When we talk about cyber security, we are talking about a series of specific and clearly delimited processes, which address the main problems that may arise at the level of an information system – starting from its structure and how it works.The following is a detailed description of what the implementation of the basic processes of cyber security involves – asset management, vulnerability management and log management.
Asset management is an inventory process, starting from the idea that you cannot protect something you do not know you have – basically, in order to effectively start securing the IT network, it is compulsory for us to first know what elements it contains. When we talk about assets, we refer to both the hardware and software components that make up the IT structure as a whole, but also to access accounts.
Hardware inventory – the record of each device, component part of the computer assembly, with relevant aspects such as what it represents, the virtual address (the IP), the physical address, the logistical data (to whom it belongs), the date of purchase, the expiration date of the warranty, etc. .
Software inventory – the configuration of the firmware running on each device, the existing version (a very important element as each version comes with a series of specific vulnerabilities), who has access to that device and why it has access (referring to us here to the role offered – user, administrator – which implies the ability to intervene or not with changes on the system).
Accounts inventory – practically answers to "Who has access to what and why?", constituting a record of all accounts in the respective company. The importance of this inventory is evident especially in the case of the personnel flow at the company level, with reference here to the created accounts and the access rights offered (provisioning) for the new employees and what happens to them when professional changes occur such as:
• change of function within the company – where we talk about the occurrence of possible changes in the level of access offered to various resources, different depending on the function / activity specific.
• ending the activity in the company.
In practice, there are many situations in which the accounts of the former employees remain active after the cessation of their activity within the company, at the network level, sometimes reaching even thousands of accounts. This lack of provisioning (withdrawal of access rights for users) leads to the loading of servers with direct impact on the functionality of the system as well as risks of unauthorized access.
Vulnerability management is aimed especially at the software area, in the context in which the pressure to bring software to market escapes certain security elements of the respective software. Vulnerability Management involves performing an internal scan of each asset running a software, to determine the exposed data and the level of vulnerability to cyber attacks.
There is also an external scan of assets, in order to determine the degree of visibility of the vulnerabilities and the potential to be exploited. In principle, one target (or more) is chosen and with a special software the respective target is scanned.
Each of the two operations is finalized with a technical report that must be understood and analyzed in order to apply remedial measures.
As any device and application leaves traces of activity, periodic logging is essential for companies to identify potential cyber attacks. In this process of searching for errors, anomalies or suspicious activities at the system level, logs become alarm signals. But taking into account the large amount of data generated by the systems, a daily manual monitoring is totally counter-productive and impossible to achieve.
It is precisely for this reason that the use of log collection and management software becomes fundamental. Log monitoring software uses specific rules to automate their review and highlights only those events that could pose problems or threats. This is often done using real-time reporting systems that alert you when something suspicious is detected.
Thus, log management solutions refer to the centralization of logs, offering the possibility:
• carrying out subsequent searches on certain activities, in case of security incidents;
• real-time monitoring.
The Cyber-In-a-Box solution, developed by certSIGN as a complement to cyber hygiene measures for small companies (networks of up to 100 devices), includes solutions addressing these three essential cyber security processes – Asset Management, Vulnerability Management and Log Management.
Find out more on this topic from certSIGN specialists at Radio Guerrilla!
(invited Dan Ionuţ Grigore, Cyber Security Director certSIGN)