Cryptocurrencies are both exciting and terrifying at the same time. They have received considerable attention lately, both positive and negative. The present state reminds me of the Dot Com Bubble from two decades ago (for those like me who remember it). Hopefully we have learned our lessons and temper our exuberance accordingly; history does not need to repeat. Like social media, FOMO seems to be driving a lot of our interest. Personally, I have no issue with cryptocurrency, nor any interest in holding it, but I am extremely interested in the underpinning blockchain technology and its future potential.
Spectre and Meltdown give two points to consider. First, your defence in depth strategy leveraging patching is now more valuable than ever, especially in shared hosting environments, which appear to be most at risk. Second, let us consider these vulnerabilities not for what they are but for what they could become. Because they are local exploits, the layers of defence (physical, technical, logical, and administrative) must be robust enough to limit the local access an attacker needs before the vulnerabilities can be exploited. Although they are apparently “read only” vulnerabilities, information leaked through them could be used in future attacks. Stay informed, review your strategy, and apply updates.
Controls we may think obsolete remain an integral part of defence in depth strategies. An antivirus system using heuristics and updated signatures provides another barrier between good and bad. Although viruses do not get the attention given to modern threats, that does not negate their existence. Legacy viruses may be modified to deliver new threats if we let our guard down. They are like influenza, mutating year after year and finding new ways to remain deadly. We cannot afford to ignore them. Consider why spam emails supposedly from despotic dictators still circulate globally despite being widely known: they still work.
One may argue the Cybersecurity skills gap is partly due to how we fill these roles by overlooking diversity. Thinking we must have a technical background and already be established in Information Technology works against us. While those skills are undoubtedly beneficial, we are missing out on untold numbers of highly skilled and experienced individuals with the aptitude and drive to be outstanding Cybersecurity professionals. We wrongly evaluate them for what they lack rather than what they possess. Ignoring what they have and denying them an opportunity to realise their potential in our industry ensures the only growth is in the skills gap.
Patching Operating Systems is an Essential Eight strategy; hardening the OS itself goes a step further. Operating Systems, by default, are noisy and have insecure services enabled. As a rule, disable anything you do not absolutely need, especially legacy services, security protocols, and cipher suites. Use the most recent release of each Operating System; vendors constantly improve security. Engage platform experts to help. Consider a Standard Operating Environment for workstations and servers. Consider Virtual Desktop Infrastructure with adequate resources. Remember to harden network devices and mobile devices; they have an OS as well. A consistent, secure environment reduces overhead and risk.
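As an added example (not code from the original column), a small Python audit of an OpenSSH sshd_config illustrating the "disable legacy protocols and cipher suites" advice, including the trap that sshd keeps the first value of a keyword, so a hardened Ciphers line placed after a legacy one is silently ignored. It assumes a flat config without Match blocks, a constructed list of cipher names treated as legacy, and two constructed sample configs (weak and hardened).

```python
import re

LEGACY_CIPHERS = {"3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128",
                  "arcfour256", "aes128-cbc", "aes192-cbc", "aes256-cbc"}  # constructed: CBC, RC4, 3DES

# Constructed sample configs: legacy settings left enabled, and the hardened form.
WEAK_CONFIG = """\
Protocol 2,1
Ciphers aes128-ctr,3des-cbc,arcfour
PermitRootLogin yes
Ciphers chacha20-poly1305@openssh.com  # too late: sshd keeps the first Ciphers line
"""
HARDENED_CONFIG = """\
Protocol 2
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
PermitRootLogin no
"""

def parse_sshd_config(text):
    """Map keyword -> value using sshd's rule that the FIRST value given wins.
    Keywords are case-insensitive, '#' starts a comment, 'key value' and 'key=value' both
    parse. Match blocks are not modelled (assumption: flat config), so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1) if line else []
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip())  # later duplicates are ignored by sshd
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means no legacy setting was found."""
    cfg = parse_sshd_config(text)
    findings = []
    if "1" in {p.strip() for p in cfg.get("protocol", "2").split(",")}:
        findings.append("Protocol: SSH-1 enabled (%s)" % cfg["protocol"])
    ciphers = cfg.get("ciphers", "")
    if ciphers and not ciphers.startswith("-"):  # a '-' list only removes defaults
        bad = [c.strip() for c in ciphers.lstrip("+^").split(",") if c.strip() in LEGACY_CIPHERS]
        if bad:
            findings.append("Ciphers: legacy suites enabled (%s)" % ",".join(bad))
    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin: yes")
    return findings
```

On a live host, pass the contents of /etc/ssh/sshd_config to audit_sshd_config; the weak sample above yields three findings and the hardened sample none.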
Server Application Hardening, unlike other system centric hardening, focuses on how the application is used rather than on the application itself. Server to server and client to server transactions must remain secure. As with roads and policing, two secure destinations do not make the route between them secure. Have a current application inventory and know what systems are used, how they are used, and the traffic they do and do not accept. Be wary of legacy cryptographic elements and dependent legacy systems. Consider both internal and external transactions and evaluate a Web Application Firewall solution. Undertake vulnerability assessments against applications.
Incident detection and response must be as important to your enterprise as the focus on prevention. Many organisations spend too much time and money on the “Before” of a security incident but are unable to respond when (not if) a critical incident occurs. Create, test, and implement an incident response plan. Understand your risk profile, assets, and resources. Acquire the technology and resources to accurately discover incidents. Ensure you have the ability to respond in a timely manner and with conviction. Ensure recovery after the incident to minimise disruption. Above all else, test your plan in anger at least annually.