Failure to plan is planning to... Well, you know.
We are now in the era we call Ransomware 2.0, far from the teenager in a hoodie in their parents' dank basement seeking to establish their bona fides as a notorious social avenger. This generation of ransomware crime syndicate is well organized and underground, yet professionally run. Ransomware is now a service bureau, selling the tools of its trade "as-a-service".
Today, hackers are recruited by "head-hunters". Their organizations are criminal in nature but operate largely the way a corporation does: they have human resources staff, technical support and facilities managers; they have goals and targets like sales people do, and are paid commissions as well. In other words, they are extremely structured and well organized.
3 Cornerstones of an effective IT Security Strategy:
- People: The misconception that security starts with a world-class product has been disproven by the thousands of data breaches that occur each year, despite the near-unlimited budgets some large companies put into IT security. That’s why security must start with people. When it comes down to it, many of the security decisions we make are based on emotion, such as whether we click on a malicious email and open ourselves up to attack.
This age of information sharing and big data has also compounded the problem in cyber crime because there is so much information out there about us and our organizations. Cyber criminals are able to piece together bits of personal information leaked on social media networks that make it very easy to create a sense of familiarity and lower victims’ guards.
- Policy: An information security policy is the foundation for protecting an organization’s information, systems, and people, as well as its intellectual capital, customer and partner relationships, company brand, and shareholder value.
Information security policies should provide a thorough understanding of your business and be concise documents that identify best practices vs. required practices. Focus on assessing risk objectively—not restricting personnel from being able to use systems fluently—to allow for business flexibility and innovation. You don’t want policy to stifle creativity or offer jargon that employees can’t understand and therefore legal can’t enforce.
- Process: Cyber self-defense is more about psychology than it is about technology, and our biggest adversary may in fact be ourselves. As an organization, you need to think like an attacker, train and test relentlessly, and measure results over time.
The goal should be a reduction in risk, and continuous process monitoring will help you better understand your security posture. If your security program is understandable to both technical and non-technical people, uses multiple layers of diverse controls to protect data, and limits access to only those who need it, your risk of a breach is significantly lowered.
5 STEPS TO IMPROVE YOUR SECURITY POSTURE ARE:
Layer: When it comes to your IT security, it is important not to rely on any single security device or product as the whole essence of your defense. Having your security in layers is essential to maximizing its strength. An example of a strong layered system would be intrusion detection, endpoint protection, and vulnerability scanning to find weak points.
Limit: Otherwise known as the principle of least privilege, limiting access is how you take security to the next level. Give full access only to the people who need it, and give outsiders (contractors, partners) only the access they need to do their work, so that the rest of the company’s information is never exposed to them.
Diversify: Don’t limit yourself to one vendor’s product. Should that vendor experience a catastrophe or business loss, you too will be affected by those losses. Diversify your vendors and their products so that one vendor’s loss won’t impact you as severely.
Obfuscate: This is, in its most basic form, hiding from the attacker: don’t let them see what preventive measures you have put in place. Say, for example, someone from China is trying to hack into your system. Geographic blocking that silently drops their traffic, rather than rejecting it with an error or reset, sends nothing back, so the attacker cannot tell whether the host is down, filtered, or watching them. Essentially, you give no signals back, so the attacker doesn’t know what is happening.
Simplify: The entirety of your people, processes, products, and policies must be simple. Both your technical and non-technical people need to understand everything, so that mistakes are avoided and the rules are not second-guessed.
IT Security Policy
Information security policies are one of the strongest preventative tools against cyberattacks.
A documented policy which outlines step-by-step procedures and designates responsibilities is your company's first defense in preparing for and mitigating a cyberattack. It is foundationally important to keep all of your employees vigilant and aligned.
We recommend that within your IT security plan, each policy should include the following five sections:
Overview: Summarize each policy, pulling out the key takeaways for quick scanning purposes.
Scope: The scope will spell out the "what" and the "when": what the policy does and does not include and when it should be used.
Policy: This section outlines the "how" in detail: how your organization will govern. Each policy should be specific and action oriented, including step-by-step procedures to take around each topic.
Enforcement: Here, we need to designate the "who": the people in the organization that will be responsible for executing and enforcing the policy.
Revision Tracking: Your IT policy should be a living, breathing document that is routinely revisited and revised based on your organization's predetermined review cycle. Annese believes that accountability is the key to any good policy. This is really the "now what" phase.
Security Awareness Training
Empower Employees to Be Your Strongest Security Champions
If you look at your security budget and 90% of it is allocated to technology, then you’re missing the proverbial boat. Investing in an awareness training program is imperative.
No matter who, when, or where companies have been impacted by a cyberattack, they each have one thing in common: human error. This is a long-term issue, and continuous, consistent messaging is necessary in order to change employees’ behavior toward security over time.
There are many ways to spread and reinforce key security messages throughout your organization, such as:
- Email reminders,
- internal campaigns,
- live presentations,
- quizzes, and
Penetration Testing vs. Vulnerability Scanning
What Street Crime Teaches Us About Cyber Criminals
In order to understand the nature of cybercrime and differentiate between three cybersecurity awareness techniques—Port Scanning, Vulnerability Scanning, and Penetration Testing—let's compare to a traditional security breach, like a home invasion.
Vulnerability Scanning or "Auditing Your Perimeter"
The robber knows no one is home. The robber also knows that you do not have a dog or an alarm system in place. Perhaps when they get out of their car and take a closer look at your house, they notice a cracked window, a screen door that does not lock properly, or a basement entrance that's routinely left open. This reconnaissance is the physical analogue of another technique called a Vulnerability Scan.
Finding your vulnerabilities before the thief does is a great way to audit your own perimeter (or internal security environment), with the same tools and techniques the criminal may use.
Vulnerability Scans often start small. Only one "vulnerable" window is needed for the house thief to enter, while only one "vulnerable" subnet is needed for the cyber thief. Maybe the back door is hidden from neighbors making the front door a more viable entry point. Perhaps an application or web server is less protected than a database server. Speed and ease of entry are usually high priorities for both of these types of criminals.
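Auditing your own perimeter "with the same tools the criminal may use" starts with the most basic probe there is: a TCP connect scan that finds listening ports and reads whatever banner the service volunteers. The example below is added here to illustrate that step; it is not code from the original page or from Annese. It stands up a throwaway listener on 127.0.0.1 that answers with a constructed SSH-style banner (a stand-in for a host on your perimeter) and then scans it. The listener, the banner text and the port choices are assumptions for the example only.

```python
import socket
import threading

def start_banner_listener(banner=b"SSH-2.0-OpenSSH_7.4\r\n"):
    """Start a throwaway TCP service on 127.0.0.1 that sends a banner to each
    client and hangs up. A constructed target for the scan below, not a real
    host; the banner string is an assumption."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # listener closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port

def scan_host(host, ports, timeout=0.5):
    """TCP connect scan. Returns {port: banner} for every port that accepted a
    full connection; closed ports (connection refused) are skipped. A filtered
    port that silently drops our SYN just times out, which is exactly the
    'no signal back' behaviour the Obfuscate step describes."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:
                continue
            try:
                banner = s.recv(128).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""            # open, but the service waits for us to talk first
            found[port] = banner
    return found

if __name__ == "__main__":
    srv, port = start_banner_listener()
    # Scan the listener plus a couple of neighbouring ports that are most likely closed.
    print(scan_host("127.0.0.1", [port, port + 1, port + 2]))
    srv.close()
```

A real perimeter audit would run this from outside your network against your public address space, compare the result with the list of services you *intended* to expose, and hand anything unexpected to the vulnerability scanner.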
Penetration Testing or "Asset Acquisition"
The robber with all their intel is set to pilfer jewelry, cash, and other valuables from the home, exactly as the cyber thief who penetrates your system is set to take your personally identifiable information (PII), customer lists, intellectual property, and pricing models. The authorized simulation of this stage, where a tester actually exploits the weaknesses found and shows what could be taken, is called Penetration Testing, or a Pen Test for short.
The goal here is asset acquisition. It’s an act of execution, not exploration. Neither criminal stops at the point of entry when determined to acquire assets. Skilled ones do all they can to cover their tracks especially if they plan to come back again.
Ransomware + Phishing
Ransomware is the fastest growing economic crime of our time
It is safe to assume that if you have not already fallen victim to a ransomware or phishing attack, it is only a matter of time. So how do you protect against it? Or, if it's happening to you now, how do you stop it?
Backups: First, have a complete set of backups, not just of your data but also your system files. Keep a minimum of six monthly full backups available, and keep at least one copy offline or otherwise unreachable from the network, because ransomware that can reach your backups will encrypt them too. Why so many? Because if someone is already in your network, you may need to do a bare metal restore from a point before they got in. Ransomware is often symptomatic of other problems, including data exfiltration to the outside; a patient intruder who has been quietly stealing data for months is what we call an Advanced Persistent Threat, or APT.
Authenticate Inbound Email: With Sender Policy Framework (SPF), a domain owner publishes in DNS which server IP addresses are allowed to send mail for that domain. The receiving server looks up the envelope sender's domain, checks the connecting IP address against that list, and can reject or quarantine spoofed messages, which blocks a large share of phishing based on forged sender domains. Note that SPF checks the envelope sender, not the "From" address the user sees, so pair it with DKIM and DMARC for full coverage.
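To make the SPF check concrete, here is an added example (not code from the original page or from Annese) of how a receiving mail server evaluates a sender's policy. Since it has to run offline, the SPF TXT records are constructed and kept in a dictionary as a stand-in for the DNS lookup; the domain names, IP ranges and the accept/reject policy in `should_reject` are assumptions for the example. It handles the `ip4`, `ip6` and `all` mechanisms with their qualifiers; `include`, `a`, `mx` and `exists` need further DNS queries and are deliberately skipped.

```python
import ipaddress

# Constructed SPF TXT records for hypothetical domains: an offline stand-in
# for the DNS TXT lookup a real receiver performs.
SPF_RECORDS = {
    "example-corp.test": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "partner.test": "v=spf1 ip4:198.51.100.10 ~all",
    "no-mail.test": "v=spf1 -all",   # a domain that never sends mail
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate an SPF record's ip4/ip6/all mechanisms left to right against
    the connecting server's IP. Returns the result of the first matching
    mechanism, 'neutral' if nothing matches, 'permerror' for a malformed
    record. include/a/mx/exists need extra DNS lookups and are skipped here."""
    addr = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                    # catch-all: usually the last term
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)   # bare IP -> /32 or /128
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        # other mechanisms (include, a, mx, exists) would need DNS here
    return "neutral"

def evaluate_sender(mail_from_domain, client_ip, records=SPF_RECORDS):
    """Look up the envelope-sender domain's policy and evaluate it.
    'none' means the domain publishes no SPF record, so there is nothing to enforce."""
    record = records.get(mail_from_domain.lower())
    if record is None:
        return "none"
    return check_spf(record, client_ip)

def should_reject(result):
    """Example receiver policy (an assumption): hard fail is rejected at SMTP time,
    softfail is accepted but fed into spam scoring, everything else is accepted."""
    return result == "fail"

if __name__ == "__main__":
    for domain, ip in [("example-corp.test", "192.0.2.77"),
                       ("example-corp.test", "203.0.113.5"),
                       ("partner.test", "203.0.113.5"),
                       ("no-mail.test", "192.0.2.1")]:
        res = evaluate_sender(domain, ip)
        print(f"{domain:20} from {ip:15} -> {res:8} reject={should_reject(res)}")
```

Two practical points fall out of the code: a domain that sends no mail should still publish `v=spf1 -all`, otherwise attackers can spoof it freely; and a record ending in `~all` only softfails, so the receiver has to decide what to do with that verdict.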
Block Ads: With "malvertising", attackers buy or hijack ad placements so that malicious ads (often pointing at exploit kits) are served to users of otherwise legitimate sites. Blocking ads at the browser or proxy removes that delivery channel.
Monitor Recursive DNS: ...Or have tools on hand that will do this for you. Ransomware, like most modern malware, depends heavily on DNS: the payload has to find its command-and-control server to fetch encryption keys and receive instructions. Botnets use domain generation algorithms (DGAs) to produce large numbers of random-looking domain names with very short lifespans, so that blocklists cannot keep up. Those lookups leave a trail in your recursive resolver's logs: bursts of long, high-entropy names, many of which do not even resolve.
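What "monitoring recursive DNS" for DGA activity looks like in practice, as an added example (not code from the original page or from Annese): a small detector run over a handful of constructed resolver log lines. The log format, the client addresses, the domain names and the entropy/length/digit thresholds are all assumptions for this example; real detectors use trained n-gram models and a public-suffix list, but the features shown here are the ones they build on.

```python
import math
from collections import Counter, defaultdict

# Constructed recursive-resolver log lines (not real traffic):
# timestamp  client-ip  qtype  qname  rcode
DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.0.15 A mail.example-corp.test NOERROR
2017-05-12T10:01:04Z 10.0.0.15 A www.partner.test NOERROR
2017-05-12T10:01:05Z 10.0.0.22 A xk7q9z2bnv4wpl1t.com NXDOMAIN
2017-05-12T10:01:05Z 10.0.0.22 A qwe4rty8uiop2asd.net NXDOMAIN
2017-05-12T10:01:06Z 10.0.0.22 A zxcv1bnm6qaz3wsx.org NOERROR
2017-05-12T10:01:07Z 10.0.0.31 A cdn.example-corp.test NOERROR
2017-05-12T10:01:08Z 10.0.0.31 A a1b2c3d4e5f6g7h8.biz NXDOMAIN
"""

def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score near
    log2(number of distinct characters), readable words much lower."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(qname):
    """Second-level label, e.g. 'xk7q9z2bnv4wpl1t' from 'xk7q9z2bnv4wpl1t.com'.
    Naive on purpose: ignores multi-part suffixes such as co.uk (no suffix list offline)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_dga_like(label, min_len=10, min_entropy=3.5, min_digit_ratio=0.15):
    """Illustrative heuristic: long, high-entropy labels with a lot of digits.
    The thresholds are assumptions for this example, not tuned values."""
    if len(label) < min_len:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and digit_ratio >= min_digit_ratio

def parse_log(log_text):
    """Split the constructed log format into dicts; skips blank lines."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname, rcode = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname, "rcode": rcode})
    return records

def find_dga_clients(log_text, min_hits=3):
    """Group DGA-like lookups by client. A client that queries several such
    names, many of them answered NXDOMAIN, is a beaconing candidate. Returns
    {client: {"names": [...], "nxdomain": count}} for clients at or above min_hits."""
    hits = defaultdict(lambda: {"names": set(), "nxdomain": 0})
    for rec in parse_log(log_text):
        if is_dga_like(registrable_label(rec["qname"])):
            hits[rec["client"]]["names"].add(rec["qname"])
            if rec["rcode"] == "NXDOMAIN":
                hits[rec["client"]]["nxdomain"] += 1
    return {client: {"names": sorted(h["names"]), "nxdomain": h["nxdomain"]}
            for client, h in hits.items() if len(h["names"]) >= min_hits}

if __name__ == "__main__":
    for client, info in find_dga_clients(DNS_LOG).items():
        print(client, info["nxdomain"], "NXDOMAIN,", info["names"])
```

Note that a single odd-looking name (the one lookup from 10.0.0.31) is not enough to alert on; it is the repetition from one client, combined with NXDOMAIN answers, that separates a DGA beacon from a CDN hostname that merely looks random.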
Have Great Access Control Policies in Place: When someone leaves your firm, terminate their access that day. Same with third party contractors. Every person is a vector. Fewer vectors, fewer threats.
Have a Plan and Validate It: Time is critical for an organization faced with a ransomware deadline. Do an inventory of your critical data assets, know where they are located, and evaluate the impact of any loss or unavailability of that data. Have key information (contacts, runbooks, restore procedures) in offline or paper format. Remember, you may not be able to see your file data.
Repeatedly Train Your Employees: Offer rewards to staff members who identify a phished email and do not click on it. Tell personnel that no one gets penalized for ignoring an email that looks strange to them (and that they tell someone about), even if it is a real business email. It sounds trite; “If you see something, say something.”
Cost of a Data Breach
The cost of a data breach has risen to $7.35M in the U.S.
[Source: IBM Security & Ponemon Institute's 2017 Cost of Data Breach Study]
The FBI cited the 2016 cost of ransomware at nearly one billion dollars for U.S. businesses, accounting for 38% of all attacks globally. 76% of ransomware uses the easiest and fastest to deploy vector available, that of SPAM.
From a consumer perspective, this firestorm led to 2.3 million individuals being victimized in 2016 as well. But it is commercial enterprises that receive most of the attention from ransomware syndicates.
In 2016, we saw explosive growth exemplified by:
- 4000 attacks per day on average
- 752% growth in new families of ransomware in 2016 (source: TrendMicro)
- 40% of victims paying the ransom (source: Osterman Research)
- 72% of organizations having information held encrypted and unavailable for two or more days
- A startling cost to recover of $333,000 per incident
- 51% of business decision makers calling ransomware “an extreme concern”
Our research also indicates:
- SMBs saw a 433% increase in attacks in 2016
- 84% of those attacked did not meet the demands of the attacker because they could not restore data from their own backups
- 47% of all organizations, regardless of size, were hit by a broad category of attack called Business Email Compromise (BEC), including the 38% ransomware mentioned previously
- Only 4% of all organizations surveyed feel confident their defenses are strong enough to protect against ransomware attacks showing that 96% lack confidence
Validate Your compliance with HIPAA, HITECH, FERPA, PCI, GDPR, and Other Industry Regulations
The healthcare and finance sectors are no stranger to regulatory compliance. Industries that have experience dealing with mandates can adopt this three-pronged process to success:
Start with a risk assessment,
build your roadmap around your most critical risk, and
be prepared to show progress to a regulatory body.
At the end of the day, organizations need to adopt the philosophy that cybersecurity is not an IT issue; it's a business function. Don't reinvent the wheel separately for each regulation: one risk-based program can satisfy several of them.
Make a list of what's most important to your business, risk assess that list, determine your risk tolerance against that list, build your roadmap around that list, rinse and repeat.
Cybercriminals don't take sick days
If you are wondering whether it is time for a security assessment, then the answer is probably yes. Even if you have been deliberate in implementing and monitoring security measures, it can be difficult to stay ahead of the game. Here are four signs it is time to schedule a security risk assessment:
- You store large amounts of data.
This is probably true of most businesses, which is why there is never really a bad time to conduct a security assessment. Cyber criminals can steal personal information, hijack intellectual property, and completely take over websites. The more data you store, the more vulnerable you are to major attacks that can have lasting consequences to your business.
- You don't remember the last time you conducted an audit or assessment.
It is imperative that you regularly conduct audits in order to identify whether your existing cybersecurity efforts are actually delivering as promised and adapt to new threats. Ideally, any solutions you put in place will be effective and operate as expected, but that isn't always the case. An assessment will allow you to confirm that your policies are actually working as intended.
- You recently moved your network to the cloud.
While cloud platforms are designed with security in mind, they are susceptible to the same kinds of misconfigurations, vulnerabilities and attacks as on-premises networks. It is important to update your security and conduct an assessment any time there are major changes to your existing technology. Don't assume that the provider's default controls will be enough to protect your data.
- You notice an increase in cybersecurity incidents in your industry.
Security breaches tend to happen in waves. Once attackers discover a new vulnerability, they go to work targeting as many businesses as they can, so that they can inflict the most damage before defenders have the chance to respond. Pay attention to the news and take note when a rash of breaches occurs. It is a sign that you could be next.
SCHEDULE A RISK ASSESSMENT:
- What are you currently doing for cybersecurity?
- Are these investments working?
- Who is held accountable for cybersecurity?
- Do you know what your top risks are?
- Do you have any compliance regulations you need to assess security for? (HIPAA, PCI, DFS, FERPA, NERC CIP)
Annese, a ConvergeOne Company, will help you identify where the security gaps and vulnerabilities lie in your organization and share best practices around how to address them.