Technology was not meant for evil practices. Its innovators assumed that it would be used for good reasons; they were wrong. Perhaps the innovators did not take seriously the well-known idiom that every coin has two sides. The good side of the coin is technology used to improve productivity and quality of life; the other side is its misuse. Cyber-criminals can use the same technology destructively to cause damage, harm, theft, fraud and many other evil practices. Cyber-security issues have raised many eyebrows in recent years, especially because of the high-profile breaches that occur at various target organizations. Both the general public and the business world are disturbed by the increasing cyber-crimes, which expose and even lead to the loss of sensitive personal data, as well as causing business disruptions among numerous other impacts. An increase in cyber-crime is recorded day by day. Sober (2018) reports that 2017 statistics show over 135 major target breaches every year, and further states that this number has been growing by 27% every year.
Notably, the risks associated with information systems have increased. This may be due to ignorance, lack of knowledge about critical security controls (CSCs), or a deficiency of the resources necessary to protect the system, among other reasons. It is therefore important to look into CSCs to help mitigate the common attacks experienced by various organizations. Following this rationale, the intent of this article is to explore the CSCs in light of a real-world case study, “The Overloaded Security Professional’s Guide to Prioritizing Critical Security Controls.” The case study concerns a company named Portland Design & SEO (Portland Design), a victim of a cyber-attack. The organization provided web design, hosting and search engine optimization services to its customers. It experienced a severe attack which led to the loss of its customers’ important information as well as their websites. We shall use this organization as a point of reference in exploring various security issues associated with evolving technology, as well as their mitigation techniques.
The security issues Portland Design Organization was facing before the breach
- Deficiency of security management resources
As cyber-attackers continually adopt attack strategies that are increasingly innovative and damaging, supporting an enterprise with proper security resources is critical. However, organizations have experienced a shortage of security resources, and this problem is seen in Portland Design. The organization did not have adequate resources, including but not limited to skilled personnel: every burden regarding the system’s security was laid on the shoulders of Mr. Johnson. Insufficient security resources is an issue dealt with by almost every organization across every industry, and as the security threat landscape continues to grow, the shortage of sophisticated resources for security management becomes a more pressing issue.
- Lack of management support
The lack of management support is another pressing issue the organization experienced before the attack, and it is a major contributor to poor cyber security in an organization. Management should comprehend the impact of a cyber-attack on the corporation’s business operations. Despite the concern Johnson raised regarding the wanting security status of Portland Design, the organization still pushed to expand its business while forgetting the security status of its information system. Management support is a very critical aspect of critical security control that should not be overlooked by any organization.
How emerging technologies, such as IoT, Cloud and Blockchain, complicate the task of protecting valuable assets
There is an overabundance of Internet of Things (IoT) devices and protocols, which may lead to security blind spots. Today’s IoT ecosystem involves a complex web of industry-specific devices and use cases that deploy various communication protocols, like CoAP, to enable edge devices to communicate with gateways, cloud services and software interfaces (Greengard, 2015). This fragmented approach may lead to interoperability problems when integrating multiple IoT-enabled devices into an enterprise architecture. Those interoperability issues add complexity, which may consequently increase vulnerability and security threats because it is difficult to apply critical security controls consistently across all devices and protocols in the system.
In the cloud, the skill sets essential for effectively managing traditional on-premises critical infrastructure and cloud-based infrastructure are totally different. Research conducted by Tufin (2018) suggests that the increased adoption of the cloud has changed the cloud security skills required. Cloud security skills are in short supply, as the industry experiences a shortage of skilled security personnel who can keep pace with the increasing adoption of the platform (Jansen, 2011).
Despite the fact that blockchain is known to have no single point of failure, organizations can still face risks from external events that are out of their control. There are insufficient privacy controls in the current generation of blockchain technology (Yli-Huumo, Ko, Choi, Park & Smolander, 2016). Attackers may also target a blockchain deployment by compromising its encryption keys, or exploit its lack of scalability and the unforeseen issues that result in order to gain access to the system.
The 20 critical security controls that can be used to apply defense in depth at the Portland Design Organization
The following are the top 20 critical security controls according to Tarala (2011) and Greene (2015):
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Maintenance, Monitoring and Analysis of Audit Logs
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capabilities
- Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
- Implement a Security Awareness and Training Program
- Incident Response and Management
- Application Software Security
- Penetration Tests and Red Team Exercises
Among the 20 CSCs, data recovery capability is the most essential, and the organization should give it priority. The organization should ensure that all its critical infrastructure and data are backed up properly at a minimum of once a week (Radanliev et al., 2018). Along with this, the organization should have a proven methodology for data recovery, so that when an incident like the one Portland Design experienced occurs, the organization can still keep its data safe.
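As an added illustration of what a proven data recovery methodology looks like in practice (example code written for this article, not part of the case study or of Portland Design’s own tooling), the following Python packs constructed sample site files into a backup with a manifest of SHA-256 digests, checks that the newest backup is within the weekly window stated above, and proves the backup by actually restoring it and comparing every file to the manifest. The sample files, the seven-day threshold and the function names are assumptions.

```python
import datetime as dt
import hashlib
import io
import tarfile

MAX_BACKUP_AGE = dt.timedelta(days=7)  # from the text: back up at minimum once a week

def make_backup(files):
    """Pack files (name -> bytes) into an in-memory tar.gz and return it with a
    manifest of SHA-256 digests. Stand-in for a real backup job (assumption)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    return buf.getvalue(), manifest

def is_fresh(last_backup_iso, now_iso):
    """True if the newest backup (ISO 8601 timestamps) is inside the weekly window."""
    last, now = dt.datetime.fromisoformat(last_backup_iso), dt.datetime.fromisoformat(now_iso)
    return now - last <= MAX_BACKUP_AGE

def verify_restore(archive, manifest):
    """A backup is only proven when it restores: extract every member in memory and
    compare it with the manifest. Returns a list of problems (empty means OK)."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        restored = {m.name: tar.extractfile(m).read()
                    for m in tar.getmembers() if m.isfile()}
    for name, digest in manifest.items():
        if name not in restored:
            problems.append(f"missing from backup: {name}")
        elif hashlib.sha256(restored[name]).hexdigest() != digest:
            problems.append(f"content mismatch: {name}")
    for name in sorted(restored.keys() - manifest.keys()):
        problems.append(f"unexpected file in backup: {name}")
    return problems

# Constructed sample: two hosted customer sites of the kind Portland Design served.
SITE_FILES = {
    "sites/alpha/index.html": b"<h1>Alpha Bakery</h1>",
    "sites/beta/index.html": b"<h1>Beta Plumbing</h1>",
}

if __name__ == "__main__":
    archive, manifest = make_backup(SITE_FILES)
    print("fresh:", is_fresh("2018-11-01T02:00:00", "2018-11-04T02:00:00"))
    print("restore problems:", verify_restore(archive, manifest))
```

A backup that has never been restored is an untested assumption; running the restore check after every weekly job is what turns the backup into a recovery capability.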
The impact of the breach on the organization
The impacts associated with a data breach in a cyber-attack incident can have detrimental effects on an organization in various ways, as seen in Portland Design’s case. The data breach that occurred in the organization damaged its reputation. Loss of customers’ and stakeholders’ trust is one of the most harmful impacts of a cyber-attack, because a good number of individuals would not like to do business with an organization that has suffered a data breach if the corporation failed to protect its customers’ data. As a result, the organization may lose its business as well as suffering the devaluation of the brand it has worked hard to build.
Another impact of the breach faced by the organization is theft. The cyber-attack led to monetary loss of the organization’s assets to the attacker. It was only after the attacker had invaded the system that Mr. Johnson discovered, while trying to rescue the remaining websites from the attack, that 92% of the websites were already missing.
The recommended decision and a list of the appropriate security controls
Data breaches from cyber-attacks happen with regularity, and companies that have fallen victim have learned many lessons. Because data breaches are not all the same, there are different security-risk responses for each attack situation. The following are the recommended decisions to mitigate attacks arising from the two issues identified in the Portland Design enterprise: deficiency in management resources and lack of management support.
- Deficiency in management resources
Portland Design Agency should not let a lack of resources compromise its cyber security. The organization can overcome the risk of deficient resources by making its employees “watchdogs” who protect its system. To do this, employees should be given proper tools and education on safety measures (Joinson & Steen, 2018; Von Solms & Van Niekerk, 2013). Providing pertinent information regarding cyber security and best practices, along with arming employees with a few tips, can help the organization mitigate and even prevent cyber-attacks (Korpela, 2015).
To accomplish the above, the organization should observe the following controls:
- Supervise the organization’s employees to ensure the correct use of the limited organizational resources in mitigating security threats, as documented in the company’s policies and procedures.
- Conduct an assessment to evaluate the effectiveness of the security management strategy.
- Screen candidates for hire, and repeat the screening process at regular intervals, to ensure quality personnel who can use the limited resources to provide effective security.
- Lack of management support
The lack of management support is another manageable risk that Portland Design should not succumb to. Mr. Johnson, as a computer security specialist, can help mitigate such risks by persuading the organization’s management through training and awareness of the significance of security management. He can accomplish this by bringing security matters, and the need for support from management, to board meetings.
The following controls will support this approach:
- Document the security incidents that previously occurred as a rationale for the need for management support.
- Ensure training and awareness sessions focus mainly on reinforcing cyber security to ensure the safety of the organization’s systems.
How a BYOD policy works
A BYOD policy involves controls that allow an organization’s employees to use personal devices, including laptops, mobile phones and many other devices (Bratthall Tideman & Lindström, 2018). The BYOD trend empowers employees to use their own devices while helping the organization to save money, and it is known for the proliferation of such devices. However, giving employees the chance to use their own devices is not without its drawbacks.
The main drawback of BYOD is that the loss of any device can be a major risk. The organization’s sensitive information may be accessed if a device is stolen or lost (Freedman, 2015). This can compromise the integrity and confidentiality of the organization’s security system, thus diminishing its image. Another potential drawback of BYOD is that the organization can be liable for the actions of its employees on their devices, even when they are using them outside the organization.
Given the aforementioned risks, BYOD is not recommended for the organization, as the policy has many vulnerabilities that an attacker could exploit to access the organization’s sensitive data. Physical security is minimal, so user devices can be stolen by hackers for malicious gain.
How penetration testing may complicate risk management
Penetration testing is a very significant security management strategy. However, it can lead to serious complications in risk management. Various distributions contain pre-configured sets of penetration testing tools (McGann, Bradley, Taylor, Wotherspoon & Cubrinovski, 2015). Hunting down each individual tool by hand instead might increase complications, like compilation errors, configuration errors and dependency issues, which may compromise the system.
Bratthall Tideman, J., & Lindström, J. (2018). Key components when utilising BYOD within organisations-A framework for developing the BYOD policy.
Freedman, A. (2015). Managing personal device use in the workplace: How to avoid data security issues and to dig yourself out of your failed BYOD policy. Suffolk J. Trial & App. Adv, 20, 284-361.
Greene, T. (2015). SANS: 20 critical security controls you need to add. Network, 10, 34.
Greengard, S. (2015). The internet of things. MIT Press.
Jansen, W. A. (2011, January). Cloud hooks: Security and privacy issues in cloud computing. In 2011 44th Hawaii International Conference on System Sciences (pp. 1-10). IEEE.
Joinson, A., & Steen, T. V. (2018). Human aspects of cyber security: Behaviour or culture change?. Cyber Security: A Peer-Reviewed Journal, 1(4), 351-360.
Korpela, K. (2015). Improving cyber security awareness and training programs with data analytics. Information Security Journal: A Global Perspective, 24(1-3), 72-77.
McGann, C. R., Bradley, B. A., Taylor, M. L., Wotherspoon, L. M., & Cubrinovski, M. (2015). Development of an empirical correlation for predicting shear wave velocity of Christchurch soils from cone penetration test data. Soil Dynamics and Earthquake Engineering, 75, 66-75.
Radanliev, P., De Roure, D., Nurse, J. R., Nicolescu, R., Huth, M., Cannady, S., & Montalvo, R. M. (2018). Integration of cyber security frameworks, models and approaches for building design principles for the Internet-of-Things in Industry 4.0.
Sober, R. (2018). 60 Must-Know Cybersecurity Statistics for 2018. Retrieved on 1st November 2018 from: <https://www.varonis.com/blog/cybersecurity-statistics/>
Tarala, J. (2011). Implementing the 20 critical controls with security information and event management (SIEM) systems. SANS Whitepaper.
Tufin (2018). ESG Research Spotlight and Network Security Operations Transformation. Retrieved on 11th November 2018 from: <https://web.tufin.com/esg-research-perspectives-paper-cloud-computing-and-network-security-operations-transformation-0-0>
Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & security, 38, 97-102.
Yli-Huumo, J., Ko, D., Choi, S., Park, S., & Smolander, K. (2016). Where is current research on blockchain technology?—a systematic review. PloS one, 11(10), e0163477.