You can't protect what you don't know: this old(ish) cyber security maxim profoundly illustrates one of the biggest problems facing cyber security professionals today – how can I defend my organisation from attackers when I don’t even know what my cyber estate looks like? The traditional cyber perimeter is evolving so fast that most organisations struggle to determine where exactly their critical information assets reside; let alone put in place effective controls to ensure that business critical information and systems are secure. For the purposes of this article, I am going to focus on an area that most IT managers and Information Security professionals struggle with, namely, continuous visibility of cyber assets and the management of vulnerabilities thereon.
Using your physical offices as an analogy, do you have a programme or service in place to ensure that all your physical security measures are “on” and working optimally? Do you regularly test your alarm system and electric fence, do you have 24/7 security patrolling your perimeter to ensure that no intruders have breached your security and do you have access control to ensure only “known” entities are allowed to enter your premises? Do you routinely check that a hole has not been cut in your border fence and once aware of this vulnerability, do you not tend to it immediately? South Africans are acutely aware of the need for proper physical security, but why do we not treat our cyber security with the same degree of gravitas? Regardless of what business we are in, the vast majority of our IP and other critical business information resides on IT infrastructure or is contained within applications. So surely the threat posed by cyber criminals is now greater (and potentially more costly) than then that posed by physical criminals? There are also now multiple examples of the damage a single cyber breach can do to a company, and Equifax is a good example of how a 120 year old organisation may potentially shut its doors after a single breach.
So what practical measures can we put in place to ensure that we at least have visibility of our cyber estate, as well as whether there are any critical vulnerabilities that need to be addressed?
Camargue Underwriting Managers has partnered with Magix to offer vulnerability and web applications assessments, when a new cyber liability policy placed. This means that within a couple of hours, we are able to provide a report that shows what assets are “live” and connected to the internet, how vulnerable those systems are to attack (graded in terms of severity), and most importantly, how to remediate those vulnerabilities in the most effective manner. And with 75% of hacks happening at the application layer, we are also able to provide the exact same assessment on business critical web applications like websites, client portals or e-commerce sites. And whilst this is by no means the be all and end all of your cyber security practice, it does go a long way to providing the visibility required to better protect your cyber estate.