Policy and Controls – A Foundation for Threat Protection

In the previous blog in this series, we reviewed several types of attacks and threats, and some ways they are perpetrated. In this blog, we will become familiar with several methodologies that can be part enterprise protection plan.

Let’s first clarify “protection.” There is no silver bullet for preventing all attacks. Threats evolve with the ever-changing world that is IT. There is a cliché in the industry today: “It’s not a matter of if you are compromised, it’s a matter of when.” Even though it may seem like a daunting task to protect and detect in a dynamic threat landscape, it is still considered fundamental to define and deploy foundational security best practices and controls that become the first line of defense for an organization. Many of these methods require a security policy that forces security professionals to discover, audit, and understand their environment. A hacker will spend time surveying a potential target; if you can’t stop the attack, you must at least be able to detect and contain, and this isn’t possible if the placement, role, and configuration of the network and its assets are not well-defined. Also, in the event of attack, even a failure of your protection methods can be used during incident response and remediation planning.

Whenever a new asset or entity is added to a network, its role and access control levels should be clearly defined and fall into one of the following.

Discretionary Access Control (DAC): A security access control that authorizes object access via an access control policy that requires supplied credentials during authentication, such as username and password. This type of authorization is discretionary because the owner/admin determines object access privileges for each user. An example is an access control list (ACL) authorization based on user identification. A security check on this type of access control is commonly a limit on the number of failed authentications.

Mandatory Access Control (MAC): A set of specific security policies defined according to system classification, configuration, and authentication. MAC is characterized by the centralized enforcement of confidential security policy parameters under the control of identified system administrators. Because a MAC is so well-defined and policed, its policies reduce security errors and establish an action/owner audit trail in the event of an incident.

Non-discretionary Access Control: A means of access control where access is not explicitly mapped to a specific user. Instead, it is wider in scope and can be based on a set of rules, privileges, or roles to provide access. Some examples are a role-based access control (RBAC) that grants access to an admin login, and access to certain systems and applications during business hours only using a time-based ACL.

Once you’ve determined how an asset is accessed, the next step is planning a management lifecycle for that asset. Here are some key considerations.

Information Technology Asset Management (ITAM): Includes activities such as the tracking of software licensing, upgrades, and installations, as well as tracking actions and logon locations to provide an up-to-date timeline of asset state and usage. Missed updates can flag an asset for quarantine or restricted access. Making sure that all security updates are quickly performed and software version control can mitigate risk.

Configuration Management: A process-oriented and best practices approach for handling changes to a system in such a way that it maintains integrity over time. It usually employs automation through scripting or an orchestration application to uniformly apply changes to all systems, reducing the time required for updates and the possibility of introducing errors. In the event of a breach, a centralized configuration console can quickly shut down several systems until a remediation can be pushed out.

Patch Management: A strategy for managing patches or upgrades for software applications and technologies. A patch management plan can help a business or organization handle these changes efficiently. It is important that admins and stakeholders are well informed when it comes to patchable vulnerabilities through advisories from vendors. Success here depends on knowing which applications and versions are deployed on your assets and having a strategy to contain systems that have yet to be patched.

Vulnerability Management: The process in which vulnerabilities are identified and their risks evaluated. This evaluation leads to either removing the risk or accepting it based on an analysis of the impact of an attack versus the cost of correction and possible damages to the organization. Keeping abreast of the latest vulnerabilities that affect an organization requires the tracking of vendor-issued vulnerability notices as well as those advisories issued by industry groups such as PSIRT. These advisories offer more information about potential impacts as well as interim workarounds in cases where an update is not yet released or will take time to be deployed.

When something goes wrong, a well-defined security policy in terms of access and controls will help in the discovery and mitigation process. It’s often that forgotten unpatched server or a group of users with vulnerable applications that leave an organization open to potential threats. Be aware of your surroundings.

In the next blog, we will look at protection methods that are geared to some specific threats and also touch on how data science is becoming an important tool in the cybersecurity space.

Thwack - Symbolize TM, R, and C