Date:
22 May 2023
Author:
Salsa Digital Security Team

Defense in depth and the people layer

In the modern digital landscape, the human element plays a crucial role in ensuring comprehensive cybersecurity. The 7th whitepaper in our series, Layer 6 — People, delves into the challenges and opportunities associated with the human factor in maintaining a secure IT environment.

The human factor can often be a weak link in cybersecurity, with employees potentially introducing vulnerabilities through social engineering, poor security practices, or a lack of security awareness. However, by understanding and addressing these issues, organisations can significantly improve their overall security posture.

In this whitepaper, we discuss the various security risks and challenges associated with the human element, as well as the top 10 best practices and recommendations to mitigate those risks. Additionally, we look at the benefits and outcomes of implementing these strategies, and provide resources and further reading for a deeper understanding of this critical layer in the cybersecurity framework.

Security risks and challenges

There are 10 main security risks and challenges at the people layer:

  1. Social engineering attacks
  2. Poor password management
  3. Insider threats
  4. Lack of security awareness and training
  5. Remote work and BYOD risks
  6. Human error
  7. Unauthorised access and privilege abuse
  8. Physical security breaches
  9. Third-party vendor risks
  10. Compliance challenges

1. Social engineering attacks

Social engineering attacks, such as phishing, spear phishing and whaling, exploit human psychology to trick individuals into divulging sensitive information or performing actions that compromise security.

2. Poor password management

Weak and reused passwords, as well as inadequate password policies, can create vulnerabilities that expose sensitive data and systems to unauthorised access.

3. Insider threats

Malicious or negligent actions by employees, contractors and third-party vendors can lead to unauthorised access, data breaches and other security incidents.

4. Lack of security awareness and training

Employees who are not adequately trained in cybersecurity best practices can inadvertently introduce vulnerabilities through their unintentional actions, such as clicking on malicious links or downloading malware.

5. Remote work and BYOD risks

As more organisations embrace remote work and bring your own device (BYOD) policies, the potential for security risks increases due to factors such as unsecured Wi-Fi networks, outdated device software and poor device security practices.

6. Human error

Simple mistakes, such as misconfigured settings or accidental data leakage, can lead to significant security incidents and data breaches.

7. Unauthorised access and privilege abuse

Excessive user privileges and poor access control management can enable malicious insiders or external attackers to exploit sensitive systems and data.

8. Physical security breaches

Insufficient physical controls for secure areas, sensitive equipment or devices containing sensitive data can lead to unauthorised access, data breaches and other security incidents.

9. Third-party vendor risks

Inadequate security practices by your organisation’s suppliers or third-party vendors can further expose your organisation to serious security risks.

10. Compliance challenges

Non-compliance with industry regulations and data protection laws can result in legal penalties, financial losses and reputational damage, making it essential for organisations to maintain effective cybersecurity policies and practices.

Top 10 best practices and recommendations

Below we’ve put together our top 10 best practices/recommendations for securing the people layer:

  1. Establish a security awareness training program
  2. Implement robust password policies
  3. Develop an insider threat program
  4. Create a culture of security
  5. Secure remote work and BYOD environments
  6. Minimise human error
  7. Manage access and privilege controls
  8. Encourage safe social media use
  9. Perform regular security assessments
  10. Plan for incident response and business continuity

1. Establish a security awareness training program

A security awareness training program educates employees about cybersecurity best practices, helping them recognise and avoid potential threats.

Actionable steps:

  1. Assess the current level of employee security knowledge.
  2. Develop training materials and courses tailored to different roles and departments.
  3. Incorporate interactive elements, such as quizzes and role-playing scenarios, to engage employees.
  4. Schedule regular training sessions to keep employees up-to-date with the latest threats and best practices.
  5. Measure the effectiveness of the training program and adjust as needed.

2. Implement robust password policies

Strong password policies encourage the use of complex, unique passwords and reduce the risk of unauthorised access.

Actionable steps:

  1. Require passwords to be a minimum length and include a mix of character types (uppercase, lowercase, numbers and special characters).
  2. Implement two-factor or multi-factor authentication (2FA/MFA) for added security.
  3. Set up a password expiration policy, requiring users to change their passwords regularly.
  4. Encourage the use of password managers to securely store and generate strong and unique passwords.
  5. Provide training on creating strong passwords and the dangers of password reuse.

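The password rules in steps 1, 3 and 5 (minimum length and character mix, expiration, no reuse) can be enforced mechanically rather than left to the user. The following is an added example written for this page, not code from the whitepaper or from Salsa Digital; the thresholds (12 characters, 90 days, a history of 5) and the `Account` structure are assumptions chosen for illustration. It uses the standard library's scrypt only to compare a candidate against stored history; a real password store should use a vetted password-hashing library.

```python
from __future__ import annotations

import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Policy parameters (constructed for this example; tune to your own policy).
MIN_LENGTH = 12          # step 1: minimum length
MAX_AGE_DAYS = 90        # step 3: expiration policy
HISTORY_SIZE = 5         # step 5: block reuse of recent passwords
SPECIALS = set(string.punctuation)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted scrypt digest from the standard library, used here only to compare a
    candidate against stored history. A production system would store passwords with
    a vetted password-hashing library (argon2 or bcrypt) rather than hand-rolling."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)


@dataclass
class Account:
    """Assumed per-user record: a salt, the digests of recent passwords, and the
    date of the last change (None means the account has never had a password set)."""
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # digests, most recent last
    last_changed: Optional[date] = None


def policy_violations(password: str, account: Account) -> list:
    """Return every policy rule the candidate password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
    }
    missing = [name for name, ok in present.items() if not ok]
    if missing:
        problems.append("missing character types: " + ", ".join(missing))
    if account.username.lower() in password.lower():
        problems.append("contains the username")
    if hash_password(password, account.salt) in account.history:
        problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    return problems


def set_password(account: Account, password: str, today: date) -> list:
    """Apply the policy; on success record the digest and rotate the history window."""
    problems = policy_violations(password, account)
    if problems:
        return problems
    account.history.append(hash_password(password, account.salt))
    del account.history[:-HISTORY_SIZE]   # keep only the newest HISTORY_SIZE digests
    account.last_changed = today
    return []


def password_expired(account: Account, today: date) -> bool:
    """Step 3: a password older than MAX_AGE_DAYS (or never set) must be changed."""
    if account.last_changed is None:
        return True
    return today - account.last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    acct = Account("alice")
    print(set_password(acct, "alice123", date(2023, 5, 22)))                  # list of violations
    print(set_password(acct, "Correct-Horse-9-Battery", date(2023, 5, 22)))   # []
    print(password_expired(acct, date(2023, 9, 1)))                           # True
```

Returning the full list of violations rather than stopping at the first lets the feedback shown to the user match the training in step 6, and keeping only salted digests in the history means a compromised history file does not leak the old passwords themselves.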
3. Develop an insider threat program

An insider threat program helps organisations identify and mitigate risks posed by employees, contractors and third-party vendors.

Actionable steps:

  1. Perform background checks on employees and contractors with access to sensitive information.
  2. Establish clear policies and guidelines on acceptable use of company resources and data.
  3. Monitor user behaviour for suspicious activity and potential policy violations.
  4. Implement access controls to limit user access to the least amount of privileges necessary for their role.
  5. Regularly review and adjust user permissions as roles and responsibilities change.

4. Create a culture of security

A culture of security encourages employees to prioritise cybersecurity and report potential threats or incidents.

Actionable steps:

  1. Promote cybersecurity awareness from the top down, with executive buy-in and support.
  2. Encourage open communication and feedback on security issues and concerns.
  3. Recognise and reward employees who contribute to a secure work environment.
  4. Establish a clear reporting process for suspected security incidents.
  5. Regularly share security updates and news to keep employees informed.

5. Secure remote work and BYOD environments

To protect sensitive information in remote work and BYOD scenarios, organisations should implement security measures tailored to these environments.

Actionable steps:

  1. Create a comprehensive remote work and BYOD policy.
  2. Enforce the use of a virtual private network (VPN) when accessing company resources.
  3. Implement zero trust for mobility or mobile device management (MDM) solutions to manage and secure devices.
  4. Regularly update and patch all devices and software used for work.
  5. Provide training on secure remote work and BYOD practices, including connecting to secure Wi-Fi networks and recognising potential threats.

6. Minimise human error

To reduce the likelihood of human error causing security incidents, organisations should implement processes and tools to support employees in their work.

Actionable steps:

  1. Develop clear, easy-to-follow procedures for common tasks involving sensitive data or systems.
  2. Implement automated tools to assist in tasks, such as configuration management or data handling.
  3. Encourage a culture of collaboration, where employees can ask for help and support from colleagues or supervisors.
  4. Conduct regular audits to identify areas of potential human error and address them through training or process improvements.
  5. Implement incident response plans to quickly address and contain any security incidents resulting from human error.

7. Manage access and privilege controls

Proper access and privilege controls reduce the risk of unauthorised access or privilege abuse.

Actionable steps:

  1. Implement the principle of least privilege for all users.
  2. Use a role-based access control (RBAC) approach to assign appropriate permissions based on job roles.
  3. Regularly review and update user access rights as needed.
  4. Enforce strong authentication mechanisms, such as two-factor authentication (2FA) or multi-factor authentication (MFA) for all privileged access.
  5. Monitor user activity to detect and address unauthorised access attempts or suspicious behaviour.

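The five steps above fit together as one small access-control model: roles carry a minimal permission set, every request is denied unless a role grants it, privileged permissions additionally require a verified MFA step, access reviews are tracked against a deadline, and the activity log is compared with granted permissions to find grants that can be removed. The code below is an added example written for this page, not code from the whitepaper or from Salsa Digital; the role catalogue, the set of permissions treated as privileged, the 90-day review interval and the activity log are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Constructed role catalogue: each role grants only what that job needs (step 2).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "support":   {"ticket:read", "ticket:write", "customer:read"},
    "db-admin":  {"db:read", "db:admin"},
}

# Permissions treated as privileged: using them requires a verified MFA step (step 4).
PRIVILEGED: Set[str] = {"db:admin", "ci:run"}

REVIEW_INTERVAL = timedelta(days=90)   # step 3: how often access rights must be re-certified


@dataclass
class User:
    """Assumed user record: roles held and the date access was last reviewed."""
    name: str
    roles: Set[str]
    last_access_review: date


def effective_permissions(user: User) -> Set[str]:
    """Union of the permissions of every role the user holds; unknown roles grant nothing."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user: User, permission: str, mfa_verified: bool) -> Tuple[bool, str]:
    """Deny by default (step 1): a permission is allowed only if a role grants it, and a
    privileged permission additionally requires that MFA was verified for this session."""
    if permission not in effective_permissions(user):
        return False, "not granted by any role"
    if permission in PRIVILEGED and not mfa_verified:
        return False, "privileged permission requires MFA"
    return True, "allowed"


def overdue_reviews(users: Iterable[User], today: date) -> List[str]:
    """Step 3: users whose access rights have not been re-certified within REVIEW_INTERVAL."""
    return sorted(u.name for u in users if today - u.last_access_review > REVIEW_INTERVAL)


def unused_permissions(user: User, activity_log: Iterable[Tuple[str, str]]) -> Set[str]:
    """Step 5 feeding back into step 1: compare what a user may do with what the activity
    log shows they actually did, to surface grants that are candidates for removal."""
    used = {perm for who, perm in activity_log if who == user.name}
    return effective_permissions(user) - used


if __name__ == "__main__":
    dev = User("dana", {"developer"}, date(2023, 1, 10))
    print(authorize(dev, "repo:write", mfa_verified=False))   # (True, 'allowed')
    print(authorize(dev, "db:admin", mfa_verified=True))      # (False, 'not granted by any role')
    print(authorize(dev, "ci:run", mfa_verified=False))       # (False, 'privileged permission requires MFA')
    # Constructed activity log: (user, permission exercised)
    log = [("dana", "repo:read"), ("dana", "repo:write"), ("sam", "ticket:read")]
    print(unused_permissions(dev, log))                       # {'ci:run'}
    print(overdue_reviews([dev], date(2023, 5, 22)))          # ['dana']
```

Two design points are worth noting: `authorize` returns the reason for a denial so that the monitoring in step 5 can distinguish "asked for something never granted" (a possible privilege-abuse attempt) from "forgot MFA", and `unused_permissions` only ever proposes removals, leaving the decision to the review in step 3.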
8. Encourage safe social media use

Educating employees on safe social media use can help protect company and employee information from being exploited by cybercriminals.

Actionable steps:

  1. Develop a clear social media policy outlining acceptable use and behaviours.
  2. Train employees on the risks associated with oversharing information on social media platforms.
  3. Encourage employees to use privacy settings and strong, unique passwords for personal accounts.
  4. Monitor company social media accounts for potential threats and unauthorised access.
  5. Provide guidelines on how to safely represent the company and its interests on social media.

9. Perform regular security assessments

Regular security assessments can help organisations identify potential vulnerabilities and areas for improvement.

Actionable steps:

  1. Conduct regular vulnerability scans and penetration tests to identify potential weaknesses in systems and applications.
  2. Review security policies and procedures to ensure they are up-to-date and effective.
  3. Evaluate the effectiveness of employee training and awareness programs.
  4. Perform third-party risk assessments for vendors and partners.
  5. Address identified issues promptly and update security plans as needed.

10. Plan for incident response and business continuity

Proper planning for incident response and business continuity can help organisations minimise the impact of a security breach or other disruptive events.

Actionable steps:

  1. Develop an incident response plan that includes clear roles and responsibilities, communication protocols and processes for investigation and remediation.
  2. Create a business continuity plan outlining how critical operations will be maintained during and after an incident.
  3. Test and update the plans regularly to ensure their effectiveness and account for changes in the organisation.
  4. Train employees on their roles and responsibilities during an incident.
  5. Regularly back up critical data and store it in secure, offsite locations to enable timely recovery.

Benefits and outcomes

Implementing the top 10 best practices and recommendations for people security can lead to several benefits and positive outcomes for your organisation. These include:

  1. Enhanced security posture
  2. Increased employee awareness
  3. Compliance with industry standards and regulations
  4. Greater trust from customers and partners
  5. Reduced costs associated with security incidents
  6. Improved business continuity and resilience

1. Enhanced security posture

By implementing the top 10 best practices and recommendations, organisations can significantly improve their overall security posture. Proactively addressing security risks and challenges can reduce the likelihood of successful cyberattacks and minimise the damage if one occurs.

2. Increased employee awareness

These best practices and recommendations will empower a cybersecurity-aware culture among employees and ensure that everyone understands the importance of security and how their actions can impact the organisation. Well-informed employees are more likely to spot and report potential threats, reducing the risk of a breach.

3. Compliance with industry standards and regulations

Many industries have specific security standards and regulations that organisations must adhere to, such as the Australian Privacy Principles or the Australian Prudential Regulation Authority Standard CPS 234. Implementing these best practices and recommendations helps organisations meet these requirements and avoid potential fines and reputational damage.

4. Greater trust from customers and partners

Organisations with strong security practices in place tend to inspire greater trust from customers and business partners. This trust can lead to increased customer loyalty, stronger business relationships and a competitive advantage in the market.

5. Reduced costs associated with security incidents

By proactively addressing security risks and challenges, organisations can minimise the likelihood and severity of security incidents. This can ultimately reduce the costs associated with incident response, remediation and potential reputational damage.

6. Improved business continuity and resilience

Through well-understood incident response and business continuity plans and processes, organisations can minimise the impact of security incidents on their operations. This ensures that critical business functions can continue with minimal disruption, reducing the potential for lost revenue and damage to the organisation's reputation.

Conclusion

The human element plays a crucial role in an organisation's overall cybersecurity posture. Addressing the security risks and challenges associated with people is essential for ensuring that security measures are comprehensive and effective.

By implementing the top 10 best practices and recommendations discussed in this whitepaper, organisations can create a strong security culture that actively involves employees in the protection of sensitive data and critical systems.

It’s essential to recognise that cybersecurity is an ongoing process, requiring regular updates to security policies and processes, continuous employee training and staying informed about the latest threats and vulnerabilities. Organisations must remain vigilant and proactive in their efforts to protect their digital assets.

Finally, it’s important to remember that addressing security risks and challenges related to people is just one aspect of a robust cybersecurity strategy. Organisations should adopt a holistic approach to security, considering all layers of defense, from infrastructure and hosting to applications, edge protection, content delivery and, of course, people.

National Institute of Standards and Technology (NIST) Cybersecurity Framework and the people layer

NIST is a US-based agency that provides measurement solutions and promotes standards such as the NIST Cybersecurity Framework (NIST CSF). NIST CSF is recognised globally as one of the leading standards for organisational cybersecurity management.

The NIST CSF can be applied to the people layer to help promote a strong cybersecurity culture, enhance security awareness, and improve the overall cybersecurity posture. People are a critical component of cybersecurity because their actions and behaviours can either contribute to or mitigate cybersecurity risks. Here are some of the NIST CSF activities that can apply to this layer:

Identify:

  1. Roles and responsibilities: Clearly define and communicate the roles and responsibilities of individuals within the organisation regarding cybersecurity.
  2. Training needs: Identify the cybersecurity training and awareness needs of individuals based on their roles and responsibilities. Determine the level of awareness and knowledge required for each group.

Protect:

  1. Security training: Provide cybersecurity training and awareness programs to educate individuals about security best practices, policies and procedures.
  2. Access control: Ensure that individuals have appropriate access permissions based on their roles and responsibilities.
  3. User authentication and authorisation: Implement user authentication and authorisation mechanisms to ensure that individuals can access only the resources and data necessary for their job functions.

Detect:

  1. User activity monitoring: Implement monitoring and logging of user activities to detect and investigate suspicious or unauthorised actions.
  2. Reporting: Encourage individuals to report security incidents, suspicious activities or potential vulnerabilities promptly.

Respond:

  1. Incident reporting: Establish clear incident reporting procedures and ensure that individuals know how to report security incidents or concerns.
  2. Incident response training: Provide training to individuals involved in incident response to ensure they’re prepared to respond effectively to cybersecurity incidents.

Recover:

  1. Awareness of recovery procedures: Ensure that individuals are aware of and understand the organisation's business continuity and disaster recovery plans.
  2. Training for business continuity: Train individuals on their roles and responsibilities during and after a cybersecurity incident to facilitate a smooth recovery process.


Resources and further reading

Articles and whitepapers

The human factor: the hidden problem of cybersecurity

Books

People-Centric Security: Transforming Your Enterprise Security Culture by Lance Hayden

Online training and certifications

SANS Institute Security Awareness Training

Infosec Institute Security Awareness Training

Organisations and initiatives

National Cybersecurity Alliance (NCSA)

Center for Internet Security (CIS)

European Union Agency for Cybersecurity (ENISA)

Government resources

NIST SP 800-50: Building an Information Technology Security Awareness and Training Program

NIST Cybersecurity Framework

These resources provide valuable insights, guidelines and best practices for addressing the human aspect of cybersecurity. Reading these materials and participating in relevant training can help organisations improve their security posture by focusing on the critical role people play in protecting sensitive data and systems.