It’s Cybersecurity Awareness Month! In honor of the theme — Do Your Part. #BeCyberSmart — we’re doing our part by educating IT teams and organizations on protecting themselves. Throughout October, the JumpCloud blog will focus on top cybersecurity issues, from IT admin best practices to CISO responsibilities. Tune back in throughout the month for new cybersecurity content or check out our archive of existing security articles for cybersecurity insights written specifically for the IT professional.
Every journey has a starting point, and cybersecurity doesn’t need to be as unapproachable as it’s often made out to be. There was a point in my career when I was suddenly responsible for implementing a security strategy and became a de facto security analyst overnight. The key is to look at it as a process and break it down, rather than as ‘stuff’ that you purchase or as some dark art that’s impossible for mere mortals to master. My sense is that you have found yourself in this position too; or if not now, you will at some point. This article shares the lessons I learned.
My path toward becoming a security analyst began then and there, and it wasn’t voluntary: nobody else was going to take the reins, and the nascent threat of ransomware was looming over my company. This happened on the cusp of WannaCry, when a series of SMB- and processor-related vulnerabilities were disclosed and millions of PCs were suddenly at risk. My primary argument for taking on this responsibility was that it was only a matter of time, and I was fortunate enough to receive C-level buy-in from executives with a strong understanding of the risks involved, especially as the company was entering a growth phase with new products and investments across the board.
I knew enough about security “to be dangerous,” with significant interest in and exposure to the industry and its principles, but at this point in my career I had not run a security program in earnest. It was reasonable to ask my industry friends and our MSP partner for guidance. That led to a list of tactics without a strategy and a torrent of security product recommendations rather than a plan. It was challenging to know where to start, let alone how to prioritize security against the company’s other IT needs in support of its mission. Let’s begin by examining the situation I found myself in at the onset.
Stumbling into a Cybersecurity Strategy
Our start was less than auspicious in hindsight: there was a parade of terribles we couldn’t buy our way out of. We initially took steps to change configurations, but we were still solution-minded. Truth be told, it was difficult to know where to start:
- Every PC had administrative rights with weak passwords
- Permission creep and lack of role-based access was endemic
- Users had no training and procedures were lacking (IT admins regularly ran with domain admin permissions to browse the web and logged into vital systems using the vendors’ default superuser credentials)
- There was no monitoring/visibility into anything
- A full accounting of assets and vulnerabilities was nonexistent
- and much more…
Imagine logging into the user setup section of your ERP system and seeing roles named, “Jen” or “Lisa” rather than a listing of job functions.
Security Isn’t Unapproachable, It Just Takes Preparation and Learning
Starting without a blank slate was a challenging proposition, but preparation, learning, and prioritization are fundamental steps to take before acting. The process was initially confusing and frustrating, and my IT team at the time was uncooperative (and even seditious) when faced with reevaluating how we worked. My role was to be the change agent. I began to read, asked security engineer friends for guidance (they repeatedly told me to be more ‘proactive’), and embarked on becoming trained and certified with CompTIA Security+.
You can read more about preparing to embark on a security program at the FCC’s SMB site.
Please note that we’ll share more about Security+ and other quality entry-level infosec certifications, including GSEC, ECSS, and SSCP, in an upcoming article.
Learning to formulate a security process was still insufficient, because we remained driven by tactics and flash assessments. On one occasion I was nose deep in a security problem and failed to respond to a moderately important request from a department, which was wrong. That deficiency was resolved after I approached a process engineer and adopted a Priority Matrix that created a system for every activity we undertook. It was an unfortunate necessity to find new people when the existing staff were an obstacle to this improvement.
The matrix ensures that the most important tasks receive the time and resources they merit, and that “walk away tasks” (e.g., the printer needs more paper) aren’t forgotten in the process. The latter builds trust and goodwill with users, while the former brings organization and order to your activities as an IT department. These are the factors that determine prioritization:
- Requestor’s position (which also informs whether you take on a ticket at all)
- Resource expenditure (whether it costs nothing or has a big budget impact this year or next)
- Cost divided by the number of users that could potentially be impacted
Security Is a Process
Working without a system was the wrong approach to run the department and that’s also true for security. Information security management involves policies, procedures, and user awareness. It entails everything from user onboarding, to disaster recovery, and how people enter a building. The days when purchasing antivirus for a PC solved the problem for SMEs are long past. Security is a constant balancing act of business enablement, processes, and technologies.
You ideally want to ensure that controls exist around every solution and that you identify and manage security risks and threats on a continuous basis. Operational controls can detect weaknesses, and security is a functional requirement for every single IT project you undertake. Big vendors (and more recently Communication Service Providers) are making equally big promises to handle it all and are aggressively chasing those security dollars, but security problems still persist and all-encompassing solutions can create a safety mirage. No product, no matter how amazing, is a substitute for a process.
Security Isn’t ‘Stuff’
The worst predetermination you can make is the mindset that buying security systems is cybersecurity. In my experience, failure to master those systems (which often overlap in functionality) leads to silos of log files that forensic security analysts will examine in a post mortem and say, ‘there was the problem’. Automated ‘smart’ security features that ‘cry wolf’ too often just get turned off and disregarded. There’s no replacement for human knowledge and intuition at present or for the foreseeable future, but the cost of running a true Security Operations Center (SOC) on enterprise systems is in the millions. Your spending should be tactical and address your highest risks, because it takes a combination of administrative, physical, and technical controls to contend with the threats SMEs are facing, and budgets aren’t endless.
Certifications, technical presentations, and academia supporting the dissemination of IT knowledge are all excellent resources to educate yourself, but nothing compares to learning from the experiences shared by your colleagues and peers. So please, learn from my missteps. Namely, my initial focus (before we used systems) went to the right places, but the eventual results were mixed, very ‘shoot from the hip,’ and too product-driven. One example: I determined on my own that having over 100 machines running with full admin rights was a recipe for disaster, ransomware or not. We examined some heavy-duty identity management solutions that the MSP recommended and independently examined products from within the Magic Quadrant. Meanwhile, an unacceptable risk remained.
Luckily, I swiftly came to the conclusion that we could just go around to each PC and remove admin rights by department using the Computer Management tool. That process was expanded outward after acceptance from designated groups of test users. I also understood the importance of removing the shared local admin username and password that was on every PC. That was a technical control that would have received the highest position on the Priority Matrix, and while it was a smart thing to do, you cannot pat yourself on the back for doing one good thing while other matters fly beneath the radar in the absence of a system to manage them. One standout was a physical control: everyone within the immediate work area knew the door code for the server room, and it too often remained open. No security software or IT wizardry was going to resolve that kind of exposure. Our Priority Matrix directed attention to those types of problems, which might otherwise have been neglected. Your knowledge, from preparation and learning, will guide you to apply the appropriate control(s).
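The local admin cleanup described above, scripted, as an added example that is not part of the original article. It is the PowerShell equivalent of walking each PC with Computer Management: list the local Administrators group, remove everything except the built-in Administrator and a named IT group, and disable the shared local admin account. The domain name CORP, the group CORP\IT-Workstation-Admins and the account name localadmin are assumptions for illustration, not names from the article.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): scripted equivalent of removing
# local admin rights per PC with Computer Management, then disabling the shared
# local admin account. Run it on a pilot department first with -WhatIf.
# Usage: .\Remove-LocalAdmins.ps1 -WhatIf   (then again without -WhatIf)
# Assumed (hypothetical) names: domain CORP, IT group CORP\IT-Workstation-Admins,
# shared local account "localadmin".
param(
    [string[]]$KeepMembers = @('CORP\IT-Workstation-Admins'),
    [string]$SharedLocalAdmin = 'localadmin',
    [switch]$WhatIf
)

$group = 'Administrators'

foreach ($m in Get-LocalGroupMember -Group $group) {
    # RID 500 is the built-in Administrator: keep it as the break-glass account,
    # but give it a unique per-machine password afterwards.
    $isBuiltin = $m.SID.Value -like '*-500'
    if ($isBuiltin -or ($KeepMembers -contains $m.Name)) {
        Write-Host "keep   $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]"
        continue
    }
    # Everything else (per-user domain accounts, "Domain Users", stale local
    # users) loses local admin. Passing the member object itself avoids
    # re-resolving the name.
    Write-Host "remove $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]"
    Remove-LocalGroupMember -Group $group -Member $m -WhatIf:$WhatIf
}

# Disable rather than delete the shared account: the shared password stops
# working immediately, but the profile and event history stay for forensics.
$shared = Get-LocalUser -Name $SharedLocalAdmin -ErrorAction SilentlyContinue
if ($shared -and $shared.Enabled) {
    Write-Host "disable $SharedLocalAdmin"
    Disable-LocalUser -Name $SharedLocalAdmin -WhatIf:$WhatIf
}

# Verify: what is left in the group after the change.
Get-LocalGroupMember -Group $group | Select-Object Name, ObjectClass, PrincipalSource
```

The final listing is the check to keep: after the pilot department, the group on every PC should contain only the built-in Administrator and the IT group. Disabling the shared account removes the one-password-fits-all exposure, but the built-in Administrator that remains still needs a password that differs on every machine; Microsoft LAPS is the standard tool for that, and it is a separate step from this script.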
There were a few more delays and stumbles while ‘stuff’ prevailed, including wasting company time and money on an overpowered centralized encryption platform when resources could have been better allocated elsewhere. It’s fortunate that we adopted the Priority Matrix before the leeway I had with senior management was exhausted, and it easily could have been if somebody had decided to step into the server room and take out their life’s frustrations on company hardware.
Assessing Your Acceptable Risks
Security is a spectrum and, like your budget, it isn’t limitless. Let risk be your guiding principle: some scenarios are acceptable and will occur; others are crucial to avoid. You cannot stop every incident, because you will be compromised at some point regardless of your precautions. There are formulas that help quantify and qualify risk. It mostly boils down to common sense: eat the cost of losing a few laptops a year if that cost is less than an expensive system to track stolen property. You can’t prevent every loss or misfortune in perpetuity. I overreacted and didn’t need that over-the-top encryption platform, which demanded more resources and time than it would ever have saved in exfiltrated data. The risk just didn’t justify that purchase.
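One of the formulas behind that laptop comparison, as an added example that is not from the original article: annualized loss expectancy, ALE = SLE × ARO, the standard risk-quantification arithmetic that Security+ and similar curricula teach. The laptop, breach and control figures below are constructed for illustration and are not the author’s numbers.

```powershell
# Added example (not from the original article): quantify a risk with
# annualized loss expectancy and decide whether a control pays for itself.
#   SLE = value of one loss (asset value x exposure factor)
#   ARO = expected occurrences per year
#   ALE = SLE * ARO
# All figures below are constructed for illustration.
function Get-ControlDecision {
    param(
        [Parameter(Mandatory)][string]$Risk,
        [Parameter(Mandatory)][double]$SLE,                # cost of one incident
        [Parameter(Mandatory)][double]$AroWithoutControl,  # incidents/year if the risk is accepted
        [Parameter(Mandatory)][double]$AroWithControl,     # incidents/year with the control in place
        [Parameter(Mandatory)][double]$AnnualControlCost   # licence + hardware + staff time per year
    )
    $aleBefore = $SLE * $AroWithoutControl
    $aleAfter  = $SLE * $AroWithControl
    # Loss avoided per year minus what the control costs per year.
    $net = ($aleBefore - $aleAfter) - $AnnualControlCost
    # Negative net value means the control costs more than the loss it prevents:
    # accept the risk and budget for the loss instead.
    $decision = if ($net -gt 0) { 'buy the control' } else { 'accept the risk' }
    [pscustomobject]@{
        Risk           = $Risk
        ALEBefore      = $aleBefore
        ALEAfter       = $aleAfter
        ControlCost    = $AnnualControlCost
        NetAnnualValue = $net
        Decision       = $decision
    }
}

# Three lost laptops a year at $1,500 each, versus a $6,000/year tracking
# service that cuts losses to one a year. Net value is -$3,000: eat the loss.
Get-ControlDecision -Risk 'Lost laptops (hardware only)' -SLE 1500 `
    -AroWithoutControl 3 -AroWithControl 1 -AnnualControlCost 6000

# Same laptops, but each carries unencrypted customer data. One loss is now a
# breach (notification, legal, lost business), while full-disk encryption with
# the operating system's built-in feature costs mostly staff time.
# Net value is +$146,000: buy the control.
Get-ControlDecision -Risk 'Lost laptops (customer data)' -SLE 50000 `
    -AroWithoutControl 3 -AroWithControl 0 -AnnualControlCost 4000
```

The two calls show the point of the formula rather than the arithmetic: the same event (a lost laptop) has a very different SLE depending on what is on the disk, so the decision is about the data, not the hardware. It also shows why a cheap built-in control can be the right answer where an expensive platform was not.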
It’s a mistake to stereotype risk as a negative that prevents you from doing things. I’ve also seen it used (effectively) to inform the opinions of executives who will determine who or what gets funded. A simple chart with red, yellow, and green buckets, with potential losses included, is a surefire way to grab eyeballs and build support for a security program. I didn’t use a chart, but I had a receptive audience in the C-level that understood the potential perils. It’s fulfilling to be able to say that you ‘have a plan for that’ and to understand when you have options.
Where Are You On Your Journey?
It’s been several years since my security journey began and I’ve since obtained credentials and an improved appreciation for the art of balancing risks against taking action and its effect on business enablement. The learning never stops, but if you’ve learned one thing today it’s that security isn’t unapproachable. It’s like eating the proverbial elephant: take it one bite at a time. I hope that this article has helped you on your journey toward becoming a security professional.
For those of you who are just starting your journey, or have maybe been on it for some time, I recommend checking out some of the more recent webinars hosted by JumpCloud. These offer a deep dive into a variety of security-focused and security-adjacent topics, and can set you off on a path of learning into an area previously unknown.