Once again Cybersecurity Awareness Month is upon us and with everything else that has happened this year, are there reasons why this year should be different? With everything else going on and grabbing our attention, now is not the time to take your eye off of cybersecurity. In fact, it is probably more important now than before.
In rushing to send everyone home, we have seen evidence of companies taking shortcuts. Often, speed and necessity take precedence over security. This is understandable when the requirement is that everyone has to be able to work from home overnight. But, are actions being taken to go back and secure those items that are insecure? As the Covid response drags on and more companies are deciding to extend the time people are working from home the possibility of those open security holes getting discovered increases. As the current situation becomes more routine, it is time to go back and see what was done and are the defenses still in place and adequate. Remember, the hackers are probably sitting around bored at home too.
Recently, Cyber-attacks have been on the rise. Malicious actors, recognizing the opportunities the current situation, is offering have increased their efforts. In addition, due to the rush to get workers home, there are more exposures now than ever before. Recently, a patient death was attributed to a ransomware attack made possible because of a security flaw that was announced in December of 2019. While many hacker organizations have vowed to not attack hospitals during this time, not all comply: there is no honor among thieves (as they say). This is evidenced by the recent attack on Universal Health Services. This is evidenced by the recent attack on Universal Health Services. Unfortunately, we are still seeing some disturbing statistics:
- 94% of malware is delivered via email (2019 DBIR)
- 48% of malicious email attachments are Office files. Of those, the most popular is .doc or .dot. (Symantec)
- Attacks on IoT devices tripled in the first half of 2019.
- Fileless attacks grew by 256% over the first half of 2019.
- 60% of breaches involved vulnerabilities for which there was a patch available. (Security Boulevard)
- 1 in 13 web requests lead to malware. (Symantec)
- 63% of companies said their data was potentially compromised within the last twelve months due to a hardware- or silicon-level security breach
So, what steps should you be following to keep your data safe? Try following these techniques to protect your data:
Patching, patching, and more patching
It is almost painful to think that 60% of data breaches are still being caused because systems are not being patched properly. The security flaw I mentioned above had a workaround immediately, and firmware fixes within 6 weeks. Unfortunately, there were compromised systems like the one involved in this instance where the patch was applied after the device was compromised, but since the system had already been compromised, the door was open for attackers to enter months later. Too many believe that just applying the patch is enough. We must all ensure that we understand what is necessary to stop an attack and perform all the fixes, not just patching. The Equifax breach exposed the records of over 147.9 million consumers and cost the company $4 billion dollars because an apache server was not patched.
Reduce your threat vulnerability
Appliances such as the Citrix ADC can stop inbound attacks by dynamically blacklisting known bad IP addresses using services like Webroot. Outbound traffic systems like Cisco Umbrella ensure that the web sites being visited are not suspicious before allowing traffic to a web site. Make sure your Wi-Fi is secure. Make sure your Guest Wi-Fi is completely segregated. Manually shut down switch ports that are not in use. We all have heard these, but it is surprising how many have not taken the time to enforce them.
Multiple Layers of Security
Many companies still believe that just having anti-virus is enough on the endpoints. With the speed at which viruses are developed and limitations on how fast the databases can be updated having a dynamic solution that looks at behavior is also needed. Preventing malicious behavior needs to also occur at the server and even network switching level. Applications that watch what devices are connecting to the network (Network Access Control) and is the traffic what is expected from the devices that are connected (Infrastructure Analytics). If suddenly my “printer” port has opened a secure shell to an external web site and starts copying all the files exposed on my file server, I’d probably want to stop that. When users are attaching from external sources, multi-factor authentication (MFA) should be required. Having something like Duo so that just a username and password are not enough goes a long way to prevent things like password spraying attacks.
We all must remember that a human being is easier to trick than a computer. Cybersecurity training should be on going not just at employee onboarding. And remember, you want your people to be on your team. Make sure any training is enjoyable. If you test your users, don’t make their mistakes punitive. Having your fellow employees as adversaries in security instead of teammates will make your job much harder. One of my favorites is the Mimecast training videos. You can see an example of a “Human Error” training below.
Just backing up your data is not enough anymore. We need to follow the 3-2-1 rule for sure. 3 copies of your data, on 2 different media types, and at least 1 of them off site. In addition, you need to ensure that your data is getting backed up. We perform a data restore test twice a week on our managed backup solution. But how fast you can restore is also valuable. If you are infected by ransomware, and restoring your systems would take days, many pay the ransom merely because they cannot wait on the restore. Not to mention that you must ensure that the ransomware does not infect your backups at the same time. So, backups that ensure data integrity are required now.
Regular Password Changes
I know, I hate changing my password all the time too. But it is the best way to ensure that a compromised password does not lead to a loss of data. So often when we do security assessments, we find that the personnel in the C-level or managing partner level are not required to change their passwords. I know it is tough, but these high-profile individuals are specifically targeted because of the data they have access to. If they have weak passwords that are not changed often, it is much easier to breach their accounts. Then, one email to transfer money to an account from the CEO to accounting and now your company is out millions. Once that money leaves the US border, you probably won’t see it again. I am looking forward to the development of the FIDO2 security devices like Yubikey where we will not need our usernames and passwords anymore. Won’t that be a wonderful day!
Where possible, use hardened equipment
Some equipment is being manufactured with security enabled even in the assembly line. Items like HPE’s Silicon Root of Trust provide trusted handshakes from the lowest level firmware to BIOS and software to ensure their servers maintain a known good state. AMD offers Secure Encrypted Virtualization which provides encrypted Memory, Encrypted virtualization with a key per VM, and Encrypted CPU register contents allowing encryption in every step and preventing one compromised thread from gaining access to other memory registers and CPU registers. As Cybersecurity gains necessity, expect to see even more of these types of preventative measures. They can even save you money on your cybersecurity insurance. Marsh has added two of HPE’s products to their “Cyber Catalyst” program and 8 of the leading cyber insurers will give discounts for using their products. “Why HPE Leads the Cyber Security Market” (Forbes)
Cybersecurity is a requirement these days. Even home PC and personal accounts need protections. The best way to thwart these attackers is to prevent them from gaining access at all. As long as they can gain access, they will be out there just trying to find a way. Let’s at least try to make it as difficult as we can.
If you would like to hear more about what can be done, or if you need help with a plan for cybersecurity, reach out to a provider, such as Conversant Group, who can make this as painless as possible. You can also contact me, as I know several who can help out.