6 Cybersecurity Fundamentals Your Organization Needs
In December 2020, a significant number of organizations and US Government agencies were victims of a sophisticated cybersecurity attack started primarily by a trojan backdoor hidden in a routine update of SolarWinds Orion software. While experts are still uncovering details, they have concluded that the attackers successfully perpetrated a complex attack with multiple attack vectors.
The attack included compromising SolarWinds infrastructure with malware that monitored the build server of SolarWinds Orion software for commands authorizing a software build. Once this malware detected the build commands, it inserted code for the backdoor into a legitimate update of the Orion software. Subsequent to distribution of the trojanized software to many of the 18,000 SolarWinds customers, the attackers targeted specific customers by using the backdoor to infiltrate an infected computer and use this access to laterally move across the network to different systems.
While there certainly will be learnings that will be applied to future cybersecurity best practices, it is clear that organizations must, at a minimum, follow the fundamentals of cybersecurity in order to mitigate the risks of these types of attacks. Without implementation of these security practices, hackers will have an easier time achieving a successful attack and turn your organization into a tempting target. Even in medium-sized organizations, technology infrastructure tends to be as complex as larger organizations. The staff responsible for information security need to collaborate with systems and network engineers to conduct a thorough analysis of possible vectors and component vulnerabilities. From this analysis, organizations can formulate a plan that increases the overall security posture and establishes the best footing to mitigate future attacks.
Regardless of the size of an organization, any cybersecurity mitigation plan must include implementing basic techniques such those listed below:
- Employ Strong Credentials
Equip your users with high-assurance authentication factors. These credentials can include smartcards, bluetooth tokens, or soft tokens. There are many options and most likely you will need to support multiple options to cater to your users and use cases. The key to success will be a frictionless user experience that balances convenience with protection.
- Implement Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) is crucial in ensuring that only authorized users gain access to critical networks, applications and data. It will be important that you implement an MFA solution that is as convenient as possible to achieve the widest adoption across your user population. Ideally you can implement an MFA solution that is compatible with the diverse needs of your users.
- Authenticate Everything
For the purpose of establishing an authentication strategy, assume there is no network boundary — the concept of a secure network does not exist. A device or a user is not trusted until authenticated. This is the concept of “Zero Trust” which usually translates into implementing a public key infrastructure (PKI) for the purpose of authenticating devices that connect to your network. There are multiple options for implementing a PKI, whether catering to a large complex organization or a smaller organization with limited resources. Zero Trust is achievable regardless of organization size.
- Manage the Credentialing Process
This involves having an ability to manage the lifecycle of diverse types of credentials issued to users in your organization, including physical access credentials. Ideally you have access to a suite of software and services that issue both logical and physical access credentials, manage their lifecycle, and monitor their usage.
- Secure Users Outside of Your Organization
Most organizations, information and computing resources are accessed by external users such as partners and/or suppliers. These users need to be secured with the same determination and control as your employees.
- Harmonize With the Organizations’ Objectives
A cybersecurity plan must take into account an organization’s objective and business model. If your organization allows its workforce to work remotely then your plan needs to cater to this scenario. If your organization requires compliance with external regulations and rules, these need to be factored into your plan.
The practices listed here are just a subset of those needed for a comprehensive cybersecurity plan. Check out our portfolio of identity and access management solutions to find an option to match your organization's cybersecurity needs.
Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).