Axioms for Any Cybersecurity Program

Your personal cybersecurity shares some common aspects with the cybersecurity program at your friendly neighborhood restaurant, and even the Fortune 100 enterprise headquartered downtown. Here are five such axioms that you can use for yourself or your organization's cybersecurity.

Your Cybersecurity Begins and Ends With Inventory

There are plenty of ways to say this, but it all boils down to the concept that you can't secure what you don't know about. Whether it is the unsanctioned Gmail account your salespeople are using for business, or the Box account your spouse didn't tell you they have a text file with everybody's social security numbers in it, every environment needs to be aware of unapproved and unknown systems that can be security issues just waiting to occur. "Guest" systems on your network are also of concern, since you don't know how they've been secured.

It is more than that however. You need to be aware of your software inventory, especially including what software is out of support, since out of support software = instant security risk. In many environments this is further complicated by abandoned IoT things, including appliances, TVs, and other devices that don't publish reliable support schedules, or share details on when support has ended.

Never Underestimate the Human Element

Human beings have an amazing capacity for both brilliance and mistakes. After all, we both invented nuclear energy and fell for scam emails from a "Nigerian prince." The more you can do to "people-proof" your security the better. There are three approaches I recommend focusing on to help with this:

1. Train and educate your people (including yourself) - help them understand what to be wary of and how to address security issues.
2. Practice the principle of "least privilege" - don't give users (yourself included) access that you don't absolutely need. This may mean getting used to creating separate admin accounts (with stronger than normal security controls) even in a home environment, then using "regular user" accounts for your day-to-day activities.
3. Build in controls to protect people from themselves - some of your most important security controls will focus on protecting your users from that "oops" moment. DNS filtering, web filtering, and others are key to help make sure that the people in your environment can't harm themselves or your systems.

New Capabilities Require New Security

Whether you're about to launch a brand new SaaS solution to your customer base, or you just want to access your personal NAS from the Internet, every new capability you add to your environment requires a review and potential update to your security program. Don't simply assume your security is appropriate to the new capability, review to be sure it is.

There's No Such Thing As "Not a Target"

While you or your organization may not be a "strategic" target for hackers, you're always at least a target of opportunity. From being used for a large bot-net for other attacks to having your data held hostage by ransomware, any of us can find our environments in the crosshairs. This doesn't mean that every environment needs to be secured like a military base, but this fact needs to be taken into account as you assess your own risks and risk profile.

This means that you should have a default level of minimum protections for everything in your environment, even if you don't believe it is particularly valuable. I'd recommend these:

1. No inbound connections that aren't well defined. - You should know everything that is calling into your environment and what it is able to do. If not, don't let it in, find another way.
2. MFA for every external login. - If the user or system is logging in from outside your environment, use MFA to validate them. This is great practice for internal logins as well, but not necessarily reasonable for smaller organizations or at home.
3. Understand and limit cross-system connections. - Malware often propagates because we don't restrict communication between systems to necessary ports, protocols, and the like. A wide open internal network means that any infiltration through your external security has the potential to impact your whole environment. At a minimum, segregate any systems that can be accessed from the Internet by inbound connections from the rest of your systems.

The Difference Between Cybersecurity and Screwing Around Is Writing Things Down Logging

Yes, I paraphrased a Mythbuster with this one, but it is still appropriate. The most reliable way to detect a security issue is via thorough logging. This may seem like overkill in the home environment, but that really depends on your risk profile and concerns. In the business environment it is critically necessary, even to the point that ignoring logging borders on (if it isn't out-and-out) negligence. At the end of the day logs are the best evidence you have about what is happening in your environment and should not be overlooked or forgotten about.

Obviously the mere act of logging isn't going to keep your environment safe, but regularly reviewing those logs is the cornerstone of a detection and response program, which should be a formal activity in any commercial organization, and should be at least the subject of occasional review at home. No, really, check your logs folks.

Is That It? Am I Secure Now?

Of course not, don't be ridiculous. A good cybersecurity program is in the details, five axioms aren't going to be a panacea for your program. But their value is in using them to guide you as you face your cybersecurity needs day after day, week after week. Keep these in mind and you'll be prepared to dig into the details and get them right.