For as long as I have been a technical writer in the world of Cybersecurity, I had never been asked this one question: “What is a control?” That changed when I was walking down the Prairie Path, a beautiful preserve located here in Chicago. Someone stopped me to say “hi”, and the conversation turned to what we each do for a living. When I told him I was in Cyber, that was the first question out of his mouth. So, I answered: “Well, a control is a defensive mechanism that is put into place to protect your digital assets.” He scratched his head even more and just walked away. I did not forget about this; on the way back, even I started thinking: “What exactly is a control? What does it even look like?”

So that gave me the inspiration for today’s blog. Keep in mind that this is just an overview; more specifics about controls will come in future blogs. Generally speaking, there are three different kinds:
1) The Preventative: In this kind of scenario, you have a CISO and an IT Security team that are proactive in their job responsibilities. Meaning, they want to get the controls out and deploy them before the Cyberattacker can break through the lines of defense.

2) The Detective: This is where you implement a control that alerts you only after a Cyberattacker has broken through. Obviously, this is not a situation that you ideally want to be in, but at least it will allow your IT Security team to get an early jump on containing any damage that may have already been started.

3) The Corrective: This is the situation in which you have been hit by a security breach and are scrambling quickly to deploy any kind of control that you can to avoid further fires. Obviously, this is a situation that you never, ever want to be in!!!
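To make the three kinds concrete, here is an added example (mine, not from the blog) that takes one rule, “no more than a few failed logins from the same source inside a minute”, and applies it as a preventive control (an inline gate that refuses the attempt), a detective control (a scan over the authentication log that raises an alert afterwards), and a corrective control (the containment steps taken once the alert fires). The log lines, addresses, user names and thresholds are all constructed for illustration.

```python
"""Added example: one brute-force rule as a preventive, a detective, and a
corrective control. Log lines, names and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # look-back window for counting failures
MAX_FAILURES = 3      # failures allowed per source inside the window


class PreventiveGate:
    """Preventive control: sits in the request path and refuses an attempt
    before it ever reaches the authentication back end."""

    def __init__(self):
        self._failures = defaultdict(deque)   # source -> timestamps of failures

    def allow(self, ts, source):
        q = self._failures[source]
        while q and ts - q[0] > WINDOW_SECONDS:   # forget failures outside the window
            q.popleft()
        return len(q) < MAX_FAILURES

    def record_failure(self, ts, source):
        self._failures[source].append(ts)


def parse_line(line):
    """'2024-05-01T10:00:00 FAIL src=10.0.0.5 user=alice' -> (epoch, result, src, user)"""
    stamp, result, src, user = line.split()
    ts = datetime.fromisoformat(stamp).timestamp()
    return ts, result, src.split("=", 1)[1], user.split("=", 1)[1]


def detect_bruteforce(log_lines):
    """Detective control: runs after the fact over the authentication log and
    returns one alert per (source, user) that exceeded the threshold."""
    counter = PreventiveGate()       # the same window logic, used purely as a counter
    alerts = []
    for line in log_lines:
        ts, result, src, user = parse_line(line)
        if result != "FAIL":
            continue
        counter.record_failure(ts, src)
        if not counter.allow(ts, src) and (src, user) not in alerts:
            alerts.append((src, user))
    return alerts


def corrective_actions(alerts):
    """Corrective control: the containment steps the IT Security team carries
    out once the detective control has fired."""
    return [f"block {src} at the firewall and force a credential reset for {user}"
            for src, user in alerts]


SAMPLE_LOG = [  # constructed sample: four failures from one source inside one minute
    "2024-05-01T10:00:00 FAIL src=10.0.0.5 user=alice",
    "2024-05-01T10:00:10 FAIL src=10.0.0.5 user=alice",
    "2024-05-01T10:00:20 OK   src=10.0.0.9 user=bob",
    "2024-05-01T10:00:30 FAIL src=10.0.0.5 user=alice",
    "2024-05-01T10:00:40 FAIL src=10.0.0.5 user=alice",
    "2024-05-01T10:05:00 FAIL src=10.0.0.5 user=alice",  # outside the window again
]


def preventive_demo():
    """Replay the same events through the inline gate; returns its decisions."""
    gate = PreventiveGate()
    decisions = []
    for line in SAMPLE_LOG:
        ts, result, src, _ = parse_line(line)
        allowed = gate.allow(ts, src)
        decisions.append(allowed)
        if allowed and result == "FAIL":
            gate.record_failure(ts, src)
    return decisions


if __name__ == "__main__":
    print("preventive decisions:", preventive_demo())
    print("detective alerts:   ", detect_bruteforce(SAMPLE_LOG))
    print("corrective actions: ", corrective_actions(detect_bruteforce(SAMPLE_LOG)))
```

The point of the replay is that the same rule behaves differently depending on where it sits: inline, the fifth attempt is simply refused; over the log, the breach is only visible after it happened, and the corrective list is what is left to do.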
So now the next question comes up: “When do you deploy controls when you don’t even know what tomorrow looks like?” The truth of the matter is that the deployment of controls is not an exact science. Rather, it is an art. IMHO, controls should be deployed immediately once a Risk Assessment has been conducted and you know what your most vulnerable digital assets are.

But there are other steps that you and your IT Security team can also take in conjunction with the deployment of controls to further beef up your lines of defense. According to an article I read this morning (which also further inspired me to write about controls), this can be compared to “avoiding potholes on the road”. So, here are some ideas:
1) Minimization: I have always said that one of the best ways to keep your attack surface as small as possible is to use only those devices that you absolutely need, but place them strategically. This especially holds true for network security devices. Instead of getting ten of them, why not try and use just three? Another area where “bloat” can be eliminated is in the software builds that you engage in. For example, rather than using extra components that add more bells and whistles, why don’t you just create something that is much leaner, but also delivers what the customer is looking for? By having “bloated” applications, you are simply putting in more points of entry for the Cyberattacker, thus putting your customer at an even graver risk. This is where the importance of a Software Bill of Materials (also known as an “SBOM”) comes into critical play.
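An SBOM makes that bloat measurable. The following added example (mine, not from the blog or any SBOM tool) reads a constructed CycloneDX-style document, skips components the SBOM already marks as `excluded` (CycloneDX uses that scope for things not shipped at runtime, such as test tools), and lists every shipped component that is not in the set the product actually needs. The SBOM contents and the `NEEDED` set are assumptions for the demonstration.

```python
"""Added example: using a CycloneDX SBOM to find removable components.
The SBOM and the NEEDED set are constructed for illustration."""
import json

SAMPLE_SBOM = json.dumps({   # constructed, trimmed to the fields this check uses
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0", "scope": "required"},
        {"type": "library", "name": "urllib3", "version": "2.2.1", "scope": "required"},
        {"type": "library", "name": "rich", "version": "13.7.1", "scope": "optional"},
        {"type": "library", "name": "pytest", "version": "8.1.1", "scope": "excluded"},
        {"type": "library", "name": "legacy-xmlrpc", "version": "0.9.0"},
    ],
})

NEEDED = {"requests", "urllib3"}   # assumed: what the product really imports at runtime


def load_components(sbom_json):
    """Parse the SBOM and return its component list (CycloneDX only, here)."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX SBOMs are handled in this example")
    return doc.get("components", [])


def removal_candidates(sbom_json, needed):
    """Return (name, version, reason) for every shipped component that is not
    in the needed set. Components marked 'excluded' are not shipped, so they
    are not counted as attack surface."""
    out = []
    for c in load_components(sbom_json):
        if c.get("scope") == "excluded":
            continue
        if c["name"] not in needed:
            reason = ("marked optional" if c.get("scope") == "optional"
                      else "not needed at runtime")
            out.append((c["name"], c.get("version", "?"), reason))
    return out


def attack_surface_summary(sbom_json, needed):
    """How many shipped components the build carries versus how many it needs."""
    shipped = [c for c in load_components(sbom_json) if c.get("scope") != "excluded"]
    extras = removal_candidates(sbom_json, needed)
    return {"shipped": len(shipped),
            "needed": len(shipped) - len(extras),
            "removable": len(extras)}


if __name__ == "__main__":
    for name, version, reason in removal_candidates(SAMPLE_SBOM, NEEDED):
        print(f"{name} {version}: {reason}")
    print(attack_surface_summary(SAMPLE_SBOM, NEEDED))
```

Run against a real build, the `NEEDED` set would come from what the application actually imports; the value of the exercise is that every entry in the removable list is a point of entry that exists only because nobody took it out.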
2) Use What Is Given: If your entire IT and Network Infrastructure is in the Cloud, you are given a wide array of security tools that you can work with. This is especially true of Microsoft Azure. They give a lot, so make use of it, because there should not be an extra charge for them (it is part of your monthly subscription). But keep in mind that you are responsible for the proper configuration of them!!! If you are not sure how to do this, it is always best to work with a Cloud Service Provider (also known as a “CSP”).
3) Generative AI: With this explosion, a new trend has started, and that is to make use of what are known as “Non-Human Identities”, or “NHIs”. These are like small robots that have been created by Generative AI to help automate certain processes. While the common thinking is that they can access anything at any time, the truth is that they also need to be given login credentials. So in this regard, it is also important that you maintain a strong security policy here as well, and even go to the point of using Password Managers that have been created exclusively for these “agents”. They should also be given access only when it is absolutely needed (in the world of Privileged Access Management, this is technically known as “Just in Time”). It should be noted here also that up to 95% of businesses use these small robots today, thus the need to further secure them is now of paramount importance as well.

(SOURCE: https://cloudsecurityalliance.org/artifacts/state-of-non-human-identity-security-survey-report)
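What “Just in Time” looks like for an agent in practice is shown by this added example (mine, not from the blog or any PAM product): a small broker that hands an NHI a signed, single-scope grant with an expiry, checks every use against scope and time, lets an operator revoke it early, and writes an audit trail for the detective side. The identity name, scopes, clock values and the broker’s key are constructed; the broker itself is an illustration of the pattern, not a vendor API.

```python
"""Added example: a minimal Just-in-Time access broker for a non-human identity.
Identity names, scopes, clock values and the signing key are constructed."""
import hashlib
import hmac
import secrets

BROKER_KEY = secrets.token_bytes(32)   # constructed: the broker's own signing key


class JitBroker:
    """Issues short-lived, single-scope grants and checks them on every use.
    Standing access is never stored: a grant exists only between grant() and
    its expiry (or an explicit revoke())."""

    def __init__(self, key=BROKER_KEY):
        self._key = key
        self._grants = {}     # token id -> {"identity", "scope", "expires"}
        self.audit = []       # every decision, for after-the-fact review

    def grant(self, identity, scope, ttl_seconds, now):
        token_id = secrets.token_hex(16)
        self._grants[token_id] = {"identity": identity, "scope": scope,
                                  "expires": now + ttl_seconds}
        self.audit.append(("grant", identity, scope, now))
        return token_id + "." + self._sign(token_id)

    def authorize(self, token, scope, now):
        token_id, _, sig = token.partition(".")
        if not hmac.compare_digest(sig, self._sign(token_id)):
            return self._decide(False, "bad signature", token_id, now)
        g = self._grants.get(token_id)
        if g is None:
            return self._decide(False, "unknown or revoked", token_id, now)
        if now >= g["expires"]:
            self._grants.pop(token_id)          # expired grants are dropped, not kept
            return self._decide(False, "expired", g["identity"], now)
        if g["scope"] != scope:
            return self._decide(False, "scope mismatch", g["identity"], now)
        return self._decide(True, "ok", g["identity"], now)

    def revoke(self, token):
        token_id = token.partition(".")[0]
        self.audit.append(("revoke", token_id, None, None))
        return self._grants.pop(token_id, None) is not None

    def _sign(self, token_id):
        return hmac.new(self._key, token_id.encode(), hashlib.sha256).hexdigest()

    def _decide(self, ok, reason, who, now):
        self.audit.append(("authorize", who, reason, now))
        return ok


def demo():
    """Walk one deployment agent through a JIT lifecycle; returns the decisions."""
    broker = JitBroker()
    tok = broker.grant("deploy-agent-01", "deploy:prod", ttl_seconds=300, now=0)
    forged = tok[:-1] + ("0" if tok[-1] != "0" else "1")   # flip one signature digit
    results = {
        "in_window_right_scope": broker.authorize(tok, "deploy:prod", now=100),
        "in_window_wrong_scope": broker.authorize(tok, "db:admin", now=100),
        "forged_token": broker.authorize(forged, "deploy:prod", now=100),
        "after_expiry": broker.authorize(tok, "deploy:prod", now=400),
    }
    tok2 = broker.grant("deploy-agent-01", "deploy:prod", ttl_seconds=300, now=500)
    broker.revoke(tok2)
    results["after_revoke"] = broker.authorize(tok2, "deploy:prod", now=510)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>24}: {'allowed' if ok else 'denied'}")
```

Only the first call is allowed; the same agent asking for a different scope, presenting a tampered token, coming back after the window closed, or using a grant an operator revoked is refused, and each refusal is in `audit` with its reason.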
My Thoughts On This: While the discussion of controls will be covered in future blogs, the CISO and the IT Security team should not be obsessed with just them. Remember, they are just one part of creating that great Cybersecurity machine that will always be a work in progress.