Implementing the five actions described in this article can help reduce your organization’s cyber risk and bolster its security defenses
Securing the information systems that keep your organization running is an ongoing endeavor that needs to evolve over time in response to trends in the threat landscape. As our IT systems grow in scale and complexity, new cyber risks arise. At the same time, threat actors have been growing in number; and their means, methods, and motivations are evolving.
I’ve identified five action items to reduce your cyber-risk and fine-tune your cybersecurity program, based on the trends identified by ESET security researchers in Cybersecurity Trends 2018:
Review your ransomware response plan
If you’ve read my colleague David Harley’s chapter on ransomware in the Trends 2018 report, you will know this threat is not likely to recede in 2018. Maliciously encrypting someone’s files so they cannot use them is proving to be a popular attack. We anticipate a continued growth of ransomware in three main categories: broad attacks, targeted attacks, and destructive attacks. While attacks in the first two categories typically involve a good faith offer to provide the victim with a key to unlock their files in return for payment, attackers in the final category have no intention of providing a key.
While a properly deployed and appropriately managed endpoint protection product offers a strong defense against all three forms of attack, there is always a chance that the bad guys will find a gap in your defenses – like a forgotten server that IT never knew about, or an employee who just won’t stop clicking in all the wrong places.
That is why every organization needs to have a ransomware response plan in place. This plan tells everyone in the organization what they need to do if there is a ransomware attack, from the first sign of compromise to the technical escalation process, management notifications, PR handling, and so on.
Your organization should already have some sort of breach response plan in place (if not, then ESET researcher Lysa Myers has some good advice on that and you can download a very useful 50-page “Cyber Incident and Breach Readiness Guide” from the Online Trust Alliance, an initiative of the non-profit within Internet Society).
In fact, you may already have a section in your response plan that addresses malware incidents; however, a ransomware attack is sufficiently different to warrant its own section. This should be reinforced with ransomware scenarios in your crisis response manual, scenarios for which you need to practice (with tabletop exercises, for example).
If you’re not convinced that a ransomware attack is sufficiently different to warrant specialized response planning, try answering these questions:
- Does your organization have a written policy prohibiting payment of IT-related ransoms and extortion demands without management approval?
- Is there a process in place for determining whether or not a ransom demand will be paid?
- Does the organization currently hold or can it quickly acquire crypto-currency such as Bitcoin for ransomware emergencies?
- Has your legal counsel advised you on the breach notification requirements that may, or may not, apply to data compromised by ransomware?
If there is one thing worse than being hit with a ransomware attack, it is not being ready to respond to a ransomware attack. Consider this your number one cybersecurity action item for 2018.
Check your power supply
The second action item concerns the supply of electricity that makes all of this digital technology work. In the Cybersecurity Trends 2018 chapter that I wrote on critical infrastructure, I was very mindful of the multiple malware-enabled power outages in the Ukraine. Those events provided proof that bad actors can abuse connected industrial control systems to disrupt the power supply. I was also thinking of the multiple power supply issues that have crippled air travel in recent years at major hubs like London’s Heathrow and Atlanta’s Hartsfield-Jackson International. Even though these incidents were not hacking-induced, they show how disruptive and costly targeted attacks on the power supply could be.
So what has this got to do with your organization’s cybersecurity? The answer lies in your response to this question: What steps has your organization taken to continue operating in the event of a power outage? Do employees know what to do when the power goes out? Is there an office-wide backup power generator? How quickly does it kick in? While your organization may have the answers to these questions, do you know where they are documented?
A lot of organizations use a data center for data processing, app hosting, offsite backup, and so on. If you use a data center, think about the last time you visually inspected their power arrangements. Did they have a large bank of batteries to power everything until the diesel generator spins up? And where is that generator located? Well above flood level, I hope. Now might be a good time to check that your data center has updated its risk assessment to account for weather extremes. When Hurricane Sandy hit the East Coast in 2012, at least eight data centers were impacted.
Remember, availability is one of the three pillars of cybersecurity (the other two being confidentiality and integrity). If your systems don’t have power they are not going to provide availability.
Map data for better security and compliance
The third action item arises from changes in the world of data privacy that were highlighted in the 2018 Trends chapter penned by my ESET colleague, Tony Anscombe (see his related blog post here). Tony and I agree that new privacy laws and lawsuits in 2018 will increase regulatory risk for many organizations, and not just because of this thing called General Data Protection Regulation (GDPR).
Since we are just a few months away from GDPR’s implementation deadline, I trust that every company in the world that has an internet connection also has a basic understanding of what GDPR means for its data privacy and security practices. (If you’re not sure, take our free compliance check to get a detailed report customized to your organization.)
But GDPR is not the only regulatory factor at play. In the U.S., there are new state regulations in place, and very likely more to come. If your organization operates in the State of New York then you probably know about 23 NYCRR 500. This is a cybersecurity regulation with which some covered entities are required to be in compliance by March 1, 2018. In 2017, the policy wonks at CompTIA, the technology industry association, spotted nearly 700 pieces of privacy/security legislation at the state level. Many of these bills will not pass, but state laws can add to the cost of security failures; for example, in 2017, we saw California levy a multi-million dollar data breach fine. Not sure what affects you? Take a look at ESET’s security technologies and compliance cheatsheet.
All this means that it is more important than ever for your organization to know what data it is handling, along with why, where, and how. In other words, you need to carry out what is variously called a data inventory, a data audit, or data flow mapping. The idea is to make sure that all the uses of data by the organization are documented so that they can be appropriately protected and compliance data privacy requirements are being met.
Fortunately, the International Association of Privacy Professionals (IAPP) has written extensively about this process and many of the articles – like this one – are freely available. While the information is presented in terms of GDPR – Article 30 of which obliges organizations to “maintain a record of processing activities under its responsibility” – the strategy described can be broadly applied. There are data mapping tools available, including one that is free to IAPP members. However, according to a 2016 survey, “66 percent of companies conduct data inventory and mapping informally with email and spreadsheets.”
Whichever approach you take, I can guarantee that a thorough data inventory and mapping project will uncover data of which the organization was not appropriately aware. The classic case is a marketing database that was created for a project that ended but was never properly retired. Sadly, we have seen breach after breach where hackers found servers “outside the fold” and weakly protected.
Update server protection
Your data “audit” should produce a catalogue of all of the organization’s servers that are processing or storing vital data. This provides input for the fourth action item: updating server protection. We saw attacks on internet-accessible servers increase in 2017 and we expect this trend to continue in 2018. Classic attacks include brute-forcing credentials for Remote Desktop Protocol (RDP) access, then turning off endpoint protection and encrypting the server contents for ransom.
In some cases, server attacks are almost too easy, like typing “admin” for the user name and password (which worked against an Equifax server in Argentina last year, an incident overshadowed by the company’s larger 143 million record breach due to delayed patching of a widely-reported server code vulnerability).
So, now is the time to check how well your servers are protected against outsider attacks. Here are four key questions to ask about each server:
- Is access to this server protected by two-factor authentication?
- Is this server running properly configured and appropriately managed endpoint protection (which would prevent unauthorized attempts to turn off protection)?
- Is data on this server appropriately encrypted?
- Is the server regularly backed up with archives stored off-site and off-line?
These days you need to be able to answer “yes” to all four questions, with no exceptions. Why? Because those exceptions are what criminal hackers look for when they want to: steal credentials for resale, create spam or DDoS botnets for rent, steal IP and PII for resale, ransom files, or pivot to infest the rest of your network.
Push security training wider and deeper
The fifth and final action item stems from two 2018 trends that concern ESET researchers: continued growth of criminally malicious hacking and something you might call socially-malicious hacking, like efforts to disrupt elections and other pillars of civil society. Both of these trends remind us that information security is a society-wide problem. Smart organizations know that “security is everyone’s responsibility.” One clear implication of this reality is that everyone in your organization needs security awareness training.
There are many ways to implement a baseline of security awareness training for everyone but some organizations still struggle to do this. For example, a recent studied revealed that 70 percent of employees in some industries “lack awareness to stop preventable cybersecurity attacks” and workers in some sectors are even less prepared to play their part: “78% of Healthcare Workers Lack Data Privacy, Security Preparedness.”
Statistics like that help explain why ESET decided to provide free online cybersecurity awareness training. This training is offered on demand, and allows organizations to document their employees’ progress to a baseline of cybersecurity awareness, including how to identify and respond to threats like malware, phishing, and social engineering.
This is one way to address the problem of that employee who keeps clicking in all the wrong places, and almost 10,000 people have taken that training so far. However, your organization’s cybersecurity training and awareness efforts need to go well beyond a baseline for all employees.
Any sizable organization also needs training that is tailored to the specific needs and policies of your company as well as specific roles within the company. One of the most effective programs that I have worked on operated at three levels: all-hands, management, and IT security staff. A fresh set of timely training materials was produced each quarter around a “hot” threat category and tailored to each of the three levels. Programs like this can be executed in house or by contracting with one of the well-established companies that specialize in this type of work.
Protecting your organization’s digital assets is an ongoing effort with no shortage of tasks to perform. We respectfully suggest that you check your task list to make sure that the above action items are somewhere on the security agenda. If not, we recommend you add them, preferably near the top.