
Practical Steps to Reducing Cyber Risk
Cyberattacks are hard to contain and can quickly impact any organisation — whether a target or not.
Reminding us of this fact, recent tensions in Ukraine and a series of cyberattacks that crippled Ukrainian government websites last month led to warnings from US and UK cyber security bodies.
Back in 2017, in what WIRED magazine called “the most devastating cyberattack in history,” malware called NotPetya — later attributed to Russia — compromised a tax application in everyday use by businesses in Ukraine. Organisations suffered worldwide as the malware spread. Companies such as global shipping giant Maersk either lost their shirts or came close to doing so.
However, even against advanced threats, there are simple controls that every organisation should put into operation to protect itself and to ensure it can recover if its network is compromised.
Implementing the following basic but essential steps will dramatically reduce your risk — not only from geopolitical cyber threats but criminal activity, hacktivists, and internal staff errors.
1. Patch all your systems regularly
This does not just mean Microsoft Windows — it means your website, databases, and infrastructure hardware such as firewalls and routers, as well as Linux servers, mobile devices, CCTV systems and IoT devices. Consider that if a patch is released, the vulnerability may have existed for some time already and may have been exploited. If you then take 30 days to test and deploy a patch, that’s a long time during which the vulnerability could be used against you. Rather than investing time into prioritising patches, I recommend focusing on building a simple, repeatable process for rapid testing and deployment. Have an emergency patching process for critical vulnerabilities with known exploits; otherwise, aim to patch everything as quickly as you reasonably can. Cyber Essentials recommends within 14 days of release.
A warning: If you are not patching a system because it’s at the end of life, that’s not OK. It’s like driving a car without insurance or servicing — that accident will happen, and when it does, the impact will be worse. Good organisations practice renewal and manage the lifecycle of their systems, so they are replaced before they are obsolete. If you have obsolete software or hardware that can’t be patched, that’s a situation capable companies should never find themselves in. Isolate the offending system on your network and ask your IT Director some tough questions. For an externally facing out-of-support system, you may have to take it offline entirely. If so, it’s a price worth paying. If you have to pay for extended licensing agreements for old systems, this is an early warning sign that your IT lifecycle management practices are inadequate and need review.
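The patching policy in this section (emergency handling for critical vulnerabilities with known exploits, everything else within the 14 days Cyber Essentials recommends, and isolation or removal for out-of-support systems) can be written down as a small triage routine. This is an added example, not code from the original post; the 2-day emergency window and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Patch windows: 14 days is the Cyber Essentials recommendation quoted in
# the post; the 2-day emergency window is an assumption for this example.
ROUTINE_WINDOW = timedelta(days=14)
EMERGENCY_WINDOW = timedelta(days=2)


@dataclass
class PatchItem:
    system: str
    released: date                   # date the vendor published the fix
    applied: Optional[date] = None   # date the fix was deployed, if at all
    known_exploit: bool = False      # critical vulnerability with a known exploit
    end_of_life: bool = False        # vendor no longer ships fixes
    external_facing: bool = False    # reachable from the internet


def triage(item: PatchItem, today: date) -> str:
    """Return the action an inventory item needs as of `today`."""
    if item.end_of_life:
        # No fix is coming: isolate on the network, or take an
        # externally facing out-of-support system offline entirely.
        return "take offline" if item.external_facing else "isolate"
    if item.applied is not None:
        return "patched"
    window = EMERGENCY_WINDOW if item.known_exploit else ROUTINE_WINDOW
    deadline = item.released + window
    if today > deadline:
        return "overdue (%d days past deadline)" % (today - deadline).days
    return "due by %s" % deadline.isoformat()


def report(inventory: List[PatchItem], today_iso: str) -> dict:
    """Map each system name to its triage action for the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {item.system: triage(item, today) for item in inventory}


# Constructed sample inventory for demonstration only.
SAMPLE = [
    PatchItem("web-firewall", date(2022, 2, 1), known_exploit=True),
    PatchItem("hr-database", date(2022, 2, 10)),
    PatchItem("cctv-nvr", date(2021, 6, 1), end_of_life=True),
    PatchItem("legacy-portal", date(2021, 6, 1), end_of_life=True, external_facing=True),
    PatchItem("laptop-fleet", date(2022, 2, 12), applied=date(2022, 2, 14)),
]

if __name__ == "__main__":
    for system, action in report(SAMPLE, "2022-02-20").items():
        print(f"{system:15} {action}")
```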
2. Implement multi-factor authentication (MFA)
Multi-factor authentication is where you have at least two of something you know (such as a password), something you are (biometrics, such as a fingerprint), or something you have (such as a code from a mobile phone app). This is more secure than a password because even when a password is compromised or guessed, it cannot be used on its own. Passwords by themselves are highly ineffective, and regardless of the system, a password should not be considered adequate on its own. Many password complexity rules make life easier for an attacker and harder for the user, making systems less secure rather than more secure. MFA should be used for network, device and app access, as well as for personal services and accounts. Don’t introduce apps or services into your environment or workforce that do not use MFA. Not all MFA is the same, and some techniques are better than others, but all are much better than a password by itself.
Do remember that having a password and a PIN code or separate memorable word is not multi-factor. Requiring two things you know does not make you more secure; it simply worsens the user experience. Don’t do it.
3. Control Privileged Access
In addition to the customer- and employee-facing systems you operate, such as websites and email, you will have a lot of hidden infrastructure working hard for you: the directories, databases, file systems and routers that enable your IT to work. Whether this runs on-premises or in the cloud, someone has to configure, manage and maintain these systems. If an attacker gets access to the accounts used to manage them, it can be game over — they have access to everything on your network. Admin accounts should be very carefully controlled, with rigorous use of MFA, careful access management, and a record of when an account is checked out for use, why, and by whom. IT staff should not use privileged accounts for email or web browsing, only for the tasks that really need them. Solutions range from costly enterprise apps to the functionality built into cloud platforms to free key safes.
4. Manage your attack surface
Most opportunistic attacks will start with a scan of your perimeter. This is everything someone without special access can see. There’s a lot you can do to minimise this and make sure it looks boring to an attacker. If it seems high risk and low reward, an opportunistic attacker will go elsewhere, and a targeted attacker will find it harder to get in. In addition to network firewalls that sit between your network and the internet, run application firewalls that sit between your application and the internet. Ensure your systems are built to a consistent standard and hardened using a reference such as the CIS Security Benchmarks. Turn off ports and services you don’t need and only have systems face externally if they need to.
5. Maintain Segregated Backups
How long would you survive without your data? Even if most of your activities are offline, how could you take payments, pay staff, produce the accounts, buy supplies, file returns, and generally operate your organisation? For most, it’s not long. If data is available but corrupted, recovery is often even more difficult. Nothing will guarantee all attacks fail, so assume that one will succeed and ensure you still have your data. This includes your business data, but also technical data on the configuration of your systems and network, so you can rebuild it if you need to.
Make sure your data is stored somewhere segregated from your primary network. This could be offline, such as a dedicated computer, storage array or USB stick. It could also be an online backup service or cloud computing platform. Wherever you store it, remember you want to make sure that if usernames and passwords are compromised, they cannot be used to access and damage your backup data.
Finally, test your ability to restore data and run from the restored data. A backup is no good if you can’t use it, and if it will take three weeks to download it from the cloud — best to find that out now rather than when you need it.
6. Manage Risk in your Value Chain
Recent attacks we saw in Jersey involved compromising the email of a customer or supplier to send malicious emails to the target organisation that it would think were legitimate. This is a lot of trouble for an attacker to go to, and they would only have done it if the target organisation could not be easily compromised directly. You can’t be responsible for your clients’ — or even your suppliers’ — security. However, you should recognise that the borders of your organisation are porous and take reasonable steps to reduce your risk. This would include undertaking security assurance on suppliers to make sure they operate appropriate controls, notifying customers of issues and concerns, and passing on advice and alerts. Train staff to spot anomalies, and if companies you work with don’t take security seriously, ask yourself whether they are worth the risk.
7. Operate Effective Monitoring & Alerting
It’s essential to be first to know when something goes wrong. That means logging the correct data and monitoring it for anomalies that suggest a problem. However, monitoring doesn’t have to be complicated and expensive. If you know which are your critical systems, you can often outsource elements of this to a security supplier. Examples include cloud-based firewall and security monitoring services such as Cloudflare that keep an eye on your websites; online services such as BitSight and SecurityScorecard that keep an eye on your visible perimeter; your people; technology-based monitoring systems that alert on unusual behaviour; tools available through your cloud computing supplier; more advanced security monitoring systems such as SIEM (security information and event management) solutions; and security defence capabilities such as a SOC (security operations centre) that can monitor systems 24×7. All of these options can be deployed internally or outsourced to capable suppliers. Define the monitoring that’s right for you, and step it up at times of heightened concern.
8. Test Incident Management Processes
When the worst happens, the impact can be significantly reduced by properly managing the incident. Bad incident management can turn a drama into a crisis. Good incident management can improve your customers’ and stakeholders’ confidence in you after an incident. The first step is to ensure you have an incident or crisis management plan that sets out how you would respond. Who would do what, and when? Guidance is available from standards such as the NIST incident management framework, ISO standard 27035, proprietary services such as the ISF or Gartner, and online resources such as those from the UK’s National Cyber Security Centre (NCSC).
Most successful attacks result from controls we intended to apply not being implemented fully — often because it is felt to be cost-prohibitive or inconvenient for one particular system or business process. Of course, it is then likely that the same system or process is compromised. Once you have implemented additional controls, make sure you know what exceptions you have — make them strictly time-limited, report them to the Board, and work over a few months to eliminate them.
If you’ve implemented these controls, consider verifying them regularly through technical security testing or certification against a standard such as Cyber Essentials Plus. Some standards, such as ISO 27001, which assesses security risk management practices, are more costly to certify against. I would suggest looking to practical, technical checks first and foremost. Some cloud services, such as Microsoft Azure, provide tools that can be used to compare your IT configuration against all the standards and frameworks mentioned in this article. That can be a great place to start.
This is a Security Bloggers Network syndicated blog from Stories by Matt Palmer on Medium, authored by Matt Palmer. Read the original post at: https://matt-palmer.medium.com/practical-steps-to-reducing-cyber-risk-c3b49e8af2d4?source=rss-ca0fc895d58b------2