Cybersecurity in Luxembourg: whatever the sector of activity, every department of a company is affected by IT security.
Very small business or large international group, same struggle: cybersecurity is a major issue for every organization. Just look at the press: hospital data held for ransom, factory shutdowns, identity theft…
If you are an SME, the arsenal of security solutions you can afford or manage is often incomplete. You then become the target of opportunistic, often fully automated attacks. These can bring the whole company to its knees for anywhere from several days to several weeks, depending on how quickly you manage to contain the incident.
In a large company, the means available are far greater. But does that guarantee flawless IT security? Unfortunately not. Budgets are larger than in an SME, but you are also a prime target for attackers (industrial espionage, ransom demands, etc.). Not only are huge sums at stake, but also the reputation of your business!
There are plenty of arguments. Cybersecurity is a critical issue and everyone’s business.
Faced with the plethora of solutions on the market (antivirus, anti-spam, firewall, IDS, etc.), how do you make the right choices? The usual reflex is to put out the fire first, but nothing stops everything from catching fire again. The classic example: a virus has hit your company and you want to prevent it from happening again at all costs. So you install an antivirus and consider the problem solved.
Unfortunately, the situation is more complex than it looks, and a lasting resolution of such an issue will be complex too.
To put it simply, here is the (fairly typical) scenario that probably played out: your users are not sufficiently trained, your password policy is not robust enough, or access rights, administrator rights in particular, are practically self-service on some of your machines. Added together, these weaknesses open many doors, and the virus walked through one of them.
What you have to understand is that this is not just a matter of tools, such as the antivirus in this example. We are clearly facing a general problem that is both technical and human. Cybersecurity has to be tackled in depth and across the whole organization.
To help you, I therefore suggest focusing your thinking on the overall approach. There are many methods, but personally I prefer to move forward with a pragmatic approach built on “quick wins”.
Here is one: the Center for Internet Security (CIS) is a non-profit entity founded in 2000 whose mission is to “identify, develop, validate, promote and support recommended solutions for cyber defense”. I suggest you base your security improvement strategy on the maturity levels recommended by the CIS. The measures below correspond to the first, most basic group of the CIS Critical Security Controls: the ones every organization should have in place before buying anything else.
What you don’t manage, you don’t control. What could be worse than an old Windows XP machine riddled with vulnerabilities, sitting at the back of a closet and hosting a web server? The ideal entry point for attackers! The first measure is therefore to make sure you actually know your fleet of active equipment: keep an inventory of hardware assets and reconcile it regularly against what is really connected to the network, so that unknown devices and forgotten ones both surface. It is also an opportunity to check that each item is still covered by a maintenance and support contract, which lets you anticipate operating costs and, above all, gives you someone to call if you suffer a breakdown or a hack.
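A minimal way to act on the hardware inventory point above, as an added example that is not part of the original article: reconcile the asset register against the devices actually seen on the network, and flag unknown devices, registered devices that no longer appear, and equipment whose support contract has lapsed. The register, the ARP snapshot and the MAC addresses are constructed for the example; in practice the snapshot would come from your switches, DHCP server or a network scanner.

```python
from datetime import date

# Constructed asset register: what the organisation believes it owns.
ASSET_REGISTER = [
    {"tag": "WS-0007", "mac": "00:1a:2b:3c:4d:01", "owner": "accounting", "support_until": date(2026, 1, 31)},
    {"tag": "SRV-001", "mac": "00:1a:2b:3c:4d:02", "owner": "IT",         "support_until": date(2019, 6, 30)},
    {"tag": "PRN-003", "mac": "00:1a:2b:3c:4d:03", "owner": "reception",  "support_until": date(2027, 3, 1)},
]

# Constructed snapshot in the shape "ip mac state", as a gateway's ARP or
# neighbour table would give it. The third device is on the wire but in no register.
ARP_SNAPSHOT = """\
192.168.10.21  00:1a:2b:3c:4d:01  REACHABLE
192.168.10.5   00:1a:2b:3c:4d:02  STALE
192.168.10.77  00:1A:2B:3C:4D:99  REACHABLE
"""


def parse_arp(text):
    """Return {mac: ip} for each 'ip mac state' line.

    MACs are lower-cased so the same interface is never counted twice
    because one tool prints hex in upper case and another in lower case.
    """
    observed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        observed[parts[1].lower()] = parts[0]
    return observed


def reconcile(register, observed, today):
    """Compare register and observation; return the three lists that need a human."""
    known = {asset["mac"].lower(): asset for asset in register}
    # On the wire but in no register: the "machine in the closet" case.
    unknown = {mac: ip for mac, ip in observed.items() if mac not in known}
    # In the register but not seen: decommissioned, stolen, or just switched off?
    missing = [asset["tag"] for mac, asset in known.items() if mac not in observed]
    # Still in use but nobody will support it when it breaks or gets hacked.
    unsupported = [asset["tag"] for asset in register if asset["support_until"] < today]
    return {"unknown": unknown, "missing": missing, "unsupported": unsupported}


def run_report(today=date(2024, 9, 1)):
    """Entry point: reconcile the constructed data and return the findings."""
    return reconcile(ASSET_REGISTER, parse_arp(ARP_SNAPSHOT), today)


if __name__ == "__main__":
    for category, items in run_report().items():
        print(f"{category}: {items}")
```

Run this from a scheduled job and treat every non-empty list as a ticket: an unknown MAC is investigated, a missing asset is confirmed retired or located, and an unsupported one is either renewed or replaced.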
Same story for your software: what you don’t manage, you don’t control. In other words, start by taking an inventory of all the applications in use in the company. This allows you to define, and keep up to date, an internal catalog of the software you trust, and to treat anything found outside it as unauthorized until proven otherwise.
Such a baseline also gives you a clear view of your technical perimeter, which can serve as a basis for defining training areas for your staff or for identifying more easily the technical skills your next team members will need.
Continuous vulnerability management means tracking down vulnerabilities in your IT infrastructure and fixing them as they are identified. With the advent of agile methods, software release cycles have become so frequent that it is common to be running a program that is not on the latest version. Each update usually brings its share of security fixes, but also new features whose own vulnerabilities are not yet known.
It is therefore essential to regularly scan your IT infrastructure for new flaws and to correct them. In my opinion the ideal frequency is once a month; depending on the criticality of your industry, a minimum of once a year may be acceptable. Bear in mind, though, that the CIS sub-control on automated vulnerability scanning (CIS Controls v7, 3.1) asks for weekly or more frequent scans, and that a yearly scan leaves up to twelve months between a flaw becoming public and you discovering it: treat once a year as a floor, not a target.
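An added example, not code from the article, that serves both the software catalog paragraph and the vulnerability management one: check what is actually installed on each machine against the internal catalog of trusted applications and the minimum version your patching process currently requires. The catalog, the inventory and the version numbers are constructed for the example; a real run would take the inventory from an agent or login script. The one subtle point is the version comparison: comparing version strings as text is wrong, and the example shows why.

```python
import re

# Constructed internal catalogue: trusted software and the minimum version
# the vulnerability management process currently accepts.
CATALOGUE = {
    "firefox": "128.0",
    "7-zip": "23.01",
    "openssl": "3.0.14",
}

# Constructed inventory as an agent would report it: host -> [(name, version)].
INSTALLED = {
    "ws-0007": [("Firefox", "115.3"), ("7-Zip", "23.01"), ("TeamViewer", "15.40")],
    "srv-001": [("OpenSSL", "3.0.9"), ("Firefox", "128.0.1")],
}


def version_key(version):
    """Turn '3.0.14' into (3, 0, 14) so that versions compare numerically.

    Comparing the raw strings is a classic bug: '3.0.14' < '3.0.9' is True
    in Python because the character '1' sorts before '9'.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_outdated(installed, minimum):
    return version_key(installed) < version_key(minimum)


def audit(installed=INSTALLED, catalogue=CATALOGUE):
    """Return (host, name, version, reason) for every package needing action."""
    findings = []
    for host, packages in installed.items():
        for name, version in packages:
            key = name.lower()  # catalogue names are matched case-insensitively
            if key not in catalogue:
                findings.append((host, name, version, "not in catalogue"))
            elif is_outdated(version, catalogue[key]):
                findings.append((host, name, version, "below minimum " + catalogue[key]))
    return findings


if __name__ == "__main__":
    for host, name, version, reason in audit():
        print(f"{host}: {name} {version} ({reason})")
```

Two kinds of finding come out: software that is not in the catalog at all, which is an inventory problem, and trusted software below the required version, which is a patching problem. Both should feed the same ticket queue.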
Having administrator rights is often seen as a very practical benefit for the user. Free of any restriction, they can install whatever they need and work as they please. If the company’s security policy allows it, why deny it, since “everything works”?
But that is precisely the problem. If you log in as an administrator, every operation you perform runs with that same level of authority, whether you intended it or not. Typical example of an unintended operation: you open an email attachment that is infected. The malware then uses your administrator rights to install itself on your computer, make itself at home and try to spread to other workstations on the same network.
Furthermore, if users in your company can log in as administrators, they can install whatever software they want, and you lose the inventory and the control I advocated above. In short: administrator rights are for administration tasks only, and they belong in a dedicated account that is used for nothing else.
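A concrete check for the administrator-rights point, as an added example that is not part of the original article: parse the member list of the local Administrators group as printed by `net localgroup Administrators` on Windows and report every member that the policy does not allow. The output below is constructed in the shape of that command's output, and the list of expected administrators is a hypothetical policy; on Linux the same check would run over the `sudo` or `wheel` group.

```python
# Constructed output in the shape printed by `net localgroup Administrators`
# on a Windows workstation. Collect the real thing from every machine
# (for example with a login script) and feed it to the same function.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jdoe
CORP\\Workstation Admins
CORP\\mmartin
The command completed successfully.
"""

# Constructed policy: the only principals that should hold local admin rights.
# Ordinary user accounts never belong here; admins use a separate account.
EXPECTED_ADMINS = {"Administrator", "CORP\\Domain Admins", "CORP\\Workstation Admins"}


def parse_local_group(text):
    """Return the member names listed after the dashed separator line."""
    members, in_members = [], False
    for line in text.splitlines():
        if not in_members:
            in_members = line.startswith("----")  # the separator precedes the members
            continue
        name = line.strip()
        if not name or name.startswith("The command completed"):
            break  # end of the member list
        members.append(name)
    return members


def unexpected_admins(text=SAMPLE_OUTPUT, expected=EXPECTED_ADMINS):
    """Members of the local Administrators group that policy does not allow."""
    return [member for member in parse_local_group(text) if member not in expected]


if __name__ == "__main__":
    for member in unexpected_admins():
        print(f"remove local admin rights: {member}")
```

Every name this prints is a user account that will run email attachments with administrator privileges until it is removed from the group.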
As delivered by manufacturers and resellers, default operating system and application configurations are geared towards ease of deployment and use, not security.
Even if a strong, secure initial configuration is developed and deployed, it must be maintained on an ongoing basis to avoid security “degradation” as software is updated or patched: an upgrade can silently reset a hardened setting to its permissive default, so the baseline has to be re-checked after every change, not just at installation.
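The configuration-drift check described above, as an added example that is not from the article: compare a hardened baseline with the configuration file currently on a host and report every setting that no longer matches. The example uses `sshd_config` because its format is simple and widely known; the baseline values and the file content are constructed, and the compiled-in sshd defaults are included so that a keyword that is simply missing from the file is judged by what sshd will actually do. `Match` blocks are out of scope for this parser.

```python
# Compiled-in sshd defaults for the keywords in the baseline, so that a
# keyword missing from the file is judged by the behaviour sshd falls back to.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Hardened baseline the organisation decided on (constructed).
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "3",
}

# Constructed sshd_config as found on a host after a package upgrade.
CURRENT_CONFIG = """\
# sshd_config (constructed)
Port 22
PermitRootLogin no
# the upgrade prepended its own line; sshd honours the FIRST occurrence,
# so the hardened 'no' below it is dead configuration
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding yes
"""


def parse_sshd_config(text):
    """Parse keyword/argument lines the way sshd reads them: keywords are
    case-insensitive, lines starting with '#' are comments, and the first
    occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())  # first one wins
    return settings


def drift(text=CURRENT_CONFIG, baseline=BASELINE, defaults=SSHD_DEFAULTS):
    """Return {keyword: (wanted, effective)} for every baseline item not met."""
    current = parse_sshd_config(text)
    report = {}
    for key, wanted in baseline.items():
        effective = current.get(key, defaults.get(key))
        if effective != wanted:
            report[key] = (wanted, effective)
    return report


if __name__ == "__main__":
    for key, (wanted, effective) in drift().items():
        print(f"{key}: wanted {wanted!r}, effective {effective!r}")
```

Note the two ways the hardening degraded without anyone deleting a line: a duplicate keyword inserted above the hardened one, and a keyword that was never written down and therefore silently took the product default.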
The audit log is the record of everything that happens on a system. It makes it possible to detect failures, but also attacks. Often, audit logs are not configured at all or do not record activity in sufficient detail. So the first thing to do is to enable them, and to make sure each entry carries enough context (who, from where, on what, with what result) to be usable when you need it.
Sometimes the audit log is the only evidence of a successful attack. Many organizations keep logs for compliance, but attackers count on the fact that organizations rarely look at them, and so remain unaware that their systems have been compromised. Collecting logs is only useful if someone, or something, actually reviews them.
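To show what “actually reviewing” a log can look like, here is an added example that is not part of the original article: a small detection run over authentication log lines, flagging a source that fails repeatedly and then succeeds, which is the signature of a guessed or sprayed password. The lines are constructed to imitate the OpenSSH `sshd` syslog format (with an RFC 5737 test address); the same logic applies to Windows logon events 4625 and 4624 once they are exported. It also illustrates the “sufficient detail” point: a line that does not carry the source address cannot be attributed and is skipped rather than guessed at.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines imitating sshd's syslog output.
SAMPLE_LOG = """\
Sep  3 02:14:01 srv-001 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep  3 02:14:03 srv-001 sshd[2213]: Failed password for root from 203.0.113.7 port 51024 ssh2
Sep  3 02:14:05 srv-001 sshd[2215]: Failed password for root from 203.0.113.7 port 51026 ssh2
Sep  3 02:14:08 srv-001 sshd[2217]: Failed password for backup from 203.0.113.7 port 51030 ssh2
Sep  3 02:14:10 srv-001 sshd[2219]: Failed password for backup from 203.0.113.7 port 51031 ssh2
Sep  3 02:14:12 srv-001 sshd[2221]: Accepted password for backup from 203.0.113.7 port 51033 ssh2
Sep  3 08:30:00 srv-001 sshd[3001]: Failed password for jdoe from 192.168.10.21 port 40000 ssh2
Sep  3 08:30:20 srv-001 sshd[3003]: Accepted password for jdoe from 192.168.10.21 port 40001 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Return (timestamp, result, user, source) for each recognised line.
    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # a line without the fields we need is skipped, never guessed
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source that logs `threshold` failures within `window` and then
    succeeds. A success with no preceding burst is just a normal login."""
    failures = defaultdict(list)   # source -> timestamps of recent failures
    alerts = []
    for ts, result, user, src in sorted(events):
        recent = [t for t in failures[src] if ts - t <= window]  # drop old failures
        if result == "Failed":
            recent.append(ts)
        elif len(recent) >= threshold:
            alerts.append({"src": src, "user": user, "first_failure": recent[0], "success": ts})
            recent = []  # start counting again after raising the alert
        failures[src] = recent
    return alerts


def run(text=SAMPLE_LOG):
    return detect_bruteforce(parse_auth_log(text))


if __name__ == "__main__":
    for alert in run():
        print(f"{alert['src']} logged in as {alert['user']} at {alert['success']} "
              f"after repeated failures starting {alert['first_failure']}")
```

The threshold and window are tuning knobs: too low and every user who mistypes a password twice becomes an alert, too high and a slow, patient attacker slips under it.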
It’s not easy to know where to place your cybersecurity priorities! The important thing to remember is, on the one hand, that there is no such thing as a perfect tool and, on the other, that merely putting tools in place is not enough. It is about thinking of security as a whole and moving towards the most relevant and effective measures, taking into account the specifics of your business.
Hence the importance of approaching security through a method that helps you make the best choices. The first maturity level described by the CIS can then be extended with malware defenses, perimeter protection, or backup and recovery in the event of data loss.
Ah, one last tip for the road: calling on the services of a specialist company can be particularly beneficial.
Article written by Yvan Barnabaux.