Today, when information security breaches, attacks and the vulnerabilities that lead to these unfortunate incidents are an almost daily affair, information security professionals are often asked: “What can I do so I won’t get hit?”
The right way is to have an information security risk assessment. You won’t know which security systems and processes you need to implement unless you know what you currently have (or don’t have). You also need to determine which of your technology and information assets are of most value to your organization and therefore deserve higher priority in the “ecosystem of protection”. An information security risk assessment uncovers all of this and gives you a clearer picture of your organization’s current security posture.
Unfortunately, information security risk assessments take time. And while we want to go the proper route, the smell of fear from the recent attacks on the Commission on Elections, Bangladesh Bank, the FBI and the like has already reached Mount Olympus (read: management), and they are now screaming for reports on how “robust” your IT systems are. Clients who were nonchalant about security before have all become experts overnight and are demanding immediate implementation of FWs, IDS, MFA, OTP, SSL and other fancy-sounding three-letter acronyms they have heard of, which purportedly provide magical immunity from hackers.
Well, fear not. There is a way to get protected and implement security systems without worrying that it might be too little or too much. The effort (and expense) has to be spent in such a way that it is still useful after the information security risk assessment has been done and the areas of priority have been determined.
Enter Australia’s Defence Signals Directorate. The Department of Defence of our friends Down Under has come up with a “Strategy to Mitigate Targeted Cyber Intrusions”. This strategy comprises 35 security controls ranked according to their urgency and effectiveness. The top four of these controls are dubbed the “Catch-Patch-Match” strategy, which, if properly implemented, could mitigate 85 percent of targeted cyber intrusions. This figure is based on all of the incidents and issues they have gathered and resolved since the project started in 2012. The strategy is widely accepted and has proven so effective that it earned the US Cybersecurity Innovation award and has been mandatory for all Australian government offices since 2013.
If you want to have an immediate but effective game plan to protect your technology and information assets, a set of practical and implementable security controls that can ward off most of the bad guys, and have a semblance of peace (hey, 85 percent is a good number!), all before you get that information security risk assessment going, this is your best bet.
The Catch-Patch-Match strategy’s top four controls are the following:
1. Application Whitelisting
2. Patching Operating Systems
3. Patching Applications
4. Restricting Administrative Privileges
It would take a lot of time to discuss all of them in detail but in a nutshell:
Application Whitelisting is implemented by specialized security software (from a number of vendors) that limits not only which applications may run but also which components (libraries, scripts, installers) may be loaded into memory.
Patching Operating Systems is making sure your Windows, Unix or Linux OS is running an up-to-date version with fixes for known vulnerabilities applied.
Patching Applications is the same as patching the OS, but this time the programs you use on your computer, like Microsoft Word, Adobe Reader, Outlook and the like, are kept updated as well.
Lastly, Restricting Administrative Privileges has been at the top of almost every security to-do list since time immemorial. Users who need a particular program that requires elevated rights can be allowed to run that program without being made administrators. This is done by privileged access managers, which allow safe use of applications that need higher privileges to run without elevating the user to a global admin level.
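To make the application whitelisting control concrete, here is an added illustration (my own example, not code from the ASD guidance or any vendor product) of how an allowlist evaluator decides whether a program may run. It combines hash rules, which pin an exact binary, with path rules, which trust an administrator-controlled directory; the paths, binaries and rule set are constructed assumptions, and the user-writable check shows why path rules alone are a weak control.

```python
import hashlib
import posixpath

# Constructed sample: the one binary we pin by hash (an assumed payroll tool).
PAYROLL_EXE = b"\x7fELF payroll-tool v1.2 (constructed sample bytes)"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Allowlist rules. A hash rule pins an exact file (and must be updated each time
# the application is patched); a path rule trusts whatever sits under a
# directory that only administrators can write to.
ALLOW_HASHES = {sha256_hex(PAYROLL_EXE): "payroll-tool 1.2"}
ALLOW_PATH_PREFIXES = ("/usr/bin/", "/opt/corp/")
# Locations ordinary users can write to. A path rule covering these would let a
# user (or malware running as that user) allowlist any file by copying it there.
USER_WRITABLE_PREFIXES = ("/tmp/", "/home/")

def decide(path: str, content: bytes) -> tuple:
    """Return ("allow" | "deny", reason) for one execution request."""
    digest = sha256_hex(content)
    if digest in ALLOW_HASHES:                     # most specific rule first
        return "allow", "hash rule: " + ALLOW_HASHES[digest]
    # Collapse ".." segments so "/usr/bin/../../tmp/x" is judged as "/tmp/x".
    norm = posixpath.normpath(path)
    if norm.startswith(USER_WRITABLE_PREFIXES):
        return "deny", "user-writable location"
    if norm.startswith(ALLOW_PATH_PREFIXES):
        return "allow", "path rule"
    return "deny", "no matching rule"

def audit(events):
    """Run decide() over (path, content) events; return (path, verdict, reason) rows."""
    return [(p, *decide(p, c)) for p, c in events]

# Constructed execution events (not real binaries).
EVENTS = [
    ("/usr/bin/ls", b"ls binary contents"),
    ("/opt/corp/payroll", PAYROLL_EXE),
    ("/tmp/payroll", PAYROLL_EXE),        # pinned hash is allowed wherever it runs
    ("/tmp/dropper", b"unknown contents"),
    ("/usr/bin/../../tmp/dropper", b"unknown contents"),
]

if __name__ == "__main__":
    for path, verdict, reason in audit(EVENTS):
        print(f"{verdict:5} {path:28} {reason}")
```

Running the block denies both `/tmp/dropper` entries, including the one disguised with `..` under `/usr/bin/`, while allowing the pinned payroll binary regardless of where it was copied.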
The funny thing about the Catch-Patch-Match strategy is how well it holds up. If you look at and analyze the root causes of the recent spate of security incidents, all of them could actually have been prevented if the top four controls had been in place! The strategy works, and because it is practical and easily enforceable, you can reap immediate benefits while all your other assessments are taking place. Furthermore, none of your effort will go to waste, as these controls map directly to almost all available global standards and best practices.
The complete list of controls in the Australian DSD’s Strategies to Mitigate Targeted Cyber Intrusions runs to 35 controls. As stated, the first four are the most essential, and the rest can be implemented in phases. The levels of importance or priority are recommendations and, as always, your decision on which to implement first should be based on the impact a particular attack or incident would have on your organization.
Another good thing is that all of the information on implementing the strategy, including complete guidelines and even sample implementations and product recommendations, is available online, free of charge! The site is non-proprietary and is a reassuring trove of information. They have even published their awareness campaign material for organizations to adopt.
Look for the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions here: https://www.asd.gov.au/infosec/mitigationstrategies.htm