Ten Principles for Highly Effective Cybersecurity Programs

August 25, 2015  |  Marcus Carey

I’ll start this post with the Rifleman’s Creed.

This is my rifle. There are many like it, but this one is mine.

My rifle is my best friend. It is my life. I must master it as I must master my life.

My rifle, without me, is useless. Without my rifle, I am useless. I must fire my rifle true. I must shoot straighter than my enemy who is trying to kill me. I must shoot him before he shoots me. I will...

My rifle and I know that what counts in war is not the rounds we fire, the noise of our burst, nor the smoke we make. We know that it is the hits that count. We will hit...

My rifle is human, even as I, because it is my life. Thus, I will learn it as a brother. I will learn its weaknesses, its strength, its parts, its accessories, its sights and its barrel. I will keep my rifle clean and ready, even as I am clean and ready. We will become part of each other. We will...

Before God, I swear this creed. My rifle and I are the defenders of my country. We are the masters of our enemy. We are the saviors of my life.

So be it, until victory is America's and there is no enemy, but peace!

You could almost substitute rifle with network throughout.

1. DO NOT be overly concerned with another organization's Security Policy

One of my favorite movie scenes ever is when the recruits recite the Rifleman’s Creed in Full Metal Jacket, especially the line, "This is my rifle, there are many like it but this one is mine." The same is true of your organization's cybersecurity program. Every organization and network is different. The fact that something worked for someone else or in their environment only means it worked for them. Good cybersecurity “hygiene” is important to everyone, but your organization’s needs and vulnerabilities are unique.

2. Limit administrative privileged accounts

The quickest way to reduce massive infestations of malware and breaches is to limit administrative accounts throughout your organization. This is quite possibly the biggest bang for your buck when implementing security controls. I have seen firsthand that this makes the number of enterprise network compromises nosedive. When an administrative-level user is compromised, the attacker immediately has the keys to the kingdom and the ability to install malware, pivot, etc. Administrative privileges must be limited at all costs.

3. Patch vulnerable systems and software

There are two things guaranteed in cybersecurity: vulnerabilities and breaches. In order to limit breaches organizations must find and remediate vulnerabilities on their network. It sounds simple, but it requires an organizational process that holds people accountable for implementing patches and other fixes.

4. Do not use unauthorized systems or software

Yes, people still use bootleg software. The main problem with bootleg software is it usually is out of date and filled with vulnerabilities. This is why countries like China, Russia, and India are filled with compromised machines.

5. Do not use inappropriate content

Things like this should go without saying but it’s still a major problem. Pornography sites are the quickest way to get compromised on the Internet. Organizations should make it very clear not to use corporate email accounts for dating and hookup sites. It goes without saying that these sites can derail companies, careers, and families. The Internet has a memory greater than that of an elephant.

6. Develop Incident Response and Forensics capabilities

Organizations should develop internal incident response and forensics capabilities. I recommend forming incident response teams comprising all technical disciplines, management, and a public relations/communications lead. At a minimum, organizations should participate in quarterly tabletop exercises to review incident response procedures. Ensure your organization is ready to defend itself. This leads to the next principle.

7. Keep all logs in a forensic-friendly manner

In order to perform accurate incident response and digital forensics, organizations need to have a comprehensive log monitoring solution. It should be easily searchable and able to perform correlations, and people need to know how to use it. The first time many organizations look at their log management capabilities is after a breach, and that’s the wrong time to find out it doesn’t work.

8. Know your DNS activity

Many organizations can only focus and excel at a few disciplines. When it comes to logging activity for effective incident response, DNS monitoring is one of the most critical elements, yet it’s hard to find many people focusing on it. File DNS monitoring under the “most bang for your buck” category. Organizations can’t do proper incident response and intrusion scope analysis without understanding what is going on with DNS.

9. Continuously test your defense in depth architecture

One of my favorite commercials features a clip of a former NFL coach's rant in which he says, “They are what we thought they were!”

The problem is that his team lost the game and he was frustrated. My question for your organization: is your network what you think it is? If an attacker were on your network, could you successfully defend it?

Networks change all the time, and most organizations aren’t the best at updating documentation on how their network is implemented. One day the network tap is in exactly the right place; then you implement new core switches that cause all the traffic to bypass that choke point. Something changed in your network, and the tap is no longer where it needs to be.

The more devices and sensors you add to the equation, the more systems you have that aren’t doing what they should do. Organizations need to implement security controls testing processes to make sure their defense-in-depth is doing what they think it is.

10. Be transparent and show people rather than tell them

The best cybersecurity professionals should be able to implement a majority of security controls and configurations themselves. It’s not good enough to shout at the Linux administrator and hit them over the head with your vulnerability scan report.

Security professionals should strive to be able to explain exactly why the control exists and even help the Linux administrator implement it at the command line if necessary. This gives security professionals so much credibility with their technical colleagues. I’m a country boy and I firmly believe you can show people better than you can tell them in many cases.

About the Author

Marcus is founder & CTO of vThreat, Inc. Marcus is a hacker who helps people not suck at cybersecurity. Marcus started his technology voyage in U.S. Navy Cryptology and working at the National Security Agency (NSA). vThreat is a software as a service platform that simulates attacker tactics, techniques, and procedures to allow organizations to validate their defense in depth infrastructure.

Twitter: https://twitter.com/marcusjcarey
Web: https://www.vthreat.com
