
5 mistakes CISOs must avoid in 2019

It’s that time of year again when you’re expected to review the past year and refine your resource protection strategies to avoid a data breach. The stakes are high. There is almost nothing more frightening than having to deal with the fallout of a cyber attack.

As you take stock of your resources, map out your plan, and set your priorities for the coming year, add the following checklist to your war-chest to make sure to never commit these five grievous cybersecurity errors – ever.

#1 – Manage Local User Accounts

If it were still the 1990s, we’d be managing Excel lists of users’ credentials and could fail to deactivate former employees’ accounts without much concern. Today, attackers seek to exploit the accounts of former employees, or of current ones who moved around the company but still retain permissions to IT resources they no longer need.


If you’re using local accounts and haven’t yet implemented single sign-on (SSO) with an identity provider, such as Okta, Azure AD or Ping Identity, to centrally manage user accounts across your applications and services, you’re leaving your company vulnerable to attacks. CSO Online quotes Okta’s Director of Security Product, Joe Diamond, as saying that having identity stores/silos across multiple solutions, and managing separate identities, logins and passwords for many different applications, makes it impossible to ensure accurate entitlement and proper offboarding. That being the case, “SSO becomes, in a way, a prerequisite for organizations looking to adopt cloud solutions.”

#2 – Provide Wide Network Access to Your Datacenters

Your datacenters are protected by virtual lock and key and perhaps you’re sleeping well at night because you think your Fort-Knox-like security is impenetrable.

Yes, but no.

Outsiders might have a tough time gaining entry, but insiders have free access because, well, you let them. Just because internal users have passed authentication, it doesn’t mean that they should have access to all parts of your datacenter networks. Even if they are considered “trusted users,” they may still pose a security risk. By giving network-wide access to all users, if even one of your users’ accounts is compromised, the entire datacenter – and all of the information in it – is at great risk. Hackers could hold your data for ransom or, more likely, stay hidden inside your network over a long period of time to steal your data. Advanced persistent attacks like those can take months (and sometimes years) to discover. While managing tight entitlements for organizational users to IT resources in a large network can be a burden, there really is no way out of it. We recommend considering it a “cost of doing business” with modern IT infrastructures.

#3 – Hold on Tight to Your Perimeter Mentality

Not too long ago, we all knew where our networks started and finished. There was a nice big comforting wall around our network. ITProPortal puts it succinctly: the network perimeter has dissolved as employees and businesses have become more agile. It’s the advent of cloud computing, remote and mobile workforces, and BYOD that makes it impossible to distinguish the inside of your network from the outside.

As the network walls crumbled in favor of cloud services, cybersecurity has become a major concern. Traditional security tools and techniques have become irrelevant. Cloud apps that are misconfigured can be the root cause of a major breach. There is no “castle and moat” architecture anymore. What we need is a different way to distinguish between who should be allowed in and who shouldn’t be. Strict controls that verify every user and every device on every session have become essential. Nobody should have access to everything at once; even senior/privileged users’ access needs to be restricted.

#4 – Implement Static Access Policies Tied to Network Topology

Firewalls, as an example of mainstream network security controls, used to be great because they suited all types of users. While they are a convenient set-and-forget system, static network-based access policies are bad practice. Every user needs to access different resources with different levels of permissions, so a one-size-fits-all solution is inappropriate and can be dangerous.


Static policies and lack of governance were the reasons Nordcloud gave for the data breaches involving Amazon’s S3 cloud storage early in 2018: “It might be that some ‘convenient’ pre-created S3 Bucket is used for multiple different types of data including sensitive data.” If you insist on static access policies, you’re blocking your organization’s ability to enjoy the benefits of the cloud and to be an agile, modern organization.

#5 – Act Overprotective With Employee-Owned Devices

With global, distributed workforces becoming the norm, employees use their own devices to do their jobs. On one hand, the adoption of BYOD has increased employees’ flexibility and efficiency. At the same time, it has raised security challenges and concerns.

IT teams quickly realized that BYOD strips them of control over the devices being used to access company resources. The knee-jerk reaction may be to over-protect company resources and limit access to company-managed devices only, which often makes it hard for legitimate users to reach the networks and applications they need to perform their daily tasks. Not surprisingly, this results in frustrated employees and lowered efficiency, greatly offsetting any benefits gained from BYOD.

Avoid the Breach Headlines for 2019

So how’s it going to look for you in 2019? Were you about to make these mistakes too or do you have your plans in shape to stand behind an updated, solid cybersecurity strategy? Good. You’ll buy yourself organizational kudos and peace-of-mind.


*** This is a Security Bloggers Network syndicated blog from Luminate Blog authored by Leonid Belkind. Read the original post at: https://blog.luminate.io/5-mistakes-cisos-must-avoid-in-2019

Leonid Belkind

Leonid Belkind is a Co-Founder and Chief Technology Officer at Torq, a no-code security automation platform. Prior to Torq, Leonid co-founded (and was CTO of) Luminate Security, a pioneer in Zero Trust Network Access and Secure Access Services Edge. At Luminate, Leonid guided this enterprise-grade service from inception, to Fortune 500 adoption to acquisition by Symantec. Before Luminate, Leonid managed engineering organizations at CheckPoint Software Technologies that delivered enterprise firewalls and other network, endpoint and data security products.
