Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
Text removed in this revision (the previous revision's wikitext, as shown in the diff):

Arguably, most business types will be impacted by regulations, standards, or best practices. Even niche professions like cinema editors are guided by best practices set forth by professional organizations.<ref name="ACEBest17">{{cite web |url=https://americancinemaeditors.org/best-practices-guide/ |title=ACE Best Practices Guide for Post Production |publisher=American Cinema Editors |date=2017 |accessdate=23 July 2020}}</ref> In the case of laboratories, multiple regulations and standards apply to operations, including information management and privacy practices. Presumably one or more executives in your business are familiar with the legal and professional aspects of how the business should be run. If not, significant research and outside consultant help may be required. Regardless, when approaching this task, ensure everyone understands the distinctions among "regulation," "standard," and "best practice."

Remember that while regulators may dictate how you manage your cybersecurity assets, setting policy that goes above and beyond regulation is occasionally detrimental to your business. Data retention requirements, for example, are important to consider, not only for regulatory purposes but also data management and security reasons. To be sure, numerous U.S. Code of Federal Regulations (e.g., 21 CFR Part 11, 40 CFR Part 141, and 45 CFR Part 164), European Union regulations (e.g., E.U. Annex 11 and E.U. Commission Directive 2003/94/EC), and even global entities (e.g., WHO Technical Report Series, #986, Annex 2) address the need for record retention. However, as AHIMA points out, records shouldn't be kept forever<ref name="DowningAHIMA17">{{cite web |url=https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf |format=PDF |title=AHIMA Guidelines: The Cybersecurity Plan |author=Downing, K. |publisher=American Health Information Management Association |date=December 2017 |accessdate=23 July 2020}}</ref>:

<blockquote>Healthcare organizations have been storing and maintaining records and information well beyond record retention requirements. This creates significant additional security risks as systems and records must be maintained, patched, backed up, and provisioned (access) for longer than necessary or required by law ... In the era of big data the idea of keeping “everything forever” must end. It simply is not feasible, practical, or economical to secure legacy and older systems forever.</blockquote>

This example illustrates the idea that while regulatory compliance is imperative, going well beyond compliance limits has its own costs, not only financially but also by increasing cybersecurity risk.

The text added in this revision, with its references, is the revision rendered below.

Revision as of 15:58, 16 February 2022

This step is closely tied to the next step, gap analysis, so you may wish to address the two together. You have already identified your critical and non-critical assets, and a gap analysis of them is a useful start for finding and analyzing the logical entry points into a system. But what are the most common entry points attackers use?[1][2][3][4]

  • Inbound network-based attacks through software, network gateways, and online repositories
  • Inbound network-based attacks through misconfigured firewalls and gateways
  • Access to systems using stolen credentials (networked and physical)
  • Lateral movement through the network to peripheral systems via exposed communication protocols, insecure credentials, and similar weaknesses
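The second, third and fourth entry points in the list above are the ones a reviewer can partly check mechanically, by evaluating the firewall rule set against the asset inventory produced in the earlier step. The following script is an added example written for this page, not code from LIMSWiki or from any of the cited sources. Every zone, address, rule and asset in it is constructed sample data, and the list of "risky" services and the one-representative-address-per-zone shortcut are simplifying assumptions, not a standard. It evaluates an ordered, first-match, default-deny rule set to report Internet-exposed admin services, flat "any port" paths between segments that enable lateral movement, and reachable assets that still carry default credentials, first for a weak rule set and then for a corrected one.

```python
"""Entry-point triage: evaluate an ordered firewall rule set against an asset
inventory to surface Internet-exposed admin services, flat segments that permit
lateral movement, and reachable default credentials. All hosts, zones, rules
and assets below are constructed sample data, not taken from any real network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Services whose exposure across a trust boundary is a classic inbound entry
# point or lateral-movement channel. Illustrative, not exhaustive.
RISKY_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp",
               5900: "vnc", 1433: "mssql", 3306: "mysql", 5432: "postgresql"}

# One representative source address per zone (assumption: each zone is one
# contiguous network, so a single address stands in for the whole zone).
ZONES = {"internet": "203.0.113.10", "office": "10.10.0.25",
         "lab": "10.20.0.1", "dmz": "10.30.0.5"}


@dataclass(frozen=True)
class Rule:
    src: str             # source CIDR; "0.0.0.0/0" means anywhere
    dst: str             # destination CIDR
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    zone: str
    critical: bool
    default_creds: bool = False  # still on a factory-default or shared password


def reachable(rules, src_ip, dst_ip, port):
    """First-match evaluation of an ordered rule set, default deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action == "allow"
    return False


def find_entry_points(rules, assets):
    """Return sorted (severity, subject, source zone, detail) findings."""
    findings = []
    # Rule-level check: an allow on every port is a flat path between segments.
    for r in rules:
        if r.action == "allow" and r.port is None:
            findings.append(("high", "rule", f"{r.src}->{r.dst}",
                             "any-port allow (lateral movement path)"))
    for a in assets:
        for zone, src in ZONES.items():
            if zone == a.zone:
                continue  # same-zone reachability is out of scope here
            exposed = [f"{svc}/{port}" for port, svc in RISKY_PORTS.items()
                       if reachable(rules, src, a.ip, port)]
            sev = "high" if zone == "internet" or a.critical else "medium"
            findings.extend((sev, a.name, zone, e) for e in exposed)
            if exposed and a.default_creds:
                findings.append(("high", a.name, zone,
                                 "default credentials reachable"))
    return sorted(findings)


# Constructed "before" rule set carrying two common misconfigurations.
WEAK_RULES = [
    Rule("0.0.0.0/0", "10.30.0.5/32", 443, "allow"),      # public web front end: intended
    Rule("0.0.0.0/0", "10.30.0.5/32", 3389, "allow"),     # RDP from anywhere: misconfiguration
    Rule("10.10.0.0/16", "10.20.0.0/16", None, "allow"),  # office -> lab on every port: flat
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

# Corrected rule set: RDP only from one named admin host, office users reach
# only the LIMS front end, everything else falls through to the final deny.
HARDENED_RULES = [
    Rule("0.0.0.0/0", "10.30.0.5/32", 443, "allow"),
    Rule("10.10.0.100/32", "10.30.0.5/32", 3389, "allow"),
    Rule("10.10.0.0/16", "10.20.0.40/32", 443, "allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

ASSETS = [
    Asset("web01", "10.30.0.5", "dmz", critical=False),
    Asset("lims-db", "10.20.0.40", "lab", critical=True),
    Asset("hplc-ctrl", "10.20.0.41", "lab", critical=True, default_creds=True),
    Asset("ws-finance", "10.10.0.25", "office", critical=False),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        findings = find_entry_points(rules, ASSETS)
        print(f"{label}: {len(findings)} findings")
        for f in findings:
            print("  ", *f)
```

Against the weak rule set the script reports the RDP service on the DMZ host as reachable from the Internet, every risky port on both lab systems as reachable from the office segment, and the flat office-to-lab rule itself. Against the hardened set it reports nothing, but note that the HPLC controller still has default credentials; network gating only hides that entry point from this check, and the credentials still need changing. A real assessment also has to account for routes the firewall never sees (VPNs, vendor remote-access tools, wireless, and physical access, discussed below), so treat output like this as a starting list for the third-party or internal review, not as a complete answer.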

From email and enterprise resource planning (ERP) applications and servers to networking devices and tools, a wide variety of attack vectors exist in a system, some more common than others. Analyzing these components and their configurations takes significant expertise; if that expertise is not available internally, a third-party security assessment may be needed to get a clear picture of the entry points into your system. Employees who lack cybersecurity awareness are themselves points of entry, most commonly via phishing.[5][4] This is where training and internal random testing (addressed later) come into play.[5]

Physical access to system components and data also represents a significant attack vector, more so in particular industries and network set-ups. For example, industrial control systems in manufacturing plants may require extra consideration; some control system vendors now offer an added layer of physical security in the form of physical locks that prevent code from being executed on the controller.[2] Cloud-based data centers and field-based monitoring systems are other specialist situations requiring added physical controls.[5][6][7] Small businesses should worry about physical security too: their workstations, laptops, USB drives, mobile devices, etc. can be compromised if the general public can easily walk into offices and other work spaces.[7] In regulated environments, physical access controls and facility monitoring may even be mandated.

References

  1. Kumar, A.J. (6 September 2016). "Discovering Entry Points". InfoSec Institute. https://resources.infosecinstitute.com/discovering-entry-points/. Retrieved 23 July 2020.
  2. Ahmed, O.; Rehman, A.; Habib, A. (12 May 2019). "Industrial control system (ICS) cybersecurity advice, best practices". Control Engineering. CFE Media LLC. https://www.controleng.com/articles/industrial-control-system-ics-cybersecurity-advice-best-practices/. Retrieved 23 July 2020.
  3. Bonderud, D. (11 June 2019). "Podcast: Lateral Movement: Combating High-Risk, Low-Noise Threats". SecurityIntelligence. IBM. https://securityintelligence.com/media/podcast-lateral-movement-combating-high-risk-low-noise-threats/. Retrieved 23 July 2020.
  4. "Incident Classification Patterns and Subsets". 2019 Data Breach Investigations Report. Verizon. 2019. https://enterprise.verizon.com/resources/reports/dbir/2019/incident-classification-patterns-subsets/. Retrieved 23 July 2020.
  5. Downing, K. (December 2017). "AHIMA Guidelines: The Cybersecurity Plan" (PDF). American Health Information Management Association. https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf. Retrieved 23 July 2020.
  6. Lebanidze, E. (2011). "Guide to Developing a Cyber Security and Risk Mitigation Plan" (PDF). National Rural Electric Cooperative Association, Cooperative Research Network. https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf. Retrieved 23 July 2020.
  7. "How to Develop A Cybersecurity Plan For Your Company (checklist included)". Copeland Technology Solutions. 17 July 2018. https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/. Retrieved 23 July 2020.