In 2009, there was a big effort on the Federal level to establish a consensus among a varied group of information security experts from all sectors as to which information security controls were most effective in the modern computing and networking environment. This was driven by the perception that the Federal Information Security Management Act (FISMA) was ponderous and unable to effectively protect the confidentiality, integrity and availability of private information.
This effort initially led to the publication of the 20 Most Important Controls for Continuous Cyber Security Enforcement: Consensus Audit Guidelines. It also stimulated thinking among organizations and information security professionals about possible variations and adaptations of this guidance. One such effort was the MicroSolved 80/20 Rule of Information Security (2009). While very similar to the Consensus Audit Guidelines, the focus of the 80/20 Rule was to establish a group of security control projects that provided the most “bang for the buck” for the small and medium-sized organizations that don’t typically have the resources of the Federal Government or other large organizations.
With this goal in mind, MicroSolved (MSI) took as inspiration the Pareto Principle of Joseph M. Juran (also known as the 80/20 Rule, hence the MSI name). The Pareto Principle states that the Law of the Vital Few and The Principle of Factor Sparsity shows that 80% of effects arise from 20% of causes. As applied to information security control, this means that an organization can expend 20% of the resources typically expended by similar organizations, yet still achieve 80% of their security results.
For the original 80/20 Rule, MSI chose the following 13 security projects designed to meet these goals:
- Asset, data flow and trust mapping. This project consisted of keeping current inventories of network assets (devices, software/firmware applications and operating systems), mapping data flows and mapping trust relationships among network entities.
- Conducting basic risk assessment and threat modeling. This project entailed conducting basic risk assessment and threat modeling when developing or changing network assets or policies/processes.
- Ongoing assessments of all network attack surfaces. This project entailed undertaking such processes as network vulnerability assessment, penetration testing, application security assessment, phishing exercises, denial of service testing, etc.
- Minimizing attack surfaces: This project entails minimizing all forms of external access and ensuring that all default credentials are eliminated.
- Implement egress filtering: This project entails restricting and monitoring information that leaves your network; a very effective DLP tool if implemented correctly.
- Implement enclaved computing: This project entailed completely segmenting assets in the network according to the principles of need to know and least privilege.
- Create anomaly detection capabilities: This project entailed performing logging and monitoring of network access and events, employing information security services/tools, etc.
- Define formal policies and processes: This project entailed ensuring that the organization has written policies and procedures that address all of their security practices.
- Undertake security awareness programs: This project entailed ensuring that all personnel receive recurrent information security training and awareness reminders.
- Harden assets and new systems: This project entailed ensuring that only those services needed for business purposes are available for use.
- Recruit, train and implement an incident response team: This project entailed developing policies and procedures as well as instituting the IR team.
- Identify security skill gaps and train staff: This project entailed ensuring that high-risk job titles such as network administrators and customer service representatives have the security skills necessary to perform their jobs securely.
- Deploy rational cryptography: This project entailed ensuring that cryptography is applied appropriately across the enterprise, and that proper key management is in place.
Since 2009, the information security picture has evolved, and conditions have changed somewhat. Consequently, MSI has updated the 80/20 Rule to better conform with the current environment, although many of the security projects remain very much the same. The current list of security projects for the MicroSolved 80/20 Rule of Information Security (2019) Follows:
- Maintain complete, current inventories of network assets: This is much the same as the first project in the previous 80/20 Rule version. It should be noted that the Consensus Group found inventory control the number one control in their Top 20 recommendation. Complete inventories not only help preclude the danger of unmaintained legacy systems, more importantly, it enables other crucial security projects such as security maintenance, configuration control, access control and more.
- Implement a comprehensive program of configuration control: To properly harden networks against attack, it is necessary to configure all network assets (software/firmware applications, operating systems and devices) securely. This should be done according to a common baseline configuration strategy. Obviously, complete and current inventories are needed to ensure that all network assets are configured correctly.
- Implement a comprehensive program of security maintenance: Security maintenance entails monitoring security and vendor sites for vulnerabilities affecting network assets, then ensuring that they are patched, updated or replaced as necessary. Once again, it is necessary to tie this process to inventory control to ensure that all assets are included.
- Implement a comprehensive program of change control: Security vulnerabilities often arise because of unmaintained or ill-considered changes to network security settings. For example, a direct connection to the internal network is granted to a third party to allow necessary work to be undertaken but is then not removed when the job is done. Such attack vectors are often employed by attackers to gain access to private networks. Changes should be fully documented, and regression to previous implementations should be planned in case unforeseen problems should arise. As was stated, the change control process should be linked with inventory control, configuration control and security maintenance. Such communication between people and processes is necessary to prevent confusion that could lead to security mistakes.
- Implement basic internal threat modeling and risk assessment: Basic threat modeling and risk assessment need not be a complex or time-consuming process. When making significant changes or additions to the network, simply consider the ways these changes (possible vulnerabilities) could be adversely manipulated by attackers (threats), and what the consequences of that manipulation could mean to the business (risk). Using this simple process among a representative group of technical, security, legal and management personnel will increase the accuracy of the risk determinations.
- Ongoing security assessments: Performing vulnerability assessment of external networks and internal networks can be performed in-house or by third party service providers. These assessments are recommended as they can expose vulnerabilities that have crept into the network by mistake or by nefarious intent. Security assessments of custom-coded software applications can expose vulnerability to such things as cross-site scripting. Other security assessments that could benefit the organization include penetration testing and social engineering exercises such as phishing tests.
- Implement logging and monitoring: Implementing this project entails turning on logging on all systems capable of it on the network. Tools are recommended for aggregating logs and doing basic log analysis. Logging and monitoring should be done on a continuous basis. Capable employees should be assigned to monitor, investigate and enhance automated and third-party security monitoring results.
- Implement Network Segmentation: Implementing this project entails segmenting the network logically or physically. Proper network segmentation can help stop attackers who have gained illicit internal access from moving laterally across the network and elevating their privileges to Domain Administrator level. At a minimum, “user space” should be segmented off from “server space.”
- Implement and maintain a written information security program: Written information security policies and processes are necessary to any effective information security program. Without them, organizational personnel can never be sure they are coordinating their efforts correctly, and it is true that information security programs are only truly effective when they are implemented as a seamless whole. In addition, written security and operating procedures are essential for business continuity/disaster recover purposes.
- Implement a security awareness and training program: Having good written policy and procedural documents is not enough. Organizational personnel must also be aware of these policies and their responsibilities in carrying them out. In addition, organizational personnel can be either security assets or security deficits. Training and awareness are the key to ensuring they become security assets. In addition to security training, personnel should be provided with security reminders and updates. Also, security skill gap training should be provided to personnel in high risk jobs such as network administration, help desk, etc.
- Recruit, train and implement an incident response team: Implementing this control entails developing incident response policies and methods, recruiting an incident response team, and practicing the skills needed to undertake the task. There is no such thing as perfect security. Any organization may suffer security incidents. Incident response programs can greatly reduce the adverse effects of security incidents such as data breaches on the organization and its clients.
- Employ MFA wherever possible on the network: Employing effective multi-factor authentication (MFA) for access to network assets can cure a host of security ills. Implementing this project does take will, as there is always push back from users and clients about the extra trouble involved in gaining access. At a minimum, MFA should be employed for high-risk access to the system such as administrative, remote or wireless access.
- Deploy rational cryptography: Encrypting data for transmission and storage minimizes a great deal of the risk inherent in working with sensitive or private information. This project is not easy to implement across the board, but when done properly can help foil attackers who have managed to gain access to private systems. The caveat with cryptography is that secure key management must also be implemented as the project matures. Without making, retiring and protecting these keys properly, encryption could actually become a liability rather than an asset.
Ensuring that your organization has implemented the control projects listed in the New 80/20 Rule should help ensure that private information on your systems is properly protected and available for authorized users. It can also help ensure that you are putting your information security dollars in the right places.