This article originally appeared on HelpNetSecurity.com
In 2018, the average cost of a data breach is more than $3.75 million, and experts expect this number to rise in the coming years. This staggering—and potentially catastrophic—cost per incident is why implementing proper security practices is so important, so it is vital that enterprises both large and small understand how to secure their IT environments successfully.
So, what should you be measuring when it comes to your security program? As the old saying goes: If you can’t measure it, you can’t manage it. Here are four Key Performance Indicators (KPIs) that can help enterprises navigate the murky waters of cybersecurity and reduce anxiety surrounding the possibility of cyber attacks.
1. Assuring account validity
What level of confidence does an organization have that users authenticating to systems are who they claim to be? Many critical systems are heavily reliant on two-factor authentication for additional security. It’s important to note that two-factor authentication only protects the “log on local” authentication mechanism within Windows. These are attempts to log in from the Windows console or over the RDP protocol. By authenticating via Server Message Block (SMB) using a tool like PsExec to a remote server, hackers can execute a “Pass-the-Hash” attack and completely bypass two-factor authentication. Furthermore, the “Golden Ticket” attack has been problematic because it exploits a design flaw in Kerberos, one of the primary protocols used in Active Directory. An attacker with a password hash, domain SID, domain admin username and domain name can generate a “Golden Ticket,” which allows them to impersonate anyone in the domain.
So, what can be done to protect a domain? First, cached credentials need to be disabled. By using Active Directory Group Policy, you can disallow the storage of password hashes. However, this is not possible for mobile systems. In this case, a user needs to navigate to the security settings and set the number of previous logons to cache to “1.” Both these methods are free and are incredibly helpful in protecting an IT environment. With that said, Kerberos is still a problem.
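The cached-logon setting described above can be audited on each endpoint rather than assumed from the GPO. The following PowerShell is an added example, not code from the original article: it reads the CachedLogonsCount value under the Winlogon key, which is the registry location behind the Group Policy setting “Interactive logon: Number of previous logons to cache (in case domain controller is not available)”, and compares it with a threshold. The threshold parameter ($MaxAllowed), the function names and the commented remediation line are assumptions for this example.

```powershell
# Added example (not from the article): audit the cached-logon count on the local machine.
# The registry value backs the GPO setting "Interactive logon: Number of previous logons
# to cache (in case domain controller is not available)". It is stored as a string.

function Get-CachedLogonsCount {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows falls back to its built-in default of 10 cached logons
        return 10
    }
    return [int]$item.CachedLogonsCount
}

function Test-CachedLogonsPolicy {
    param(
        [Parameter(Mandatory)][int]$Observed,
        # Assumed policy threshold: 0 for fixed desktops (caching disabled),
        # 1 for laptops that must still log on while off the corporate network
        [int]$MaxAllowed = 1
    )
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Observed     = $Observed
        MaxAllowed   = $MaxAllowed
        Compliant    = ($Observed -le $MaxAllowed)
    }
}

# Report for this machine; a laptop is allowed one cached logon, a desktop none.
$result = Test-CachedLogonsPolicy -Observed (Get-CachedLogonsCount) -MaxAllowed 1
$result | Format-List

# Remediation (administrator rights required). Prefer pushing the value through the
# domain GPO so it cannot drift; the local write below is for an emergency fix only.
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'CachedLogonsCount' -Value '1'
```

Running Test-CachedLogonsPolicy across a fleet (for example through Invoke-Command) turns the first KPI into a measurable number: the percentage of endpoints whose observed cached-logon count is at or below the value the policy allows.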
2. Achieving confidence in system control
One practice that is key to this KPI is patching, so be sure to document patch cycles. However, some assets like industrial control systems, stamping presses or systems for other industrial uses may not be able to be patched. Often, the manufacturer of the equipment will not support an updated operating system. When patching is not an option, the next best step is to use application whitelisting on the asset, which ensures that it will function as a fixed-purpose device.
That being said, patching in and of itself is not a silver bullet: There are still many assets in which neither of these options is feasible. If that is the case, the only option is isolation—and isolating an asset in its own network segment, in many cases, is the only way to enhance security.
3. Minimizing and monitoring lateral movement
Minimizing lateral movement means designing the network in such a way that attackers cannot jump from system to system. Users that move across networks provide an opportunity for security professionals to discover and closely monitor their actions. Because attacks often come from the user LAN, the majority of attacks will be on a domain’s user base. Malicious activity in the LAN can be easy to spot, as long as users are well-versed in the company’s policy. For example, the company can mandate via policy that there is no file sharing between workstations. This eliminates the need for workstation-to-workstation communication. If security engineers see movement from one workstation to the next, they know immediately it’s a policy violation at the very least and a malicious actor in a more serious case. Once all users are aware of the company’s policies, it is much easier to implement fine-grained monitoring processes.
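The monitoring rule above (any workstation-to-workstation connection is at least a policy violation) can be turned into detection logic over firewall or flow logs. The PowerShell below is an added example, not code from the original article. It assumes a constructed log format of “timestamp source destination destination-port protocol action”, an assumed workstation subnet of 10.20.0.0/16, and a constructed set of sample lines; the function names and the list of ports treated as high severity (SMB, NetBIOS, RDP, WinRM) are also this example’s choices, not the article’s.

```powershell
# Added example (not from the article): flag connections whose source AND destination both
# sit inside the workstation subnet. Under the article's policy such traffic should never
# occur, so every hit is at least a policy violation. Log lines and subnet are constructed.

function ConvertTo-IpUInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    # GetAddressBytes returns network byte order; BitConverter expects host order
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInSubnet ([string]$Ip, [string]$Cidr) {
    $network, $prefix = $Cidr.Split('/')
    # Build the netmask in 64-bit arithmetic so a /0 or /32 does not overflow
    $mask = [uint32](([long][uint32]::MaxValue -shl (32 - [int]$prefix)) -band [long][uint32]::MaxValue)
    return (((ConvertTo-IpUInt32 $Ip) -band $mask) -eq ((ConvertTo-IpUInt32 $network) -band $mask))
}

function Find-WorkstationToWorkstation {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string]$WorkstationSubnet = '10.20.0.0/16',           # assumed user-LAN range
        [int[]]$WatchedPorts = @(445, 139, 3389, 5985, 5986)   # SMB, NetBIOS, RDP, WinRM
    )
    foreach ($line in $LogLines) {
        # Constructed format: <timestamp> <src-ip> <dst-ip> <dst-port> <proto> <action>
        $f = $line -split '\s+'
        if ($f.Count -lt 6) { continue }
        $src  = $f[1]
        $dst  = $f[2]
        $port = [int]$f[3]
        if ((Test-IpInSubnet $src $WorkstationSubnet) -and (Test-IpInSubnet $dst $WorkstationSubnet)) {
            $severity = if ($WatchedPorts -contains $port) { 'HIGH (admin or file-sharing port)' } else { 'MEDIUM (policy violation)' }
            [pscustomobject]@{
                Time     = $f[0]
                Source   = $src
                Dest     = $dst
                Port     = $port
                Severity = $severity
            }
        }
    }
}

# Constructed sample log: one server flow, three workstation-to-workstation flows, one reply flow
$sampleLog = @(
    '2024-05-01T08:01:12Z 10.20.3.15 10.50.0.10 445 TCP ALLOW',    # workstation -> file server: expected
    '2024-05-01T08:02:40Z 10.20.3.15 10.20.7.22 445 TCP ALLOW',    # workstation -> workstation SMB: flag
    '2024-05-01T08:03:05Z 10.20.7.22 10.20.9.4 3389 TCP ALLOW',    # workstation -> workstation RDP: flag
    '2024-05-01T08:04:51Z 10.20.9.4 10.20.9.5 8080 TCP ALLOW',     # workstation -> workstation, other port: still a violation
    '2024-05-01T08:05:00Z 10.50.0.10 10.20.3.15 49152 TCP ALLOW'   # server -> workstation: expected
)

Find-WorkstationToWorkstation -LogLines $sampleLog | Format-Table -AutoSize
```

On the sample input the function returns the three middle lines, two marked HIGH and one MEDIUM. The same logic gives the KPI its measurement: the count of workstation-to-workstation flows per day should trend towards zero once the policy and the segmentation that enforces it are in place, and any non-zero value is a concrete item for the security team to investigate.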
4. Monitoring data for anomalous access
Famous investor Mark Cuban once said, “Data is the new gold.” That’s why it is imperative to understand that good security does not protect useless data—and why an organization must understand what data is contained within its network, which data is the most sensitive, where it lives and who should be able to access it. This is especially critical to successful compliance with the GDPR.
Enterprises spend an exceptional amount of time and money to keep their data secure, but the outcomes are often less than exceptional. By focusing on these four KPIs, organizations can take several proactive measures of effectiveness in securing their IT environments.