Five Lessons on Cybersecurity Survival
In the midst of the recent devastating cybersecurity news from Equifax it would not be unreasonable for Americans to think: What’s next?
Let’s be candid: The status quo is not working. Traditional perimeter defenses are becoming sieves. Password policies and practices are weak. Over-privileging is a self-induced wound. And the timely patching of critical vulnerabilities continues to be a major issue despite months of discussion and thousands of written words on the topic.
So what will work? Getting back some of the basics would be a good start. Taking advantage of some current and next-generation technologies would be another good step. What follows are a few such suggestions, in no particular order.
1. Artificial Intelligence, Machine Learning and Cognitive Computing
Opening disclaimer: These tools cannot be a company’s only approach. They need to work in tandem with everything else, so don’t go selling the farm to buy some junior version of Watson. Apart from the obvious supply gap of skilled cybersecurity workers, these tools can be trained to sift through the enormous amounts of big data generated today. Data is everywhere and it is everything. Emails, transactions, social media, even phone calls that have moved off copper and cells and onto Voice over Internet Protocol systems (yes, sometimes that phone call you are making is a data call and you do not even realize it).
The advantage these learning tools offer is that they are not dependent on signature-based technologies that might block known malware. In English that means you don’t have to wait for a picture of the bad guy before you do anything; instead, you look out for bad behavior, regardless of where it is coming from. This technique is sometimes called “user-based analytics” or UBA. These learning tools can also assimilate large amounts of cyber threat intelligence to help guide operators and analysts who would otherwise be overwhelmed by the sheer volume of alerts (some larger organizations are experiencing 1,000,000 cybersecurity alerts per day). Currently, 93 percent of most organizations are unable to sort through all relevant threats and a quarter of all alerts aren’t sufficiently investigated due to the volume.
Remember, these are just tools, not crutches, and humans are still needed at the helm.
2. The National Institute of Standards and Technology Cybersecurity Framework
The NIST CSF is your friend. When NIST announced the CSF in 2014, it was designed to be applicable to both the federal government as well as 16 areas of critical infrastructure (including financial institutions, transportation, and health care). Today, the CSF has been made mandatory for the federal government, along with associated vendors.
The beauty of the CSF is that it is designed to be a “plain English” document that can be used by the non-tech types to discuss and improve an organization’s cybersecurity posture. You have heard it said repeatedly: “Cybersecurity is not solely an IT problem.” It’s not. And if you encounter those who continue to promote that view, you should really question their motivation or understanding of the issue.
If the CSF is supposedly so easy to use, what’s the catch? There is none. It’s just a matter of using it. Unlike the EU’s General Data Protection Regulation (GDPR), the CSF is not mandatory. It is more of a guidance piece, but it has the benefit of having “time in action” as they say. There has been adoption or incorporation side by side with other regulatory and legislative pieces (HIPAA, the Federal Financial Institutions Examination Council, the Office of the Comptroller of the Currency, the U.S. Department of Treasury and the U.S. Securities and Exchange Commission, for example).
The main difference between CSF and the GDPR is that many organizations will have no choice but to comply with the GDPR if they want to continue doing business in the EU. For those companies that have been using the CSF, they are ahead of the game because the GDPR substantially incorporates many of the ideas already outlined in the CSF. Therefore, in a sense, those who are already using CSF are satisfying multiple regulators and multiple purposes, which is a real benefit to multinational companies.
Virtually every major data breach this year can be traced to a failing of basic cybersecurity principles.
3. ‘Cyber Hygiene’
We believe it is safe to say that “cyber hygiene” has officially reached buzz-phrase status in 2017 and for good reason. Good cyber hygiene should be the backbone of everything a company does, the simple stuff, the ABCs, such as:
- Timely updates and patching. Patch regularly and patch often.
- Employee training and awareness progress. And not these once-and-you’re-done online multiple-choice tests that you forget once you’re complete. It has to be continual and it has to touch everybody, including directors, officers and all employees (that includes IT staff). Yes, this may sound like a tax on business operations, but 30 minutes a month on some regular training may be a whole lot cheaper than losing 143 million records …
- Good identity and access management principles, including multifactor authentication and least privilege access.
Virtually every breach this year can be traced to a failing of one of those basic principles.
4. Incident Response Planning (and Practice)
If a company has a plan but hasn’t tested it, that’s not a plan, it’s a document. It’s that simple. The same goes for business continuity and crisis communication. What’s the point of spending tens, if not hundreds, of thousands of dollars to create an incident response plan if there isn’t the slightest clue how to use it? Test it against a controlled attack (Red Team vs. Blue Team).
Breaches cost a lot of money to remediate. Think of what you need to deal with: forensics, notification, outside experts. And that doesn’t include the possible investigation, litigation and settlement costs, or the possible intangible costs. Sure, you can see the impact on your market capitalization, but what about the reputational cost?
5. Back It Up
Hands down one of the most common errors organizations make is not sufficiently backing up their data. Just when you need a backup more than ever (such as during a ransomware attack) there won’t be one. Proper backup procedures cost little, but can save a lot, and there is nothing wrong with having backups of backups. Generational or incremental backups are helpful tools. And make sure the backups work. Before you put that backup on the shelf, test it. You don’t need the additional stress during a crisis of finding out that your backup doesn’t work.
Cybersecurity is not easy or intuitive, cyber threats and attacks are changing constantly. The basics outlined above really matter and can help a company’s executives sleep better at night.
* The CyberAvengers are a self-described “group of salty and experienced professionals who have decided to work together to help keep this nation and its data safe and secure.” The group includes BRINK’s cybersecurity columnist Chuck Brooks, Paul Ferrillo, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma, and Christophe Veltsos.