The increasing numbers of privacy regulations (GDPR, CCPA, etc.) have raised the bar for organizations that collect, process, and store user’s personal information. With the new wider classifications of personal information and the increased penalties for non-compliance or a breach, implementing good data security is a priority.
Accomplishing this requires an understanding of the cybersecurity industry. Knowledge of the basic terminology used by practitioners when describing potential attack vectors and of the resources available to tell non-practitioners which tools that they need (antivirus, WAF, etc.) and the steps they should take to properly secure their systems.
Exploits, Threats, and Vulnerabilities
Cybersecurity has a lot of different vocabulary, and it’s important to understand the specific meanings of certain words in order to understand the cyber news or have a discussion about your organization’s current cybersecurity posture. Bugs, vulnerabilities, threats, and exploits are at the core of cybersecurity.
A bug or flaw is anything that could be wrong with your organization’s software or hardware. (They’re called bugs because the original computers often had issues with insects crawling in and dying, which messed them up). Bugs can have a variety of different levels of importance. Some bugs may not even be noticeable since they don’t create a significant impact on operations. Others may jeopardize the security of your organization.
If a bug can be used to negatively impact your organization’s cybersecurity, then it’s a vulnerability. This can include flaws in services that are potentially accessible to hackers (web servers, email, employees, etc.) or flaws in your security appliances that cause some form of bad traffic to be overlooked or ignored. Most of cybersecurity is focused on identifying and fixing these vulnerabilities before a hacker does.
Anyone or anything who turns a vulnerability into an attack that can harm your organization is a threat. While most people and organizations consider their threats to be external hackers, insider threats exist too. These can include disgruntled employees who are out to hurt the company or a clueless insider who accidentally leaks sensitive information.
Finally, an exploit is something designed to take advantage of a vulnerability in order to advance a threat’s agenda. For example, the knowledge that your company website has a vulnerability isn’t enough for a hacker. They need to develop code that would exploit that vulnerability and enable them to move on to the next stage of their attack. This code is the exploit.
When dealing with potential threats to your organization, deterrence and prevention are always the best option. The reason that many people have a Beware of Dog sign isn’t because they’re concerned about the physical and emotional wellbeing of potential robbers who may be attacked by said dog. Their goal is to convince robbers not to attack in the first place since it’s much cheaper to buy a cheap sign and stick it in their front yard than to replace broken windows and anything that the burglars stole.
If deterrence doesn’t work, the next best thing is to ensure that the doors and windows are locked securely. From a cybersecurity perspective, this includes finding vulnerabilities before the hackers do and closing them off. Automated vulnerability scanners and other tools are great for finding, but it’s better not to have vulnerabilities in the first place, right?
Many regulations also require that an organization implement “adequate” security controls for sensitive data but are a bit less specific on what exactly should be done and how. Luckily, there are some organizations out there who have taken it upon themselves to help the average person improve their organization’s cybersecurity.
CIS Security Controls
The Center for Internet Security (CIS) does exactly what its name suggests: working to improve the security of the Internet. When the Internet was first designed, security wasn’t a priority (making it work was), so many security controls need to be tacked on afterward to protect users.
The CIS publishes a list of core security controls that are well-regarded in the cybersecurity community. The list of twenty controls is organized into three groups: Basic, Foundational, and Organizational CIS controls. These controls are a great starting point when trying to implement good cybersecurity throughout your organization.
The Defense Information Systems Agency (DISA) is a component of the United States Military devoted to protecting military information systems (i.e. computers, phones, networking equipment, etc.) from being hacked (because that could be bad for business).
The military in general, and DISA in particular, are huge fans of being prepared for any possible situation. As a result, DISA has taken it upon itself to create Security Technical Implementation Guides (STIGs), or how-to guides on securing various devices, for 423 different information systems. Since these guides are 1) manuals, 2) government documents, and 3) about cybersecurity, they’re not exactly pleasure reading, but they’re a great resource for securing your organization. Access to the documents is not limited to the US military and the guides are freely available on the DISA website.
Securing Your Systems
Securing sensitive data is a priority for any organization, but knowing what to do can be complicated. Luckily, there has been some standardization of vocabulary across the industry (i.e. bugs, vulnerabilities, threats, and exploits) and standards have been developed to help the layman know what they need to do in order to meet or exceed requirements and keep their organization and customers safe from potential threats.