The third part in our series of short blogs from Twitter chats we have had to mark the 14th National Cybersecurity Awareness Month (NCSAM). The National Cyber Security Alliance (@NatlCyberSecAlliance) is once again hosting a series of Twitter chats every Thursday in October using the hashtag #ChatSTC (moderated by @STOPTHNKCONNECT), in which ESET researchers are once again participating.
In the first two parts of our series we have looked at the role an everyday internet user has in making the internet a safer place, and ID theft. This time around we focus on the role everyone has when it comes to cybersecurity best practices in the workplace.
Cybersecurity in the Workplace Is Everyone’s Business Thursday, Oct. 12, 2017, 3:00-4:00 p.m. EDT/12:00-1:00 p.m. PDT
Bruce P. Burrell: As in real life: it’s not a matter of “if”; it’s a matter of “when.” So, in particular: the attackers WILL attempt to break through your defenses; they WILL try to phish you, in what the attackers perceive to be your weakest point(s); you are NOT too small to be considered a target. So it’s your duty to harden your defenses as much as practical in order not to be “low-hanging fruit.” While we don’t wish the attackers to hack someone else – even if it’s your competitor – better them than you.
Of course, if the attacker is targeting YOUR business, not just “whatever business succumbs to our attacks”, and the attacker has sufficient resources, chances are that the attacker will succeed. But at least make it as difficult as possible.
Obviously, a successful attack can disrupt business (sometimes severely, as in the case of ransomware without adequate offline backups). It can incur costs, such as mandatory (offering of) credit monitoring for your customers whose PII were stolen in the attack. It can incur legal costs and financial penalties. It can cause the business to suffer both short and long-term loss of customers, and of course of your reputation.
“Who steals my purse steals trash; ’tis something, nothing;
’Twas mine, ’tis his, and has been slave to thousands;
But he that filches from me my good name
Robs me of that which not enriches him,
And makes me poor indeed.
Othello Act 3, scene 3, 155–161
[Bruce also points out that these words are actually spoken by Iago, the villain of the piece, so “it’s That Trust Issue all over again.” I can’t resist suggesting that you watch your handkerchief as well as your purse and your reputation. (DH)]
Aryeh Goretsky: Businesses have more money, employee tax IDs + all sorts of info criminals love to steal + use to commit tax fraud.
Lysa Myers: Many people consider phone#s throw-away details, but their loss can cause huge hassles.
Aryeh Goretsky: Ransomware is a very visible threat, + often comes via email as fake invoices or waybills. Also, poorly-secured servers.
Lysa Myers: It varies by industry: Intellectual property theft? Customer PII theft? Ransomware hitting most industries hard. Breaches & interruptions cause loss of customer confidence, regulatory fines. Many cos go out of business after incidents.
Bruce P. Burrell: Why, ALL data, of course. But if you are protecting someone else’s data, that’s a particular cause for concern. And your intellectual property, confidential information, and even just “internal info.”
Basically, this is something for each organization to decide. What do you need? Is it all backed up and tested? If so, then losing access to it temporarily is costly, perhaps, because of downtime needed to get things restored to the former state. But if the data have been stolen, that is an entirely different headache.
Aryeh Goretsky: Customer lists, sales databases, tax information.
Lysa Myers: In short: Data that has value to you or your customers. Don’t assume the obvious; it’s not just about payment card details!
Email or social media login credentials are actually more valuable than CC# on the black market because they can steal trust.
Bruce P. Burrell: Keep everything up-to-date/patched. Use a top-quality antivirus suite. Apply Defense-in-Depth. Implement 2FA. Back up, often, test the backups, and keep at least some of the backups offline. Encrypt your data, both when at rest and when in motion. Segment your networks. Apply the Principle of Least Privilege.
More generally: Implement the CIS Top 20 Controls, and for sure implement the CIS Top 5. Note that these are prioritized – you get the biggest bang for the buck with the first, then the second, etc. So do the Top 5, then the rest as time/budget/expertise allow.
Aryeh Goretsky: A patching system to keep OSes and software up to date. Encryption to prevent stolen data from being read.
David Harley: Patching, backup, education for employees, accurate advice to customers.
Lysa Myers: Salt & Hash login info: criminals can’t steal what you don’t have. Allow & encourage 2FA for logins. Segment your network so customers, contractors can access your resources without compromising sensitive data.
The more layers of protection you add, the more resilient you are to inevitable accidents & mistakes.
Bruce P. Burrell: Obviously, the first thing on the list is top-quality, up-to-date, properly configured antivirus software and, in a corporate environment, IT staff who know what they are doing in the security realm. Tools such as ESET Remote Administrator can help with keeping your machines in compliance, noticing anomalies, etc.
Above what your security suite can tell you, there are various additional layers that can increase protection such as network traffic analysis, albeit at additional costs both monetary and human.
Aryeh Goretsky: There are specialized system + network monitoring tools to look for anomalous behavior like connections to unusual networks, or connections outside of normal business hours.
Lysa Myers: Monitoring means knowing your network well enough to see anomalies. Perform regular, ongoing risk assessment to make this work.
Bruce P. Burrell: Besides reporting it to law enforcement? Besides what the law requires the business to reveal?
Well, there are several things. In some cases, it may not be prudent to try to repair things right away, as in the case of an attack by a nation state or some terrorist group: the FBI or equivalent may need to be brought in to image the machines before they can be restored, and so on, so that proper forensics can be applied. But once that part, if necessary, is complete: Try to restore to the former status quo. Then figure out what went awry – perhaps with the assistance of an external investigation – and fix whatever problems are unearthed. Be sure to review your defenses periodically, which will require you, or someone else you hire, to keep up with security developments. Educate your staff – all your staff allowed to touch a computer – and do so regularly. And if you don’t have one (or more) already, develop an emergency protocol for any future successful attacks/breaches. Remember: it’s not a matter of if ….
And be transparent with your customers – otherwise, they will have good reason not to trust you.
Aryeh Goretsky: Contact police and IC3.GOV to file a report.
David Harley: As mentioned last time, contacting law enforcement doesn’t guarantee redress for the individual reporting the crime, especially if the financial damage is minor, but it does help ensure that LE are aware of the scope and impact of the problem.
Lysa Myers: Get very familiar with breach requirements & regulations in your state. Follow policies already in place for incident response.
We encourage you to check out the chats on Twitter and other events, and take advantage of the commentary and advice offered by other players in the security industry. We also encourage you to check out a page put up by ESET offering lots of free cybersecurity resources to help you become more #CyberAware.
WeLiveSecurity will be back with part 4 in our Twitter chat blog series later this week and we encourage you to keep an eye out for that.
Author David Harley, ESET