NZ Incident Response Bulletin – November 2023

Our Views:

Improving cybersecurity when you have limited resources

Threats to your technology such as information theft, phishing, ransomware, denial of service, website defacement, and even natural disasters are regularly impacting organisations of all sizes and maturity. Not even the largest and most well-equipped businesses are immune. There are well-known strategies that can be used to defend against all of these threats however they are not always undertaken, especially by smaller or less well-resourced organisations who may believe they require greater budgets or more skills before attempting to implement security controls.

We believe any action is better than none however and therefore we suggest following a new guide from the Centre for Internet Security (CIS). The guide lays out a simple step by step process that is designed to assist organisations who have small budgets and limited staff successfully progress towards implementing the essential security hygiene controls. The process consists of six phases that are designed to ensure you fully understand your IT environment and that you can confidently answer the following questions:

• What computers, phones, and other IT assets are being used in your office?
• Are you using unique, secure passwords and multi-factor authentication wherever possible?
• Are your computers set up with security in mind?
• Do you manage who has extra privileges on your network or access to sensitive information?
• Are your staff clear about their role in protecting your enterprise from cyber incidents?

Phase 1 – Identification and Inventory

This phase involves completing five worksheets that allow you to inventory exactly what you have in your organisation to protect. Understanding this is essential because if you are unclear of your assets, you may not protect them all. Each worksheet may take 2-4 hours to complete on first attempt, however updating these sheets moving forward is a much quicker task and you should aim to update these sheets regularly. As the completed worksheets will hold sensitive information about your priority assets it is important these are protected whether you choose to save them electronically or physically.

• Enterprise Asset Inventory Worksheet
• Create an Enterprise Asset Management Policy (CIS Enterprise Asset Management Policy Template).
• Complete the Enterprise Asset Inventory Worksheet (Enterprise Asset Inventory Worksheet).
• To see all devices connected to your network you can check your wireless router internet protocol (IP) address and device names.  If you have a larger network, consider investigating commercial or opensource network scanning tools.
• Software Asset Inventory Worksheet
• Create a Software Asset Management Policy (CIS Software Asset Management Policy Template).
• Complete the Software Asset Inventory Worksheet (Software Asset Inventory Worksheet).
• To help create an inventory of application running on your computers you can manually check the installed programs with the operating system and periodically check what applications are running on your devices using auditing tools.
• Data Inventory Worksheet.
• Create a Data Management (CIS Data Management Policy Template) and Audit Log Management Policy (CIS Audit Log Management Policy Template).
• Complete the Data Inventory Worksheet (CIS Data Inventory Worksheet).
• Examples of data you should identify includes Credit card, banking, other financial data, Personally Identifiable Information (PII), names, birthdates, addresses, medical data, usernames, passwords, customer lists, trade secrets, Intellectual Property.
• Ensure you are familiar with any regulatory requirements that you need to comply with.
• Service Provider Inventory Worksheet
• Create a Service Provider Management Policy (CIS Service Provider Management Policy Template).
• Complete the Service Provider Inventory Worksheet (Service Provider Inventory Worksheet).
• Add web services and cloud solutions to your inventory.
• Check with your team to identify any additional filesharing or online platforms they use.
• Account Inventory Worksheet
• Create an Account Management Policy (Account and Credential Management Policy Template).
• Complete the Account Inventory Worksheet (Account Inventory Worksheet).
• Check with your team to identify further websites and services they use for work and hold accounts for.

Phase 2 – Secure Configuration

The second phase of this process is securely configuring each of your devices and completing the asset protection worksheet for all assets on your inventory. To complete this you should:

• Define policies for secure configuration, malware defence and vulnerability management. (CIS Secure Configuration Management Policy Template), (CIS Malware Defense Policy Template), (CIS Vulnerability Management Policy Template).
• Complete an Asset Protection Worksheet for every device listed in your asset inventory. (Asset Protection Worksheet)
• Have a look at using CIS benchmarks for securing systems that process the most sensitive data.

Phase 3 – Account Security

This phase secures the accounts you have listed in your account inventory and involves:

• Ensuring you have an account management policy (Account and Credential Management Policy Template).
• Completing the Account Security Worksheet for each account listed in your inventory (Account Security Worksheet).
• Passwords should be unique, 14 characters or more and include at least 1 special character. MFA or 2FA should be enabled for all services where possible. Use admin accounts only for necessary admin activity. Educate your team on secure credentials.

Phase 4 – Backup and Recover

Phase 4 creates backups for all your sensitive data which is one of the best ways to protect your organisation and enable recovery after a cyber incident.

• Define a policy for data recovery (CIS Data Recovery Policy Template).
• Complete a Backup and Recovery Worksheet for ever asset in your organisation. (Backup and Recovery Worksheet)
• Don’t forget paper assets and ensure at least one backup destination is offline.
• Test your backups regularly.

Phase 5 – Incident Response

This phase prepares you with a plan to follow in the event of a cyber incident. To be prepared you should:

• Create a policy for incident response management. (CIS Incident Response Policy Template)
• Complete the Incident Response Worksheet. (Incident Response Worksheet)
• Practice and test your plan.

Phase 6 – Train your Team

Cyber Security is all about people! Strong cybersecurity awareness is key to remaining secure. This phase is completed by:

• Developing a policy for cybersecurity awareness training. (CIS Security Awareness Skills Training Policy Template)
• Complete the Cyber Education Worksheet. (Cyber Education Worksheet template)

Our key tips for making progress:
 
While we see the enormous value of creating organisational policies in defining your risk appetite and clearly articulating your goals and expectations to all team members, this step should not stall your progress. If the creation of approved policies is taking too long or stalled, then please continue through the process, and start completing the inventory worksheets in parallel.

Do not let the drive for perfection in any of these activities slow or prevent progress. Dedicating 10 minutes a day will see results. If you follow the steps, you will be in a more secure position.

Utilise the free tools, worksheets, and advice.

Ask for help. We are more than happy to help you progress in any of these activities should you need a bit more advice or just a resource to draft your positions.

If you wish to know more around implementing cyber governance and ensuring your cybersecurity investments are well planned and managed, please contact us. We look forward to assisting you achieve your cybersecurity goals and maximise your cybersecurity investment.

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.