Maksim Kabakou - Fotolia
Security Think Tank: A three-pronged approach to application security
What should organisations be doing to address application layer attacks and reduce the likelihood of a breach through this type of attack?
The General Data Protection Regulation (GDPR) came into full force in May 2018. The key requirements of meeting GDPR and the UK’s new GDPR-aligned Data Protection Act include a solid well designed, maintained and operated IT estate, and data security processes and procedures covering not just IT but also paper files, video, desktop and other non-IT means of holding and processing data.
In October 2018, an article in Computer Weekly noted that “Most organisations (67%) believe hackers can still penetrate their network and 89% say they have had an application layer attack in the past year”. What can an organisation do to improve the security of their IT estate? I suggest a three-pronged approach:
- First, ensure the IT estate is designed and maintained to good security practices.
- Second, put in place tested and workable detection mechanisms of security noteworthy events.
- Third, implement an education programme that is ongoing.
Taking the first point, all software (operating system, applications, libraries etc.) should be a current supported version and maintained to the latest patch level.
Should any software be 12 months or less away from going out of supplier support, a project should be in place to update, replace or otherwise ensure continuing support.
Hardware likewise should be of a maintainable standard and it should go without saying that antivirus and anti-malware software and products including email, web and file transfer scanning applications should also be deployed either within the IT estate or taken as a service from an external third party.
Don’t forget that a good backup regime that is regularly tested for effectiveness is also a necessary ingredient of a well‑designed IT estate. Being able to recover from data lost due to a non-recoverable ransomware infection can be considered a part of GDPR compliance, as is having a formal “incidence reporting and handling” procedure.
Security Health Check
A full IT Security Health Check (ITSHC) of the IT estate should be undertaken at least annually, and must fully explore an IT estate internally as well as externally for vulnerabilities, correctness of firewall rule sets and ethernet switch configurations and the patching and release levels of software.
For organisations that are dynamic requiring regular changes to their IT estate, consideration should be given to undertaking such an ITSHC every six months, or a partial ITSHC following a major change.
All organisations should run internet-based testing every three months with consideration for monthly or weekly testing based on the organisation’s risk profile. Associated with a full ITSHC should be a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA). See the ICO website for more information.
To confirm to customers, clients, partner organisations and cyber insurance companies (and the ICO should things go wrong) that the IT estate is designed and maintained to current good practice levels, it is recommended that an organisation seek ISO 27001 certification. Smaller organisations could take the Cyber Essentials (CE) or Cyber Essentials Plus (CE+) route. See the Security Think Tank article on kick starting outcomes-based security covers CE and CE+.
The second point covers the security analytics and alert reporting associated with reviewing log files generated by servers, applications, firewalls and security monitoring products. There are a range of commercial and free log analysers, including the free version of Splunk and the free Microsoft Log Parser 2.2.
As log files get very large, it is essential to run these tools for a few months to identify legitimate traffic and so effectively “tune” them to the IT estate, and also to set appropriate alerting levels (for example, immediate SMS/pager alerts for urgent alerts, email for secondary alerts and email daily and weekly reports for a summary of alerts, plus a wall display of alerts in real time). For more information, see an earlier article on security analytics.
Education, the third point must not be ignored. Staff can be the final bastion to stop a phishing attack that got though all the defences. Education is not a one-off event; it needs to be an ongoing process. The “Get Safe Online” website is an excellent resource and there is a number of specialist information security training firms.
