Focusing on a few core pillars rather than a wide range of security domains is key to a successful cyber security program, according to leading Australian IT services provider Interactive.
Interactive chief information security officer Fred Thiele, who has run security programs for a small company and a large government agency as well as Interactive, said addressing the three pillars of asset and data management, vulnerability management and identity management could “take care” of a large portion of the issues covered by regulatory compliance or cyber security frameworks.
“If you look at these frameworks, there are about 20 pieces or components you could follow,” Thiele said.
To address the three pillars, cyber security leaders needed to implement a discovery process spanning their environment, the type of data they had and how they collected, stored and classified it. This process ran hand-in-hand with asset management.
The second piece was vulnerability management and “while this had been around since the dawn of time, it was something very few people get right,” said Thiele.
A review of annual reports showed companies were being compromised in a number of ways. “There is the social engineering aspect which is all about training and awareness, but there are also quite a lot of cases in which a hacker got into an environment, through a vulnerability, with a weaponised exploit,” said Thiele. “In these cases, if only the company had patched the vulnerability, they wouldn’t have experienced a problem.
Shifting from protecting endpoints to protecting identities
Identity management is the third pillar and according to Thiele, comes from a shift away from protecting endpoints to protecting identities. However, the problem has emerged that many identities have excessive privileges assigned to them, which increases the potential damage to the organisation if even a low-level identity is breached.
Businesses can minimise identity risk in three ways, said Thiele. The first is to be consistent about the way they evaluate identities in their environment, with every identity authenticated back to a role-based access control matrix. The second is to understand the user context, and Thiele cites the example of a worker being allowed to log in from a foreign destination when that may not be appropriate from a security perspective. The third is continuously evaluating access privileges and making changes in accordance with changes to a person’s status or circumstances within the business.
“If we did asset and data management, vulnerability management and identity management correctly, a large number of our issues would go away,” Thiele concluded.
About Author
