It has been said the only way to get rich in Information Security is to be the “Bad Guy”, and if you look at 2021 you can see why. The rate of high-visibility ransomware attacks has escalated dramatically and both the impact and value of these incursions have risen in parallel. It can make us feel like there is no winning and that it is just a matter of time before your organization is impacted. Unfortunately, if it’s unlikely we can get rich, our next problem is to not become “infamous”.
I do not blame the many companies who have been compromised. I have already discussed that the fight is never-ending and you are only ever one bad email away from compromise. However, no one wants to be a headline in tomorrow’s news about how they have been shut down by a Ransomware attack. I have been pleasantly surprised at the general attitude in these situations recently. I do encourage you to reach out and offer to help if a local competitor or another closely aligned business is compromised.
I cannot promise you will never be taken out by such an attack; however, it is reasonable to believe that you can minimize your “Attack Surface”. By reducing the number of vulnerabilities in your organization, you simultaneously reduce the risk. Using a Control Framework, we can begin to break the problem down into focus areas that allow the various teams within the enterprise to protect and harden their exposures, together raising your overall security posture.
In the last Blog, I spoke about five desired outcomes that form Information Security: Confidentiality, Integrity, Availability, Authenticity, and Non-repudiation. These become our justification for expenditure on security controls, which get mapped to the specific targets we want to invest in. We then use our chosen Control Framework to identify risk areas and apply a common set of steps to address them.
But, as mentioned in my earlier Blog, we cannot assume we are safe just because we installed a new Firewall. This brings us to the process of how we use our controls, and a well-structured process can be found within the security functions documented in the NIST Cybersecurity Framework. They outline 5 steps on how to use your controls to achieve the outcomes above.
1. Identify valuable assets requiring protection
2. Protect the assets with appropriate safeguards
3. Detect cybersecurity incidents as they occur
4. Respond to incidents when detected
5. Recover from damage caused by an incident
It is important to notice that steps 1 (Identify) and 3 (Detect) revolve around visibility: knowing the risks and seeing when vulnerabilities are being exploited. The framework also doesn’t assume that just because you have protection in place, you will therefore not be compromised. This implies that assessment and monitoring are key to maintaining your security posture, and they therefore become the starting point for any given step you take.
Let’s start with Step 1, Assess: There are many ways of assessing your risk posture, and external vulnerability assessments, such as those we offer at Charter, are a good starting place. However, before spending money on a formal assessment or tool, don’t ignore tribal knowledge. Inside any organization there are generally people who know what is going on and can quickly point to high-risk processes and practices that have been allowed to continue.
In Step 2, Protect: We determine any actions we need to take to close discovered vulnerabilities. Regardless of how you identify risk areas, you need to vet the results carefully to validate any findings. Begin by identifying the risk and impact, then assign a priority, identify the cost to fix or work around the issue, and ultimately determine the timing and process to fix the issue. Some will be easy, with nothing more than deploying a configuration change, applying a software patch, or modifying the way a tool is used. This may allow you to make rapid changes that improve your security posture in very short timeframes.
The more concerning issues, which may require more capital expenditure, more project time, or may more widely impact business operations, could need to be handled over a longer period. If there are protections or workarounds that can be deployed temporarily, you should seriously consider using them. Telling the press that you knew about a major vulnerability but “hadn’t got around to it just yet” is never a good look. In some cases, it may be necessary to disable or restrict a service to your organization, which may have negative repercussions, but if the cost of being compromised is too high it might still be the right decision.
As we move to Step 3, Detect: We begin the process of ongoing monitoring. This may sometimes leverage the same tools as those used in Step 1, but usually requires at least some form of Security Operations Center (SOC) that is responsible for monitoring the environment, addressing new risks as they evolve, and responding to intrusions should they occur. There are usually many sources of monitoring data in a given organization: Antivirus, Firewalls, IDS/IPS and Web Application Firewalls are the common ones that spring to mind, but there are many other logs from Network equipment, Operating Systems, Management tools, and so on, that can all add colour to your visibility.
The problem is often not having too little data, but rather having too much. How can you assess millions of log entries a day and correlate them all to a single event identifying a high-risk incursion into your infrastructure? It is for this reason the SOC needs to be equipped with a good Security Information and Event Manager (a SIEM) such as Securonix or any number of other tools available. If you cannot afford the capital or operational resources to run such a tool, consider outsourcing to a Managed Service Provider’s SOC to assist you.
Once a potential compromise has been detected we move on to Step 4, Respond: At this point, we often need expert assistance to validate the compromise, isolate the threat, and remove it. If you don’t have the trained personnel necessary to address this, ensure you have a plan for who you would call and how you would engage them before you need them. Two o’clock on the Saturday morning of a long weekend is not a good time to be evaluating and selecting a third-party Security Response Team.
The process of responding to the threat is a large one and will potentially include many difficult decisions, such as whether the business should shut down, negotiation with extortionists, and prioritization of what needs to be done first. While I am not intending to answer any of those questions in this Blog, I will highlight that these are decisions that may require executive level involvement, so any response to an active incursion must include the ability to call in all key decision makers on your team regardless of time or day.
Step 5, Recover, brings us to the final step: the sometimes long and laborious process of getting back to good. If we are lucky, we might be able to minimize damage during the Respond phase above. In other cases we may be forced to restore data, deal with loss or exposure of critical data, or even completely rebuild operational processes. I hope this is never the case for you, but it is one that you need to prepare for.
I have said it before and will say it again: get help when you need it. At Charter we understand that this is a big and weighty topic to deal with. We don’t expect to be able to solve all of your problems across the broad and deep field of information security, but we do have a lot to offer in addressing Cybersecurity concerns, and would happily join you in your process as you protect your business in an increasingly wild Internet.
Don’t become infamous on your own; at least be able to hold your head up and say that you did everything you could to protect your organization.
In my next Blog, we will talk about the importance of Backups to get you Back Up!
Author: Ronnie Scott (CTO)