IT security consulting by certified experts

Break & bold

How do I implement IT security in the enterprise

There are several different disciplines, which are also constantly evolving, that can take a holistic approach to IT security. An excellent overview is provided by the 18 sets of measures in the CIS Critical Security Controls.

01 – Enterprise IT inventory

A company can only protect an IT infrastructure if it knows what it consists of. For this purpose, an inventory of all hardware components used should be available. In particular, this includes all devices connected to the corporate network, such as clients (workstations, laptops, smartphones, and IoT devices) and servers. But it also includes cloud infrastructure.

02 – Inventory of software used

Since software vulnerabilities are a common gateway, a list of currently used software is important to identify potential risks to the deployment. Without such a software inventory, reliable updating and patching is not possible.

The logical step after building such an inventory is application whitelisting. In this process, only approved applications are still executable in the IT environment.

03 – Data security and privacy

Our data is no longer just within our own borders, but on mobile devices such as smartphones or laptops, or in the cloud – and often still shared with partners around the world. Without an understanding of who has access to what data, who can authorize such access, and how data is protected on mobile devices, it is difficult to protect against data loss (“data leak”). Data leakage can be very inconvenient for confidential customer data or trade secrets.

04 – Secure configuration of corporate IT as well as the software used.

Often, newly deployed hardware or software have default passwords and configurations with ease of use in the enterprise in mind rather than security. A comprehensive hardening and of all deployed clients, servers, firewalls should be done after each production deployment.

05 – User management

It is often easiest for an attacker to abuse an existing user account by using weak or phished passwords, active user accounts of people who have already left the company, test accounts, or the like can be used. To counter this, one must have an overview of the accounts currently in use and separate normal users from administrative accounts.

06 – Rights management

Building on 05, the rights used need to be managed. Multi-factor authorization should be used when accessing from remote or if possible when accessing with administrative rights.

Management of users and their access is called IAM (Identity Access Management) – based on this, management of privileged access is called PAM (Privileged Access Management).

07 – Vulnerability management

Swiftly patching security vulnerabilities and applying updates would have already prevented many data leaks. For this, a good look at the operating systems and also software used in the company is important.

08 – Audit Log Management

Log files of system and user events are important to find out – if the worst happens – what happened and which data has been stolen or changed. Also, this log data can be further processed in a SIEM (Security Information and Event Management) to trigger alerts in real time.

09 – Email and browser protection

Using up-to-date and fully supported software for email and browsers should be a given. More extensive protection such as a web proxy or DNS filter often makes sense.

10 – Malware protection

By using automatically updating anti-malware software, some basic protection is achievable. However, not all that glitters is gold here: keeping in mind that modern malware is naturally developed precisely so that the anti-malware software used (regardless of manufacturer…) does not provide its full protective effect is important.

So if malware does run on a system, it’s unpleasant, but often difficult to prevent completely in an organization. So it is even more important at this point that the malware finds itself in a restricted, non-administrative, user account on a fully-patched system in a hardened IT environment with no security holes to minimize the damage that can be done. Backups are also often irreplaceable at this point then to allow work to continue swiftly.

11 – Backups

Automated backups are not optional, they are a must. It is very important to isolate the backups from the running systems so that – for example in the event of an attack by ransomware – the backups are not encrypted or deleted at the same time. Cloud backup services or offline backups such as rolling USB hard drives can be suitable for this purpose.

12 – Network infrastructure management

A well thought-out enterprise network security architecture (zoning/firewalls) can help limit the movement of attackers. Often, for example, it is not necessary for the operational process to be able to access another client from one client – but for the attacker (lateral movement) this is very important.

13 – Network monitoring

For advanced IT security requirements, correlated analysis of audit logs and in a SIEM (security information and event management) coupled with solutions for host intrusion detection (HIDS), network intrusion detection (NIDS), packet filtering and traffic flow information can be useful.

14 – Security Awareness Trainings

Regular awareness training of employees ensures that the “human firewall” is active. Since currently most external attacks are based on social engineering techniques (often initially via phishing or by tapping user passwords), well-trained employees can be the most effective detection system of such attacks.

15 – Service provider management

In our interconnected world, organizations rely on vendors and partners to manage enterprise data and use external IT infrastructure for mission-critical applications. An inventory of the service providers used should be available (e.g., Microsoft if Office365/Exchange Online are used). The use of (cloud) service providers cannot be assessed across the board. The security precautions on the part of the service provider are often much higher than a medium-sized company could ever represent – but this shifts the attack surface in the direction of the company’s own employees.

16 – Security of software and web applications used.

Admittedly, application security is a broad field. The goal is always to ensure that the applications and services being used cannot be hacked, compromised, accessed without authorization or shut down. Depending on whether a company primarily buys and uses software or develops software itself, the focus and the measures implemented to achieve this can also be very different. As a minimum requirement, the handling of 07 vulnerability management should be established. If software is developed in-house, a process for secure software development should be used (SDLC, DevSecOps if applicable).

17 – Incident Response

Every organization should be prepared for security incidents. Clearly defined policies, plans, procedures, responsibilities, training and communications are the foundation to quickly identify and appropriately respond to security incidents.

18 – Penetration testing

A successful defense strategy requires a comprehensive program with effective strategies and governance, strong technical defenses, and appropriate user engagement. However, it is rarely perfect. In a complex IT environment where technology is constantly evolving and new attackers with new modus operandi emerge regularly, organizations should regularly test the measures in place to identify gaps and assess their own resilience.

This testing can be done from the perspective of the external network, the internal network, an application, the server or client. Social engineering and circumvention of physical access controls can also be included.