Brent’s Interview About His Most Recent Book

 

Introduction

In today’s digital age, the importance of cyber-security cannot be overstated. With threats evolving at an unprecedented rate, organizations need to be proactive in their approach to safeguarding their assets. “We Need To Talk: 52 Weeks To Better Cyber-Security” by L. Brent Huston offers a comprehensive guide to navigating the complex world of cyber-security. We sat down with the author to delve deeper into the inspiration, content, and significance of this book.

Interview

Q1: What inspired you to write “We Need To Talk: 52 Weeks To Better Cyber-Security”?

A1: As a virtual CISO and 30+ year security practitioner, I know how important it is to keep the security team engaged with one another, encourage open discussions, and do continual learning. I wrote the book to give security teams a good basis for these discussions every week for a year. Covering the basics and letting the team discuss sticking points and areas for improvement has led my clients to identify some interesting trends and rapidly mature their security programs. I think, literally, “We Need To Talk”. We need it as practitioners, individuals, teams, and organizations. This is a stressful, detail-oriented, rapid-change business, and talking helps nearly everyone involved.

Q2: Why did you feel it was essential to provide such a comprehensive view of cyber-security?

A2: So much of what we do is complex and touches multiple areas of our organization that we must bring the basics to each. I picked the topics for discussion in the book to address the high-level, technical, and procedural controls that almost every organization needs. I threw in some of the more tenacious topics I’ve encountered in my career and a few curve balls that have bitten us over the years. Information security and risk management are broad-spectrum careers, and we need a broad spectrum of topics to help security teams be successful.

Q3: Can you elaborate on how the structure of the book facilitates this year-long journey?

A3: This is a great question. The book idealizes a weekly security team meeting where the team discusses one of the topics and why it is relevant and then works through a series of questions to help them hone and refine their security program. The book includes a topic for each week, appropriate background information about that topic, and a set of questions for discussion by the team. As I piloted the book with my clients, it became clear that these were ultra-powerful discussions and led to some amazing insights. I knew then that I had to write and put the book out there to benefit security teams and practitioners.

Q4: How did leveraging AI tools shape the content and structure of the book?

A4: I used several AI tools to help generate the content of the book. It was written programmatically, in that I wrote some programming to leverage an AI backend to generate the questions and background information for each topic. I then adjusted the code and moderated the output until I got the book I wanted. It took a while, but it was fantastic when completed. I wanted to experiment with writing with AI tools, and since I knew the book I wanted to create had a specific format and content, it seemed like a good experiment. Ultimately, I learned much about working with AI and using Grammarly for editing and self-publishing. I have been absolutely thrilled with the response to the book and how the experiment turned out. In fact, it gave birth to another project that I am just beginning and will pave the way for some exciting new breakthroughs in how to work with AI tools in the coming years.

Q5: What is the one core message or lesson from your book that you’d like security teams to take away?

A5: The one takeaway I would have them consider is that discussion among the security team can really help a lot of the team members and the organization at large. We need to talk more about the work we do, both inside our teams and to the other teams we work with across the enterprise. The more we discuss, the more likely we can support each other and find the best solutions to our common problems and issues. Implementing the strategies, tactics, and insights we discover along the way might just be the change we need to make information security more effective, easier to manage, and even more fun!

Summary

L. Brent Huston’s “We Need To Talk: 52 Weeks To Better Cyber-Security” is more than just a book; it’s a roadmap for security teams to navigate the intricate maze of cyber-security. Through structured discussions, the book aims to foster collaboration, understanding, and growth among security professionals. With the unique blend of AI-generated content and Huston’s vast experience, this book promises to be an invaluable resource for those in the field.

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

 

3 Essential Tips for Enhancing Site-to-Site VPN Security

 

Site-to-site VPNs are a crucial tool for securing communication between different network locations. To ensure the utmost security for your VPN connections, consider implementing these three key suggestions:

1. Select Strong Secrets or Secure Certificates

The foundation of any secure site-to-site VPN is the authentication mechanism. Opt for strong pre-shared keys or secure digital certificates when configuring your VPN. Using weak passwords or keys can leave your VPN vulnerable to attacks. Remember, a strong password should be lengthy, complex, and incorporate a mix of letters, numbers, and special characters. Alternatively, employing secure certificates provides an added layer of protection as they are difficult to intercept or guess.

2. Implement Modern, Peer-Reviewed Cryptography

Ensure that your site-to-site VPN employs modern encryption protocols have been rigorously reviewed by the security community. Protocols like IKEv2/IPsec are popular choices that offer robust encryption and authentication mechanisms. Peer-reviewed cryptography guarantees that the algorithms have undergone extensive scrutiny and are less likely to contain vulnerabilities or backdoors. Currently, AES is the suggested cryptographic mechanism for most VPNs. DES and 3DES should be eliminated wherever possible.

3. Create Proper Firewall Rules or ACLs

Managing traffic over your VPN connection is essential for maintaining a secure network environment. Utilize firewall rules or Access Control Lists (ACLs) to carefully regulate data flow between connected sites. You can prevent unauthorized access and potential breaches by explicitly defining what types of traffic are permitted and denied. Regularly review and update these rules to adapt to changing security requirements.

In Conclusion

Enhancing your site-to-site VPN’s security involves strong authentication, robust encryption, and intelligent traffic management. By selecting strong secrets or certificates, implementing modern cryptography, and creating well-defined firewall rules, you can significantly bolster the security of your VPN connections. Securing your network is an ongoing process, so staying updated on the latest security practices and adapting your configurations is essential.

Implement these tips today to build a resilient and secure site-to-site VPN that safeguards sensitive data and ensures seamless communication between your network locations.

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

 

Preventing and Mitigating Ransomware Attacks Part Two

In my last installment, I outlined guidance for the first three ransomware initial attack vectors detailed in the MS-ISAC #StopRansomware guide. In this paper I will outline the last three initial attacks vectors found in the guide. The fourth vector they deal with is Precursor Malware Infections.

Researchers have found that ransomware infections are usually preceded by reconnaissance malicious code that lays the groundwork for the full ransomware attack to come. In some cases, ransomware deployment is the last step in a network compromise and is dropped to obscure previous post-compromise activities such as business email compromise. These malicious code packages have been dubbed ‘precursor malware.’ For example, malware such as Qakbot, Bumblebee and Emotet have been employed as precursors to ransomware attacks. Identifying and remediating such precursor malware can alert you to the possibility of an imminent ransomware attack, and can help you prevent the full ransomware attack from actually happening. For this attack vector, the guide recommends:

  • Ensuring that antivirus and anti-malware software and signatures are automatically updated. In fact, the authoring organizations go one step further and recommend using a centrally managed antivirus solution.
  • Using application allowlisting and/or endpoint detection and response (EDR) solutions on all assets to ensure that only authorized software is executable, and all unauthorized software is blocked. Application allowlisting is deeper than traditional application control solutions and works at the file level to screen against unwanted applications. EDR is cybersecurity technology that monitors and responds to threats on endpoints such as mobile phones, laptops and IoT devices that connect to your network. This is recommended for cloud-based resources.
  • Implementing IDS systems. These can be used to detect command and control activity and other potentially malicious network activity that occurs prior to ransomware deployment.
  • Monitor indicators of activity and block malware file creation with the Windows Sysmon utility. Sysmon has a file block executable option that can used to block the creation of malicious executables, DLL files, and system files that match specific hash values.

The fifth initial attack vectors listed in the #StopRansomware Guide is advanced forms of social engineering. Advanced forms of social engineering attacks include tactics such as search engine optimization (SEO) poisoning, imposter websites (drive-by downloads) and malvertising (malicious advertising). All of these techniques are used to extract information from users or to provide an avenue for attackers to inject malware into the network. To help counter this threat vector, the guide recommends:

  • Ensuring that you have a good cybersecurity awareness training program that schools your employees in how to recognize and report advanced social engineering attempts against your network.
  • Employing a protective DNS service. A protective DNS service is any security service that analyzes DNS queries to identify and mitigate threats.
  • Implementing sandboxed browsers to help thwart malware that can be introduced through web browsing. Sandboxed browsers isolate the host machine from malicious code.

The sixth initial attack vector listed in the #StopRansomware guide is one that is on everyone’s mind since the MOVEit attacks started: third parties and managed service providers. In the modern business world, organizations are employing ever-increasing numbers of third-party software packages and managed service providers to perform all kinds of tasks for them. To be effective, these services need access to internal network information and devices, and become in effect a part of your internal network. This increases the attack surfaces available to ransomware attackers immensely. To help thwart these kinds of attacks, the guide recommends:

  • Examining the risk management and cyber hygiene practices employed by managed service providers (MSPs) to ensure they are in line with best practices and your organization’s security requirements. They also recommend that you formalize security requirements in contract language with these providers.
  • Ensuring the use of least privilege and separation of duties when setting up access of third parties. They should only be allowed access to those devices and servers that are within their role or responsibilities.
  • Creating service control policies (SCPs) for cloud-based resources to prevent users or roles, organization wide, from being able to access specific services or take specific actions within services such as deleting logs or changing configurations outside of their role.

Implementing the recommendations found in the #StopRansomware guide encompasses the best advice available to date for preventing and mitigating ransomware attacks against your organization, and will help you remain competitive in the markets of today.

Managing Risks Associated with Model Manipulation and Attacks in Generative AI Tools

In the rapidly evolving landscape of artificial intelligence (AI), one area that has garnered significant attention is the security risks associated with model manipulation and attacks. As organizations increasingly adopt generative AI tools, understanding and mitigating these risks becomes paramount.

1. Adversarial Attacks:

Example: Consider a facial recognition system. An attacker can subtly alter an image, making it unrecognizable to the AI model but still recognizable to the human eye. This can lead to unauthorized access or false rejections.

Mitigation Strategies:

Robust Model Training: Incorporate adversarial examples in the training data to make the model more resilient.
Real-time Monitoring: Implement continuous monitoring to detect and respond to unusual patterns.

2. Model Stealing:

Example: A competitor might create queries to a proprietary model hosted online and use the responses to recreate a similar model, bypassing intellectual property rights.

Mitigation Strategies:

Rate Limiting: Implement restrictions on the number of queries from a single source.
Query Obfuscation: Randomize responses slightly to make it harder to reverse-engineer the model.

Policies and Processes to Manage Risks:

1. Security Policy Framework:

Define: Clearly outline the acceptable use of AI models and the responsibilities of various stakeholders.
Implement: Enforce security controls through technical measures and regular audits.

2. Incident Response Plan:

Prepare: Develop a comprehensive plan to respond to potential attacks, including reporting mechanisms and escalation procedures.
Test: Regularly test the plan through simulated exercises to ensure effectiveness.

3. Regular Training and Awareness:

Educate: Conduct regular training sessions for staff to understand the risks and their role in mitigating them.
Update: Keep abreast of the latest threats and countermeasures through continuous learning.

4. Collaboration with Industry and Regulators:

Engage: Collaborate with industry peers, academia, and regulators to share knowledge and best practices.
Comply: Ensure alignment with legal and regulatory requirements related to AI and cybersecurity.

Conclusion:

Model manipulation and attacks in generative AI tools present real and evolving challenges. Organizations must adopt a proactive and layered approach, combining technical measures with robust policies and continuous education. By fostering a culture of security and collaboration, we can navigate the complexities of this dynamic field and harness the power of AI responsibly and securely.

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

Preventing & Mitigating Ransomware Attacks Part One

In this paper, I will outline best practices for preventing and mitigating ransomware attacks as detailed in the #StopRansomware Guide published by the Multi-State Information Sharing & Analysis Center. In this guide, measures for preventing and mitigating ransomware attacks are grouped according to six initial attack vectors employed by cyber-criminals to worm their way into your network. The first of these attack vectors that the guide addresses is Internet-facing vulnerabilities and misconfigurations. Most organizations should be used to addressing vulnerability and configuration management by now. What is changing is the degree to which organizations need to rigorously discover and address vulnerabilities and misconfigurations in a timely manner. For this attack vector, the guide recommends:

  • Conducting regular vulnerability scanning to identify vulnerabilities on your networks. This is especially true of external, Internet-facing networks (in fact, we recommend employing continuous vulnerability scanning for these). We also strongly recommend that internal and wireless networks should also receive vulnerability scanning. In addition, we recommend penetration testing of your networks to help identify cascading failures and other subtle security flaws that simple vulnerability testing cannot identify.
  • Ensuring that all entities on your networks (operating systems, software/firmware applications and hardware devices) are regularly patched and updated to the latest versions. They also recommend prioritizing patching of internet-facing servers that operate software for processing internet data. Organizations should especially employ CISA’s Known Exploitable Vulnerabilities Catalogue available at their website to ensure they are addressing the most serious vulnerabilities. In addition, the guide recommends that organizations that have trouble keeping up with this process should consider migrating systems to reputable “managed” cloud providers to reduce, not eliminate, system maintenance roles for identity and email systems.
  • Ensuring that all devices (on-premises, cloud services, mobile and personal) are properly configured and that security features are enabled. They recommend reducing or eliminating manual deployments and codifying cloud resource configuration through IaC. IaC templates should receive security testing prior to deployment. They further recommend that checking configuration drift routinely to identify resources that were changed or introduced outside of template deployment.
  • Limiting the use of RDP and other remote desktop services, and if they must be used, applying best practices security measures to help ensure they are not misused. They also recommend regularly updating VPNs, network infrastructure devices, and devices being used to remote in to work environments with the latest software patches and security configurations. MFA should be used for VPN and all remote access.
  • Disabling SMB protocols 1 and 2 and upgrading to version 3 after mitigating existing dependencies (on the part of existing systems or applications) that may break when disabled.

The second initial attack vector listed in the #StopRansomware Guide is compromised credentials. To prevent and mitigate successful attacks from this vector, the guide recommends:

  • Implementing phishing-resistant MFA for all services, particularly for email, VPNs, and accounts that access critical systems. They further recommend employing password-less MFA that replaces passwords with two or more verification factors such as fingerprints or facial recognition.
  • Considering subscribing to credential monitoring services that monitor the dark web for compromised credentials.
  • Implementing identity and access management (IAM) systems.
  • Implementing zero trust access control measures.
  • Changing all default admin user names and passwords.
  • Not using root access accounts for day-to-day operations, and rather creating users, groups and roles to carry out tasks.
  • Ensuring that passwords of at least 15 characters are used. We further recommend using passphrases that are longer and harder to break, but that are easier to remember.
  • Enforcing account lockout policies, and monitoring login attempts for brute force password cracking and password spraying.
  • Storing passwords in a secured database and using strong hashing algorithms.
  • Implementing local administrator password solution (LAPS) wherever possible.
  • Protecting against local security authority subsystem service (LSASS) duping by implementing ASR for LSASS and credential guard for Windows 10 and Server 2016.
  • Educating all employees on proper password security in your annual security training.
  • Using Windows PowerShell Remoting, Remote Credential Guard, or RDP with restricted Admin Mode as feasible when establishing a remote connection to avoid direct exposure of credentials.
  • Ensuring that administrators use separate access accounts for administrative duties and simple network access.

The third initial attack vector listed in the guide is phishing. As all of us know by this point, phishing attacks are one of the most common and successful attack methods employed by cyber-criminals. To prevent and mitigate ransomware attacks using this vector, they recommend:

  • Including guidance on how to identify and report suspicious activity or incidents in regular user security awareness training.
  • Implementing flagging external emails in email clients.
  • Implementing filters at the email gateway to filter out emails with known malicious indicators.
  • Enabling common attachment filters to restrict file types that commonly contain malware and should not be sent by email.
  • Implementing domain-based message authentication, reporting and conformance (DMARC) policy and verification.
  • Ensuring macro scripts are disabled for Microsoft Office files transmitted via email.
  • Disabling Windows script host (WHS).

These are only the first three of the six initial attack vectors included in the guide. In my next paper I will outline the last three vector which include precursor malware infections, advanced forms of social engineering, and one of the most fearsome attack vectors currently plaguing us all: third parties and managed service providers.

Ensure Your Organization is Prepared for Ransomware Attacks

In this paper I will outline the steps recommended in the recently updated MS-ISAC #StopRansomware Guide for preparing your organization for preventing ransomware attacks. Being well prepared for ransomware attacks is not only common sense for the organization, it may deter cyber criminals from even attempting their attacks. Cyber criminals universally look for and attack those organizations that have the weakest information security programs.

In general, the first step in preparing for ransomware attacks is ensuring that you have a well-rounded and effective information security program in place. Specific to ransomware, you should ensure that your incident response plan has specific policies and processes in place that address ransomware attacks. It is also important to ensure that your incident response plan includes communication plans and templates. The incident response team should reach a consensus on what level of detail about the incident is appropriate to share with staff, regulators, law enforcement and the public, and how this information should flow. After conducting numerous incident response table-top exercises with organizations of all types, we at MSI have found that if the response team does not have communications planned in detail in advance, their incident response will be chaotic. Other plan preparation guidance found in the #StopRansomware Guide includes:

  • Ensuring that your data breach notification procedures adhere to applicable state laws. If you are unsure about your state notification laws, see: https://www.ncsl.org/technology-and-communication/security-breach-notification-laws
  • If your organization has electronic health information on the network, you may also need to notify the FTC (see: https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule) or HHS (see: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html). In addition to the above guidance, I would recommend that your organization should include any other regulatory or law enforcement agency that should be notified in your written incident response plans.
  • For any personally identifiable information that may be breached, you should be prepared to notify the individuals or businesses impacted about the type of information exposed, recommended remediation actions and relevant contact information.
  • You should ensure the incident response plan, including communications plans, are reviewed and approved by the CEO in writing, and that these plans are reviewed and understood across the chain of command. Your organization should also regularly review the latest ransomware incident response guidance available online to help ensure that you remain current.
  • Ensure that hard copies of the incident response plan are maintained, and that an offline version is also available.

Operational preparation guidance found in the #StopRansomware Guide includes:

  • Ensure that you maintain and test multiple encrypted backups of critical information, including offline backups.
  • Ensure that you maintain and regularly update “golden images” of critical systems. This should include image templates that have a preconfigured operating system and associated software applications that can be quickly deployed to rebuild a system such as a virtual machine or server.
  • Use infrastructure as code (IaC) to deploy and update cloud resources and keep backups of template files offline to quickly redeploy resources. IaC code should be version controlled and changes to the templates should be audited.
  • Store applicable source code or executables with offline backups.
  • Retain backup hardware to rebuild systems if rebuilding the primary system is not preferred.
  • Your organization should also consider using a multi-cloud solution to avoid vendor lock-in for cloud-to-cloud backups in case all accounts under the same vendor are impacted.

As a final preparatory step, your organization should implement a zero trust architecture for you network (see https://www.cisa.gov/zero-trust-maturity-model). Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. The goal is to prevent unauthorized access to data and services and make access control enforcement as granular as possible.

Implementing these processes and controls on your network will bring you up to date with current best practices for preparing your organization for dealing with ransomware attacks. In my next blog, I will outline the measures found in the #StopRansomware Guide for preventing and mitigating ransomware incidents.

CISA MS-ISAC Ransomware Guide Updated for 2023

Ransomware is the leading information security threat that has emerged in recent years, and it’s only getting worse! In the first six months of this year, 1,393 organizations have issued data breach notifications. If this keeps up, and there’s no reason to think it won’t, 2023 will beat the record set in 2021 of 1,862 data breaches reported. Ransomware is a big part of this sad total.

Back in 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released their first Ransomware Guide to try to help organizations respond effectively to this threat. In the last three years, however, ransomware has evolved greatly. Because of this, they have released an updated ransomware guide now titled #StopRansomware Guide. This guide was developed through the U.S. Joint Ransomware Task Force (JRTF) which is co-chaired by the CISA and FBI. The new title was instituted to incorporate the #StopRansomware effort into the title. (#StopRansomware is a one-stop hub for ransomware resources for individuals, businesses and other organizations. The new #StopRansomware.gov website is a collaborative effort across the federal government and is the first joint website created to help private and public organizations mitigate their ransomware risk. It contains all the latest ransomware information and advisories produced by federal authorities).

The #StopRansomware Guide has two parts: part 1 concerns ransomware and data extortion prevention best practices, and part 2 is a ransomware and data extortion response checklist. The two parts represent current best practices and recommendations based on operational insight from CISA, MS-ISAC, the National Security Agency (NSA), and the FBI (these are known as the authoring organizations). The changes made from the old guide to this current version include:

  • Added FBI and NSA as co-authors based on their contributions and operational insight.
  • Incorporated the #StopRansomware effort into the title.
  • Added recommendations for preventing common initial infection vectors, including compromised credentials and advanced forms of social engineering.
  • Updated recommendations to address cloud backups and zero trust architecture (ZTA).
  • Expanded the ransomware response checklist with threat hunting tips for detection and analysis.
  • Mapped recommendations to CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).

In my next series of blogs, I will go into detail about the latest best practices recommendations for ransomware prevention and response that are contained in new #StopRansomware Guide. To get started, here are the initial steps that the guide recommends that all organizations undertake to prepare and protect their facilities, personnel, and customers from cyber and physical security threats and other hazards:

  • Join a sector-based information sharing and analysis center (ISAC), where eligible, such as:
    • MS-ISAC for U.S. State, Local, Tribal, & Territorial (SLTT) Government Entities – learn.cisecurity.org/ms-isac-registration. MS-ISAC membership is open to representatives from all 50 states, the District of Columbia, U.S. Territories, local and tribal governments, public K-12 education entities, public institutions of higher education, authorities, and any other non-federal public entity in the United States.
    • Elections Infrastructure Information Sharing & Analysis Center (EI-ISAC) for U.S. Elections Organizations – learn.cisecurity.org/ei-isac-registration. (See the National Council of ISACs for more information).
  • Contact CISA at CISA.JCDC@cisa.dhs.gov to collaborate on information sharing, best practices, assessments, exercises, and more.
  • Contact your local FBI field office for a list of points of contact (POCs) in the event of a cyber incident.

Remember, ransomware groups such a CLOP are ruthless, talented and waiting to pounce on any organization, government or private sector, that they are able to compromise. Get started today on educating your personnel and preparing to resist and respond to ransomware attacks.

5 Tips for User Access Auditing in Linux

User access auditing is a critical aspect of maintaining a secure and efficient computing environment. It provides a detailed record of user activities, helping administrators identify potential security risks, ensure compliance with access control policies, and detect any unauthorized or suspicious activities. Regular user access audits can also aid in troubleshooting, system optimization, and forensic investigations. In essence, user access auditing is not just about security, but also about gaining insights into user behavior and system usage, which are invaluable for improving system reliability and performance.

1. Understand the Basics of Linux Permissions: Linux permissions are the first line of defense in securing your system. They determine who can read, write, and execute files. The three types of Linux permissions are User (u), Group (g), and Others (o). Familiarize yourself with the `chmod` command to modify these permissions and the `ls -l` command to view them.

2. Use the `last` Command: The `last` command in Linux provides a list of the last logged-in users on your system. This is a great tool for auditing user access as it allows you to see who has been accessing your system and when. Regularly check this log to keep track of user activity.

3. Audit User Accounts with `cat /etc/passwd`: This command will display a list of all user accounts on your Linux system. Regularly auditing this list can help you identify any unauthorized or inactive accounts that should be removed or disabled to enhance system security.

4. Monitor User Activity with `w` and `who` Commands: The `w` command displays who is currently logged in and what they are doing, while the `who` command shows who is currently logged in. Regularly monitoring user activity can help you identify any suspicious behavior.

5. Leverage Linux Auditing System (Auditd): Auditd is a powerful tool that allows you to monitor almost any event on your Linux system. You can use it to track security-related events, record system calls, and log any changes to your system files. Regularly review the logs generated by Auditd to ensure there are no unauthorized changes or activities on your system.

Regular monitoring and auditing of user activities are crucial to maintaining a secure Linux environment.

 

*This article was written with the help of AI tools and Grammarly.

Maintaining a Well Developed Infosec Program? Piece of cake!

When you mention building a good information security program to most business employees, especially developing and maintaining written information security policies, you’ll see most of them cringe and get that far away look in their eyes. I can understand that completely! Developing and implementing a modern infosec program is a long and often difficult process. You have to go through assessments to ascertain the level of your current infosec program, you have to determine what level of infosec program you need to finally attain and you have to plan exactly how you are going to achieve your information security goals. For most even smallish to medium-size organizations, this can take three years or more. It can make you tired just thinking about it!

However, the unexpected good news about the whole thing is that, once the program is in place, it’s a piece of cake to maintain it! All that is needed is regular reviews and updates of the program particulars to ensure they remain current and effective. On top of that, having a good infosec program in place and well maintained can help you keep your current customers and entice new customers to utilize your services. This is especially true in the modern business environment which is plagued with oodles of very competent cyber-criminals and adversarial nation states who employ everything from malware and zero days to clever attack strategies and mechanisms such as social engineering techniques to steal your money and ruin your business reputation. Let’s face it, if your organization provides or uses business services in the age of supply chain attacks, you truly need to be able to demonstrate information security competency just to keep your head above water.

So how do you begin the process of developing your infosec program? There are so many steps in the process it is natural to feel overwhelmed by the scope of the whole thing. Luckily, there is a fine mechanism out there to help you get off to a good start in implementing your program; this is the Center for Internet Security (CIS) Critical Security Controls assessment. In this assessment, you first consult with the assessor to discuss the particular business and the information security goals you need to achieve to provide strong security. In the next stage of the process, the assessor meets with pertinent staff (usually by teleconference) to ascertain what CIS security controls you currently have in place and what level of maturity they are at. This usually is done in two or three meetings. The assessor then analyzes the results of the assessment and provides your organization with roadmaps for closing the control gaps found during the assessment and meeting the control goals of the organization. This roadmap is typically split into several phases. With a typical three-year overall timeframe for achieving aspirational goals, these phases will include immediate goals (3-6 months), short-term goals, (6-12 months), intermediate goals (13-24 months) and long-term goals (25-36 months). These roadmaps are quite detailed. They list the recommended controls to be implemented during each time period. They also list the estimated technical complexity, political complexity and financial cost of implementing each control rated as high, medium or low. Other implementation guidance is also listed for each control as necessary. As you can see, having this process and roadmaps in place, your organization will have a good start on implementing the program and will quickly lose that feeling of being overwhelmed.

High-Level Project Plan for CIS CSC Implementation

Overview:

Implementing the controls and safeguards outlined in the Center for Internet Security (CIS) Critical Security Controls (CSC) Version 8 is crucial for organizations to establish a robust cybersecurity framework. This article provides a concise project plan for implementing these controls, briefly describing the processes and steps involved.

Plan:

1. Establish a Governance Structure:

– Define roles and responsibilities for key stakeholders.

– Develop a governance framework for the implementation project.

– Create a project charter to outline the project’s scope, objectives, and timelines.

2. Conduct a Baseline Assessment:

– Perform a comprehensive assessment of the organization’s existing security posture.

– Identify gaps between the current state and the requirements of CIS CSC Version 8.

– Prioritize the controls that need immediate attention based on the assessment results.

3. Develop an Implementation Roadmap:

– Define a clear timeline for implementing each control, based on priority.

– Identify the necessary resources, including personnel, tools, and technologies.

– Establish milestones for monitoring progress throughout the implementation process.

4. Implement CIS CSC Version 8 Controls:

– Establish secure configurations for all systems and applications.

– Enable continuous vulnerability management and patching processes.

– Deploy strong access controls, including multi-factor authentication and privilege management.

5. Implement Continuous Monitoring and Incident Response:

– Establish a comprehensive incident response plan.

– Deploy intrusion detection and prevention systems.

– Develop a continuous monitoring program to identify and respond to security events.

6. Engage in Security Awareness Training:

– Train employees on security best practices, including email and social engineering awareness.

– Conduct periodic security awareness campaigns to reinforce good cybersecurity hygiene.

– Provide resources for reporting suspicious activities and encouraging a culture of security.

Summary:

Implementing the controls and safeguards outlined in CIS CSC Version 8 requires careful planning and execution. By establishing a governance structure, conducting a baseline assessment, developing an implementation roadmap, implementing the controls, continuous monitoring, and engaging in security awareness training, organizations can strengthen their security posture and mitigate cyber threats effectively. This concise project plan is a starting point for information security practitioners seeking a robust cybersecurity framework.

If you need assistance, get in touch. MSI is always happy to help folks with CIS CSC assessments, control design, or other advisory services. 

 

*This article was written with the help of AI tools and Grammarly.