
1. DID = Defense In Depth: Don't rely on a single security mechanism; layer multiple protections on top of one another.


Think back for a moment and imagine a castle whose door was protected by a drawbridge, a moat, and a team of guards who watched from a tower and patrolled the exterior.


Today, a system of technology needs an obstacle course of security to keep the bad guys out.

 

For example, start by adding MFA (multi-factor authentication), add EDR (endpoint detection and response) and MDM (mobile device management), put up firewalls (traffic control), check for vulnerabilities, then encrypt. That way, if one layer fails, the system fails safely and the other layers keep working.

 

DID is the kind of protection needed in today's world of technology to keep your systems safe. We have discussed many of these security measures in previous emails; review the related topics at ITC University.


The 5 Business Principles of Cyber Security

2. Least Privilege = ONLY give access rights to people who need them to do their job and are authorized, and ONLY for as long as they need them. Don't grant access forever; remove the user when the job is complete or they no longer need access.

 

Hardening the system: a web server may come with an FTP server, SSH and HTTP all turned on. If FTP and SSH are not being used, remove them. Then check every ID on the server, change the default accounts, and change all default passwords.

 

Stop privilege creep and "just in case" access by running an annual recertification campaign. Some companies may need to do so more frequently; whatever the case, review every user and make sure they have a justified need or are authorized. Cease their access if they have no need or are not authorized.


3. SOD = Separation Of Duties. Avoid a single point of control, and avoid collusion. For example, imagine two doors, each with its own key held by a different person. Each person can open only the door they hold the key to; only if the two work together do they have access to both doors.

 

Therefore, separate the duties: the person needing access to a system is the requester, who sends a request to an approver to gain access. The requester cannot be the same person as the approver, which helps to avoid both a single point of control and collusion.
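As an added example (not code from this newsletter or from ITC), here is a small Python access-recertification check that applies the least-privilege and separation-of-duties rules from points 2 and 3: access is time-boxed, a justified need must be on record, unused "just in case" access is flagged for review, and a grant whose requester approved their own access is rejected. The grant records, the names, the dates and the 90-day unused threshold are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class AccessGrant:
    user: str
    system: str
    requester: str              # who asked for the access
    approver: str               # who signed off on it
    expires_on: date            # access is granted for a duration, never forever
    last_used: "date | None"    # None = never used since it was granted
    justification: str          # the documented business need (may be empty)


def sod_ok(grant: AccessGrant) -> bool:
    """Separation of duties: the requester may never be their own approver."""
    return grant.requester != grant.approver


def recertify(grants, today: date, unused_days: int = 90) -> dict:
    """Recertification campaign: return (decision, reason) per (user, system),
    where decision is 'keep', 'review' or 'revoke'."""
    stale_before = today - timedelta(days=unused_days)
    decisions = {}
    for g in grants:
        key = (g.user, g.system)
        if not sod_ok(g):
            decisions[key] = ("revoke", "requester approved their own access")
        elif today > g.expires_on:
            decisions[key] = ("revoke", "grant expired, access was time-boxed")
        elif not g.justification.strip():
            decisions[key] = ("revoke", "no justified need on record")
        elif g.last_used is None or g.last_used < stale_before:
            decisions[key] = ("review", "'just in case' access, not being used")
        else:
            decisions[key] = ("keep", "active, justified and within its term")
    return decisions


# Constructed sample grants for illustration; none of these are real accounts.
TODAY = date(2025, 6, 1)
SAMPLE_GRANTS = [
    AccessGrant("alice", "payroll", "alice", "bob", date(2025, 12, 31), date(2025, 5, 28), "payroll clerk"),
    AccessGrant("carol", "payroll", "carol", "carol", date(2025, 12, 31), date(2025, 5, 30), "manager"),
    AccessGrant("dave", "webserver", "dave", "erin", date(2025, 3, 31), date(2025, 5, 20), "migration contract"),
    AccessGrant("frank", "webserver", "frank", "erin", date(2025, 12, 31), None, "in case of an outage"),
    AccessGrant("grace", "crm", "grace", "erin", date(2025, 12, 31), date(2025, 5, 1), ""),
]

if __name__ == "__main__":
    for (user, system), (decision, reason) in recertify(SAMPLE_GRANTS, TODAY).items():
        print(f"{user:>6} @ {system:<10} {decision:<7} {reason}")
```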


The 5 Principles YOU NEED TO KNOW Are In SBD


4. SBD = Secure By Design. Consider designing and erecting a building in a hurricane zone. You don't build the building and then wonder whether it is hurricane safe; safety and security begin in the requirements stage and continue through every stage thereafter. The same goes for computer technology: there should be no afterthoughts. Build the system from start to finish the right way, and think outside the box. Use the following five principles as your road map.

A. Begin with the requirements.

B. Design according to specific needs.

C. Code, then install the architecture.

D. Test the design and architecture.

E. Deploy to production.

 

Then loop back to the requirements and recheck the cycle's security, because security belongs in all five principles, A through E.

(A) Security starts at the requirements stage.

(B) Build security into design.

(C) Code the security into the architecture; install security at every level and every endpoint.

(D) Test the security.

(E) Put security into production.

5. KISS = Keep It Simple Stupid: If you make it harder to do the right thing than to do the wrong thing, people are going to do the wrong thing. Think of complexity as the enemy of security. Remember DID (defense in depth): build the obstacle course for the bad guys, not the good guys.

Introduce password rules that are as easy as ABC:

A. You have to build a password this way: one upper case letter, one lower case letter, one special character, one number, at least 8 characters, and so on.

B. Change your password on a frequent basis (after x number of log-ins).

C. You must use a different password for every system and application.

The moral of the five business principles of cyber security is this: don't rely on obscurity or secret knowledge to make a system safe. Secrecy and security are not the same thing.

 

Think of it as a glass box: clear text goes into crypto algorithms such as AES and RSA, which turn it into cipher text and back into clear text, but the only secret is the key. Everything about the system can be known, except the key. The five principles are what IBM recommends in this YouTube video.


Reminder: Windows 10 will not be supported by Office 365 as of October 2025.

Updates to Windows 11 are mandatory for FTC and HIPAA compliance.
