Seventy Questions to Assess Cybersecurity Risk on a Rapidly Changing Threat Landscape

Author: Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP
Date Published: 12 September 2023

Some people may wonder why so many cyberincidents take place. After all, in theory, everyone could follow a blueprint and design network security to be bulletproof. Unfortunately, there is no single method that makes network security invincible, and there likely never will be. In fact, there is no course of action, amount of money spent or set of technologies that can remove all risk associated with cybersecurity. Sources and degrees of risk change constantly along with the threat landscape, as threat actors continue to deploy new techniques and exploit newly discovered vulnerabilities.

Cybersecurity Entropy

The cyber world resembles the concept of entropy1 in physics. Entropy is a measure of the disorder of a system. The higher the entropy, the more disorganized the system becomes. Generally, with entropy, all things become less organized over time. This is certainly true when securing a network. Over time, threat actors generally become more organized, and to keep pace, risk must be continually reduced.

In practice, every network experiences security entropy. Even if an enterprise has done everything possible to reduce risk, with time, more vulnerabilities (and the resulting risk) are exposed. Data try to escape, and things that have been stable become unstable; in other words, they experience entropy. Systems and security measures become less organized, more chaotic and subject to more entropy.


70 Layers of Defense

Seventy questions can be asked to determine whether an enterprise covers most defensive principles and has taken steps to reduce the risk (and entropy) associated with cybersecurity.

If you can answer yes to the following 70 questions, you have greatly reduced your cybersecurity risk. Even so, risk still exists, and entropy must be continuously monitored and mitigated. There is no specific number of layers that can remove all risk, just as there is nothing in the physical universe that does not experience entropy.

The following 70 questions are in no particular order:

Training
1. Do you conduct robust and frequent end user cybersecurity awareness training?
2. Have you taught everyone how to securely store passwords or passphrases?
3. Do you conduct quarterly anti-phishing, smishing and vishing campaigns?2
4. Does everyone in your organization understand the risk associated with cybersecurity, the common tactics used by threat actors, and how to report any suspicious activity for further investigation?

Access Control
5. Have all vendor default accounts been changed or disabled?
6. Are only the necessary services, protocols, daemons3 and functions enabled?
7. Have all unnecessary functions been removed or disabled?
8. Are all accounts immediately disabled or deleted upon termination of employment?
9. Are all screen idle times set for 15 minutes, and do they require reauthentication to unlock?

End User
10. Do you provide end users with a tool for storing all of their passwords (preferably a cloud-based tool usable for both home and work)?
11. Have you developed administrator (admin) and user password or passphrase policies that prevent the use of common or easily guessed passwords?

End Points
12. Are all endpoint logs ingested by intelligent technology that combines threat intelligence on threat actor activity, heuristics and artificial intelligence (AI)?
13. Do you harden all endpoints and remove everything that is not needed for job functionality?
14. Do you have next-generation anti-malware protection (e.g., managed detection and response, extended detection and response, endpoint detection and response4) on all endpoints, using a threat-intelligence-driven security analytics platform with built-in security context?
15. Do you block devices that are not controlled and secured by the enterprise from connecting to any part of your network?
16. Do all endpoints have a personal firewall for Internet access when they are not connected to the enterprise network?
17. Do all endpoints have antivirus software installed that cannot be disabled and that updates automatically when new updates become available?
18. Do all end points have a next generation anti-malware application installed?

Event Management
19. Are all logs retained for at least two years?
20. Do all devices generate logs?
21. Are all logs being reviewed daily by inside and/or outside sources?
22. Do you have a mature and well-organized cybersecurity incident response capability (in-house or jointly with a third party) that thoroughly investigates all incidents?
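
Question 21 asks whether logs are actually reviewed. The following is an added example, not code from the article, showing what a minimal daily review of SSH authentication logs can look like: it slides a time window over failures per source address, flags password guessing once a threshold is crossed, and flags any login that follows a run of failures. The log lines are constructed in sshd's syslog format, and the thresholds (five failures in ten minutes, three failures before a success) are assumptions to be tuned to your own environment.

```python
"""Daily log review for SSH password guessing (question 21).

Added example, not from the article. The log lines below are constructed
in sshd's syslog format; the thresholds are assumptions to be tuned.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source guesses passwords and finally gets in,
# one legitimate user mistypes once and then logs in with a key.
SAMPLE_LOG = """\
2023-09-11T02:14:01 bastion sshd[4321]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2023-09-11T02:14:03 bastion sshd[4321]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
2023-09-11T02:14:05 bastion sshd[4321]: Failed password for root from 203.0.113.7 port 51240 ssh2
2023-09-11T02:14:08 bastion sshd[4321]: Failed password for root from 203.0.113.7 port 51242 ssh2
2023-09-11T02:14:11 bastion sshd[4321]: Failed password for root from 203.0.113.7 port 51244 ssh2
2023-09-11T02:14:20 bastion sshd[4321]: Accepted password for root from 203.0.113.7 port 51250 ssh2
2023-09-11T09:02:44 bastion sshd[5120]: Failed password for alice from 198.51.100.9 port 40001 ssh2
2023-09-11T09:02:50 bastion sshd[5120]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3}) port \d+"
)

FAIL_THRESHOLD = 5               # assumption: 5 failures ...
WINDOW = timedelta(minutes=10)   # ... from one source within 10 minutes
SUCCESS_AFTER = 3                # assumption: a login preceded by 3+ failures is suspect


def parse(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "method": m["method"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def review(text):
    """Return findings worth a reviewer's attention, in log order."""
    findings = []
    recent_failures = defaultdict(list)  # src -> failure timestamps inside WINDOW
    for ev in parse(text):
        window = recent_failures[ev["src"]]
        # Slide the window: forget failures older than WINDOW.
        while window and ev["ts"] - window[0] > WINDOW:
            window.pop(0)
        if ev["result"] == "Failed":
            window.append(ev["ts"])
            if len(window) == FAIL_THRESHOLD:  # fire once, as the threshold is crossed
                findings.append({"type": "brute_force", "src": ev["src"],
                                 "count": len(window), "ts": ev["ts"]})
        elif len(window) >= SUCCESS_AFTER:
            findings.append({"type": "success_after_failures", "src": ev["src"],
                             "user": ev["user"], "method": ev["method"], "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the review returns two findings for 203.0.113.7 (the guessing run, then the root login that followed it) and nothing for alice, whose single typo followed by a key login is normal. The same structure applies to any authentication log once the regular expression is adjusted to its format.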

Security Architecture
23. Do you only give employees the tools and access needed to perform their job functions, and nothing else?
24. Do you apply the principle of least privilege?
25. Have you deployed a zero trust model?
26. Do you require multifactor authentication (MFA) for all connections outside of the network?
27. Do you require MFA for internal, already authenticated network users to access the critical infrastructure and data in the network (i.e., the crown jewels)?
28. Are all credentials managed in a way that lets you quickly reset the password of every account on the network? (This includes service accounts.)
29. Have you recently assessed Active Directory to ensure it is properly configured and secure?
30. Are you actively monitoring the security of your Active Directory?
31. Do your perimeter firewalls have a deny-all rule unless otherwise authorized?
32. Is your demilitarized zone (DMZ) secure?
33. Has it been ensured that there are no data, databases or stored accounts on the DMZ?
34. Do you deploy anti-spoofing technology to prevent forged IP addresses from entering the network?
35. Do you prevent the disclosure of internal IP address and routing information on the Internet?
36. Do you segment key infrastructure from other parts of the network with restrictive firewalls (e.g., segmenting WiFi, confidential data, virtual machines and printers away from crown jewels)?

Cryptography
37. Are procedures defined and implemented to protect the cryptographic keys used to secure stored data against disclosure and misuse?
38. Are cryptographic keys stored in the fewest possible locations with at least dual custodians?
39. Do you utilize full disk encryption on all appropriate drives?
40. Do you use secure encryption in motion, at least Transport Layer Security (TLS) 1.2 or higher? (TLS 1.0 and 1.1 are deprecated by RFC 8996 and should no longer be offered.)
41. Is all nonconsole administrative access encrypted using strong cryptography?
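
Questions 37 and 38 ask for key-protection procedures and at least dual custody of keys. One way to implement dual custody so that no single custodian ever holds a complete key is Shamir secret sharing; the following is an added example, not code from the article or from any particular product, that splits a data-encryption key into shares over a prime field and reconstructs it only when the custody threshold is met. The 2-of-3 policy in the `main` block is an assumed custody policy, and the 521-bit Mersenne prime is a convenient field choice for keys of up to 64 bytes.

```python
"""Split knowledge for a stored-data encryption key (questions 37 and 38).

Added example, not from the article: Shamir secret sharing over a prime
field so that no single custodian ever holds the whole key. The 2-of-3
split in main() is an assumed custody policy.
"""
import secrets

# Mersenne prime 2**521 - 1: any secret of up to 64 bytes fits below it.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, share_count):
    """Return share_count (x, y) points; any `threshold` of them rebuild the secret."""
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too large for the field")
    # Random polynomial of degree threshold-1 with the secret as constant term.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares, threshold, length):
    """Lagrange-interpolate at x = 0 from at least `threshold` distinct shares."""
    shares = list({x: y for x, y in shares}.items())  # drop duplicate x values
    if len(shares) < threshold:
        raise ValueError("not enough shares to reach the threshold")
    shares = shares[:threshold]
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total.to_bytes(length, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # e.g., an AES-256 data-encryption key
    shares = split_secret(key, threshold=2, share_count=3)
    # Hand one share to each custodian over separate channels, then wipe the key.
    assert recover_secret([shares[0], shares[2]], 2, 32) == key
    print("2-of-3 custody check passed")
```

Fewer than `threshold` shares reveal nothing about the key (each share is a point on a random polynomial), which is the property that makes this a genuine split-knowledge control rather than merely storing the key in two places. In practice the shares still need the same handling as any key component: separate custodians, separate storage, and a logged ceremony for reconstruction.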

Threats
42. Do you regularly perform targeted threat hunts?
43. Do you ingest current threat intelligence (preferably from multiple sources), and do you have a procedure for rapidly implementing countermeasures based on good threat intelligence?
44. Does this include routine dark web reconnaissance to learn what information about your brand and enterprise structure is circulating there?
45. Do you closely monitor all vendors and third-party supply chains for compliance and adverse issues?

Testing
46. Do you conduct at least 1 penetration test annually, performed by a third party?
47. Do you perform routine vulnerability scans and remediate all vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 4 or above within 30 days, and all other vulnerabilities within 90 days?
48. Do you routinely scan your Internet-facing infrastructure for penetration and vulnerabilities?
49. Do you produce an annual business impact analysis/risk analysis report with internal and external auditors?
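
Question 47 sets concrete remediation windows, and checking them by hand across a scan export is error-prone. The following is an added example, not code from the article, that applies the 30-day (CVSS 4.0 and above) and 90-day (everything else) windows to a scanner-style CSV and reports which findings are open, overdue, fixed on time or fixed late. The CSV, finding IDs and titles are constructed placeholders rather than real advisories, and the column names are an assumption about the export format.

```python
"""Remediation SLA check for a vulnerability scan export (question 47).

Added example, not from the article. The CSV below is constructed to look
like a scanner export; finding IDs and titles are placeholders, not real
advisories. Question 47's 30/90-day windows are applied literally.
"""
import csv
import io
from datetime import date, timedelta

HIGH_CUTOFF = 4.0      # CVSS >= 4.0 gets the short window
HIGH_SLA_DAYS = 30
OTHER_SLA_DAYS = 90

# Constructed sample export; dates are ISO, a blank "fixed" means still open.
SAMPLE_CSV = """\
id,asset,title,cvss,first_seen,fixed
F-1,web-01,Outdated TLS library,9.8,2023-08-01,
F-2,db-02,Verbose error pages,4.0,2023-09-01,
F-3,vpn-01,Weak cipher suite offered,3.1,2023-06-01,2023-08-25
F-4,web-01,Missing security patch,7.5,2023-07-01,2023-08-15
F-5,print-03,Banner discloses version,2.0,2023-06-10,
"""


def sla_days(cvss):
    """Days allowed by question 47 for a finding of this score."""
    return HIGH_SLA_DAYS if cvss >= HIGH_CUTOFF else OTHER_SLA_DAYS


def due_date(first_seen, cvss):
    return first_seen + timedelta(days=sla_days(cvss))


def load_findings(text):
    """Parse the export into dicts with typed fields."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "id": row["id"],
            "asset": row["asset"],
            "cvss": float(row["cvss"]),
            "first_seen": date.fromisoformat(row["first_seen"]),
            "fixed": date.fromisoformat(row["fixed"]) if row["fixed"] else None,
        })
    return findings


def classify(finding, today):
    """One of: open, overdue, fixed_on_time, fixed_late."""
    due = due_date(finding["first_seen"], finding["cvss"])
    if finding["fixed"] is None:
        return "overdue" if today > due else "open"
    return "fixed_on_time" if finding["fixed"] <= due else "fixed_late"


def sla_report(text, today):
    """Map finding id -> (status, days past due or None)."""
    report = {}
    for f in load_findings(text):
        due = due_date(f["first_seen"], f["cvss"])
        end = f["fixed"] or today          # when the clock stopped, or today if still open
        late_by = (end - due).days if end > due else None
        report[f["id"]] = (classify(f, today), late_by)
    return report


def overdue_ids(report):
    """Open findings past their window, worst first."""
    return sorted((fid for fid, (status, _) in report.items() if status == "overdue"),
                  key=lambda fid: -report[fid][1])


if __name__ == "__main__":
    rep = sla_report(SAMPLE_CSV, date(2023, 9, 12))
    for fid, (status, late) in rep.items():
        print(fid, status, "" if late is None else f"{late} days past due")
```

A score of exactly 4.0 falls into the 30-day window, which is the boundary most easily mishandled when the rule is applied manually. Feeding the report into the metric for question 49 gives auditors the same numbers the security team sees.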

Policy
50. Do you have an enterprise security policy that is updated at least annually and understood by every party to whom it applies?
51. Do you have a formal change control policy?

Physical
52. Are processes and mechanisms for restricting physical access to servers, consoles, backup and network equipment in place and properly safeguarded?
53. Are physical and/or logical controls in place to restrict the use of publicly accessible network jacks within the facility?

Plans
54. Do you have a good cyberincident response plan (CIRP) that is reviewed and practiced yearly? The CIRP should be updated regularly, and the core and extended incident response teams should rehearse it at least annually through tabletop or functional cybersecurity exercises.
55. Do you have playbooks with technical instructions for handling common cybersecurity incidents?

Inventory
56. Do you have thorough diagrams of the entire network, including WiFi?
57. Do you have a complete inventory of all assets that includes business criticality levels, owners, co-owners and remediation? Does this inventory include recovery instructions and recovery time periods?
58. Do you have a complete set of data flow diagrams?

Data Management
59. Do you utilize file integrity monitoring (FIM) of the crown jewels of the organization?
60. Is the storage of confidential data kept to a minimum, and is it securely deleted when no longer needed?
61. Do you require data classification across the entire network?
62. Have you deployed network-based and cloud-based data loss prevention (DLP) programs wherever confidential data reside?
63. Do you prevent confidential data from being copied to external devices, and external devices from connecting to endpoints?
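
Question 59 asks for file integrity monitoring of the crown jewels. The following is an added example, not code from the article or from any FIM product, showing the core of such a control: a baseline of SHA-256 digests and permission bits for every file under a monitored path, and a comparison that reports additions, removals and modifications. The demo tree built by `demo()` is constructed and throwaway; in a real deployment the baseline would be stored outside the monitored host and the comparison run on a schedule.

```python
"""File integrity monitoring for the crown jewels (question 59).

Added example, not from the article: a baseline of SHA-256 digests and
permission bits for a directory tree, and a comparison that reports what
changed. The demo tree in demo() is constructed for illustration.
"""
import hashlib
import os
import stat
import tempfile


def _digest(path):
    """SHA-256 of a file, read in chunks so large files do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> (digest-or-link-target, mode) for everything under root.

    Symlinks are recorded by target and not followed, so a link swapped in to
    point elsewhere shows up as a modification instead of being read through.
    """
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                records[rel] = ("symlink:" + os.readlink(full), stat.S_IMODE(st.st_mode))
            elif stat.S_ISREG(st.st_mode):
                records[rel] = (_digest(full), stat.S_IMODE(st.st_mode))
    return records


def compare(old, new):
    """Return {'added': [...], 'removed': [...], 'modified': [...]}, each sorted."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Build a throwaway tree, tamper with it three ways, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "app.conf"), "w") as fh:
            fh.write("db_host=10.0.0.5\n")
        with open(os.path.join(etc, "keys.pem"), "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\n")
        os.chmod(os.path.join(etc, "keys.pem"), 0o600)
        before = baseline(root)

        # Tampering: config edited, key file made world-readable, unexpected file dropped.
        with open(os.path.join(etc, "app.conf"), "a") as fh:
            fh.write("db_host=203.0.113.9\n")
        os.chmod(os.path.join(etc, "keys.pem"), 0o644)
        with open(os.path.join(etc, "unexpected.php"), "w") as fh:
            fh.write("<?php /* not part of the deployment */ ?>\n")
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Recording the mode alongside the digest is what catches the permission change on `keys.pem`, which a content-only hash would miss. The baseline itself is sensitive (it lists where the crown jewels are), so it belongs with the same protections as the logs in questions 19 through 21.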

Software Development
64. Are processes and mechanisms for developing and maintaining secure systems and software defined and understood?
65. Have software developers defined and adopted software engineering techniques or other methods to prevent or mitigate common software attacks and related vulnerabilities in all software?
66. For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis?
67. Are these applications protected against attacks?
68. Are preproduction environments separated from production environments, and is that separation enforced with access controls?

Mobile Devices
69. Are all mobile devices governed by effective mobile device management (MDM) policies?
70. Do you prohibit connections from any mobile device that is not controlled by enterprise security mechanisms?

Conclusion

So, did you find the entropy? Did you discover additional layers of protection that could be included in a defense in depth (DiD)5 cybersecurity strategy? Remember, your answers to these questions reflect merely a single point in time. Things change over time, and entropy happens. Technologies change, strategies change, and threat actors continue to make progress and hone their skills.
It is also worth remembering that while each item on the list reduces risk, even if you can confidently answer yes to all 70 questions, you have not eliminated all risk. If there are items that have not yet been addressed, they are likely worth adding to your cybersecurity road map as soon as possible.

Endnotes

1 OpenStax, “12. Second Law of Thermodynamics: Entropy,” Physics
2 Center for Internet Security (CIS), “Phishing and [Vishing]: What You Need to Know,” February 2023
3 Brans, P.; “Daemon,” TechTarget
4 Hayes, N.; “EDR vs. MDR vs. XDR,” CrowdStrike, 18 April 2023
5 Center for Internet Security, “Election Security Spotlight: Defense in Depth (DiD)”

Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP

Is an incident response principal consultant for Secureworks. He has more than 30 years of professional cybersecurity experience, specializing in network engineering with a focus on security. In previous roles, he served as chief information security officer (CISO) and chief information officer (CIO), and was a vice president at a large financial enterprise. Barnett is passionate about seeing cybersecurity handled correctly and is dedicated to helping organizations develop the appropriate policies, procedures and mechanisms to respond to security events of any size.