Step 1: Map Out Your Attack Surface
Cybercrime has become an everyday companion to organizations worldwide and cybersecurity risk should be a major consideration for business resilience. With more and more business data and infrastructure residing in the cloud, the crucial first step is knowing what you have out there, who needs to access it, and how you need to secure it. Because it is so easy to spin up new applications and add web-accessible resources, accounts, services, and all kinds of devices (including notoriously insecure IoT systems), mapping out your entire online presence and external attack surface is a daunting task.
In large organizations, you may need to build a central inventory of all your websites and applications. One way to get started with this is with a web asset discovery service such as Invicti’s built-in discovery module. This helps you quickly find web-facing assets associated with your organization and provides a starting point for assessing your cyberrisk for web applications. As a bonus, Invicti also detects web technologies that are in use across your environment and flags out-of-date versions that may be vulnerable to cyberattacks.
An even bigger challenge could be finding all your data. With so many data breaches caused by cloud storage misconfigurations, keeping track of business data online and enforcing cloud security policies is critical to maintaining data privacy and protecting your intellectual property. Because information is the primary target for cybercriminals, keeping tabs on all your data also gives you a good idea of where the attackers may strike.
Step 2: Define and Enforce a Cybersecurity Strategy
Once you know what you have, the next step is to define what you should have and what security controls you need – in other words, to build a proper cybersecurity strategy. This will normally be done by the CISO to provide a formal framework for all cybersecurity efforts in the organization. You can use the NIST framework or another cybersecurity framework as a starting point, picking and mixing controls and security best practices that apply to your organization, strategy, and business requirements.
At a minimum, your cybersecurity strategy should cover the 5 main stages set out in the NIST framework: Identify, Protect, Detect, Respond, and Recover. Depending on your business and regulatory requirements, the Identify phase can be as formal or informal as you like. For organizations that require a formal risk management process for all business risks, cybersecurity risk definitely needs to be on the list, perhaps with formal threat modeling to quantify cyberthreats.
Step 3: Maintain Cybersecurity Incident Response Plans
Even the most complete cybersecurity strategy is only a document. To turn policy into action, you also need effective incident response and recovery plans to ensure cyberresilience across a variety of anticipated incidents. Plans must be regularly tested and updated so that when things do go wrong, everyone knows what to do and what the recovery targets are. This might include running simulated incidents to assess the effectiveness of response and recovery processes and identify any gaps.
Ideally, each critical cybersecurity risk identified earlier should have a response and recovery plan. The typical example would be the risk of data loss, which should be addressed by a suitable data backup policy with realistic and acceptable recovery point and recovery time objectives. Periodic recovery testing is crucial to make sure that valid backups are always available and can be restored to the required level and in the required time.
Step 4: Make Security Everyone’s Business
The popular and media-reinforced image of cybercriminals is that of “highly advanced and sophisticated” evil hackers. While these certainly do exist and operate (as evidenced by last year’s SolarWinds hack), the everyday truth of cybersecurity is far more mundane. In reality, the majority of cybersecurity incidents are related to malware and ransomware infections and are usually initiated by someone in the company clicking a phishing link.
This is the defender’s dilemma in action: no matter how great your cybersecurity strategy and how well-staffed and funded your IT team, the bad guys only need one gap in your defenses to get through. In these days of business-critical web applications, remote work, and single sign-on, one session hijack could be enough to compromise an entire organization. People are a vital component of security, so cybersecurity awareness and education must be an everyday part of your company culture for every single employee and contractor.
Step 5: Build Security Testing into Development and Operations
For better or worse, any sizable organization is now a software company because it develops and maintains at least some of its own websites and applications. Many companies from a variety of industries develop their own business applications in a DevOps model to minimize costs while maintaining agility. In the rush to get new features into production, security testing can fall behind, leaving applications and the entire business vulnerable to attack.
Using periodic penetration testing or vulnerability assessments is definitely a best practice, but if the application changes between security tests (and it usually does), you are still leaving a window of opportunity for attackers. The only systematic solution is to integrate security testing into the application development process itself and automate it as much as possible, moving to an integrated DevSecOps approach. A modern DAST product such as Invicti can deliver accurate scan results and help you secure hundreds or even thousands of websites with a small security team.