Blog / CYBERSECURE CANADA Part II… An In-Depth Look at Security Controls 1 to 6
In the last newsletter I went over the new CYBERSECURE CANADA Certification for Small and Medium businesses. I went into a general overview and now I’m going to go into the specifics of the Security Controls they will be looking for. Since this will take multiple newsletters to cover, I’ll be doing them more often, until I’ve finished going over this topic.
Have an Incident Response Plan
This requirement is straightforward. You need to have, or be working on, an incident response plan. The plan doesn't need to be complete, but it should cover several key points:
I) A basic plan that covers breaches of various severity and outlines how you will proceed:
According to the updated PIPEDA regulations, all potential breaches of security safeguards need to be investigated and recorded. This rule has been in place for over a year (March 2018) and was covered in a previous newsletter.
For any municipal body, this means you should already be investigating and recording potential security safeguard breaches. You should also already have instructed your staff on this policy, so they know to whom incidents are reported and how they are evaluated.
An incident response plan formalizes this process and should allow for the situation to escalate as the investigation turns up new information. So, your plan should cover everything from simple errors that did not expose any information, up to a serious, possibly intentional, leak of critical data.
II) If a breach goes beyond a company’s ability to investigate, there needs to be a plan to know who to contact:
As part of the plan you need to acknowledge that a situation may arise in which your organization no longer has the skills to investigate on its own. Your plan needs to cover the likely scenarios and describe who you will contact should this happen.
Different situations may require contacting different authorities, so your plan should outline every feasible possibility, e.g., contacting the police or RCMP if criminal activity is discovered, or an outside IT organization if the situation requires it (along with proper contact information for each).
III) The plan needs to include information about who is responsible for various tasks and include contact information:
The plan needs to describe who is responsible for which activities in the event of an investigation. This is important in order to organize the flow of information and to make the job of those doing the sleuthing easier. During any investigation, speed is king, so clearly defining who is responsible for what will help lead any investigation to a faster, more accurate conclusion.
IV) Cyber Insurance is something the organization should have or be evaluating:
Not every organization needs Cyber Insurance. At the same time, it is something that should be considered. Don't blindly buy it out of fear or ignorance. Do an honest cost/benefit analysis and decide whether purchasing it would be an asset to your organization or not.
V) A Security Information and Event Management system should be considered and evaluated. If this is not pursued, the reasons for doing so should be documented:
A Security Information and Event Management (SIEM) system is a fancy name for automatic monitoring software. An organization of any size should look at the feasibility of setting up automatic monitoring of important resources. This can include things like user logins, network activity spikes and more.
A SIEM system collects logs from your systems, applies various types of monitoring rules to them and, if it detects something out of the ordinary, generates an alert intended to get a human being to look at the matter. The alert is generally an email or text message. The idea is that an automatic system is set up and looking for issues all the time, not just when someone happens to check.
As this is an important decision for an organization, if one is not set up then the reason it was not pursued needs to be recorded in official documentation.
Automatic patching of Operating Systems and Applications
Outdated software is a major risk in any organization. It's not just the operating systems, but the applications that run on them. In addition, you can't forget about updating firmware.
For an organization of any real size, keeping a manual inventory of systems and software is unrealistic due to the effort it requires. There needs to be an automatic system capable of handling as much of this updating as possible.
As part of setting up such a system, any software that cannot be updated automatically should be investigated to see if it is key to the organization. If it is not, it should be removed or disabled. If it is, someone needs to own a documented manual update schedule for it, so it doesn't quietly fall behind.
Enable Security Software
This is something everyone should be doing already. To satisfy the requirement, you need to have additional security software (e.g., anti-malware) installed and running on every possible device.
The security software should be set up to update automatically and to perform periodic scans.
Secure Device Configurations
Setting up anything with the defaults is just asking for someone to come along and "hack" you. This applies to everything, from software to firewalls and network printers. The reason is that default settings, including default passwords, are publicly documented, so failing to change them is the same as leaving the barn door open and wondering where all the cows went.
When a device is set up, you should look at changing all the default settings, especially passwords. In addition, if you are not making use of all of a device's capabilities, you should disable the features that are not used, as well as enable any security features that may be present (e.g., the Windows Firewall).
Outside of the certification, having a documented, secure setup for commonly used things is a good idea. During security audits, I often recommend having a default, documented Windows 10 initial configuration.
Strong User Authentication
In order to qualify for this certification, you need to be using "Strong User Authentication." Any organization that is currently compliant with PCI-DSS and/or PIPA/PIPEDA regulations may think this will be a cakewalk. Unfortunately, that is not the case.
PCI-DSS and PIPA/PIPEDA use old-school password thinking: passwords need a minimum length, should be complex and need to be changed often. The problem is that those requirements were put in place before anyone had researched how people actually choose and use passwords; at the time, they were a best guess. Research has since been done, and it contradicts many of those ideas. The password requirements for this certification currently conflict with PIPEDA and PCI-DSS. Hopefully, those regulations will have their password requirements updated soon.
A) Use Multi-factor Authentication wherever possible:
This means that you don't limit it to external access, but use it for internal logins as well. This makes perfect sense when you consider that once an attacker has compromised a user's credentials and has internal access to the network, they can spread through it very rapidly. If every Windows login required two-factor authentication, an attacker's movement through the network would be slowed considerably.
B) Only enforce a password change when suspicious activity is detected:
This runs contrary to other regulations that require a password change at set intervals. Research has shown that forcing frequent password changes has a detrimental impact on password security: users get tired of thinking up new passwords and fall back on predictable variations of the old one.
While it's not explicitly stated in the certification, the question to ask is: "How does one detect suspicious login activity?" The answer is that you need to be monitoring it. This can be done by manually examining logs, which is extremely tedious, or by setting up a method to monitor it automatically. I recommend automatic monitoring of some kind; I rarely find it when doing a security audit.
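To make the SIEM alerting described under control 1 and the suspicious-login monitoring discussed here concrete, the following is an added example (not part of the original newsletter and not any particular SIEM product's code). It runs four common rules over a constructed authentication log: a burst of failures from one source (brute force), failures against several different accounts from one source (password spraying), a success that follows a run of failures, and a successful login outside working hours. The four-field log format, the threshold values and the sample entries are all assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed line format:
#   <ISO-8601 timestamp> <username> <source IP> <SUCCESS|FAIL>
SAMPLE_LOG = """
2024-03-04T09:01:10 alice 10.0.0.5 SUCCESS
2024-03-04T09:02:11 bob 10.0.0.6 SUCCESS
2024-03-04T09:05:00 admin 203.0.113.7 FAIL
2024-03-04T09:05:04 admin 203.0.113.7 FAIL
2024-03-04T09:05:09 admin 203.0.113.7 FAIL
2024-03-04T09:05:13 admin 203.0.113.7 FAIL
2024-03-04T09:05:18 admin 203.0.113.7 FAIL
2024-03-04T09:05:30 admin 203.0.113.7 SUCCESS
2024-03-04T10:00:00 alice 198.51.100.9 FAIL
2024-03-04T10:00:02 bob 198.51.100.9 FAIL
2024-03-04T10:00:04 carol 198.51.100.9 FAIL
2024-03-04T14:00:00 erin 10.0.0.9 FAIL
2024-03-04T14:00:40 erin 10.0.0.9 SUCCESS
2024-03-04T23:15:00 dave 10.0.0.8 SUCCESS
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src: str
    ok: bool


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    ts: datetime
    user: str


def parse_log(text):
    """Parse the assumed four-field format; blank lines are skipped, malformed ones rejected."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        if result not in ("SUCCESS", "FAIL"):
            raise ValueError(f"unexpected result field in line: {line!r}")
        events.append(Event(datetime.fromisoformat(ts), user, src, result == "SUCCESS"))
    return events


def detect(events, fail_threshold=5, spray_users=3, success_after=3,
           window=timedelta(minutes=10), work_hours=(8, 18)):
    """Apply the four rules over a sliding window per source IP.

    Each (rule, source) pair fires once, so a long brute-force run produces one
    alert for a human rather than one per attempt. The thresholds are assumed
    starting points; tune them to your own environment.
    """
    alerts = []
    recent = defaultdict(deque)   # src -> deque of (ts, user) for failures inside the window
    fired = set()

    def fire(rule, ev):
        if (rule, ev.src) not in fired:
            fired.add((rule, ev.src))
            alerts.append(Alert(rule, ev.src, ev.ts, ev.user))

    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.src]
        while q and ev.ts - q[0][0] > window:   # drop failures that have aged out
            q.popleft()
        if ev.ok:
            # A single typo followed by a success is normal; only a run of
            # failures followed by a success looks like a guessed password.
            if len(q) >= success_after:
                fire("success_after_failures", ev)
            if not work_hours[0] <= ev.ts.hour < work_hours[1]:
                fire("off_hours_login", ev)
            continue
        q.append((ev.ts, ev.user))
        if len(q) >= fail_threshold:
            fire("brute_force", ev)
        if len({u for _, u in q}) >= spray_users:   # many accounts, one source
            fire("password_spray", ev)
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts.isoformat()} {a.rule:<24} src={a.src} user={a.user}")
```

Run against the sample, this produces one alert each for the brute force against `admin`, the success that follows it, the spray from `198.51.100.9` and `dave`'s late-night login, while `erin`'s single mistyped password stays quiet. A real SIEM does the same thing with far more rules and sources, but the decisions are identical: what counts as "out of the ordinary", over what time window, and who gets the email or text when it fires.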
C) There should be clear policies regarding password reuse, length, use of password managers, and physically writing passwords down:
This doesn't need much explanation. These days, all organizations should already have some sort of password policy. It may need some minor updating to comply with this requirement.
Employee Awareness Training
The biggest recurring cause of breaches is human error. Assuming employees have appropriate, or even basic, skills when it comes to things like email or social media can prove to be a costly mistake. Organizations should take an active role and invest in cyber security awareness training for their staff.
Such training should cover things like:
- Effective use of passwords complying with Company Policy
- Identifying malicious or fake links in emails
- Use of approved software
- Appropriate usage of the Internet
- Safe use of Social Media
Most of these items should also be covered in various company policies (password, etc.). Simply giving an employee a piece of paper to sign is not good enough. When it comes to things like effective passwords, Internet usage and social media, you need to provide real-world instruction as well. This is for your security, as well as your employees' benefit.
Out of all 13 Security Controls, this one will likely be the hardest to achieve. Depending on the skills available to the outfit, setting up instruction and education for some of these topics internally may be unrealistic and require external resources. While I agree with the need, I can safely say that this is probably the only requirement that no organization has put any real effort or investment into.
That’s all for this newsletter. An in-depth look at all 13 controls would be a lot of reading all at once. Next time I’ll go into the rest of them.
If you have any questions about CYBERSECURE CANADA Certification, you can always reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyberman.