Areas that CISOs should be more wary of
Service providers, customers, central governance, SecOps, physical sites… in absolute terms, every point of entry into the IS (information system) is worth examining! In practice, however, the threat seems to hang over certain areas in particular.
Special attention to be paid to subsidiaries
Today, cybercriminals have clearly understood the advantage of not targeting businesses directly, but of going through intermediate attack surfaces (subcontractors, service providers, etc.). This risk seems to have been well identified, with ANSSI currently working on a set of requirements applicable to PAMS (secure administration and maintenance service providers). On the other hand, there seems to be less vigilance when it comes to subsidiaries, even though they are just as likely to cause knock-on damage. Often remote, they are seldom visited and therefore easily forgotten, a phenomenon that is exacerbated in organisations where acquisitions and divestments are frequent. What can be done when a subsidiary appears to be particularly exposed to threats, but has no resources in place to deal with them? In our view, the CISO has only two options once he has presented the situation to his top management, stressing the risk of a ‘stray bullet’ (an attack on the subsidiary spilling over into the parent company): ask for the technical links to be cut to contain any attack, or request sufficient resources to bring the subsidiary back up to a satisfactory level of security.
Business, project and application alerts
While managing cybersecurity through compliance is already an excellent basis for protecting the company, the method has its limits. The fact is, standards and reference frameworks do not cover everything, and in particular they do not cover what makes a company unique, i.e. its business lines and the way they operate. This blind spot can be a cause for concern, as the risks associated with Shadow IT are very often underestimated. In a tutorial on Cloud Discovery, Microsoft gives the following estimates.
- When an IT administrator imagines that there are 30 or 40 different applications used by employees, there are actually 1,000 within the organisation.
- Of all the applications used, 80% have not been examined and may not comply with the security policy.
These figures show that there is real value in looking not only at business lines, but also at the applications that support them. This is all the more true given that the consequences can be extremely serious, as illustrated by the ransomware attack suffered by Altran in January 2019. As CEO Dominique Cerutti explained, the attackers used a misconfigured web application with a default password as their entry point. This was followed by the blocking of all emails, telephone lines and communication tools.
Mapping, the first step in any cybersecurity strategy
Whatever the way in which the organisation to which they belong operates, CISOs can never be everywhere. Should this be a concern for the company’s security? Not necessarily, as long as they have an overview that enables them to allocate resources to the right place.
A framework for every CISO
According to the Forrester study commissioned by Tenable in August 2020 (The rise of security managers aligned with business objectives), CISOs are still sorely lacking in visibility of business assets. When it comes to applications, data, information technologies and cloud platforms, 70% consider that they have ‘high or complete visibility’. However, the rate drops to 60% for IoT and mobile devices, as well as for employees working on site. It then drops to just over 50% when it comes to remote employees, service providers and third-party partners. How can risks be understood globally under these conditions? The only solution is to map the risks throughout the organisation in order to get a macroscopic view. This is painstaking, even laborious work, but it is absolutely essential if nothing is to be forgotten and areas are not to be treated in silos. It is therefore up to each CISO to map out their entire ecosystem and build their own framework. This overview will then serve as a basis for reflection on a range of issues.
- What are the entry points into the information system?
- What needs are common to the different areas identified?
- What are the specific needs?
- What is shared with the outside world (file data, applications, etc.) and with what level of security?
A genuine strategic map
Because human and financial resources are limited, cybersecurity can only be based on a principle of protecting different areas to different levels. With an overall view, it becomes possible to identify the areas where the risk is greatest, either because it directly affects the company’s business or because it concerns its creative potential (R&D). In this way, mapping enables a meaningful cybersecurity strategy to be built: the CISO identifies where efforts need to be focused, but also where the risk can be considered acceptable. The exercise also has the merit of facilitating communication with management. Unsurprisingly, it is much easier to get their support (and budgets!) by proposing a clear presentation of the high-priority risks and the resources required to deal with them.