Importance of the approach
Besides the obvious goal of trying to achieve Return On Security Investment (ROSI), it is important to be legally defensible or risk facing the consequences. A critical approach from the perspective of being laser-focused will help deliver value on investment, while creating safeguards in the form of non-tamperable evidence about the measures put in place.
Keep it simple – use a framework, a risk assessment model to assess, prioritize, and communicate an information security roadmap. Ask basic, but key, questions:
- What is the current state?
- What is the future state?
- When will we get there?
- How much will it cost?
What standard to use?
I recommend mastering the CIS before blowing time on other risk assessment frameworks. The road starts at making the policy. The CIS Community Defense Model can be accessed at https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0. As per the Community Defense Model 2.0, the top 6 things you can do to get ROSI are:
- Establish and Maintain a Secure Configuration Process
- Establish an Access Granting Process
- Establish an Access Revoking Process
- Remediate Penetration Test Findings
- Define and Maintain Role-Based Access Control
- Manage Default Accounts on Enterprise Assets and Software
The bare minimum for Vulnerability Management
Vulnerability management is NOT patch management! It’s not about patches, it is about multi-layered vulnerability management. Are you doing at least these?
- GPO central store
- Software and asset reconciliation monthly
- EOL/EOS removal
- Continuous vuln assessment internal/external
- Assess CIS gaps compliance
- iDrac, bios, firmware, drivers, OMSA, DSU, DCU
- Unique bios admin
- Full disk encryption
- Business line apps - no patch automation
- SSRS hardening
- NTLM disable, LLMNR, samRPC
- SMB ver control
- PowerShell upgrade
- Krbtgt roll
- Tiered access control
- PAWs and microsegmentation
- PBX, cams, door controllers, speakers, NAS
- Hypervisor, backup software
Check out this podcast where Felicia King and Dan Moyer talk about vulnerability management, patch management and all the things that business owners are generally not understanding adequately:
10 InfoSec rabbit-approved Best Cyber Hygiene Practices
- Run continuous IT asset scans and monitor hardware and software
- Perform vulnerability scans every day, assess detected vulnerabilities, and remediate them
- Patch OSs, un-updated software, and critical vulnerabilities on time
- Ensure antivirus software is installed and updated regularly in all endpoints
- Impose strict password policies and prevent users from setting weak passwords
- Identify deviated system settings and harden endpoints to meet security compliance standards
- Evaluate system health, user login credentials, services, and processes regularly
- Analyze software usage, blacklist rogue assets, and manage license violations
- Block rogue applications and unwanted USB devices that pose security threats
- Detect and respond to indicators of attacks and compromise immediately