Spaces CISOs should be more wary of

Service providers, customers, central governance, SecOps, physical sites... in absolute terms, every point of entry into the information system (IS) deserves scrutiny. In practice, however, the threat is especially acute in a few specific areas.


Special attention to subsidiaries

Cybercriminals have long understood the benefit of not targeting companies directly, but of going through intermediate attack surfaces instead (subcontractors, service providers, etc.). This risk has been well identified: ANSSI is currently working on a set of requirements applicable to PAMS (Prestataires d'administration et de maintenance sécurisées, i.e. secure administration and maintenance service providers).

Subsidiaries, on the other hand, receive far less vigilance, even though an attacker can just as easily use one to ricochet into the parent company. Often far away, they are seldom visited and therefore easily forgotten, a phenomenon that is even more pronounced in groups with active acquisition and divestiture activity. What can be done when a subsidiary appears particularly exposed to threats, yet has no means of dealing with them?

In our view, once the CISO has presented the situation to top management, stressing the risk of a "stray bullet", only two options remain: ask for the technical links to the subsidiary to be cut so that any attack is contained, or request sufficient resources to bring the subsidiary up to a satisfactory security level.


Business, project and application alerts

While managing cybersecurity through compliance is an excellent basis for protecting the company, the method has its limits. Policies do not cover everything, and in particular they do not cover what makes a company unique: its business lines and the way they operate.

This blind spot is a cause for concern, because the risks associated with Shadow IT are very often underestimated. In its Cloud Discovery documentation (part of Microsoft Defender for Cloud Apps, formerly Cloud App Security), Microsoft gives the following estimates.

  • Where an IT administrator assumes that employees use around 30 or 40 different applications, the organization is in fact using over 1,000.
  • Of all the applications in use, 80% have never been reviewed and may not comply with the security policy.
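
As an added illustration (not from the original article and not Microsoft's tooling), the Python below shows the core of what a Cloud Discovery-style exercise does with the organization's own proxy logs: it parses constructed sample log lines in a simplified Squid-style format (an assumption), collapses each destination hostname to the app's registrable domain, compares the result against a hypothetical allowlist of sanctioned apps, and ranks the unsanctioned ones by upload volume so that the highest data-leak exposure is triaged first. The log format, the domain names and the allowlist are all assumptions made for the example.

```python
"""Minimal shadow-IT discovery over proxy logs (added example, not from the article)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in a simplified Squid-style format (assumption):
# epoch_ms  client_ip  method  url_or_host:port  status  bytes_uploaded
SAMPLE_LOG = """\
1700000000123 10.1.2.3 GET https://mail.corp.example/inbox 200 512
1700000001123 10.1.2.3 POST https://api.filedrop.example/upload 200 734003
1700000002123 10.1.2.7 GET https://www.filedrop.example/ 200 120
1700000003123 10.1.2.9 POST https://docs.sanctioned.example/api/v1/save 201 20480
1700000004123 10.1.2.9 CONNECT pastebin.example:443 200 4096
1700000005123 10.1.2.4 GET http://crm.sanctioned.example/leads 200 99
1700000006123 10.1.2.4 POST https://translate.freetool.example/text 200 3000
1700000007123 10.1.2.5 GET https://intranet.corp.example/ 200 50
"""

# Hypothetical allowlist maintained by IT/security: registrable domains of sanctioned apps.
SANCTIONED = {"corp.example", "sanctioned.example"}


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (api.filedrop.example -> filedrop.example).

    Caveat: a real deployment should use the Public Suffix List, otherwise every host
    under a multi-label suffix such as co.uk is merged into one bogus 'app'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_from_target(method: str, target: str) -> str:
    """Extract the destination host from a URL, or from 'host:port' on CONNECT lines."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname or ""


def discover(log_text: str, sanctioned: set[str]) -> dict:
    """Aggregate requests, distinct users and upload bytes per app (registrable domain)."""
    apps = defaultdict(lambda: {"users": set(), "bytes_out": 0, "requests": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than abort the whole run
        _ts, client, method, target, _status, bytes_out = parts
        host = host_from_target(method, target)
        if not host:
            continue
        entry = apps[registrable_domain(host)]
        entry["users"].add(client)
        entry["bytes_out"] += int(bytes_out)
        entry["requests"] += 1
    return {
        app: {**v, "users": sorted(v["users"]), "sanctioned": app in sanctioned}
        for app, v in apps.items()
    }


def summarize(report: dict) -> dict:
    """Size the gap between the sanctioned list and reality, and order the triage."""
    unsanctioned = {a: v for a, v in report.items() if not v["sanctioned"]}
    return {
        "total_apps": len(report),
        "unsanctioned_apps": len(unsanctioned),
        "unsanctioned_ratio": round(len(unsanctioned) / len(report), 2) if report else 0.0,
        # Highest upload volume first: review these before a data-leak incident, not after.
        "triage_order": sorted(unsanctioned, key=lambda a: -unsanctioned[a]["bytes_out"]),
    }


if __name__ == "__main__":
    print(summarize(discover(SAMPLE_LOG, SANCTIONED)))
```

On the constructed sample, three of the five apps seen are unsanctioned, and the file-sharing domain with 734 KB uploaded by two distinct clients comes out first in the triage order. The same approach scales to real firewall or proxy exports; the two things to get right before trusting the numbers are the domain collapsing (use the Public Suffix List) and the completeness of the log sources, since a site or subsidiary whose traffic never reaches the proxy is invisible to this method.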

As these figures show, there is real value in looking not only at the business lines but also at the applications that support them. This is all the more true as the consequences can be extremely far-reaching, as illustrated by the ransomware attack suffered by Altran in January 2019. As CEO Dominique Cerutti explained, the attackers' entry point was a misconfigured web application still protected by a default password. All e-mail, phone lines and communication tools were then brought to a halt.


Mapping, the first step in any cybersecurity strategy

However your organization operates, the CISO can never be everywhere. Should this worry the company? Not necessarily, as long as the CISO has an overview that makes it possible to allocate resources where they are needed.


A framework for every CISO

According to the Forrester study commissioned by Tenable in August 2020 (The Rise of the Business-Aligned Security Executive), CISOs still sorely lack visibility of corporate assets.

For applications, data, IT and cloud platforms, 70% of respondents consider that they have "high or complete visibility". The rate drops to 60% for IoT and mobile devices, and likewise for employees working on site. It falls to just over 50% for remote employees, service providers and third-party partners.

How can risk be understood globally under these conditions? The only solution is to map risks across the whole organization in order to obtain a macroscopic view. It is painstaking, even laborious work, but essential if nothing is to be forgotten and if areas are not to be treated in silos.

It is therefore up to each CISO to map out his or her ecosystem and build his or her own framework. This overview then serves as the basis for working through a series of questions.

  • What are the entry points into the information system?
  • What needs are common to the different areas identified?
  • What are the specific needs?
  • What is shared with the outside world (file data, applications, etc.) and with what level of security?


A real ordnance map

Because human and financial resources are limited, cybersecurity can only rest on a principle of differentiated protection across areas. With an overall view, it becomes possible to identify the perimeters where the risk is greatest, either because it directly affects the company's business or because it concerns its creative potential (R&D).

In this way, mapping helps build a meaningful cybersecurity strategy: the CISO identifies where effort must be concentrated, but also where risk can be considered acceptable. The exercise has the added benefit of easing communication with management. Unsurprisingly, buy-in (and budgets!) come far more easily when high-priority risks and the resources required to address them are presented clearly.

How to improve your visibility

Tenacy is an adaptable, collaborative SaaS solution designed by CISOs for CISOs. It provides 360° insight through clear operational and strategic indicators. It also improves the day-to-day life of CISOs, saving them time on time-consuming, non-value-added tasks while keeping operations aligned with objectives.

Contact us