Implementing the five actions described in this article can help reduce your organization’s cyber risk and bolster its security defenses
Securing the information systems that keep
your organization running is an ongoing endeavor that needs to evolve over time
in response to trends in the threat landscape. As our IT systems grow in scale
and complexity, new cyber risks arise. At the same time, threat actors have
been growing in number, and their means, methods, and motivations are evolving.
I’ve identified five action items to reduce
your cyber-risk and fine-tune your cybersecurity program, based on the trends
identified by ESET security researchers in Cybersecurity Trends 2018:
· Review your ransomware response plan
· Check your power supply
· Map data for better security and compliance
· Update server protection
· Push IT security training wider and deeper
In addition, you can watch my short webinar for a closer look at 2018’s trends
and challenges—and how to respond to them.
1. Review your ransomware response plan
If you’ve read my colleague David Harley’s
chapter on ransomware in the Trends 2018 report, you will know this threat is
not likely to recede in 2018. Maliciously encrypting someone’s files so they
cannot use them is proving to be a popular attack. We anticipate a continued
growth of ransomware in three main categories: broad attacks, targeted attacks,
and destructive attacks. While attacks in the first two categories typically
involve a good faith offer to provide the victim with a key to unlock their
files in return for payment, attackers in the final category have no intention
of providing a key.
While a properly deployed and appropriately
managed endpoint protection product offers a strong defense against all three
forms of attack, there is always a chance that the bad guys will find a gap in
your defenses – like a forgotten server that IT never knew about, or an
employee who just won’t stop clicking in all the wrong places.
That is why every organization needs to have
a ransomware response plan in place. This plan tells everyone in the
organization what they need to do if there is a ransomware attack, from the
first sign of compromise to the technical escalation process, management
notifications, PR handling, and so on.
Your organization should already have some
sort of breach response plan in place (if not, then ESET researcher Lysa Myers
has some good advice on that, and you can download a very useful
50-page “Cyber Incident and Breach Readiness Guide” from the Online
Trust Alliance, an initiative within the non-profit Internet Society).
In fact, you may already have a section in
your response plan that addresses malware incidents; however, a ransomware
attack is sufficiently different to warrant its own section. This should be
reinforced with ransomware scenarios in your crisis response manual, scenarios
that you need to practice (with tabletop exercises, for example).
If you’re not convinced that a ransomware
attack is sufficiently different to warrant specialized response planning, try
answering these questions:
· Does your organization have a written policy prohibiting payment of IT-related ransoms and extortion demands without management approval?
· Is there a process in place for determining whether or not a ransom demand will be paid?
· Does the organization currently hold, or can it quickly acquire, crypto-currency such as Bitcoin for ransomware emergencies?
· Has your legal counsel advised you on the breach notification requirements that may, or may not, apply to data compromised by ransomware?
If there is one thing worse than being hit
with a ransomware attack, it is not being ready to respond to a ransomware
attack. Consider this your number one cybersecurity action item for 2018.
2. Check your power supply
The second action item concerns the supply of
electricity that makes all of this digital technology work. In the Cybersecurity Trends 2018 chapter that I wrote on critical
infrastructure, I was very mindful of the multiple malware-enabled power
outages in Ukraine. Those events provided proof that bad actors can abuse
connected industrial control systems to disrupt the power supply. I was also
thinking of the multiple power supply issues that have crippled air travel in
recent years at major hubs like London’s Heathrow and Atlanta’s
Hartsfield-Jackson International. Even though these incidents were not
hacking-induced, they show how disruptive and costly targeted attacks on the
power supply could be.
So what has this got to do with your
organization’s cybersecurity? The answer lies in your response to this
question: What steps has your organization taken to continue operating in the
event of a power outage? Do employees know what to do when the power goes out?
Is there an office-wide backup power generator? How quickly does it kick in?
While your organization may have the answers to these questions, do you know
where they are documented?
A lot of organizations use a data center for
data processing, app hosting, offsite backup, and so on. If you use a data
center, think about the last time you visually inspected their power
arrangements. Did they have a large bank of batteries to power everything until
the diesel generator spins up? And where is that generator located? Well above
flood level, I hope. Now might be a good time to check that your data center
has updated its risk assessment to account for weather extremes. When Hurricane
Sandy hit the East Coast in 2012, at least eight data centers were impacted.
Remember, availability is one of the three
pillars of cybersecurity (the other two being confidentiality and integrity).
If your systems don’t have power they are not going to provide availability.
3. Map data for better security and compliance
The third action item arises from changes in
the world of data privacy that were highlighted in the 2018 Trends chapter
penned by my ESET colleague, Tony Anscombe (see his related blog post here). Tony and I agree that new
privacy laws and lawsuits in 2018 will increase regulatory risk for many
organizations, and not just because of this thing called General Data Protection Regulation (GDPR).
Since we are just a few months away from
GDPR’s implementation deadline, I trust that every company in the world that
has an internet connection also has a basic understanding of what GDPR means
for its data privacy and security practices. (If you’re not sure, take our free
compliance check to get a detailed report customized to
your organization.)
But GDPR is not the only regulatory factor at
play. In the U.S., there are new state regulations in place, and very likely
more to come. If your organization operates in the State of New York then you
probably know about 23 NYCRR 500. This is a cybersecurity regulation with which
some covered entities are required to be in compliance
by March 1, 2018. In 2017, the policy wonks at CompTIA, the technology
industry association, spotted nearly 700 pieces of privacy/security legislation
at the state level. Many of these bills will not pass, but state laws can add
to the cost of security failures; for example, in 2017, we saw California levy
a multi-million dollar data breach fine. Not sure what affects you? Take a look at
ESET’s security technologies and compliance cheatsheet.
All this means that it is more important than
ever for your organization to know what data it is handling, along with why,
where, and how. In other words, you need to carry out what is variously called
a data inventory, a data audit, or data flow mapping. The idea is to make sure
that all the uses of data by the organization are documented, so that the data
can be appropriately protected and data privacy compliance requirements are
being met.
Fortunately, the International Association of
Privacy Professionals (IAPP) has written extensively about this process and
many of the articles – like this one – are freely available. While the information
is presented in terms of GDPR – Article 30 of which obliges organizations to
“maintain a record of processing activities under its responsibility” – the
strategy described can be broadly applied. There are data mapping tools
available, including one that is free to IAPP members. However, according to a 2016 survey, “66
percent of companies conduct data inventory and mapping informally with email
and spreadsheets.”
Whichever approach you take, I can guarantee
that a thorough data inventory and mapping project will uncover data of which
the organization was not appropriately aware. The classic case is a marketing
database that was created for a project that ended but was never properly
retired. Sadly, we have seen breach after breach where hackers found servers
“outside the fold” and weakly protected.
4. Update server protection
Your data “audit” should produce a catalogue
of all of the organization’s servers that are processing or storing vital data.
This provides input for the fourth action item: updating server protection. We
saw attacks on internet-accessible servers increase in 2017 and we expect this
trend to continue in 2018. Classic attacks include brute-forcing credentials
for Remote Desktop Protocol (RDP) access, then turning off endpoint protection
and encrypting the server contents for ransom.
In some cases, server attacks are almost too
easy, like typing “admin” for the user name and password (which worked against
an Equifax server in Argentina last year, an incident
overshadowed by the company’s larger 143 million record breach due to delayed
patching of a widely-reported server code vulnerability).
So, now is the time to check how well your
servers are protected against outsider attacks. Here are four key questions to
ask about each server:
1. Is access to this server protected by two-factor authentication?
2. Is this server running properly configured and appropriately managed endpoint protection (which would prevent unauthorized attempts to turn off protection)?
3. Is data on this server appropriately encrypted?
4. Is the server regularly backed up with archives stored off-site and off-line?
These days you need to be able to answer
“yes” to all four questions, with no exceptions. Why? Because those exceptions
are what criminal hackers look for when they want to: steal credentials for
resale, create spam or DDoS botnets for rent, steal IP and PII for resale,
ransom files, or pivot to infest the rest of your network.
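As an added example (not the article’s own tooling), the script below joins a constructed data-flow map from action item 3 to a constructed server inventory for action item 4: it lists every server that cannot answer “yes” to all four questions, treating an undocumented control as a “no”, and it surfaces any host named in the data map that is missing from the server inventory, the forgotten-server case. All server names, dataset names and field names are constructed.

```python
"""Cross-check a data-flow map against a server protection inventory.

Added example with constructed sample data; not the article's own code.
"""
from dataclasses import dataclass

# The four per-server questions from the article, as control keys.
REQUIRED_CONTROLS = ("two_factor", "endpoint_protection",
                     "encrypted_at_rest", "offline_backups")


@dataclass
class ServerRecord:
    name: str
    controls: dict  # control key -> True if the answer is "yes"


@dataclass
class ProcessingRecord:
    """One line of a data inventory / record of processing activities."""
    dataset: str
    purpose: str
    stored_on: str  # name of the server holding the data


# Constructed sample inventory: one well-protected server, one with gaps.
SERVERS = [
    ServerRecord("crm-db-01", {"two_factor": True, "endpoint_protection": True,
                               "encrypted_at_rest": True, "offline_backups": True}),
    ServerRecord("rdp-jump-02", {"two_factor": False, "endpoint_protection": True,
                                 "encrypted_at_rest": True}),  # backups undocumented
]
# Constructed sample data map; the second dataset lives on a host nobody inventoried.
DATA_MAP = [
    ProcessingRecord("customer_contacts", "billing", "crm-db-01"),
    ProcessingRecord("campaign_leads_2015", "marketing project (ended)", "mkt-legacy-07"),
]


def control_gaps(servers):
    """Return {server: [missing controls]} for servers not answering yes to all four."""
    gaps = {}
    for s in servers:
        missing = [c for c in REQUIRED_CONTROLS if not s.controls.get(c, False)]
        if missing:
            gaps[s.name] = missing
    return gaps


def unmanaged_hosts(data_map, servers):
    """Hosts that hold mapped data but are absent from the server inventory."""
    known = {s.name for s in servers}
    return sorted({r.stored_on for r in data_map if r.stored_on not in known})


def audit(servers, data_map):
    """Combine both checks into one report a practitioner can act on."""
    return {"control_gaps": control_gaps(servers),
            "unmanaged_hosts": unmanaged_hosts(data_map, servers)}
```

Feed `audit()` your real inventory exports and every non-empty entry in the result is an exception of the kind the article says attackers look for.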
5. Push security training wider and deeper
The fifth and final action item stems from
two 2018 trends that concern ESET researchers: continued growth of criminally
malicious hacking and something you might call socially-malicious hacking, like
efforts to disrupt elections and other pillars of civil society. Both of these
trends remind us that information security is a society-wide problem. Smart
organizations know that “security is everyone’s responsibility.” One clear
implication of this reality is that everyone in your organization needs
security awareness training.
There are many ways to implement a baseline
of security awareness training for everyone, but some organizations still
struggle to do this. For example, a recent study revealed that 70 percent of
employees in some industries “lack awareness to stop preventable cybersecurity
attacks”, and workers in some sectors are even less prepared to play their part:
“78% of Healthcare Workers Lack Data Privacy, Security
Preparedness.”
Statistics like that help explain why ESET
decided to provide free online cybersecurity awareness training. This training is offered
on demand, and allows organizations to document their employees’ progress to a
baseline of cybersecurity awareness, including how to identify and respond to
threats like malware, phishing, and social engineering.
This is one way to address the problem of
that employee who keeps clicking in all the wrong places, and almost 10,000
people have taken that training so far. However, your organization’s
cybersecurity training and awareness efforts need to go well beyond a baseline
for all employees.
Any sizable organization also needs training
that is tailored to the specific needs and policies of your company as well as
specific roles within the company. One of the most effective programs that I
have worked on operated at three levels: all-hands, management, and IT security
staff. A fresh set of timely training materials was produced each quarter
around a “hot” threat category and tailored to each of the three levels.
Programs like this can be executed in house or by contracting with one of the
well-established companies that specialize in this type of work.