What CERT NZ's recommendations mean to you
CERT NZ has released its ten recommended controls, the ones it believes will together provide the greatest reduction in cyber security risk. Like all such recommendations they are an excellent starting point, and based upon my experience in NZ most organisations will already have a solid practice around many of these control areas. That said, in cyber security it is always a good idea to review the basics as well as ask the "What next?" question.
Here are some thoughts, aligned to each of the recommendations:
1 - Patch your software
Patching software is a bit like doing the laundry for a household of teenagers: no sooner have you finished one load than the next arrives, and it is a thankless task that some users resent because of the interruption to their working day that patching sometimes entails. Three additional things to consider that will help are:
- An end user engagement program that explains the benefits of patching, engages everyone in the process and thus reduces user push-back. The most effective way to achieve this is to identify the major demographic groups in your organisation and get an ambassador from each to be your point of contact and spokesperson.
- Don't forget configuration changes as well as the software patching itself. A patch or upgrade can change defaults (a service re-enabled, a hardening setting reset), affecting your overall security stance, so re-check your baseline after patching.
- Consider how you will deal with systems you cannot patch; BYOD, embedded IT and OT devices come to mind. Can you separate them onto a different network? Can you place additional compensating controls around them?
2 - Upgrade or replace legacy systems
This is patching on steroids, and the same comments apply, with the addition that your end user BYOD policy perhaps needs to set a minimum baseline (OS version and patch level) for devices allowed on the network.
In addition, it is useful to flip this whole issue on its head and ask: why do I have those legacy systems, and what do they do for the business that is so important that we are otherwise tolerant of their antiquated state?
I know of one CSO who works for an organisation that had legacy desktops everywhere because the security controls did not adequately reduce risk if the workforce used mobile devices. After six months' effort updating and expanding those controls he was able to start replacing those legacy desktops with Microsoft Surface devices: truly an example of security enabling IT transformation, which in turn has enabled a transformation in how the workforce conducts its daily tasks.
3 - Disable unused services and protocols
The implication of this advice is that you know what you use, why you use it, and which application needs which service and protocol. Many organisations do what they do because that is the way it has always been done, and any concept of an IT asset register is a foreign one. If you cannot yet achieve the goal of disabling what you don't use, set your target firmly on mapping the relationships between the IT infrastructure and the business applications, rating their relative importance to the business, and understanding how they work (and therefore what they need).
4 - Implement application whitelisting
Good advice, but also slightly dangerous if it breeds complacency. RSA's Incident Response team often sees attackers using legitimate (and therefore whitelisted) applications to move laterally in the environment, so-called 'living off the land'. Don't allow whitelisting to lull you into a false sense of security: layer on top of it the capability to alert on a wide range of indicators of compromise (IOCs), including suspicious use of those legitimate tools, on all systems.
5 - Change default credentials
Including on your embedded IT and your OT systems. Moreover, don't just change them once and then forget about them; do the following as well:
- Apply the same policy for regularly updating these credentials as you do to all credentials (after all, such credentials are almost certainly privileged).
- If you can, disable them entirely and instead have all sys-admins use unique credentials with equivalent privileges. If you can't do that and you have to keep shared (default) credentials, strongly consider implementing a change control mechanism for recording who uses them and why.
- Monitor their use, and review who uses them, when they are used and why.
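Putting points 4 and 5 together, here is an added hunting example (my illustration, not code from the original post or from CERT NZ) that runs two rules over constructed process-creation and logon events: a whitelisted admin tool (psexec, wmic, schtasks, sc, winrs, PowerShell remoting) invoked against a remote host from somewhere other than an approved jump host, and a shared or default account logging on with no matching change record. The tool list, host names, accounts, IP addresses and change tickets are all assumptions.

```python
"""Added hunting example: whitelisted admin tools used for lateral movement,
and shared/default admin accounts used outside a recorded change window.
Every event, host, account and change record below is constructed."""
from dataclasses import dataclass
from datetime import datetime

# Legitimate, normally whitelisted binaries that also move attackers between hosts.
LATERAL_TOOLS = {"psexec.exe", "wmic.exe", "schtasks.exe", "sc.exe",
                 "winrs.exe", "powershell.exe"}
# Command-line fragments that point one of those tools at a remote host.
# "/s " (schtasks/sc remote system switch) is loose on purpose; tune per environment.
REMOTE_MARKERS = (r"\\", "/node:", "/s ", "-computername", "invoke-command",
                  "enter-pssession")
# Where remote admin tooling is expected: (host, account), lower-case. Assumption.
EXPECTED_ADMIN_USE = {("admin-jh01", r"corp\alice.admin")}
# Shared/default accounts that should only be used against a change record. Assumption.
SHARED_ACCOUNTS = {"administrator", "svc_backup"}
# Change records from the change control mechanism of point 5:
# (account, host, window start, window end, ticket). Assumption.
CHANGE_WINDOWS = [("administrator", "fs01",
                   "2024-05-01T22:00", "2024-05-02T02:00", "CHG-1234")]


@dataclass
class ProcessEvent:          # e.g. Sysmon event 1 / Windows 4688, reduced to essentials
    ts: str
    host: str
    user: str
    image: str
    cmdline: str


@dataclass
class LogonEvent:            # e.g. Windows 4624, reduced to essentials
    ts: str
    host: str
    user: str
    src_ip: str


def lateral_movement_finding(ev):
    """Rule 1: a whitelisted admin tool aimed at a remote host, unless the
    (host, account) pair is on the expected-use list."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name not in LATERAL_TOOLS:
        return None
    cmd = ev.cmdline.lower()
    if not any(marker in cmd for marker in REMOTE_MARKERS):
        return None  # local use of the tool; not this rule's concern
    if (ev.host.lower(), ev.user.lower()) in EXPECTED_ADMIN_USE:
        return None  # tuned out: a known admin working from a jump host
    return f"{ev.ts} {ev.host}: {ev.user} ran {name} against a remote host: {ev.cmdline}"


def shared_account_finding(ev, windows=CHANGE_WINDOWS):
    """Rule 2: a shared/default account logon with no change record that
    covers this account, this host and this time."""
    account = ev.user.rsplit("\\", 1)[-1].lower()
    if account not in SHARED_ACCOUNTS:
        return None
    when = datetime.fromisoformat(ev.ts)
    for rec_account, rec_host, start, end, ticket in windows:
        if (rec_account == account and rec_host == ev.host.lower()
                and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end)):
            return None  # covered by the ticket
    return (f"{ev.ts} {ev.host}: shared account {ev.user} logged on from "
            f"{ev.src_ip} with no matching change record")


def hunt(process_events, logon_events, windows=CHANGE_WINDOWS):
    findings = []
    for ev in process_events:
        finding = lateral_movement_finding(ev)
        if finding:
            findings.append(finding)
    for ev in logon_events:
        finding = shared_account_finding(ev, windows)
        if finding:
            findings.append(finding)
    return findings


# Constructed telemetry: one expected psexec from the jump host, two suspicious
# remote executions from a workstation, one harmless local PowerShell command.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("2024-05-01T23:10", "ADMIN-JH01", r"CORP\alice.admin",
                 r"C:\Tools\psexec.exe", r"psexec.exe \\FS01 -s cmd.exe"),
    ProcessEvent("2024-05-02T09:41", "WS-0042", r"CORP\bob",
                 r"C:\Windows\System32\wbem\wmic.exe",
                 r'wmic.exe /node:FS01 process call create "cmd.exe /c whoami"'),
    ProcessEvent("2024-05-02T09:42", "WS-0042", r"CORP\bob",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -nop -w hidden Invoke-Command -ComputerName DB02 -ScriptBlock {whoami}"),
    ProcessEvent("2024-05-02T10:05", "WS-0017", r"CORP\carol",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe Get-ChildItem C:\Reports"),
]
# Constructed logons: one inside CHG-1234, one with no ticket, one ordinary user.
SAMPLE_LOGON_EVENTS = [
    LogonEvent("2024-05-01T23:15", "FS01", r"FS01\Administrator", "10.0.5.10"),
    LogonEvent("2024-05-03T03:12", "DB02", r"DB02\Administrator", "10.0.9.77"),
    LogonEvent("2024-05-03T08:00", "WS-0017", r"CORP\carol", "10.0.7.31"),
]


def hunt_sample():
    """Run both rules over the constructed events; expect three findings."""
    return hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_LOGON_EVENTS)


if __name__ == "__main__":
    for line in hunt_sample():
        print(line)
```

In a real environment the process events come from Sysmon event 1 or Windows event 4688 and the logons from event 4624, shipped to the central log platform described under point 9; the change records are exactly what point 5's change control mechanism produces. Maintaining the expected-use set is what keeps the first rule from drowning in legitimate administration, and every entry in it should itself be reviewed, because a jump host is also the attacker's preferred place to sit.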
6 - Deploy multi-factor authentication
Especially if you have implemented SSO, since a single stolen credential now opens every application behind it! Remember too that MFA is often deferred due to the cost and the inconvenience to end users. The best MFA solution is risk based, elevating the challenge requirements based on factors such as when and where the end user is connecting from, whether the device is trusted, which application is being accessed, and so on.
7 - Enforce the principle of least privilege
Awesome advice, and don't forget the sys-admins, despite their grumbling.
8 - Implement and test backups
And make sure that your retention period is long enough to allow you time to detect, analyse and respond to any and all cyber security incidents. If it takes your security team 200 days to detect and respond to an intrusion and your retention period is only 180 days, every backup you still hold was taken after the attacker got in, so you have no guaranteed clean restore point to reset to.
While you're at it, war-room the handling of a major cyber security incident as part of your DR testing.
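To make the retention arithmetic in point 8 concrete, here is an added worked example (mine, not from the original post or from CERT NZ) using constructed dates. It lists the backups still on hand on the day an intrusion is detected, given a retention period and backup interval, picks the newest one taken before the attacker's first foothold, and computes the minimum retention a given dwell time demands. The 200-day dwell time and 180-day retention figures are the ones quoted above; the detection date and the weekly schedule are assumptions.

```python
"""Added worked example: does a clean restore point survive a long dwell time?
The detection date is constructed; the 200-day dwell and 180-day retention
figures are the ones discussed above."""
from datetime import date, timedelta
from math import ceil


def retained_backups(detection_day, retention_days, interval_days=1):
    """Backups still on hand on detection_day: one taken that day and one
    every interval_days before it, back to the retention limit. Older
    copies have already been expired by the retention policy."""
    return [detection_day - timedelta(days=k)
            for k in range(0, retention_days + 1, interval_days)]


def latest_clean_restore_point(backups, first_compromise_day):
    """Newest backup taken strictly before the attacker's first foothold,
    or None if every retained backup post-dates the intrusion."""
    clean = [b for b in backups if b < first_compromise_day]
    return max(clean) if clean else None


def restore_point_after_dwell(detection_day, dwell_days, retention_days,
                              interval_days=1):
    """Combine the two: the intrusion began dwell_days before detection."""
    first_compromise_day = detection_day - timedelta(days=dwell_days)
    backups = retained_backups(detection_day, retention_days, interval_days)
    return latest_clean_restore_point(backups, first_compromise_day)


def minimum_retention_days(dwell_days, interval_days=1):
    """Shortest retention that still holds a backup from before the
    foothold: at least dwell_days + 1 days old, rounded up to the schedule."""
    return ceil((dwell_days + 1) / interval_days) * interval_days


DETECTION_DAY = date(2024, 5, 1)  # constructed


if __name__ == "__main__":
    # The scenario above: 200-day dwell, 180-day retention, daily backups.
    print(restore_point_after_dwell(DETECTION_DAY, 200, 180))        # None
    # Retention extended to a year: the backup from the day before the foothold.
    print(restore_point_after_dwell(DETECTION_DAY, 200, 365))        # 2023-10-13
    # Weekly backups: the schedule-aligned copy, two days earlier still.
    print(restore_point_after_dwell(DETECTION_DAY, 200, 365, 7))     # 2023-10-11
    print(minimum_retention_days(200), minimum_retention_days(200, 7))  # 201 203
```

Two caveats the arithmetic hides: the first-compromise date comes out of your incident analysis and is rarely exact, so budget a margin of several backup cycles on top of the minimum; and a backup from before the foothold is clean only with respect to that intrusion, so whatever was exploited to get in is still present in it and must be patched (point 1) before the restored system goes back online.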
9 - Configure centralised logging
If you aren't logging today, why not? If you are logging today, what else are you going to do this year to augment what you're already doing? Remember that centralised logging is only fed by whatever log events your systems and preventative controls generate. Attackers work very hard to bypass those controls and slip into systems undetected; a control that is bypassed rather than triggered emits no event, and with no event there is no alert.
Logging is the foundation but not the whole building. It is useful to look at what CERT NZ itself says about the need for logging:
"Without good logging, it’s very difficult to discover the nature and extent of a compromise. This makes your efforts to contain and recover from an incident much harder. In many incidents reported to CERT NZ, a complete post-incident investigation has not been possible, due to lack of logs."
Replace the words "logging" and "logs" with "monitoring and threat hunting" and you'll be on the right track to achieving the end goal. Logging is a passive state of security visibility, whereas threat hunting is a forward-leaning exercise that investigates indicators of compromise and suspicious behaviour across all domains: the networks and the compute stacks.
10 - Manage your mobile devices
See points 1 and 2!
With all that said, cyber security is of course a journey, and whether you have already implemented all of CERT NZ's advice or not, keep evaluating risk and keep improving.
Sound advice!