IT Tips & Tricks
Published 24 May 2022
Cybersecurity Tips: Get Off the Fence About Defense
Does your organization have a C-level IT Security officer and team in place? Do they have a reasonably sized, dedicated security budget to protect against the rising wave of threats? No? Now might be a very good time to rethink that status quo and we’ll tell you why.
A quick glance at the headlines from just the last couple of days at The Record — a leading cybersecurity news publication — should be a red flag, waving fast and furious, sounding the alarm bells for cyber security professionals everywhere.
Here are some recent examples:
- An NFT (non-fungible token) company had its Instagram account hacked.
- An engineering company was hit by North Korean hackers.
- More than 10,000 Redline malware attacks occurred in April.
- The American Dental Association suffered a ransomware attack.
- One of the largest DDoS attacks on record just targeted a crypto platform.
- Austin Peay State University in Tennessee became the latest school to suffer a ransomware attack.
- More than $13 million has been stolen from the Indian finance platform Deus Finance.
- US-based healthcare corporation Tenet was on the receiving end of a cybersecurity incident this past week that shut down several hospitals and acute care operations.
All this from just one website, with only three days’ worth of cyber news from across the globe? Yes, and every other cyber news site is the same. If you haven’t yet done so, then now is the time to maximize your security and protection. The only better time to beef up your security is already behind us.
FBI Director, Christopher Wray, has raised concerns about foreign cybersecurity threats.
Recently, FBI Director Christopher Wray warned that the current scale of espionage and cybersecurity threats from China was unprecedented in history. Per The Hill, “The biggest threat we face as a country from a counterintelligence perspective is from the People’s Republic of China and especially the Chinese Communist Party,” Wray said during an interview on CBS News’s 60 Minutes.
“They are targeting our innovation, our trade secrets, our intellectual property, on a scale that’s unprecedented in history,” he added, noting that China’s hacking program is larger “than that of every other major nation combined.”
Three Mitigation Measures
These statements appear to be substantiated by a recent joint Cybersecurity Advisory issued by CISA, the NSA, the FBI, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre and the United Kingdom’s National Cyber Security Centre. With growing concern over the increasing number of cyber-attacks globally, they recommend the following prioritized mitigation measures:
- Vulnerability and configuration management, including updating software, operating systems, applications, and firmware, with a prioritization on patching known exploited vulnerabilities; implementing a centralized patch management system; and replacing end-of-life software.
- Identity and access management, including enforcing multi-factor authentication (MFA) for all users; if MFA is unavailable, requiring employees engaging in remote work to use strong passwords; and regularly reviewing, validating, or removing privileged accounts.
- Protective controls and architecture, including properly configuring and securing internet-facing network devices, disabling unused or unnecessary network ports and protocols, encrypting network traffic, and disabling unused network services and devices.
Standards: What and Why?
Listen to the water-cooler banter on the topic of cybersecurity, and it’s likely you’ll find as many opinions as paper cups. Peter states that blah-blah is definitively the best defensive solution, but Paul disagrees because yadda-yadda. Bruce, with a secret opinion of his own, haughtily admits that “we each have our own unique philosophical take on the topic.” The thing to remember about opinions is that they’re simply a view or judgment formed about something, not necessarily based on fact or knowledge.
The National Institute of Standards & Technology: setting the standard for cybersecurity.
So, let’s talk about standards. Per Merriam-Webster, “standard (noun): something established by authority, custom, or general consent as a model or example.”
We hear the word “standard” so often that we’ve perhaps become desensitized to its not insignificant meaning. Phrases such as “industry standard” and “standard practice” are bandied about so readily that we lose sight of the importance of the word. While the three recommendations above are a good starting point, there is, perhaps, a need for a deeper perspective — with greater detail — defining the standard for cybersecurity.
There is such a cybersecurity standard. In the US, that standard is issued, and constantly updated, by the National Institute of Standards and Technology (NIST), a US government agency, and is contained in a whitepaper known as NIST Special Publication (SP) 800-53, Revision 5. It’s a detailed document with variable recommendations based on your particular situation. There are, however, seven fundamental steps to establish your cybersecurity environment:
- Prepare: Engage in essential activities to prepare the organization to manage security and privacy risks.
- Categorize: Based on an impact analysis, categorize the system and information processed, stored, and transmitted.
- Select: Select the appropriate set of NIST SP 800-53 controls to protect your system based on sound risk assessment.
- Implement: Implement the controls. Then document how the controls are deployed.
- Assess: Assess to determine whether the controls are in place, operating as intended, and producing the desired results.
- Authorize: Have a senior official make a risk-based decision to authorize the system (to operate).
- Monitor: Continuously monitor control implementation and risks to the system.
If the phrase, “lackadaisical preparedness” sounds to you as much of an oxymoron as something like, oh, let’s say “military intelligence,” then you are one of the few who recognize that cybersecurity is not a “seriously funny” topic, and we hope you are never confronted with the “deafening silence” in the IT department when Kevin, hands tearing at his already threadbare scalp, suddenly yells, “Holy sh*tballs! We’ve been hit! The system … it’s … Oh, God, no! Oh sh*t, oh sh*t, oh sh*t!”
The longer a breach goes undetected, the more it’s going to cost.
We hope that you’re not looking around the room at the shocked and wide-eyed faces of your colleagues, shaking your head and thinking to yourself, “I knew this day would come,” while your escalating pleas for increased budget or C-level representation for the IT department fell on deaf ears.
What’s the point of the execs and board members shaking hands and patting each other on the back at the quarterly function? Who cares about the astonishing third-quarter performance, that fabulously lucrative new foreign contract that’s finally in the bag, or that critical design breakthrough at the plant that puts you about three years ahead of your key competitor? None of it’s going to mean a darn thing if the walls come tumbling down.
Braced for Breach
If you’ve been begging for years for more than outdated antivirus protection and an ancient firewall that protects nobody and nothing should the enemy breach the walls, forward this article to the higher-ups. For execs for whom the bottom line is everything, the value of a healthy, equipped IT department is often difficult to gauge until the poop hits the fan. But by then, it’s too late for recriminations and regrets.
Spending on heightened security for the IT department doesn’t increase market penetration, it means nothing in the race against competitors and it contributes absolutely nothing to the bottom line. At least not visibly. But it’s a bit like owning a car without insurance. You’re only happy about the savings until someone rear-ends your car and it’s a write-off. Purchasing auto insurance at that point is, well, pointless. After-the-fact cybersecurity measures are equally futile.
Hit Them in the Soft Spot
It’s often difficult for execs who don’t live and breathe on the IT frontlines every day to see the need for investment in upgraded security measures. They do, however, understand things like the bottom line, company reputation and the cost of lawsuits. Without C-level representation, getting what IT needs may mean hitting them in their soft spot by positioning your IT security requirements in terms of issues they do understand, such as:
- Financial loss,
- Reputational damage,
- Operational downtime,
- Legal action and
- Loss of sensitive data.
LOTL — living off the land — the threat you can least detect.
Anticipate running into some stock replies and be prepared to counter them. Here are a few common arguments, and potential responses.
“We've always been fine. We’ve never been hacked. You’re probably overreacting.”
Everything is always fine until it’s not. Accidents happen quickly. If they didn’t, they wouldn’t be accidents, they’d be “on purposes.” An uninsured car runs just as well as its insured equivalent. Until it gets totaled. Then, the guy with the insurance is the only winner. With current world events and the massive increase in cyber-attacks, consider us already on that highway, sir.
“Honestly, what would anyone want to steal from us? We’re not a huge multinational corporation that’s attracting attention.”
You’ll need to explain that losses from a security breach are seldom only about what valuables were compromised. Here are some factors that may be more on an exec’s radar:
- Increases in insurance premiums,
- The value of lost contract revenue,
- Devalued company reputation,
- Increased cost to raise debt,
- Operational disruption or outright destruction,
- Loss of valued intellectual property,
- Loss of valued customer relationships.
“I don’t understand what you want. We’ve got antivirus protection and a firewall. That’s all we’ve ever had, and we’ve been fine. What are you so worried about?”
Okay, this one may take a little explanation. In fact, you may want to set it up as a PowerPoint presentation so that they really get it.
There is a thing called living off the land, and it has nothing to do with homesteading or foraging and gathering Mother Nature’s seasonal offerings. Living off the land — generally known as LOTL — is a step beyond what can be anticipated in a typical malware scenario. In LOTL situations, the hackers accomplish their objective without writing any malware to the endpoint. Instead, they use your computer’s legitimate tools and processes in a deliberate effort to evade detection by legacy antivirus products.
“In other words, sir, they’re looking for the exact scenario we currently have.” If you’re talking to the kind of guy who thrives on facts and figures, then here’s something you could share with him: Of all detections indexed by CrowdStrike Security in the 2021 fourth quarter, 62% were malware-free. Yup, let that sink in for a moment. The majority of intrusions had nothing to do with malware. It turns out that living off the land is growing in popularity both literally and figuratively.
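As an added illustration (not from the original article), the Python below shows why a hash-based legacy antivirus sees nothing in a living-off-the-land intrusion while a simple behavioural rule on process-creation logs does. The Sysmon-style event format, the field names, the sample events and every hash are constructed assumptions.

```python
"""Behaviour-based detection of a living-off-the-land (LOTL) process chain."""
import json
import ntpath

# Constructed Sysmon-style process-creation events (assumed field names).
# Scenario: a user opens a phishing attachment in Word, and Word launches
# PowerShell. Every SHA256 below is a made-up placeholder.
SAMPLE_EVENTS = r"""
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n invoice.docm", "SHA256": "1111"}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand PLACEHOLDER", "SHA256": "2222"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "SHA256": "3333"}
{"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File backup.ps1", "SHA256": "2222"}
"""

# Legacy-AV stand-in: a blocklist of known-malware file hashes (constructed).
# It can never match here, because no malware was written to disk: every
# binary in the chain is a legitimate, signed Windows or Office tool.
KNOWN_MALWARE_HASHES = {"deadbeef"}

# Document handlers a phishing lure typically runs inside, and the built-in
# tools an intruder reuses instead of dropping a binary of their own.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SYSTEM_TOOLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hash_matches(events):
    """What a signature scanner would flag: files whose hash is on the blocklist."""
    return [e for e in events if e["SHA256"] in KNOWN_MALWARE_HASHES]


def lotl_alerts(events):
    """Flag a document application spawning a scripting or admin tool.

    A plain admin running PowerShell from cmd.exe is not flagged; the rule keys
    on the parent/child relationship, not on the tool itself.
    """
    alerts = []
    for e in events:
        parent = ntpath.basename(e["ParentImage"]).lower()
        child = ntpath.basename(e["Image"]).lower()
        if parent in DOCUMENT_APPS and child in SYSTEM_TOOLS:
            alerts.append(f"{parent} -> {child}: {e['CommandLine']}")
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("hash matches:", len(hash_matches(evs)))  # 0: nothing for legacy AV to see
    for alert in lotl_alerts(evs):
        print("LOTL alert:", alert)
```

The same parent/child check is what endpoint detection products apply to live telemetry; the sample here only shows the principle on four constructed events.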
Dollars, Days and Data Breaches
Hackers may go undetected for months. Strengthen cybersecurity wherever possible.
LOTL attacks are most commonly initiated after a user clicks on a phishing email or compromised website. Again, if you need ammo to convince the execs that you need better security measures, let’s talk dollars.
To calculate the average cost of a data breach, the 2021 Ponemon Data Breach research report (sponsored by IBM) excluded very small and very large breaches. Data breaches examined in the 2021 study ranged in size between 2,000 and 101,000 compromised records. Within that mid-sized sector, the amounts listed below are the average financial impact/loss.
- Business email compromise: $5.01 million
- Phishing: $4.65 million
- Malicious insiders: $4.61 million
- Social engineering: $4.47 million
Heck, print it out and offer it to the execs as a menu. Which would they choose as their entrée? Remind them that given the rising incidence of cyber-attacks, they may be forced to also select an appetizer and a dessert course from this menu at some point — unless you can get some budget for cyber defense.
If, at this point, they’re still deferring or delaying, politely inform them that “taking their time” and “not making a hurried decision” is the exact game the hackers are playing and relying on you playing too. The bad guys don’t just suddenly swoop in like Jack Sparrow. That’s not how it works. They sit and watch and wait, often for months, undetected, as they gather data and build their final plan of attack.
In terms of financial cost to your organization, the longer the breach goes undetected, the greater the loss. The average number of days before detection is currently 287 — that’s over nine months! That’s nine months of the enemy already inside the castle walls, watching, gathering intel, and planning, planning, planning, while you have absolutely no idea that you’re already playing host to unwanted guests.
Sadly, in order to dramatically reduce data breach costs, the baddies have to be caught in 200 days or less. Here are some statistics for your number crunchers:
- Breaches that were identified and contained within 200 days had an average cost of $3.61 million.
- Breaches that took longer than 200 days to identify and contain had an average cost of $4.87 million.
That’s a difference of $1.26 million. Now let those guys go crunch the numbers and see what they’re willing to put into your cybersecurity budget in a bid to offset the potential cost of a breach. Honestly, a small percentage of that could make the world of difference to your cyber defenses.
If you’re an exec reading this, and your organization doesn’t have a C-level IT Security officer, you may want to reconsider. Your organization would benefit by having an exec with a deep understanding of the workings of an IT department, yet who will think and strategize in terms of high-level concepts that align with corporate philosophy. They’ll consider how to help the IT department achieve their goals, they’ll be able to inform the board why certain actions are critically important, they’ll outline how to protect your company, apply corporate strategy and maintain a viewpoint of altitude over your IT requirements.
In an age where your data is everything, failure to adequately protect it is exactly like hurtling down the highway in an uninsured vehicle. Good luck with that.
Additional Data Defenses
As if security concerns weren’t enough to contend with, how about throwing a good old data migration into the mix? There are a number of good reasons why your organization may be migrating to the Cloud, perhaps to SharePoint online or something similar. If you’ve previously experienced a data migration, you know that missing data is a common problem. You’re probably also aware that one of the most common causes of that missing data is the file links that break during the migration itself.
Add a layer of protection with LinkFixer Advanced™, the first-of-its-kind software that protects against missing data due to broken links. Used prior to your migration, the links are protected so that following the migration, your data is intact. If you’ve already completed a migration and have encountered missing data, think of LinkFixer Advanced as your disaster recovery tool to repair the broken links and instantly restore the missing data. Visit LinkTek.com for more information or call 727-442-1822 for a live demo or a free no-credit-card trial.
We can’t remove every bump in your migration path, but why not completely eliminate one of them if possible? When it comes to your data, like you, we believe it’s important to “keep it together,” so we’ll help you get there.