The Pareto Principle, or 80/20 rule, holds that about 80 percent of effects are triggered by 20 percent of causes. For CIOs, CISOs, CTOs, and CSOs, the main takeaway from this rule is that not all cybersecurity risks are created equal. Therefore, security resources should be devoted to the risks that are likely to cause the most damage to your organization. Unfortunately, too many businesses adopt a one-size-fits-all approach, which results in resources being almost equally distributed between low- and high-level risks. With the scale and sophistication of cyberattacks growing each year, such an inefficient security strategy is no longer tenable. Here’s a look at the five controls, originally outlined by the Center for Internet Security, that can prevent more than 80 percent of attacks and thus confirm the cybersecurity 80/20 rule.
1. Create an inventory of all devices (authorized and unauthorized)
It’s difficult to effectively defend your organization’s technology infrastructure if you do not have clarity on what devices are on it. Develop and manage an inventory of all devices including desktop computers, laptops, tablets, smartphones, servers, routers, switches, scanners, printers, VoIP phones, and IoT gadgets.
Fortunately, you don’t have to do this process manually. There are numerous tools that can automatically capture and list the devices. The tools vary in their sophistication. They range from free ones with basic functionality to expensive tools that have plenty of features. For small businesses, acquiring an inventory management system may not be necessary. The free tools will do the job with the resulting data being stored in a spreadsheet.
Capture as much information as you can for each device but have a standard set of columns that would make it easy to search and organize the data by a specific field (such as manufacturer, type, model, operating system, or location).
2. Create an inventory of all software (authorized or unauthorized)
The majority of cybercrime incidents are a result of software vulnerability exploitation. Application vendors will regularly release security updates meant to plug these vulnerabilities and reduce the likelihood of a successful attack. The frequency of patches, however, varies greatly between vendors. This means that organizations cannot wholly depend on each application vendor to unearth and fix security problems quickly. A software inventory can help you keep track of all software used in the enterprise and ensure that patches are up to date and that only authorized applications are installed.
If the device inventory is difficult to create, the software inventory is even more daunting, since you have to capture the list of applications on every device. As with the device inventory, though, there are sophisticated software inventory tools you can deploy to extract the information from each device fairly quickly. Once the inventory is complete, unauthorized applications must be identified and uninstalled from all devices. The cleaned inventory then becomes the benchmark for applications allowed by the business. Any application that doesn’t make the list must be removed.
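The reconciliation step described above can be scripted once the inventory is exported. The following is an added example, not part of the original article: the CSV columns, device names, application names, and minimum versions are all constructed, and the allowlist format (application name mapped to the lowest patched version) is an assumption.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per (device, application) pair.
# Column names are assumptions; adapt them to your inventory tool.
INVENTORY_CSV = """device,application,version
hr-laptop-01,Firefox,115.0.2
hr-laptop-01,7-Zip,23.01
hr-laptop-01,UnapprovedChat,4.5.0
db-server-01,PostgreSQL,15.4
db-server-01,Firefox,102.0
"""

# Constructed allowlist: authorized application -> minimum patched version.
AUTHORIZED = {
    "firefox": "115.0",
    "7-zip": "23.01",
    "postgresql": "15.4",
}


def parse_version(text):
    """Turn '115.0.2' into (115, 0, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def reconcile(inventory_csv, authorized):
    """Return {device: {"unauthorized": [...], "outdated": [...]}}.

    Devices with no findings are omitted from the result.
    """
    findings = defaultdict(lambda: {"unauthorized": [], "outdated": []})
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        device, app, version = row["device"], row["application"], row["version"]
        minimum = authorized.get(app.strip().lower())
        if minimum is None:
            # Not on the benchmark list: candidate for removal.
            findings[device]["unauthorized"].append(app)
        elif parse_version(version) < parse_version(minimum):
            # Authorized, but older than the patched baseline.
            findings[device]["outdated"].append((app, version, minimum))
    return dict(findings)


if __name__ == "__main__":
    for device, result in reconcile(INVENTORY_CSV, AUTHORIZED).items():
        print(device, result)
```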
3. Define secure configuration for servers, desktop computers, laptops, and mobile devices
There are vulnerabilities inherent in software. However, some gaps in application security come down to the configuration options chosen. Certain options can create avenues that attackers could use to infiltrate not just the application but the company’s network at large. For instance, the default settings of operating systems are meant to facilitate speedy installation and ease of use for first-time users. Security is a secondary consideration. Whereas the system’s patching may be current, the configuration could leave it vulnerable to attack.
Enterprise software and hardware configuration must, therefore, be hardened across devices. Define an organization-wide baseline of security controls for each type of hardware and software, then apply it to all. The baseline images must be stored in a secure location that’s outside the network to ensure they aren’t infiltrated or replaced without authorization. The baseline isn’t static but must instead evolve as new vulnerabilities are discovered and new application versions are released.
4. Continuous risk assessment and vulnerability remediation
Hackers and cybercriminals aren’t resting on their laurels. They are constantly looking for security weaknesses they can take advantage of. For this reason, organizations should continuously be on the lookout for emerging cybersecurity threats and proactively fix them.
Sometimes, a vendor will become aware of a vulnerability before the information is in the public domain. This gives them time to develop and distribute a patch for it. However, there are instances when vulnerabilities enter the public domain weeks or months before a patch is released. This delay creates a window of opportunity that hackers won’t hesitate to exploit in full.
Continuous vulnerability scanning creates a mechanism for regularly checking whether your systems satisfy patching and configuration policies. The tools that run the scans must have administrator privileges to make the process as thorough as possible. Each scan must be compared with previous scans to identify any inconsistencies.
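One way to compare a scan with the previous one is shown below. It is an added example, not part of the original article: the host names and check identifiers are constructed placeholders, and the input shape (host mapped to a set of failed checks) is an assumption rather than any scanner's export format. It separates findings that were actually fixed from findings that disappeared only because the host was not scanned again.

```python
# Constructed scan results: host -> set of failed check identifiers.
# Check names are placeholders, not output from any particular scanner.
PREVIOUS_SCAN = {
    "web-01": {"os-patch-missing", "tls-weak-cipher"},
    "db-01": {"default-admin-password"},
    "file-01": {"smb-signing-disabled"},
}
CURRENT_SCAN = {
    "web-01": {"tls-weak-cipher", "ssh-root-login-enabled"},
    "db-01": set(),
    "kiosk-07": {"os-patch-missing"},
}


def flatten(scan):
    """Expand {host: {check, ...}} into a set of (host, check) pairs."""
    return {(host, check) for host, checks in scan.items() for check in checks}


def diff_scans(previous, current):
    """Classify the differences between two scans of the same estate."""
    prev_hosts, cur_hosts = set(previous), set(current)
    prev_f, cur_f = flatten(previous), flatten(current)
    # A finding only counts as resolved if its host was scanned again;
    # otherwise its absence says nothing about remediation.
    resolved = {(h, c) for h, c in prev_f - cur_f if h in cur_hosts}
    return {
        "new": sorted(cur_f - prev_f),
        "resolved": sorted(resolved),
        "persistent": sorted(prev_f & cur_f),
        "hosts_missing": sorted(prev_hosts - cur_hosts),  # dropped out of scope?
        "hosts_new": sorted(cur_hosts - prev_hosts),      # check device inventory
    }


if __name__ == "__main__":
    for category, items in diff_scans(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(f"{category}: {items}")
```

Hosts reported under hosts_new are worth checking against the device inventory from the first control.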
5. Restricted use of administrator privileges
Think of two organizations with an identical number of employees. In one of them, only two employees have administrator privileges on the enterprise network. In the other, all staff have administrator accounts. It’s not difficult to see why the second organization is in much greater danger of getting hacked or of having administrator privileges abused.
While giving a large number of users administrative rights may have short-term gains such as speeding up system maintenance and troubleshooting, the risks greatly outweigh the merits. Administrative privileges must be granted strictly on an as-needed basis. Some enterprises go one step further and ensure administrator passwords are split into two. This means two persons (usually one from IT and one from the business side) are needed to log in.
Administrator passwords should be extremely difficult to guess or break via a brute force attack. Best practice is for the password to exceed 15 characters and combine lower case letters, upper case letters, numbers, and symbols. This can be further complemented by implementing two-factor authentication. Alerts should be automatically sent out to IT management and the relevant business managers whenever an administrative account is created, changed, or deleted. The same should occur when there are two or more failed login attempts.
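The alerting rules in the paragraph above, expressed as detection logic over an event feed. This is an added example, not part of the original article: the key=value log format, the event names, and the "adm-" prefix used to recognize administrative accounts are all assumptions, and the sample lines are constructed.

```python
from collections import Counter

# Constructed sample events in an assumed key=value format; a real feed
# (directory service audit log, SIEM export) will look different.
SAMPLE_LOG = """\
2024-05-01T08:00:12Z event=login_failed account=adm-jsmith src=10.0.4.17
2024-05-01T08:00:40Z event=login_failed account=adm-jsmith src=10.0.4.17
2024-05-01T08:01:05Z event=login_ok account=adm-jsmith src=10.0.4.17
2024-05-01T09:15:00Z event=account_created account=adm-temp actor=adm-jsmith
2024-05-01T09:20:31Z event=login_failed account=mbrown src=10.0.7.3
2024-05-01T09:20:55Z event=login_failed account=mbrown src=10.0.7.3
2024-05-01T11:42:09Z event=account_deleted account=adm-temp actor=adm-jsmith
"""

ADMIN_PREFIX = "adm-"        # assumed naming convention for admin accounts
ACCOUNT_EVENTS = {"account_created", "account_changed", "account_deleted"}
FAILED_LOGIN_THRESHOLD = 2   # "two or more failed login attempts"


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict of fields."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["timestamp"] = timestamp
    return fields


def detect_alerts(log_text):
    """Return (timestamp, alert_type, account) tuples for admin accounts."""
    alerts = []
    failures = Counter()  # failed logins per account since last success
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        account = event.get("account", "")
        if not account.startswith(ADMIN_PREFIX):
            continue  # only administrative accounts are in scope here
        kind = event.get("event")
        if kind in ACCOUNT_EVENTS:
            alerts.append((event["timestamp"], kind, account))
        elif kind == "login_failed":
            failures[account] += 1
            # Alert once, at the moment the threshold is reached.
            if failures[account] == FAILED_LOGIN_THRESHOLD:
                alerts.append((event["timestamp"], "repeated_login_failure", account))
        elif kind == "login_ok":
            failures[account] = 0
    return alerts
```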
Efficient controls with the cybersecurity 80/20 rule
There’s no single formula for winning the battle against cybercrime. However, the cybersecurity 80/20 rule provides practical guidance on how IT leaders can tackle this challenge efficiently. They must shift efforts and resources toward the threats that are most formidable before tackling those with a lower impact on the business. You still have to establish the appropriate measures for the remaining risks. But at 80 percent, the cybersecurity 80/20 rule means you’ll have covered all key bases.