A Layered Approach to Cybersecurity
an Eze Castle Integration eBook
Visit: www.eci.com | Call: US: +1 800 752 1382 | UK: +44 207 071 6802
A Layered Approach to Cybersecurity
• Tier 0: This is the ‘must-have’ list. There is no getting around these security measures.
• Tier 1: This tier incorporates a few enhanced features as well as a strong contingency of policies to support your cybersecurity program. Plus – and here’s the big one we keep talking about – employee security awareness training. Tier 1 is typically where most investment management firms fall today.
• Tier 2: This can be considered an “advanced” tier, with the incorporation of progressive tools such as intrusion detection/prevention systems and next-generation firewalls. But this is quickly becoming the norm for mid-to-large asset managers, particularly as a means to demonstrate preparedness to institutional investors.
When it comes to protecting your investment firm from serious cybersecurity threats, it's safe to say that less is definitely not more. In fact, it takes a pretty heavy arsenal of security measures to combat the ever-growing threats targeting your firm from both the inside and the outside.
But it may not be realistic for your firm to employ every cybersecurity technology/tool and develop and maintain a host of security policies - at least not from day one.
This eBook is designed to help you assess some of the cybersecurity protections that should be on your list. You’ll notice we’ve divided them by tiers, because, well, you’ll need to decide how much of your time, budget and resources are spent protecting your firm’s assets.
© Eze Castle Integration
Tier 0 (Basic)
We call this level Tier 0 in part because, well, there’s zero chance your firm will have long-term success in thwarting cyber risks if you don’t employ these basic security measures.
Perimeter & Network Security:
• Firewalls
• Anti-virus Software
• Software Patching/Patch Management
Access Control Measures:
• Secure Remote Access (e.g. via Citrix)
Policies & Procedures:
• Separation of Administrative Access/Principle of Least Privilege
• Acceptable Use Policy
Employee/User Behavior:
• Strong Non-default Password Enforcement
Perimeter & Network Security
At a minimum, your investment firm should install firewalls, anti-virus software and patch management software to protect your perimeter and stop low-level threats and spam from entering your network.
The firewall, as controlled by the network administrators managing IT for your firm, monitors and controls the incoming and outgoing traffic on your network.
Software patch management is best practice to prevent vulnerabilities from appearing within software applications. Particularly as zero-day threats grow in popularity, software patching should be part of your firm’s daily IT management.
Tier 0 Requirements:
• Firewalls
• Anti-virus Software
• Software Patching/Patch Management
Access Control Measures
We live in a technology-empowered world, and if your employees work outside of the office (on location, at home, etc.), you need to ensure they have effective – and SECURE – means to do so. Citrix is a great option for secure remote access and allows end users to log in to access applications on-the-go.
Virtual Private Networks (VPNs) also offer secure remote access, allowing employees to “remote desktop” into the office and run any and all applications that live on the work computer’s server.
Tier 0 Requirements:
• Secure Remote Access (e.g. via Citrix)
Policies & Procedures
The policy layer of cybersecurity is often overlooked, but provides a much-needed backbone for your firm’s cyber risk management program. If you employ no other policies from the start, your first policy to create should dictate the Acceptable Use of your employees with regard to network access, system logins, Internet usage, etc.
Your firm should also employ the “principle of least privilege”, meaning only those who need access to certain systems and data should have access to it.
Tier 0 Requirements:
• Separation of Administrative Access/Principle of Least Privilege
• Acceptable Use Policy
Employee/User Behavior
Your users themselves will round out your cybersecurity defense strategy (always remember: people, processes, technology), and the most basic way to control user security behavior is with strong password enforcement. Ensure your firm’s employees are prompted at least every 90 days to change their passwords and use strong combinations of upper and lowercase letters and special characters.
Consider also requiring specific parameters around password development and use, such as not allowing personal information (names, birthdates) within passwords and not allowing passwords to be reused within a certain time frame.
Tier 0 Requirements:
• Strong Non-default Password Enforcement
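A password-policy check built on the rules listed above (90-day change interval, upper and lowercase letters plus special characters, no names or birthdates, no recent reuse), as an added Python example and not code from the eBook or from Eze Castle Integration. The 12-character minimum and the one-year reuse window are assumptions, since the text states neither; the sample user and history are constructed.

```python
import hashlib, hmac, os, string
from datetime import date, datetime, timedelta

MIN_LENGTH = 12                     # assumed: the eBook names no minimum length
MAX_AGE = timedelta(days=90)        # the eBook's 90-day change interval
REUSE_WINDOW = timedelta(days=365)  # assumed value for "a certain time frame"

def _hash(password, salt):
    # Salted PBKDF2: the history stores no reusable plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def personal_tokens(first, last, birthdate):
    """Names and common birthdate spellings that must not appear in a password."""
    return {first.lower(), last.lower()} | {birthdate.strftime(f)
            for f in ("%Y", "%m%d%Y", "%d%m%Y", "%Y%m%d")}

def check_password(password, first, last, birthdate, history, now):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if any(len(t) >= 3 and t in password.lower()
           for t in personal_tokens(first, last, birthdate)):
        problems.append("contains personal information")
    for salt, digest, changed_at in history:  # entries: (salt, hash, changed_at)
        if now - changed_at < REUSE_WINDOW and hmac.compare_digest(_hash(password, salt), digest):
            problems.append("reused too recently")
            break
    return problems

def rotation_due(last_changed, now):
    return now - last_changed >= MAX_AGE

def demo():
    # Constructed sample user and password history, not real data.
    now = datetime(2017, 6, 1)
    user = ("Alice", "Smith", date(1985, 4, 12))
    salt = os.urandom(16)
    history = [(salt, _hash("OldPassw0rd!xy", salt), now - timedelta(days=100))]
    return {"weak": check_password("alicerocks", *user, history, now),
            "personal": check_password("Sm1th-Apr-1985-ok", *user, history, now),
            "reused": check_password("OldPassw0rd!xy", *user, history, now),
            "good": check_password("Correct-Horse-Battery", *user, history, now),
            "due": rotation_due(now - timedelta(days=100), now)}
```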
Tier 1 (Standard)
The good news is that many investment management firms today fall into the Tier 1 category, meaning they are doing more to address cybersecurity risks than just the basics. You’ll notice this tier features a strong contingency of policies that help firms prepare for and respond to cybersecurity and business-impact threats.
Additionally, Tier 1 does more to address network security and highlights the need for ongoing employee information security awareness.
Perimeter & Network Security:
• Enhanced Email Security
• Network Access Control
Access Control Measures:
• Mobile Device Security/Management
Policies & Procedures:
• WISP
• BCP
• Incident Response Policy
Employee/User Behavior:
• Regular/Annual Cybersecurity Training
Perimeter & Network Security
If you’re a Tier 1 firm, you’re expanding your network security beyond the standard firewalls and anti-virus software to include more comprehensive network access control. Plus, since email is oftentimes the gateway into a firm’s network (more on phishing later), enhanced email security features are a must to safeguard sensitive information.
Growing in popularity, these features often include targeted attack protection, attachment scanning and encryption.
Tier 1 Requirements:
• Enhanced Email Security
• Network Access Control
Tier 0 Requirements:
• Firewalls
• Anti-virus Software
• Software Patching/Patch Management
Access Control Measures
With our growing reliance on mobile devices for business, it’s become critical for firms to develop mobile device policies and employ mobile device management (MDM) solutions which allow administrators to provision, secure and support company-sanctioned smartphones and tablets.
Particularly if your firm is of the “bring your own device” (BYOD) kind, you need to ensure there are clear protocols and guidelines for employee access to company/client information.
Tier 1 Requirements:
• Mobile Device Security/Management
Tier 0 Requirements:
• Secure Remote Access (e.g. via Citrix)
Policies & Procedures
We mentioned this was a policy-heavy tier, but these IT security policies are truly the backbone to a solid and comprehensive cyber program.
The written information security policy (WISP) should break down what and where your firm’s confidential data is and who has access to it. Your Business Continuity Plan (BCP) outlines how your business will continue to operate in the event the firm is impacted by a cyber-threat.
And your Incident Response Policy will go into deeper detail on how to respond to cybersecurity issues, including what steps to take to remediate the situation and how/when to notify clients/third parties.
Tier 1 Requirements:
• Written Information Security Plan (WISP)
• Business Continuity Plan (BCP)
• Incident Response Policy
Tier 0 Requirements:
• Separation of Administrative Access/Principle of Least Privilege
• Acceptable Use Policy
Employee/User Behavior
Arguably the most important – and yet underrated – aspect of your firm’s cyber preparedness, training and educating your employees is critical to the success of your organization’s security efforts. Technology and systems can only do so much to address threats.
Your employees, however, can act as your first line of defense against cyber-attacks, but unfortunately, their efforts will only be effective if they are properly trained on both potential threats and the firm’s policies and procedures.
Tier 1 Requirements:
• Regular/Annual Cybersecurity Training
Tier 0 Requirements:
• Strong Non-default Password Enforcement
Tier 2 (Advanced)
If you’re thinking only the largest and most tech-savvy investment firms are in Tier 2 you’re only half-right. Yes, you’ll often find mid-to-large asset managers fall into this category, but many of these “advanced” protections are fast-becoming the norm for smaller firms hoping to demonstrate to institutional investors their commitment to cybersecurity. And through IT outsourcing, these firms are able to leverage managed service providers to add strategic value to their businesses – without having to manage these advanced technologies on their own.
*For EU firms, many of these protections will soon be mandated by the GDPR and will likely go into effect by early 2018.
Perimeter & Network Security:
• Next-Generation Firewalls
Access Control Measures:
• Multi-factor Authentication
Advanced Technologies:
• Intrusion Detection/Prevention
• Storage Encryption
• Data Loss Prevention
Employee/User Behavior:
• Phishing Simulation Exercises
Perimeter & Network Security
Tier 2 Requirements:
• Next-Generation Firewalls
Tier 1 Requirements:
• Enhanced Email Security
• Network Access Control
Tier 0 Requirements:
• Firewalls
• Anti-virus Software
• Software Patching/Patch Management
The latest and greatest network security technology you should employ? Next-generation firewalls. These take the benefits of traditional, port-based firewalls to the next level, and allow firms to filter network traffic by application and implement additional security protocols to keep harmful traffic at bay.
Some advantages to next-generation firewalls include:
• All-in-one functionality
• Greater visibility and control
• Simplified management
• Better security
• Lower total cost of ownership
Access Control Measures
Tier 2 Requirements:
• Multi-factor Authentication
Tier 1 Requirements:
• Mobile Device Security/Management
Tier 0 Requirements:
• Secure Remote Access (e.g. via Citrix)
One of the most effective ways a firm – and its users – can ensure security is through the use of multi-factor authentication, which requires users to verify their credentials in more than one form to ensure they are, in fact, who they say they are. This hot tech trend is growing in popularity, and many firms are now employing it for access to cloud services, for example.
There are three types of multi-factor authentication:
• Knowledge-based (e.g. security questions)
• Possession-based (e.g. cryptocard, authentication app on mobile device)
• Inherence-based (e.g. fingerprint, biometric scan)
Advanced Technologies
Tier 2 Requirements:
• Intrusion Detection/Prevention
• Storage Encryption (Data at Rest)
• Data Loss Prevention
Being the “advanced” tier, Tier 2 features some progressive systems and technologies that many of today’s investment management firms are starting to leverage. Intrusion detection and prevention systems can be costly, but add a convincing layer of security to an existing cybersecurity program, with the ability to monitor networks and prevent threats from penetrating them.
Additionally, the encryption of data at rest is becoming a top priority for security-focused firms, as well as data loss prevention – software that aims to prevent end users from sending sensitive information outside of a firm’s network.
Employee/User Behavior
Tier 2 Requirements:
• Phishing Simulation Exercises
If you consider your firm security-focused, then you probably also realize the critical role your employees play in securing your firm and safeguarding its information. To ensure employees realize their importance and act as well-informed users, many firms are conducting phishing simulation exercises to test and train users to identify potentially malicious email threats.
These managed phishing tools are relatively inexpensive in nature and often include in-the-moment security awareness training to reinforce many of the key concepts employees should be aware of.
Tier 1 Requirements:
• Regular/Annual Cybersecurity Training
Tier 0 Requirements:
• Strong Non-default Password Enforcement
About Eze Castle Integration
Eze Castle Integration is a leading provider of IT solutions, managed cloud services and cybersecurity to more than 650 alternative asset management firms around the globe. Our Managed Services portfolio includes:
Private Cloud Managed Platform: Managed Suite | Managed Infrastructure | Managed DR | Hosted Voice
Cybersecurity Solutions & Training: Managed Security Solutions | Active Threat Protection | Managed Phishing/Training | Cyber Consulting Services & Policy Development
Business Resiliency & Contingency Planning: Disaster Recovery | Business Continuity Planning | Backup & Recovery | Email & IM Archiving
Outsourced Technology Services: IT Support | Staff Augmentation | Global 24x7x365 Help Desk
Contact Us Today
Visit: www.eci.com | Call: US: +1 800 752 1382 | UK: +44 207 071 6802
Boston | Chicago | Dallas | Hong Kong | London | Los Angeles | Minneapolis | New York | San Francisco | Singapore | Stamford