  • In what type(s) of environment(s) are the data stored in (e.g., cloud, on-premises, hybrid)?
  • Is there a process and/or tool in place for disposing of the data?
  • Is device-level encryption available within the operating system itself or is a separate tool required?
  • Is tooling already in place to centrally manage encryption?
  • Is the enterprise legally required to comply with certain standards, laws or regulations?

Secure Configurations

Start with establishing a secure configuration process by creating a policy. The next step is to determine how to securely configure the devices. Whatever mechanism, guidelines or recommendations an enterprise adopts, it should ensure that it addresses basic security tenets such as removing or disabling default accounts and changing default credentials, encryption, logging and protecting devices that are exposed directly to the Internet.

In addition to implementing secure configurations, this also includes managing the devices themselves securely: administer them only over encrypted, authenticated protocols such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS), never over Telnet or plain HTTP, which expose credentials in transit. Another important area when securing an enterprise’s network is the firewall, which includes a host-based firewall on end user devices and servers, not only at the network perimeter. Finally, a baseline is only as good as its enforcement: deployed configurations drift, so they need to be checked against the baseline on a schedule and any deviation treated as a change to be approved or reverted.

Considerations to keep in mind when choosing the right tools include:

  • What type of deployment does the enterprise want (e.g., manual, fully automated, semi-automated)?
  • What environment(s) need to be securely configured (e.g., on-premises, cloud, hybrid)?
  • Are there vendor-provided secure configurations or are they provided by a third party?
  • Is the third party reputable?
  • Does the enterprise have a set of security configurations that are considered a baseline?
  • How does the enterprise plan on tracking configuration changes to the baseline?
  • How will the secure configuration be validated and maintained?
  • Does the enterprise need to comply with standards or regulations surrounding secure configurations?
  • Can the tool deploy configurations automatically, centrally or remotely?
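The validation question above is the one most often left unanswered in practice. The following is an added example, not code from the article or from any vendor tool, showing what "validate against a baseline" means concretely for one widely exposed service, the OpenSSH daemon. The baseline directives, the weak and hardened sshd_config samples, and the parsing rules are constructed assumptions for illustration; a real baseline should come from the vendor or a reputable benchmark and sit under change control.

```python
"""Check an OpenSSH server configuration against a small hardening baseline.

Added example for this article, not the author's or a vendor's tool. The
baseline and both sample configurations are constructed for illustration.
"""
from __future__ import annotations

# Hypothetical baseline: directive -> required value (compared lower-cased).
# It reflects the tenets in the text: no remote root login, no password
# authentication on an Internet-exposed device, and verbose logging.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "loglevel": "verbose",
}

# Constructed weak configuration, as found on an unhardened host.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
LogLevel INFO
"""

# Constructed hardened configuration for the same host.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
LogLevel VERBOSE
"""


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective directives from sshd_config text.

    Comments and blank lines are ignored. sshd honours the *first* occurrence
    of a directive, so a later duplicate must not override an earlier one.
    """
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def check_against_baseline(text: str, baseline: dict[str, str] = BASELINE) -> list[str]:
    """Return findings; an empty list means the configuration meets the baseline.

    An absent directive is reported as a finding too: sshd's compiled-in
    default may be weaker than the baseline (PasswordAuthentication defaults
    to yes), so silence in the file must not be read as compliance.
    """
    effective = parse_sshd_config(text)
    findings: list[str] = []
    for directive, expected in baseline.items():
        actual = effective.get(directive)
        if actual is None:
            findings.append(f"{directive}: not set (baseline requires '{expected}')")
        elif actual != expected:
            findings.append(f"{directive}: is '{actual}', baseline requires '{expected}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        result = check_against_baseline(cfg)
        print(f"{name}: {'compliant' if not result else 'drift detected'}")
        for finding in result:
            print("  -", finding)
```

When run against a real host, feed the script the output of `sshd -T` rather than the raw file: that command prints the effective configuration with defaults resolved, which removes the "not set" ambiguity and covers directives supplied through Match blocks or included files.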

Account and Access Control Management

Start with establishing an access and credential management policy. Ensure that a process is in place for granting and revoking accounts and privileges, including disabling accounts that have gone dormant, and that administrative privileges are held in dedicated accounts separate from the accounts used for everyday work. Common tools for account and access control management include identity and access management (IAM) tools, privileged access management (PAM) tools, account discovery tools, identity management tools, user management tools, password managers or multifactor authentication (MFA) solutions.

Questions to ask when implementing controls in account and access control management include:

  • Does the enterprise have a policy in place for account and access management?
  • How many accounts does the enterprise currently manage?
  • Which type(s) of accounts are they (e.g., service, user, administrator)?
  • Which accounts require administrative privileges?
  • In what type(s) of environment(s) does the enterprise have accounts (e.g., on-premises, cloud, hybrid)?
  • Does the enterprise have a process in place for managing accounts and access controls upon onboarding and offboarding?
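The offboarding question is the one whose failure is easiest to detect, because it shows up as a mismatch between who HR says works here and which accounts are still enabled. The following is an added example, not the author's process or any IAM product's output, that reconciles a directory export against the HR roster and surfaces the account types the list above asks about. The CSV layouts, the roster, the account export, and the two rules (which roles may hold an admin account, how long unused counts as dormant) are constructed assumptions.

```python
"""Reconcile a directory account export against the HR roster.

Added example for this article. All data and rules below are constructed
assumptions for illustration, not exports from a real system.
"""
from __future__ import annotations

import csv
import io
from datetime import date

# Constructed HR roster: current employment status and role per person.
HR_ROSTER_CSV = """\
employee_id,name,status,role
E100,Alice,active,sysadmin
E101,Bob,active,analyst
E102,Carol,terminated,sysadmin
"""

# Constructed directory export. account_type is user, admin or service;
# owner is the employee_id accountable for the account (blank if nobody).
ACCOUNTS_CSV = """\
account,account_type,owner,enabled,last_logon
alice,user,E100,true,2023-09-01
alice-adm,admin,E100,true,2023-09-02
bob,user,E101,true,2023-09-03
bob-adm,admin,E101,true,2023-08-30
carol,user,E102,true,2023-07-15
carol-adm,admin,E102,true,2023-07-15
tmp-contractor,user,E999,true,2023-09-10
svc-backup,service,E100,true,2023-09-01
svc-legacy,service,,true,2022-01-10
"""

ADMIN_ROLES = {"sysadmin"}   # assumption: roles entitled to a separate admin account
DORMANT_AFTER_DAYS = 90      # assumption: unused this long means the account should be disabled
SAMPLE_TODAY = date(2023, 9, 20)  # fixed "today" so the sample is reproducible


def load_csv(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(roster_csv: str, accounts_csv: str, today: date) -> dict[str, list[str]]:
    """Group enabled account names by the control failure they represent."""
    roster = {r["employee_id"]: r for r in load_csv(roster_csv)}
    findings: dict[str, list[str]] = {
        "orphaned": [],          # owner unknown to HR at all
        "terminated_owner": [],  # owner has left; offboarding did not revoke the account
        "unapproved_admin": [],  # admin account held by a role not entitled to one
        "unowned_service": [],   # service account with no accountable owner
        "dormant": [],           # enabled but unused beyond the threshold
    }
    for acct in load_csv(accounts_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts are out of scope for this check
        name, kind = acct["account"], acct["account_type"]
        person = roster.get(acct["owner"])  # blank owner never matches a roster entry
        if person is None:
            findings["unowned_service" if kind == "service" else "orphaned"].append(name)
        elif person["status"] != "active":
            findings["terminated_owner"].append(name)
        elif kind == "admin" and person["role"] not in ADMIN_ROLES:
            findings["unapproved_admin"].append(name)
        # Dormancy is checked independently of ownership: a valid owner does
        # not justify keeping an unused credential alive.
        if (today - date.fromisoformat(acct["last_logon"])).days > DORMANT_AFTER_DAYS:
            findings["dormant"].append(name)
    return findings


def sample_report() -> dict[str, list[str]]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_ROSTER_CSV, ACCOUNTS_CSV, SAMPLE_TODAY)


if __name__ == "__main__":
    for category, names in sample_report().items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Each category maps to a different owner of the fix: terminated and orphaned accounts go back to the offboarding process, unapproved admin accounts to the privilege approval process, and unowned or dormant service accounts to whoever operates the system that uses them. Running this on a schedule turns the policy question "is there a process?" into a measurable answer.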

Vulnerability Management

A vulnerability management process is best established by first creating a policy. Additionally, a remediation process should be put into place to determine how often remediation should occur and how patches should be prioritized, for example by severity, by whether the affected system is exposed to the Internet and by whether the vulnerability is known to be actively exploited. Tool names in this category vary; alternative names that an enterprise may come across during procurement include vulnerability management (or vulnerability scanning) tools, endpoint/client management tools or automatic updates.

Some considerations to keep in mind when implementing safeguards for patch management include:

  • How many devices does the enterprise currently have that will need regular patches?
  • Are there legacy systems that may be affected during the patch management life cycle?
  • Should/can those systems be rebuilt to receive patches?
  • What compensating controls need to be in place to reduce the risk of exploitation?
  • Will patches be deployed manually or automatically?
  • Will patch deployment be centrally managed?
  • Can patches be pushed to remote devices?
  • What type(s) of environments are being managed (e.g., cloud, on-premises, hybrid)?
  • How often will the enterprise deploy patches?
  • Will patches be tested prior to deployment?
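Prioritization and the treatment of legacy systems are the two decisions in this list that benefit from being written down as rules rather than decided case by case. The following is an added example, not the article's or any vendor's method, that encodes one such rule set: severity sets the starting tier, Internet exposure and active exploitation each raise it, and an unpatchable legacy system keeps its deadline but the action becomes a compensating control. The tier thresholds, the remediation windows, and the five sample findings are constructed assumptions.

```python
"""Prioritize vulnerability findings and assign remediation deadlines.

Added example for this article. The tiering rules, the SLA windows and the
sample findings are constructed assumptions; CVSS base scores are used as
the severity input because that is what scanners normally report.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str          # scanner's own identifier (constructed placeholders here)
    cvss: float              # CVSS base score, 0.0 to 10.0
    internet_exposed: bool   # reachable from the Internet, per the asset inventory
    exploited_in_wild: bool  # vendor or threat intelligence reports active exploitation
    patchable: bool          # False for legacy systems that cannot take the patch


# Assumed remediation windows, in days, per priority tier.
SLA_DAYS = {"P1": 2, "P2": 14, "P3": 30, "P4": 90}

# Constructed sample scanner output for five assets.
SAMPLE_FINDINGS = [
    Finding("web-01", "F-1", 7.5, internet_exposed=True, exploited_in_wild=False, patchable=True),
    Finding("hr-db", "F-2", 9.8, internet_exposed=False, exploited_in_wild=False, patchable=True),
    Finding("lab-plc", "F-3", 8.1, internet_exposed=False, exploited_in_wild=False, patchable=False),
    Finding("kiosk-07", "F-4", 5.3, internet_exposed=False, exploited_in_wild=True, patchable=True),
    Finding("file-srv", "F-5", 3.1, internet_exposed=False, exploited_in_wild=False, patchable=True),
]


def priority(f: Finding) -> str:
    """Severity sets the starting tier; exposure and exploitation each raise it one step."""
    if f.cvss >= 9.0:
        tier = 1
    elif f.cvss >= 7.0:
        tier = 2
    elif f.cvss >= 4.0:
        tier = 3
    else:
        tier = 4
    if f.internet_exposed:
        tier -= 1
    if f.exploited_in_wild:
        tier -= 1
    return f"P{max(1, tier)}"


def remediation_plan(findings: list[Finding]) -> list[dict]:
    """Return findings ordered by priority, then severity, with a deadline and action.

    An unpatchable legacy system keeps its priority and deadline; the action
    becomes putting a compensating control in place (network isolation, access
    restriction, closer monitoring) while the system is rebuilt or retired.
    """
    rows = []
    for f in findings:
        p = priority(f)
        rows.append({
            "asset": f.asset,
            "finding_id": f.finding_id,
            "cvss": f.cvss,
            "priority": p,
            "due_in_days": SLA_DAYS[p],
            "action": "patch" if f.patchable else "compensating control, then rebuild or retire",
        })
    rows.sort(key=lambda r: (r["priority"], -r["cvss"]))  # "P1" sorts before "P2"
    return rows


if __name__ == "__main__":
    for r in remediation_plan(SAMPLE_FINDINGS):
        print(f"{r['priority']}  due in {r['due_in_days']:>2}d  {r['asset']:<10} "
              f"{r['finding_id']}  cvss {r['cvss']}  -> {r['action']}")
```

Note what the rules do to the sample: the Internet-facing web server with a high (not critical) score lands in the same tier as the internal critical database, and the kiosk with a medium score jumps a tier because its vulnerability is being exploited. Those are the two adjustments a pure CVSS sort misses, and the asset inventory and threat intelligence feeds are what supply them.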

Conclusion

The best tool for an enterprise largely depends on its needs and its limits in terms of budget, resources and time. There are several types of tools on the market, including no-cost, commercially supported and open-source solutions. Regardless of the tool selected, to be successful, enterprises must weigh its risks and benefits prior to procurement.

Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, GDPR-CDPO

Is an analytical thinker, writer, certified trainer, global mentor, and advisor in the areas of information and communications technology (ICT) governance, cybersecurity, business continuity and organizational resilience, data privacy and protection, risk management, enterprise excellence and innovation, and digital and strategic transformation. He is a certified data protection officer and was awarded Chief Information Security Officer (CISO) of the Year awards in 2021 and 2022, granted by GCC Security Symposium Middle East and Cyber Sentinels Middle East, respectively. He was also named a 2022 Certified Trainer of the Year by the Professional Evaluation and Certification Board (PECB). He is a public speaker and conducts regular training, workshops, and webinars on the latest trends and technologies in the fields of digital transformation, cybersecurity, and data privacy. He volunteers at the global level of ISACA® in different working groups and forums. He can be contacted through email at hafiz.ahmed@azaanbiservices.com.