Imagine this scenario: you are a private business owner bidding on your first government contract. You suddenly come to a section on your application with questions about your internal network security: How and where is your company data stored? Do you enforce data governance and mobile device management? What services do you have in place to protect against data breaches and what is your response policy in the event of a breach? How will you answer?
Not having adequate answers to these questions can mean the difference between winning or losing an opportunity. And yet, we seldom go beyond the vague understanding that our network security is important and move into placing cybersecurity at the forefront of how we practice doing business daily. Legacy programs that haven’t been updated in ten years continue to run important applications on our networks. We fail to enforce secure connection methods and password complexity for user accounts. And our wireless networks are the wild-wild west for all sorts of connected devices, with little (if any) insight into exactly what is connected on the same network as our business-critical systems. The unfortunate reality is that cybersecurity remains a highly overlooked and seldom enforced area for most companies until there is a breach of information. Whether in the form of an active hacking attempt, ransomware, a phishing scam, or some other unwanted intrusion, very few take notice unless it results in actual business downtime.
Abel Solutions recently had the privilege of participating in an Active Cyber Defense Challenge seminar addressing some of these very issues that face many businesses today. A collaboration between the National Technology Security Coalition (NTSC) and the Technology Society of Georgia (TAG), the event culminated with a hands-on simulation of a response to a live data breach against a national agency. Throughout the exercise you take on the role of government entities and private contractors as they walk through realizing they have been hacked and there is a loss of information, and then moves to a discovery phase to assess the extent of the damage. Running almost parallel with discovery is a response phase, where you must attempt to “stop the bleeding” and determine your next steps.
Among the more interesting topics covered during this portion was determining what type of response tools you have at your disposal? And, are we merely interested in data recovery, or should we investigate the possibility of hacking back against our attacker? Overall, the experience was an eye-opening look into the dangerous realities posed by the always-online nature of our daily work and personal lives, and the importance of a sound security policy and the consequences of not having one in place.
While most private companies will never cross over into the realm of offensive cybersecurity, we wanted to share several key takeaways on the topic of cyber defense that are worth learning for every company.
The Cost of a Reactive Security Policy
Protecting your network is ultimately about protecting people – your employees and your clients. Just like having a good QA policy is important, you don’t want to wait until there is a major incident to start practicing good behaviors. Therefore, start now so it becomes second nature. Failing to take proactive steps for good online behavior not only places your assets at risk, but others who are connected to you. Annual losses due to data breaches can be calculated in the millions, but the intangible cost of a security breach can also mean the erosion of trust both in the workplace and with your clients.
Exercising a passive defense against network attacks is the first step businesses can take to stay ahead of most attackers. This includes having a dedicated firewall and intrusion prevention system, regular anti-virus and anti-malware scanning, and enforcing password complexity and rotation.
A good passive defense also includes a high amount of human technical training for safe networking behaviors. This can include training on things like properly identifying malicious content and best practices to not get phished for important credentials.
Identify Insider Threats
Think of your network structure as modeling your business structure: What sort of data would you keep in a general filing cabinet vs locked in your office desk? The importance of auditing your network infrastructure on a regular basis can’t be overly stressed. How is your data structured? Where is it located? Who has access to it? It is important at this stage to identify your critical business imperatives and what tools you have in place to protect them.
Performing a thorough network evaluation can be time-consuming and costly. If you are used to operating in an “open network” culture, it can be a very hard to sell something like network auditing as a cost of doing business, especially if key decision makers in your organization do not feel they have any particularly important data to protect. What may be easier to grasp is; what is the cost to me if I lost this data and what could have prevented that?
Even those that may feel a breach of their data isn’t that important need to remember they may not be the ultimate target, but an intermediary in a larger attack against someone else. It is important for all users to realize they have a responsibility in the success or failure of their company’s network security policy and start seeing cybersecurity as not just a cost of doing business, but something that adds value to the success of the organization.
The Blind Trust Network
It’s tempting for most of us to stick our head in the sand and say, “security is not my problem”. This can lead to the 3 common pitfalls of a cybersecurity strategy:
- Lack of knowledge – These are the individuals who simply don’t know or don’t care about cybersecurity. Or they do care about it, but don’t want to change their behavior to support it, and rather than require training or revoke permissions, they create exemptions that can open up critical accounts to vulnerable situations.
- The “mixed bag” – We’ve written in the past about the risk of maintaining legacy systems, creating a network – where old, new and different technologies are all used together. It is extremely common for most businesses to update one piece of software but leave another untouched for years because it “just works”. However, doing this can make your entire network less and less secure over time. Start planning your migration strategy now so you won’t be caught off-guard by an unsupported program 2 or 3 years down the line.
- Fix it later – When it comes to cybersecurity, time and money are the resources companies struggle with the most. In our haste to move onto the next project, we can be tempted to leave issues half-finished. It may be working now but failure to follow up on that unpatched equipment leaves vulnerabilities in the network that may linger for months or years.
Zero-Trust Networking and the Shiny Object Syndrome
Cybersecurity for a business doesn’t only mean the desktop computer where you do most of your work. It can also mean that smartphone to which you downloaded that questionable app that also syncs your company e-mail and files. If you have a habit of emailing passwords back and forth and your mailbox or smartphone is compromised, what type of account information might an attacker gain? If you are still using an account without 2-factor authentication, it’s time to get this enabled.
Cybersecurity is also the personal assistant smart device you got for Christmas and decided to bring to the office. A report on IoT cybersecurity found that 70% of smart devices do not encrypt their communications.
With the proliferation of these devices it is important for a cybersecurity strategy to only include securing desktops and laptops, but to also have tools in place to enforce data governance for all sorts of connected devices. It is also important to be able to audit your wireless network to see just what types of devices are connected to your network.
Keeping your network clear of the “next new device” isn’t just an IoT problem, but can include any piece of software in use on your network. Can you identify each software vendor platform you have on your network and what function they’re serving? How much overlap is there among the various platforms? While value-added software has its place in any good network, introducing too many platforms leads to vendor fatigue and failure to identify exactly what each program is “supposed” to be doing. The result is having tools on your network that may not only be behaving incorrectly, but also maliciously, if they haven’t been patched properly.
What’s in Your Playbook?
Ultimately the first step in any effective cyber security strategy is to change your company’s cyber security behavior. As we mentioned at the beginning of this article, most companies won’t take cybersecurity seriously until there is a breach of their network and a potential loss of their data, and this is not the mark of a working cybersecurity policy. The job of a cybersecurity policy is not just to have a list of rules in place if/when the worst-case scenario happens, but also what steps are being taken to avoid it. Any policy is only as effective as the support it has to be enacted. That is why it is critical for the success of any cybersecurity policy to have buy-in from the key stakeholders and the teeth to enforce consequences for non-compliance. Are we ready to start assigning weights to various cyber security policy violations? Are we ready to have real requirements in place for poor password policies and enforce specific requirements for repeat offenders such as mandatory technical training? It is time we all start taking our behavior online and on our company networks as seriously as we would take an OSHA or HIPPA violation and act on them accordingly.
This Abel Insight written by IT Consultant Bill Hardison