Operational Security, Frameworks and Remote Working: Tips and Considerations

Nathan Allison, Head of Operational Security, Daisy Corporate Services, answers some timely questions around cybersecurity

Our current need to physically protect ourselves, others and our NHS, means that our mobility is limited to a life-changing extent. In this way, we can do less as individuals. As employees, however, many of us can do more than we ever could before, from the comfort of our own homes. With security experts predicting that COVID-19 presents the greatest ever cybersecurity threat, now is an excellent time for Nathan to share with you, his “frameworks first” approach to operational security…

Listen to the podcast here, or read on for the article

What is Operational Security?

The whole world of cybersecurity can be simplified into two main categories. Firstly, Information Security which is concerned with policy, standards, regulatory compliance and audits. Secondly, Operational Security which covers procedure and the governance of technical controls.

To make the distinction clear, I like to think of Information Security as the ‘why’, and Operational Security as the ‘how’. For example, the control might say you must implement a minimum password length.  Operational Security might define Microsoft Active Directory password controls are implemented, and to what level – the technical how.

The main elements of Operational Security are:

  • Identification of critical information
  • Analysis of threats
  • Analysis of vulnerabilities
  • Assessment of cyber risks
  • Application of appropriate countermeasures

Control frameworks perhaps bridge the gap between Information Security and Operational Security.

How can working within a framework help with operational security?

Achieving compliance and perhaps certification of any given control framework is a method of demonstrating various things. It indicates that you behave in a given fashion, that you can provide a level of assurance that you can be trusted with handling data and information (pertaining to customers, suppliers, partners and staff for example) in a way that meets specific expectations.  It’s the same as your local fish and chip shop displaying its Food Hygiene certificate so that customers can be assured that the parts of their business (that we can’t necessarily see) are up to the level that we are happy with as customers.

However, the overall aim doesn’t have to be to satisfy every objective within the framework (if you’re not mandated to do so, for example by industry regulation). Instead, perhaps the aim should be to use control frameworks to strengthen your security position, which can be done in a variety of ways.  The highlight is that frameworks provide an excellent insight into what IT managers, cyber defenders and chief information security officers (CISOs) should be thinking about.

What frameworks do you recommend to help organisations keep safe and secure?

Unfortunately, there is no ‘one size fits all’. Differences in industry sector and size of business, and differences in the value and types of information within the organisation, will all require different levels of controls for protection. In general, these controls tend to be less well-considered for smaller organisations but utilising control frameworks is a great way to help improve your security posture, whatever your size.

There are many frameworks that you can certificate against, including ISO27000 as a broad business certification, and a perfect one for the UK is Cyber Essentials. This is a baseline control framework sponsored by the National Cyber Security Centre (NCSC), part of CESG (the information security arm of GCHQ). This is an excellent, straightforward, five-step programme that Daisy actively supports. We have that certificate ourselves and help many of our customers attain and move towards this.

Cyber Essentials Framework

I would encourage all UK business to look at Cyber Essentials and think about adopting their goals:

  • Help to guard against the most common cyber threats
  • Simple, actionable standards to reduce risk
  • Applicable to all organisations, regardless of size
  • Protecting against known attack vectors

Is this more relevant right now, with organisations having a greater reliance on a remote workforce?

Absolutely, yes. And it can be utilised by any size of business. The basic five principles are quite straightforward and it might be that businesses are doing these things already but have never thought of them in the context or terminology of a control framework. The value is in bringing these actions together as a single entity and matching them against compliance.

At a high level, there are five elements covered by Cyber Essentials:

  • Boundary firewalls and internet gateways
    • Your perimeter is the doors and windows of your house, you need to make sure that your perimeter is secure. Make sure the doors and windows of your house are only open in the way you require – so for the thief carrying out his survey, they will be the locked doors and closed windows requiring more effort to get around to gain access. Boundary firewalls and internet gateways determine who has permission to access your system from the internet and allows you to control where your users can go.
    • With today’s situation and an extended remote workforce, you need to be thinking about how your perimeter has changed.
  • Secure configuration
    • This reduces the functionality of each computer or device to the minimum required for that user to operate. This will help prevent unauthorised actions being carried out. It also ensures each device discloses only the minimum information about themselves to internet. A scan can reveal opportunities for exploitation through insecure configuration.
    • In our current environment, this is about making sure that what you’re utilising is done safely. So for example make sure that the machinery your extended remote workforce has, is encrypted, because more data is at the edge of the organisation, than usual and so consideration about the security of the devices is obviously important.
  • Access Control
    • It is important to restrict access to a minimum. This is to prevent a hacker being presented with a series of unlocked doors allowing him access to all the information he is looking for. Administrator rights are the Holy Grail for a hacker.  Once he has possession of these he can effectively go everywhere and has full control. Administrator rights should be restricted for only administrator actions. Convenience sometimes results in many users having administrator rights and therefore creates opportunities for exploitation.
    • This is another key pillar of particular relevance now with increased remote working and it could be as simple as: do you have a password policy, what’s your minimum password length. Credential-stealing is the route of the majority of malware attacks so good password protection is essential.
  • Malware Protection
    • It is important to protect your business from malicious software which will seek to access files on your system. Once their software can access, they can steal confidential information, damage files or even lock them and prevent you accessing them unless you pay a ransom. Malware protection helps to identify and prevent or remove any potential threats from malicious software.
    • With a remote workforce, we need to make sure that the protections that we would offer our staff if they were working at their desks, are the same as we are offering them at home.
  • Patch Management
    • Cyber criminals often exploit widely known vulnerabilities in software or operating systems to gain access. These could be through poorly designed software which have known weaknesses. Updating software and operating systems will help to fix any of these known weaknesses. It is crucial to do this as quickly as possible to close down any opportunities which could be used to gain access.
    • We have all heard the horror stories of ransomware wiping out businesses and in the vast majority of cases, it could have been avoided, if systems were kept up to date, so patch management is absolutely essential. This is especially significant now because if we are in lockdown for months, there will be patching cycles for staff machines that will need to be considered and managed remotely.

If you’re considering this list and you work through the granular controls, you might find that without much effort, you’re not far away from compliance and it can provide, as a control framework, a priority list of how you should approach any gaps that you find.

You can self-certificate with Cyber Essentials – once you are satisfied that you reach the granular controls, or take a further step with Cyber Essentials Plus where an external auditor will verify that you meet the controls.

What’s the next big thing in Operational Security?

There is a live project, growing all the time, which constitutes a control framework of a slightly different fashion. It’s called Adversary Tactics, Techniques and Common Knowledge – abbreviated to the ATT&CK (pronounced; ‘Attack’) framework.

The ATT&CK framework is both a methodology and a programme that has been developed by the MITRE Corporation. You may know them from their common vulnerabilities and exposures (CVE) database and website, and the CVSS scoring system that has become the industry standard, providing cyber defenders a common understanding of the severity of vulnerabilities.

What is the ATT&CK framework?

The Head of Global Threat Hunting for one of the UK’s largest cybersecurity companies described ATT&CK framework as the ‘most significant development in cyber defence in a decade’.

Essentially, it’s a list of 12 dominoes, which are the stages that attackers must go through, to achieve their end game. For example, if the aim is stealing data from an organisation, there is a defined sequence of events that attackers must follow to get them to their end-goal. The first domino might be initial access, which might involve reconnaissance, probing, scanning the outside of your network. The next one might be access into your network, the next one, achieving privileged escalation, and so on. The attackers must take all of these steps in a specific order, so understanding this framework means that we are able to spot patterns.

ATT&CK Goals

To provide a database of the tools and techniques hackers use to attack, damage, and disrupt operations:

  • Break down and classify attacks in a consistent and clear way
  • Show the various stages of an attack
  • Present information so that it is globally understandable, between technical teams or different languages
  • Be relevant to organisations of many different sizes
  • Protect against known attack vectors

Leading technology vendors are developing solutions that plug into this with solutions such as intrusion detection, security information and event management (SEIM), next-generation firewalls. These solutions can reference ATT&CK framework and can spot the dominoes falling in sequence. This is a global breakthrough in being able to analyse attacks and facilitate quicker action to block them.

Information is the key to securing our information

Improving security is a driving goal for all of us. There are many businesses that are regulated to operate within guiding frameworks – but I would encourage all UK businesses to look at, consider and utilise the controls as lists to help you decide what you should be thinking about, and perhaps in what order. If making decisions about new technologies and things need renewing or upgrading, consider solutions that can utilise the ATT&CK framework.

Applying frameworks to a practical example, the adage of “we don’t know what we don’t know” comes down to a need for monitoring. We need to understand what we’ve got, so that we can best utilise these controls from the various frameworks. For example, if a control says maintain an asset register – which makes perfect sense as you need to know what you’ve got so that you can protect it – this may include a sensitive data asset register.  In this instance, you should ask, “What is my gold, what are my crown jewels?” and perhaps pay special attention to monitoring that type of data. Relating this back to the five pillars of Cyber Essentials, the straightforward, granular controls can act as excellent prompts, a sequence and give us priorities in how we tackle the sea of data that we’re faced with. This in turn can help you define your policies.

Key takeaways:

  • Even if you are not mandated to operate within any security frameworks, it’s a really good idea to use them as a method of understanding what to know, what to track, what to prioritise
  • Review the controls you have in place currently, even if you hadn’t previously thought of them as belonging to a particular framework – it might be that you comply to the CE controls without actually knowing it, or can achieve certification with only a small amount of additional effort
  • Choose new technologies when you are renewing, replacing or upgrading your security elements, that are able to interact with the MITRE ATT&CK framework

Before you go…

What single thing would you recommend to help organisations with security right now?

Multifactor Authentication

Prior to the coronavirus outbreak, Daisy was seeing an increase in customer requests to help with laptops to facilitate a more flexible working strategy. Staff with laptops do introduce risk back into the core corporate network and enabling multifactor authentication is one of the easiest but most effective methods of securing remote workers. Use of multifactor authentication is ramping up but worryingly, it’s not ramping up at the same pace as perhaps the extended remote workforce has had to over the last two or three weeks. If you can enable two factor or multifactor authentication, you will significantly improve your security.

 

About Nathan Allison

Nathan is a Certified Information Security Manager (CISM) and has over twenty years’ industry experience, with more than sixteen of those focused on Internet and cyber security. At Daisy he manages the Operational Security team responsible for customer security, working at our Security Operations Centre (SOC) in Leeds.

In his early career, Nathan worked for Kingston Communications and moved into the Security Implementation team at Planet Online which subsequently became Energis, implementing and configuring the security aspects of enterprise, highly available, e-commerce and collaborative solutions.

Nathan has an in-depth understanding of networking and security technologies from major vendors and how these can be applied to address specific business requirements and compliance objectives including approaches based on risk-based cost-benefit analysis.