by Shawn D. Stewart

Cyber Defense – Kingdom Policies

OR I Told Him We Already Got One


The organization is a kingdom and cybercrime has it under siege!  Did you know cybercrime is now the world’s third largest economy?  These enemies are state-funded and numerous, looking to steal your data and your money and to put you completely out of business.

You need Policy, Education, and Technology working together, driven from the round table of the boardroom, to be successful.  While it may feel like a flying circus at times, this is your circus, and these are your monkeys.  Don your chainmail and mount your trusty steed.  Or just grab a couple of migratory coconuts and ride with me as we set forth the policies to protect your kingdom from threats.


No Basis for a Government – Corporate IT frameworks include several policies that may or may not be relevant for your organization.  Nearly everyone will need at least Acceptable Use, Disaster Recovery, and Incident Response policies, to name a few.  Policies should be an autonomous collective.  Don’t feel repressed by the governing body to follow frameworks to the letter.  Many organizations pull from different frameworks to match what they specifically need.

Why do you think I have this outrageous policy? – Acceptable Use policy explains in detail what employees and vendors can and cannot do with company-provided phones, laptops, email, and Internet connections.  Every employee from the mail room to the boardroom MUST accept the organization’s usage policy for corporate assets and Internet usage annually.  This includes login banners and access warnings on all devices.  Otherwise, hackers or naughty insiders can steal your data and you have no legal recourse because you didn’t tell them they couldn’t.  Pull the other one!  Seriously!

Only a Flesh Wound? – All department heads, along with management and IT, should be involved in determining the most important computing assets in relation to the company.  How much would be lost if Salesforce is down for a day?  What about the Internet?  What about a breach of all customer and employee data?  Risk Assessment and Business Impact Analysis (BIA) give businesses monetary considerations for protection and budgets.

Let’s Not Bicker – Incidents are anything from mistakenly deleted files to data breaches, or Sally in Accounting requesting a new phone.  Incident Response encompasses Help Desk, Change Management, Disaster Recovery, and Business Continuity.  IR goes beyond IT, but is rooted in IT.  Planning is key and written plans eliminate ambiguity.

It’s Against Regulations – To reduce risk, changes must be fully detailed, scheduled, and approved through Change Management.  This allows relevant parties to understand changes, their impact, and what will be done to roll back the changes if they fail or cause issues.  By completing changes in specific windows, disruptions and downtime are avoided.


Sacked a Moose on Swedish Vacation – Hope for the best but plan for the worst.  What is the policy if a data breach occurs?  Or if the intern deletes the customer database or can’t get the subtitles right?  A tornado relocates the office to another state?  The castle sinks into the swamp?  You can’t count on the llamas to come bail you out.  You need a plan!  Everyone needs to know their roles and tasks no matter what happens.  When possible, get the gang together for a table read.  Bribe them with food.  That always works.


What’s the airspeed velocity of an unprotected password? – Multi-Factor Authentication is a must-have to prevent stolen passwords or replay attacks from allowing entry.  Those on the quest to gain entry are presented with a challenge that must be answered from a secondary device, or something you have.  What’s your favorite color or something about unladen swallows?  Unauthorized access will be denied even with a valid password.


With a Herring! – Does policy dictate the correct level of firewall and network segmentation required?  The processor should be strong enough to inspect encrypted traffic to and from the Internet in real time.  Integrated software should connect to a centralized, constantly updated threat network.  Configurations should block outbound traffic.  And the firewall should block unnecessary traffic between internal network segments.  Many Managed Service Providers (MSPs) and in-house IT departments provide a shrubbery when a solid stone wall with guards is required.
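As an added illustration that is not part of the original post, here is what those policy requirements (default-deny outbound, Internet only through inspecting hosts, nothing unnecessary between segments) look like once written down as an nftables ruleset on the edge router; the segment ranges, resolver, proxy and interface names are assumptions for the example.

```nftables
#!/usr/sbin/nft -f
# Added example: the firewall policy from the post as an nftables forward chain.
# All addresses, hosts and the interface name below are assumed for illustration.
flush ruleset

define USERS    = 10.10.0.0/24    # workstation segment (assumed)
define SERVERS  = 10.20.0.0/24    # server segment (assumed)
define RESOLVER = 10.20.0.53      # internal DNS resolver (assumed)
define PROXY    = 10.20.0.80      # inspecting web proxy, hooked to a threat feed (assumed)
define WAN_IF   = "eth0"          # Internet-facing interface (assumed)

table inet edge {
    chain forward {
        # Default deny: anything not explicitly listed below is dropped,
        # whether it is headed for the Internet or for another internal segment.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Workstations: DNS only to the internal resolver, web only via the proxy.
        # Job-specific access to servers is added here in the same explicit style.
        ip saddr $USERS ip daddr $RESOLVER udp dport 53 accept
        ip saddr $USERS ip daddr $PROXY tcp dport 3128 accept

        # Only the proxy and the resolver may reach the Internet, and only on the
        # ports they need. No workstation or server gets direct outbound access.
        ip saddr $PROXY oifname $WAN_IF tcp dport { 80, 443 } accept
        ip saddr $RESOLVER oifname $WAN_IF udp dport 53 accept
        ip saddr $RESOLVER oifname $WAN_IF tcp dport 53 accept

        # Log what the policy drops (rate limited) so monitoring can see
        # Lancelot running across the field; the chain policy then drops it.
        limit rate 10/second log prefix "edge-drop "
    }
}
```

Load it with `nft -f` on the edge host; the input and output chains for the router itself are left out to keep the example to the segmentation point.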

Bad Zoot! – For maximum security, businesses should have a whitelist of external locations on the Internet that employees and vendors can access.  Access should only be allowed in relation to job function.  Social media, streaming, shopping, and anything NOT related to the business should be banned in written policy.  Social media is a breeding ground for drive-by downloads and click-through scams that can deposit malware and ransomware inside your network.  Careful where you browse, you might catch something.

Think I’ll Go For a Walk – Working while away from the office holds a host of challenges.  CEO loses his phone in a cab.  Wandering eyes watch you fill in spreadsheets from the next seat.  Three-headed monster tries to swat you before tea.  Don’t chicken out!  Policies for VPN and mobile connectivity ensure your questing knights can get back remotely to silly Camelot through encrypted channels.


Aarrgghhh! – Love a good mystery?  Confound your attackers by requiring all data in your organization to be encrypted.  This does require more than just encryption at the hard drive level.  You must encrypt data at rest, in transit, and while it is in use.  Encryption policies keep prying eyes from reading stolen or intercepted data.

None Shall Pass – Cameras, door locks, security guards, and fences are great deterrents.  What happens when someone slips by them?  Many organizations have adopted policies to ensure identification is worn at all times and required for entry.  Every person scans their badge every time.  No group access into the office or secure locations, like the data center.


Violence Inherent in the System – If you’re not monitoring, how do you know you are safe?  You have minutes once infiltrated to prevent a breach.  Slow monitoring equals no monitoring.  If insurance determines a breach or ransomware occurred due to failed monitoring or slow response, they won’t cover you!  READ YOUR POLICY CAREFULLY!  They ask 10 pages of questions every year for a reason.  If you see Lancelot running across the field and do nothing, you are negligent.  Once Lancelot gets inside…

Your people shouldn’t need divine intervention to understand their quest.  Looking away, apologizing, and groveling won’t matter if you don’t stay on task.  Dangers lurk everywhere and unless you want to be stone dead in a minute you must…


Fine!  Gosh!  Next post will discuss Education and ask the question – What has Rome ever done for us?

Want to see an article on a specific subject?  Need help?  Reach out.  We are all in this together.

Helpful Links! – Ready.gov, Cybersecurity & Infrastructure Security Agency (US), National Institute of Standards and Technology (US)


*The creator of this blog would like it known that they have been sacked and, in case you haven’t figured it out, the references above are from “Monty Python and the Holy Grail”. (Jones, T., & Gilliam, T. (1975). Monty Python and the Holy Grail. Cinema 5 Distributing.)

Shawn D. Stewart

Mr. Stewart has 25 years of experience with hundreds of international, commercial, military, and government IT projects. He holds or has held certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell and others. He also holds a Masters in Cybersecurity, Bachelors in IT, a Minor in Professional Writing and is a published author.
