Seems like nowadays, everybody’s got an opinion on how to protect your data and assets from threats like ransomware, supply chain attacks, and good old exploitation of vulnerable Internet-facing services.
That’s not really a bad thing, to be honest. At the heart of any responsible, mature security program is a set of fundamental principles—least privilege access, defense in depth, etc.—as well as basic practices like vulnerability management and security monitoring. The more voices we have urging organizations to adopt them, the better.
One significant voice in the last few months has been the White House. In May, we saw the President issue an executive order directing new security requirements for federal agencies as well as their suppliers. Key among these requirements:
- Service providers will have to share information about threats they’ve observed and breaches they’ve experienced, and to store logs and telemetry for use in breach investigations.
- Suppliers of software to the federal government will have to adhere to new requirements for secure software development. They will need to use administratively separate build environments, audit trust relationships, and implement risk-based multifactor authentication (MFA). Additionally, they will need to document and minimize the software dependencies used in the build process, encrypt data, and monitor the build environment for threats.
- Federal agencies themselves will have to migrate to a zero trust network architecture, roll out endpoint detection and response (EDR) tools, and implement MFA and stronger encryption on data at rest and in transit. Furthermore, they will have to adopt a new framework to share threat and incident information with each other.
The technologies listed here—MFA, EDR, and zero trust—are more than just fancy new industry buzzwords (although they sure are used that way). They represent some of the most effective modern security controls available. It’s encouraging to see the White House push their use.
Read more about Zero Trust Networks (ZTN): What are they and how do I implement one?
The Biden administration has been vocal about the recent spate of high-profile ransomware attacks, too. In response, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, published a memo to business leaders—not just federal contractors, but any business operating a computer network—urging them to invest in some of these same technologies.
The guidance lays out a set of valuable practices that can help address ransomware as well as many other potential threats:
- Implement MFA, to protect against stolen credentials.
- Implement EDR, to identify suspicious activity in your environment and respond quickly.
- Encrypt your data at rest and in transit. Note that this control does not stop ransomware actors from encrypting your files a second time; its value is against data theft, since many of these groups now steal data and threaten to publish it in addition to encrypting it. Encryption only helps here if the keys are not reachable with the same access the attacker has already obtained, so key management matters as much as the encryption itself.
- Patch your operating systems and applications.
- Back up your systems, test the backups, and use offline backups.
- Run tabletop exercises to test your incident response plan.
- Use a third-party penetration testing firm to determine whether your defenses will withstand an actual attack.
- Segment your networks to limit internal access to critical systems and data.
We agree with this guidance and with the effectiveness of these technologies and practices (indeed, our security team can help with solution selection, design, implementation, testing, and tabletop exercises). However, we feel they are best accomplished not as a set of standalone projects, but as the ongoing work of what Neuberger calls a “skilled, empowered security team” that forms the core of your business’ information security program.
We talk a lot about security programs around here, and we’d love to talk to you about how to build yours!