Building a Security Program for Small to Medium Businesses

Wilson Bautista Jr.
Director of Information Technology and Information Security, i3 Microsystems, a division of i3 Electronics

According to a 2017 study by the Enterprise Strategy Group [1], 45 percent of organizations have a critical shortage of cybersecurity skills. This limits the ability of IT teams supporting small and medium businesses (SMBs) to acquire the talent needed to fill their cybersecurity gaps. As more organizations improve their third-party risk assessment programs, there is a need to develop internal employees with a cybersecurity skill set sufficient to protect their organizations and to prove that the organization does not present a risk to customers or partners.

Understanding Information Security Basics

There are many resources to help IT professionals develop a security program. One example is the Center for Internet Security's (CIS) Top 20 Critical Security Controls (CSC) [2]. These controls are prioritized to help organizations understand where to start. By establishing and maintaining the Basic CIS CSC Controls, organizations can mitigate risks and improve their security posture.

• CIS CSC Control 1:
  ○ Inventory and Control of Hardware Assets
• CIS CSC Control 2:
  ○ Inventory and Control of Software Assets
• CIS CSC Control 3:
  ○ Continuous Vulnerability Management
• CIS CSC Control 4:
  ○ Controlled Use of Administrative Privileges
• CIS CSC Control 5:
  ○ Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CIS CSC Control 6:
  ○ Maintenance, Monitoring, and Analysis of Audit Logs

Perform a Strength, Weakness, Opportunity, and Threat (SWOT) Analysis of Your Capabilities and Your Team

SWOT analyses are used to identify opportunities and improve the win potential for an organization. Information security professionals can use these analyses as a method for self-improvement: a team can look critically at its members and begin to identify their gaps in training. Using SWOT analyses, organizations can gauge themselves against each of the CIS CSC Controls. Here are some examples:

• CIS CSC Control 1:
  ○ Do we have an accurate inventory of our hardware?
  ○ Do we have an onboarding process?
  ○ Do we have a decommissioning process?
• CIS CSC Control 2:
  ○ Do we have control over what software is installed on our systems?
  ○ Do we have a list of approved software for our systems?
  ○ Are we able to view what software is installed?
• CIS CSC Control 3:
  ○ At what frequency are we scanning for vulnerabilities?
  ○ Who is receiving the vulnerability reports?
  ○ Who is mitigating the vulnerabilities, and how are they reporting back?
• CIS CSC Control 4:
  ○ Do we have a list of privileged users? How is it maintained?
  ○ What are the criteria for a user to have elevated privileges?
  ○ How do we coordinate with HR when a privileged user is terminated?
• CIS CSC Control 5:
  ○ Do we have a standard hardware and software configuration for mobile devices, laptops, workstations, and servers?
  ○ If so, is it in line with current best practices?
  ○ How often do we update our baselines?
• CIS CSC Control 6:
  ○ What information is important for us to log?
  ○ How are we going to look at all of this information?
  ○ Who is going to review and maintain this?

United States Cybersecurity Magazine

Developing SMART Goals

Even after narrowing the focus from the CIS Top 20 to six controls, the number of questions produced by the SWOT analysis can still be overwhelming. At this point the questions become requirements, and leaders must establish projects with specific, measurable, achievable, relevant, and time-limited (SMART) milestones for completion.

• Specific: A defined and expected result covering the what, why, and how.
• Measurable: Tangible evidence that the goal is complete.
• Achievable: Assurance that the scope is set within reason given resourcing and constraints.
• Relevant: A compelling argument for how this provides value to the organization.
• Time Limited: A defined timeframe for completion.

Examples of SMART Goals

• CIS CSC Control 1:
  ○ By X date, we will consolidate all of our asset inventories into a central repository so that we have an accurate account of our systems.
• CIS CSC Control 3:
  ○ By Y date, we will establish weekly vulnerability scans in areas A, B, and C and provide reports to identified stakeholders for risk mitigation.
• CIS CSC Control 5:
  ○ By Z date, we will develop security baselines for all Windows and Linux operating systems.

By developing high-level SMART goals, organizations can further break these requirements into "work packages," as there will be multiple "products" needed to fulfill each task.

Examples:

• CIS CSC Control 1 SMART Goal:
  ○ Work Package 1: Identify and document current inventory databases.
  ○ Work Package 2: Identify and decide on the central repository solution.
  ○ Work Package 3: Prioritize the migration schedule.
• CIS CSC Control 5 SMART Goal:
  ○ Work Package 1: Identify all flavors of Windows and Linux OS that reside on the enterprise.
  ○ Work Package 2: Identify standard security baselines and best practices for each identified OS.
  ○ Work Package 3: Develop controls, determine their applicability to our environment, document the required controls, and send them to stakeholders for validation.

Organizations can now look at their SMART goals and their associated work packages and begin to define milestones that can be used to gauge progress. As each SMART goal has a defined completion date, organizations can gauge progress by the completion of work packages. IT teams can view the end product of each work package as a capability that will enable and improve their organization's security posture.
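As an added illustration (not code from the article or its author), the following script shows what the end product of the Control 1 work packages and Control 5 Work Package 1 can look like: three constructed inventory exports are merged on serial number into one central record, assets missing from any source are flagged as the inaccuracies the SMART goal targets, and the OS flavors present are tallied. The source names and CSV column headers are assumptions about what such tools export.

```python
"""Central asset inventory from several exports (CIS CSC Control 1 work packages)
plus an OS-flavor tally (Control 5, Work Package 1). Added example, not article code."""
import csv
import io
from collections import Counter

# Constructed exports from three hypothetical inventory sources (source names and
# column headers are assumptions about what such tools produce).
SOURCES = {
    "cmdb": "serial,hostname,os\nSN001,fs01,Windows Server 2016\nSN002,web01,Ubuntu 18.04\nSN005,lt-eng-02,Windows 10\n",
    "av_console": "serial,hostname,os\nSN001,FS01,Windows Server 2016\nSN003,lt-sales-07,Windows 10\n",
    "network_scan": "serial,hostname,os\nSN001,fs01,Windows Server 2016\nSN002,web01,Ubuntu 18.04\nSN004,,Linux\n",
}

def normalize(row):
    """Trim fields and lower-case the hostname so one asset matches across sources."""
    clean = {k: (v or "").strip() for k, v in row.items()}
    clean["hostname"] = clean["hostname"].lower()
    return clean

def consolidate(sources):
    """Merge the exports keyed on serial number: the central repository of Work Package 2.

    Returns serial -> {"hostname", "os", "seen_in": [source names]}. The first
    source to report a field wins, and every source that saw the asset is recorded.
    """
    central = {}
    for name, text in sources.items():
        for row in csv.DictReader(io.StringIO(text)):
            row = normalize(row)
            entry = central.setdefault(row["serial"], {"hostname": "", "os": "", "seen_in": []})
            entry["hostname"] = entry["hostname"] or row["hostname"]
            entry["os"] = entry["os"] or row["os"]
            entry["seen_in"].append(name)
    return central

def gaps(central, sources):
    """Assets absent from at least one source: the inaccuracies the Control 1 goal targets."""
    return {s: e["seen_in"] for s, e in central.items() if len(e["seen_in"]) < len(sources)}

def os_flavors(central):
    """Count each OS flavor present, the input to Control 5 Work Package 1."""
    return Counter(e["os"] for e in central.values())

if __name__ == "__main__":
    inventory = consolidate(SOURCES)
    print("assets:", len(inventory), "with gaps:", gaps(inventory, SOURCES))
    print("OS flavors:", dict(os_flavors(inventory)))
```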

Summer 2018 | www.uscybersecurity.net


Security Training for Small IT Teams

There are many security certifications available. Although certifications provide employers with a tangible way to recognize knowledge in a particular topic, the cost to gain and maintain certifications can be prohibitive. There are other cost-effective ways to train IT teams with little impact on an organization's budget. CIS CSC Controls 1 and 2 do not directly deal with security tools; they are an exercise in maturing established processes for commissioning and decommissioning hardware and software. CIS CSC Controls 3-6 are security specific and set a good foundation for training IT personnel. Teams can begin by looking at what the National Institute of Standards and Technology (NIST) has developed in its special publications on these topics, as well as the work of other leading information security institutions.

Vulnerability Management
• NIST SP 800-40 Guide to Enterprise Patch Management Technologies:
  ○ https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final

Controlled Use of Administrative Privileges
• US-CERT Article: Least Privilege
  ○ https://www.us-cert.gov/bsi/articles/knowledge/principles/least-privilege
• Microsoft: Implementing Least-Privilege Administrative Models
  ○ https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models

Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Center for Internet Security Benchmarks:
  ○ https://www.cisecurity.org/cis-benchmarks/
• Defense Information Systems Agency Security Technical Implementation Guides:
  ○ https://iase.disa.mil/stigs/Pages/a-z.aspx

Maintenance, Monitoring, and Analysis of Audit Logs
• NIST SP 800-92 Guide to Computer Security Log Management:
  ○ https://www.nist.gov/publications/guide-computer-security-log-management

Conclusion

Although large corporations are in the limelight whenever a breach happens, smaller businesses are also impacted by threats. The CIS CSC Controls give SMBs a path to establishing a security capability within their organization, and IT leaders can use SWOT analyses to identify gaps for each control. By identifying the gaps, SMBs can create requirements that are systematically achieved by developing milestones in projects that align with organizational needs. These milestones can include modifying processes, training, and adopting frameworks with references that are readily available through NIST, US-CERT, CIS, and vendor technology best-practice documentation. All of the items mentioned consume time and human resources with minimal impact on budgets, especially if the organization decides to use open source tooling for vulnerability management like OpenVAS and/or log management like Graylog. Once these controls are in place, SMBs can move further down the CIS CSCs to continue to mature their information security programs.

About the Author

Wilson Bautista is a retired military officer and the Director of IT and InfoSec at i3 Microsystems. His expertise is in InfoSec leadership, policy, architecture, compliance, and risk. He holds multiple InfoSec and IT certifications as well as an MS in Information Systems from Boston University. He is an INTP on the Myers-Briggs Type Indicator test with a Driver-Driver personality. As a practitioner of Agile and SecDevOps, he develops innovative, integrated, enterprise-scale cybersecurity solutions that provide high value to businesses.

Sources
1. http://www.esg-global.com/esg-issa-research-report-2017
2. https://www.cisecurity.org/controls/
