Essential Security Frameworks You Need To Know About

What do you see when you look at these pictures? 

Is it a bat? A bird? A moth? Two humans? A four legged animal? A dog? A butterfly?

The interesting thing is, the human brain will interpret these “ambiguous designs” differently depending on your cultural background, geographical location, education, upbringing and even sometimes your mood.

These pictures are part of the “Rorschach Test” introduced in 1921 which can guesstimate what type of personality you are with some accuracy.

How about the following images? What pops into your mind? 

“Oh that’s a pretty good password hard to remember!” “That one is long enough!” “Oh yeah, I’ve known someone who has used that, it wasn’t me!”

Do you know what a possible hacker or Bot sees?…..Easy, easier and GONE!!!

Using basic brute force techniques, it won’t take long for those hashed password to be figured out. Changing them often helps, making them complex decreases vulnerability, but that is at the expense of the user. So what else can we do?

How about looking into some frameworks? EJ WISE a Cyber Security Lawyer shares key context on the Essential 8, Tina Phillips Senior Business Manager at Dicker Data shares insight into Zero Trust and Sonia Lasbleiz Security Presales Specialist at Dicker Data shares why you should consider SASE. 

The Essential 8

WHAT: A shorthand term to describe eight things an organisation or even an individual can do to reduce the risk and severity of a data breach or cybercrime. 
 
WHERE: The essential eight are produced by the Australian Government's Australian Cyber Security Centre (and there are also other places with great resources for individuals like the ATO). 
 
WHY: Data or information loss whether from a cyber crime, an accident or mistake, or a malicious event has a number of implications for a business (and for individuals) which range from insolvency and loss of reputation, litigation and prosecution to inconvenience, data unreliability and loss of earnings.
 
HOW: As clever as technology is, it doesn't necessarily come with safety features.  Cars didn't always have safety belts either!  Just as cars have had improved their safety features as time has gone by so have the safety features in technology and cyber systems we interact with. These more recent cyber safety features that are newer than the 'digital asset' tend to rely upon users/businesses to seek out and use the safety features (eg. your phone "updates" which need you take an action to install them, or it is up to the buyer to select their appropriate "privacy settings" on the device as the default factory settings may be very low or non-existent security). 
 
WHO: Your business, you, your family.  If you don't know if your organisation has this covered off ask the relevant people - depending on where you sit in an organisation you might start with the help desk employee or the CIO/COO/CISO or CEO. 
 
If you don't know if you have this covered off for your personal cyber resources ask yourself this: where is my data, do I back it up, how do I interact with the internet and who can reach me through my cyber footprint?

What is Zero Trust and why is it important? 

The key premise is don’t trust anybody and don’t trust anything trying to connect to your systems.

In 2019 the World Economic Forum rated data fraud or theft and cyber-attacks as the fourth and fifth most likely global risks in terms of likelihood¹. These risks have only been exacerbated now by the COVID-19 pandemic and is illustrated by cyber-enabled fraud and identity crime being one of the most common categories of incidents reported to the ACSC.
 
“There is no one technology that will enable zero trust”
Processes and your company mindset/culture need to be taken into consideration when taking the path to zero trust.  Businesses need to look internally and externally, review their processes, data access and systems to determine what is critical to their business and build a strategy based on their individual needs.
 
Whilst zero trust will require the implementation of several technologies, the first two steps to a zero-trust model that should be considered are;

1. Authenticating identity and implementing MFA to ensure all your users and devices are authenticated.
2. Determining access control; the right level of access to the right level of user which is assessed according to their role.  A method of enabling this is risk-based authentication which involves and grants access based on roles, policies, data, identities, location and device to ensure a user is “who they say they are”. 

As the threat and technology landscape continues to evolve, so too will your zero-trust model, this will require continued review and engagement by the broader business to stem the tide of cyber security threats.

What is SASE and why should I use it? 

SASE (pronounce “sassy”) is a security model defined by Gartner in 2019. It stems from the evolution of the way users consume the network: think about digital transformation with remote users and cloud applications and you get a pretty good idea of how the corporate network, from a confined perimeter, has become very scattered.

SASE can be described as an architecture that combines networking capabilities like SD-WAN with cloud-native security functions such as secure web gateway, CASB and zero-trust network access, all delivered as a service.

SASE is about convergence. It provides users with the same access experience regardless of what resource they need and where the resource is located. More specifically, according to Gartner, “SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.”

So why use SASE?

SASE introduces trust into the security of the modern enterprise network. It incorporates context regardless of the connection, user, device, or application. It brings flexibility and reduces complexity as policies can be delivered pervasively and consistently. It prescribes the delivery of unified threat and data protection capabilities, providing more visibility into your network and preventing unauthorized access and abuse of sensitive data. And because it is a cloud service, it can be scaled up and scaled down easily.

This is why Gartner predicts that “by 2024, at least 40% of enterprises will have explicit strategies to adopt SASE”.

So, what do you see now? 

Your Cyber Risk and security should not be ambiguous anymore. The attack surface is greater than ever. We use hybrid cloud, multiple devices, multiple network locations; we pass trust onto social media companies to perform our authentication,  transient trust mechanisms for CASB and other methods are all the fad.
 
This is why when it comes to your Cyber Risk and Security you can’t be ambiguous, you need a systematic approach and review. Frameworks like Zero Trust, the Essential 8 and SASE provide you an understanding, a maturity model that you can step through so you can start your journey to building a more secure business model.

¹ World Economic Forum 2019, The Global Risks Report 2019, available at https://www.weforum.org/reports/the-global-risks-report-2019