This article discusses the preventive, mitigation and recovery strategies for protecting the infrastructure. These strategies include:
There will be no malware infection unless the user opens an infected email, browses a compromised website, or opens an unknown file from removable storage media. Hence, the organization has to deploy dedicated software to monitor for, detect and disable malware.
The minimum requirement is to:
To protect organizational information, applications, and computers within the internal network against unauthorized access and disclosure from the internet, boundary firewalls, internet gateways, or equivalent network devices are used.
Attackers can easily gain access to the organization’s computers and acquire information if no boundary firewall, internet gateway, or equivalent network device is installed.
Commodity cyber security threats – attacks based on capabilities and techniques that are freely available on the internet (HM Government, 2014) – can be defended against by installing a boundary firewall that restricts inbound and outbound network traffic to authorized connections through configuration settings known as firewall rules.
The minimum requirement is to:
In scenarios where the organization has engaged a third-party vendor, and the administrative interface needs to be accessed from the internet, the interface should be protected by additional security measures such as:
Inherent vulnerabilities threatening the organization’s computers and network devices can be reduced if they are configured to provide only the services required to fulfil their roles.
New equipment (hardware or software) is not secure when an organization first purchases it. It usually comes with an administrative account that has a predetermined default password, one or more unnecessary user accounts enabled, and pre-installed but unnecessary applications.
If left unconfigured (for example, without changing the default passwords), these platforms give attackers easy access (HM Government, 2014) to an organization’s assets.
Once the organization implements security controls on these devices, protection against attackers is increased and the inherent weaknesses are minimized.
The minimum requirement is to:
IT infrastructure supports an organization's daily operations, and its use increases the productivity and efficiency of the business. However, because the infrastructure creates and uses data as it operates, that data is at risk of interference from cybercriminals.
Even after security controls (Zanderigo, 2017) have been installed, the organization has to monitor the infrastructure continuously to ensure that it remains secure and does not expose vulnerabilities for cybercriminals to exploit.
Some organizations are obsessed with acquiring the best security controls on the market for their IT infrastructure. They are willing to spend the resources to obtain them and, once they do, are under the illusion that the mere presence of the controls makes them well protected.
Organizations fail to realize that the resources spent on acquiring new security tools, removing old tools, and installing the newly acquired tools could be better spent on fine-tuning the existing tools. A finely tuned defensive control is more effective at mitigating cyber security incidents than a newly added control, because the organization has assurance that the existing control is capable of performing its duties.
Adding new security controls (Rick, 2017) is necessary as dependency on technology increases. However, the existing controls should not be neglected. The current controls, together with the newly added ones, should be fine-tuned to their maximum efficiency to secure the IT infrastructure within the organization.
Blacklisting refers to an inventory of known malicious entities, such as unauthorized infrastructure, known malware, users, processes, and IP addresses, that should not be granted access to the organization’s systems because they pose a threat to the organization.
The information required to develop a blacklist (Finjan Team, 2017) can be gathered by surveying employees within the organization, from security intelligence, and from first-hand experience. However, a blacklist on its own is of limited benefit.
Security controls already exist for the threats identified in a blacklist; by the time a threat is listed, organizations know of it and have implemented the appropriate security controls. Against sophisticated or previously unknown cyber security attacks, a blacklist is useless to the organization.
Whitelisting is the complete opposite of blacklisting: the acceptable entities that are allowed access to the organization’s systems are identified instead. A whitelist is built on a ‘zero trust’ principle, where only authorized infrastructure is allowed access and anything else is denied.
The whitelist (Finjan Team, 2017) has to be updated regularly, to include newly introduced technologies and to remove obsolete or redundant infrastructure. Although it is significantly better at dealing with unknown cyber security threats, the effort and resources required are considerably greater, as security controls have to be implemented for every identified piece of infrastructure.
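As an added illustration that is not part of the original article, the following Python snippet evaluates a connecting network source under both models using constructed sample address ranges and a fixed, constructed review date: a source the blacklist has never seen is allowed through, the whitelist's default-deny stance blocks it, and a whitelist entry whose review date has lapsed is treated as obsolete infrastructure.

```python
import ipaddress
from datetime import date
from typing import Dict, Iterable, List

# Constructed sample policy (documentation address ranges, not real infrastructure).
BLACKLIST: List[str] = ["198.51.100.0/24"]  # known malicious range

# Whitelist entries carry a review date so obsolete infrastructure drops out
# unless someone deliberately renews it (the "updated regularly" requirement).
WHITELIST: Dict[str, date] = {
    "10.0.0.0/8": date(2030, 1, 1),   # internal network, recently reviewed
    "192.0.2.10": date(2020, 1, 1),   # decommissioned vendor host, review lapsed
}

# Constructed "today" so the decisions below are deterministic.
TODAY = date(2024, 1, 1)


def _matches(src: str, networks: Iterable[str]) -> bool:
    """True if the source address falls inside any of the given networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def blacklist_decision(src: str, blacklist: Iterable[str] = BLACKLIST) -> str:
    """Deny only known-bad sources; anything unknown is implicitly allowed."""
    return "deny" if _matches(src, blacklist) else "allow"


def whitelist_decision(src: str, whitelist: Dict[str, date] = WHITELIST,
                       today: date = TODAY) -> str:
    """Zero-trust stance: allow only current, authorized sources; deny the rest."""
    current = [net for net, review in whitelist.items() if review >= today]
    return "allow" if _matches(src, current) else "deny"


def compare(src: str) -> Dict[str, str]:
    """Evaluate one source under both models so the difference is visible."""
    return {"source": src,
            "blacklist": blacklist_decision(src),
            "whitelist": whitelist_decision(src)}


if __name__ == "__main__":
    # 10.1.2.3: authorized internal host; 198.51.100.7: known bad;
    # 203.0.113.5: never seen before; 192.0.2.10: stale whitelist entry.
    for s in ("10.1.2.3", "198.51.100.7", "203.0.113.5", "192.0.2.10"):
        print(compare(s))
```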
The trend of employees bringing their mobile devices to work has been growing. As employees enjoy the flexibility of working from their devices, the organization also enjoys the benefit of increased efficiency at lower equipment costs.
However, new security concerns arise (Continuum, 2017) as personal devices are connected to the corporate network. Organizations can introduce Mobile Device Management (MDM) to secure their employees’ devices.
As employees continue to use their own devices on the corporate network, vulnerabilities that are outside the IT department's visibility are exposed for cybercriminals to exploit. Hence, measures such as installing malware protection on employees’ laptops must be developed and executed to ensure that personal devices are protected from cyber security attacks.
The number of devices connected to the network is steadily increasing. However, these Internet of Things (IoT) devices are not built with software or security in mind; they are installed for their functionality, which creates attack vectors for cybercriminals to exploit.
Regardless of their purpose, these devices are connected to the organization’s network, which increases the complexity of securing it, as the devices (Raja, 2017) may hold employees’ applications or information.
Developing policies that segment access according to the purpose of each device, or placing devices on separate networks, is crucial for managing IoT connectivity effectively. Knowing who and which devices are connected to the network, and what activity each connection generates, are good practices that organizations can adopt.
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 7, Developing Mitigation and Response Strategies, Section 7.6 Infrastructure.
Note: This version is the draft 2nd Edition being updated in 2023. The number in square brackets [X-X] cross-refers to the corresponding chapter and section in the 1st Edition.