Chief security officers (and CIOs, CISOs) have never had it so tough. Not only do they have all the traditional responsibilities to take care of such as day-to-day operations safeguarding the corporation’s physical assets, and crisis management, but now all of that has to be done under a cyber security threat environment that’s orders of magnitude more dangerous than ever before.
Consider ransomware, which first appeared in 1989 when the AIDS Trojan was created by a biologist, Joseph L. Popp. He distributed 20,000 infected floppy disks to attendees of the World Health Organization’s AIDS conference. After recipients rebooted 90 times, this virus would encrypt the C: drive and demand $189 be sent to the PC Cyborg Corporation via a P.O. box in Panama. That said, the simple encryption method used meant it was fairly easy to recover the content without paying the ransom.
Fast forward to today and ransomware has become one of the greatest network security threats organizations have to deal with because it has become that much more complicated. It’s distributed at a high speed via the internet and private networks and uses military-grade encryption. Worse still, today’s threat actors demand multimillion-dollar ransoms and ransomware is expected to cost businesses around $20 billion this year and more than $265 billion by 2031. The biggest ransomware payout so far this year was from the insurance company, CNA Financial, ironically known for selling cyber insurance, who paid out $40 million for a single ransomware attack in March 2021.
But ransomware is only one of the many threats organizations have to deal with. There are also distributed denial of service (DDoS) attacks and Man in the Middle (MitM) attacks, social engineering, insider threats, malware or ransomware, spyware, password attacks, advanced persistent threats (APTs) and those are just the most common network security threats.
Planning for Security
So, what is a CSO to do? Here are seven strategies to make your organization (and your job) safer from the countless network security threats you’ll be facing in the near future:
1. Create a “Security First” Culture
The problem for CSOs is that while most employees have some basic knowledge of cyber security best practices, that is pretty much all they have. Without ongoing training, knowledge testing and awareness, staff behavior is one of the biggest security risks your organization faces.
A study by Accenture revealed that less than half of new employees receive cyber security training and regular updates throughout their career; only four in ten respondents said insider threat programs were a high priority; and even though almost three-quarters of respondents agreed that “cyber security staff and activities need to be dispersed throughout the organization,” cyber security is a centralized function in 74 percent of companies.
Creating a robust and distributed digital immune system with a radical re-engineering of staff behavior is required. Business leaders need to have accountability for security. Security teams need to collaborate with business leaders to create and implement security policies that will actually work, and those policies need to be routinely re-evaluated and tested.
2. Create a Continuous Security Education Program to Keep Staff Up to Date
A “security first” culture requires that all members of the culture appreciate the concept of network security threats but for that appreciation to actually have an impact, staff must be trained routinely to ensure that their knowledge is current.
3. Implement an Organization-wide Zero Trust Model
Well-trained staff and a monitored environment are crucial to the successful protection of any organization but without a foundational Zero Trust environment, defenses will be intrinsically weak.
The Zero Trust model is a strategy for preventing network security threats that all enterprises and governments should be using to defend their networks. It consists of four components:
- Network traffic control: Engineering networks to have micro-segments and micro-perimeters ensures that network traffic flow is restricted, and it limits the impact of overly broad user privileges and access. The goal is to allow only as much network access to services as is needed to get the job done. Anything beyond the minimum is a potential threat. In particular, micro-perimeters and full traffic visibility will help detect lateral movement and the infection of systems within the organization and help limit the damage to a small area of the network
- Instrumentation: The ability to monitor network traffic in-depth along with comprehensive analytics and response automation provides fast and effective incident detection.
- Multi-vendor network integration: Real networks aren’t limited to a single vendor and even if they could be, you’d still want additional tools to fill in the features that a single vendor won’t provide. The goal is getting all of the multi-vendor network components working together as seamlessly as possible to enable compliance and unified cyber security. This is a very difficult and complex project but keeping this strategic goal in mind as the network evolves will make the result far more effective in maintaining a strong security posture.
- Monitoring: Ensure comprehensive and centralized visibility into users, devices, data, the network, and workflows. This also includes visibility into all encrypted channels.
At its core, the Zero Trust model is based on not trusting anyone or anything on your network. This means that network access is never granted to anyone or anything without the network knowing exactly who or what that entity is. In addition, the use of micro-perimeters and monitoring access at multiple points throughout the network ensures that unauthorized users aren’t moving laterally through the network. To make a Zero Trust model work, in-depth traffic inspection and analytics are required to identify network security threats and fill in what is essentially the blind spot in the Zero Trust model.
4. Implement SSL Visibility – “Break and Inspect”
Key to monitoring a Zero Trust model implementation is the use of TLS/SSL inspection solutions that decrypt and analyze encrypted network traffic to ensure policy compliance and privacy standards.
TLS/SSL inspection, also called “break and inspect,” allows for the detection and removal of malware payloads and suspicious network communications, prevents the exfiltration of controlled data, for example, credit card and social security numbers, and makes it possible for the Zero Trust model to do what it’s supposed to do – provide in-depth and rigorous protection for networks from internal and external threats.
If your organization hasn’t adopted a Zero Trust strategy combined with deep TLS/SSL traffic inspection, now is the time to start rethinking your security posture because there are more threat actors, including hostile nation states and “professional” hackers with greater skills and resources appearing every day.
5. Review and Test Your Distributed Denial of Service Attack Defenses Regularly
Routine testing against a checklist of expected configurations and performance standards as well as random tests of security integrity are crucial to detecting a distributed denial of service attack. Moreover, all test scenarios must be seen by your solution and logged to verify that your instrumentation and logging are functioning as expected.
Network performance testing should be executed at least daily because a distributed denial of service attack isn’t always a full-bore assault; it can also be a low-volume attack designed to reduce but not remove connectivity.
6. Ensure that all Inbound and Outbound Network Traffic is Secured Using SSL/TLS Encryption
When users’ computers connect to resources over the internet, SSL/TLS creates a secure channel. There are three components to this: encryption, authentication, and integrity verification. Encryption hides data communications from third parties trying to eavesdrop while authentication ensures the parties exchanging information are who they claim to be and together they ensure the data has not been compromised.
If un-secured traffic is permitted, then it must be constrained to specific secured network segments and closely monitored.
7. Establish Disaster Recovery Plans and Validation Tests
A key part of a disaster recovery plan involves backups. However, it is surprising how often restoring from backup systems in real-world situations don’t perform as expected. For example, it’s important to know which digital assets are and are not included in backups and how long it will take to restore content. In addition, it’s important to plan the order in which resources are recovered and what the startup window will be.
The testing of backups should also be a routine IT task with specific validation checks to ensure that a recovery is possible.
The CSO’s job isn’t getting any easier but solid planning using the seven strategies will help ensure an organization’s digital safety. In addition, partnering with top-level enterprise security vendors helps ensure that critical security technology and best practices are central to your cyber security strategy.