There’s a first time for everything. In my entire working career, I have never used profanity when writing a document, email, or text message. As I tell my daughters, I believe profanity is only effective when you use it very sparingly, perhaps once or twice a year, only to underscore the dire significance of the situation. Choose wisely. So, after decades of waiting for that moment, here it is:
You should be scared shitless about cyber security.
There. I won’t swear again until the end of 2020; however, between now and then, there is an ever-increasing continuum of work to minimally safeguard the majority of small and mid-sized organizations from very real threats. Including “cyber security administration” as a job description for a person in your IT department is sadly a mere drop in the ocean of what needs to be done. It takes a commitment of the whole firm, beginning with senior leadership.
Taking a high-level perspective, it’s worth noting that the full scope of “cyber security” is vast and getting vaster, if that’s a word. The bad guys are really, really, really smart. They don’t look like bad guys, either. They are known to be good-looking, smart men and women who regularly hang out wearing suits at airport lounges. They are polite. They go to conventions where the registration process is completely anonymous, and they share ideas of how they can continue to outsmart security software and law enforcement. There are highly organized companies, here and overseas, who recruit the best of the best talent out there, with the sole purpose of earning income by hacking, hijacking or hoaxing businesses. They are not just teenager geeks or third-world criminals trying to make a living. In short, cyber security “professionals” are working in some of the most sophisticated organizations on the planet. Sadly, crime does pay.
So what should you do? Let me start by saying what NOT to do, and then I’ll come back to the first question.
A few ground rules:
– DO NOT hire a firm who says, “We do end-to-end cyber security for you.” Any firm in this day and age that says they have you completely covered is either lying or ignorant of the facts.
– DO NOT hire a single person or two people and make it their job to “take care of cyber security.” This is not a 1-2 person job anymore. It takes a village.
– DO NOT say, “I’m not in IT. I’m not technical, so I have to rely on someone who is technical to make sure we’re OK.” If you are smart enough to read this article, you are smart enough to understand conceptually what the issues are. You cannot abdicate your ownership and responsibility as a current day business leader.
– DO NOT allow any IT security firm you use to “grade their own homework,” meaning that whoever sets up the network cannot do the penetration tests or friendly hacking tests on that network. See, you get it already, and I just heard you say you weren’t technical.
I recently heard a business owner say, “We have a VPN, so I’m thinking we are fairly secure.”
OK, having a VPN is a fine step, but it’s one step on a hundred-step journey. Here is the scoop on VPNs: VPNs are typically used to do one of three things securely: allow employees to work remotely as if they were in the office, connect two or more offices or locations over the Internet as if they had a direct connection between them, or, in more specialized cases, allow users to browse the Internet without third parties being able to snoop on what they’re doing (ex: users in China might not want the government monitoring their web browsing, but I digress…)
However, while a VPN prevents third parties from being able to see the actual data as it flows across the Internet, it doesn’t inherently make what the user is doing any safer by itself. If a user is connected remotely via VPN and clicks on a malicious link in a phishing email, they’re no safer than if they’d clicked that same link and went to the same malicious site while they were at the office. It won’t stop them from downloading a virus or other malware. It doesn’t protect them from websites tracking their usage or personal information. And if hackers steal the user’s password – perhaps via a phishing scam – the VPN by itself won’t stop the hackers from logging into your network using the stolen credentials.
We do recommend the use of a VPN to provide a foundation for users being able to work securely remotely, or to allow you to connect multiple locations securely over the Internet. However, several other technologies still need to be leveraged to tackle the bigger picture.
In fact, at Entara we often embed many of the following practices and toolsets into our standard offerings for IT managed services, as they are the table stakes for security. If you don’t have these items in place at your organization, this is a good place to start when mapping out your top 2020 cyber security projects. These practices are in order of importance based on the real world cyber security threats I’ve witnessed:
• Intensely Rigorous Patching Processes – My daughter, who is obsessed with sports, was talking the other day about the merits of defense vs offense. We know you need both in sports to win, and the same is true in winning cyber security wars. Having a rigorous patching process is one of the best defensive moves a company can make.
Many breaches are caused by “exploiting vulnerabilities.” So what are those vulnerabilities exactly? It’s not unlike sports, where the news of someone’s injured shoulder is announced, potentially after the team has privately known about it for a while. There is speculation about whether they will play, and then there’s the news that indeed, they will play. Cheers go out. But what does the other team do? They are probably trying to figure out how to use that injury to their advantage. And so it is with cyber security. When Microsoft discovers a new security problem with their operating systems or applications, they don’t announce it immediately. Instead, they work on it with their team of developers, and then the “fix” is published and explained, thereby releasing the specifics of the security problem itself. This announcement comes out on a Tuesday, and is known as “Patch Tuesday” in the IT industry. It’s a day when most security-related IT professionals are working overtime. It occurs on the second, and sometimes fourth, Tuesday of each month in North America. You can imagine what happens after the patch is published. Cyber criminals from around the world figure out how to very quickly reverse engineer the attack, and then they hammer servers globally to see if they can gain access to servers that do not yet have the patch.
Now, here’s the catch. Many organizations have excellent intentions around patching, but they are lacking a designated process and time frame around resolving exceptions. It’s a classic case of the 80/20 rule, or sometimes the 95/5 rule. Most of the time the patches will run beautifully, automatically, and without a single issue. However, when they don’t… they really don’t. Most of us click “yes” when there is an update for our own applications or iPhone, and most of the time, it runs fine. We reboot. We are then safely in the new patched world. However, most of us have experienced those times when the patch does not run. It hangs, and we are left wondering what to do next. Your IT people are not that much different from you. For them to resolve the deeper issues in getting those patches implemented, it will take them time. They will also likely need to take some of the business’ applications down, and that’s a difficult call to make when the business is highly dependent on uptime.
Meanwhile, another day passes and then another. Since the cyber criminals know which patches are tricky to resolve, you can imagine which ones they target. For you to win against them, you need to have your strongest defense not just on game day, but 24×7. That level of defense requires impeccable process rigor in your IT department or from your IT managed services provider, including a high attention to detail, along with a readily auditable system that won’t let an unpatched server fall through the cracks.
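One way to make the “exceptions” problem auditable, as an added example that is not part of the original article or any Entara tooling: the inventory, the 14-day patch window and the exception register below are constructed assumptions, but the logic (an exception must have an owner’s reason and an expiry date, and an expired exception counts as overdue) is the process the section argues for.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

PATCH_SLA_DAYS = 14  # assumed policy: a released patch must be installed within 14 days


@dataclass
class Server:
    name: str
    # Release date of the oldest patch still missing; None means fully patched.
    pending_since: Optional[date]


# Constructed sample inventory and exception register (hypothetical names and dates).
TODAY = date(2020, 2, 10)
SERVERS = [
    Server("web01", None),                      # fully patched
    Server("file01", date(2020, 2, 4)),         # 6 days pending: inside the window
    Server("erp-db01", date(2020, 1, 14)),      # 27 days pending: needs an exception
    Server("legacy-app", date(2019, 12, 10)),   # 62 days pending: exception has lapsed
]
# name -> (documented reason, date the exception expires)
EXCEPTIONS: Dict[str, Tuple[str, date]] = {
    "erp-db01": ("vendor certifying patch; maintenance window 2020-02-15", date(2020, 2, 15)),
    "legacy-app": ("awaiting application upgrade", date(2020, 1, 31)),
}


def audit(servers: List[Server], exceptions: Dict[str, Tuple[str, date]],
          today: date) -> Dict[str, List[str]]:
    """Bucket every server so nothing is silently left unpatched."""
    report: Dict[str, List[str]] = {
        "patched": [], "within_sla": [], "overdue": [],
        "excepted": [], "exception_expired": [],
    }
    for s in servers:
        if s.pending_since is None:
            report["patched"].append(s.name)
            continue
        if (today - s.pending_since).days <= PATCH_SLA_DAYS:
            report["within_sla"].append(s.name)
            continue
        exc = exceptions.get(s.name)
        if exc is None:
            report["overdue"].append(s.name)           # no paperwork at all
        elif exc[1] >= today:
            report["excepted"].append(s.name)          # documented, still in date
        else:
            report["exception_expired"].append(s.name)  # paperwork lapsed: back on the list
    return report


def needs_action(report: Dict[str, List[str]]) -> List[str]:
    """Servers that must be escalated: past the window with no valid exception."""
    return sorted(report["overdue"] + report["exception_expired"])
```

Run weekly, the `needs_action` list is what management should see; a server can only stay off it by being patched or by having a current, dated exception.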
• Security Awareness Training – The number one source of security breaches is human error – users being tricked into doing things they shouldn’t. This is called “social engineering.” Hackers have become very sophisticated at this practice, creating emails and websites that look and feel like the real thing (fake bank websites, Office 365, Starbucks coupons, etc.) where they fool users into putting in sensitive information such as passwords, social security numbers, or employee data. Since no technology solution will block 100% of these attacks, there is no substitute for user education to help them avoid falling victim to these scams.
The cost of a high-quality, ongoing, automated training program is low compared to the tangible reduction in risk. That’s why it is #2 on my list.
• Simulated Phishing and Social Engineering Campaigns – This is #3, because it falls naturally as a follow-up to #2 above. This weapon against cyber crime is where you engage a security firm to employ the same techniques as hackers to try and fool your users into clicking links or providing details they shouldn’t. This is a complement to Security Awareness Training – besides giving users an opportunity to hone the skills they were trained on, it also identifies those users who fall for the phishing or social engineering scams so they can receive more targeted training.
• Multi-Factor Authentication (MFA) – Yes, it’s a pain, and yes, in this day and age all companies need it. I am old enough to remember how nice it was to sail through the airport without going through security. However, I would not want to fly on any public airline these days that did not require it. The same is true in business. MFA protects against hackers using stolen passwords to access your network or cloud services such as email. Whenever a user logs in remotely or logs in to a cloud service, they receive a pop-up on their phone which they need to click on (or it displays a six-digit code they need to enter). Even if a hacker steals the user’s password, the hacker can’t log in without the user’s phone in hand.
• Cloud Email Protection – I liken this to wearing a seat belt. It won’t protect you from injury altogether, but it will help. These services provide a first line of defense for email by blocking emails that appear to be spam or have falsified sender addresses, attachments with viruses or other malware, etc. Many services also provide solutions for email archiving if compliance is a concern.
• Endpoint Next-Gen Anti-virus – Having traditional anti-virus software these days means practically nothing to a cyber criminal. You need to level up. Traditional anti-virus protects your workstations and servers from infection by scanning files for viral signatures – fingerprints that identify malware. Many solutions also scan email, block incoming network connections from untrusted sources, or block websites that may be malicious. However, the cyber criminals have out-thought anti-virus logic, and consequently, it’s difficult for these traditional solutions to keep up with the constant proliferation of new threats. Modern malware can often evade traditional signature-based scanning by modifying itself as it spreads, so it never leaves quite the same fingerprint. Ingenious, huh? Next generation solutions expand these capabilities by leveraging AI or examining software behavior for suspicious activity.
• Next-Gen Firewall – This is related to the last point. Traditional firewalls protect your network by only allowing connections that appear legitimate based on simple parameters known as IP addresses and port numbers. Using a phone system as an analogy, this would be akin to only allowing incoming calls to certain extensions. However, once they’ve allowed an inbound connection, traditional firewalls don’t have the ability to actively monitor what is being done, much like letting somebody into a room but not watching what they are doing. Next generation firewalls provide greater capability to look inside of these connections to block behavior that matches known attacks or appears unusual. There are also cloud-based services that can provide this functionality by connecting you to them via VPN, where all of your traffic is sent through their own next generation firewalls instead of having to purchase your own.
• Backups – Besides protecting against equipment failure or accidental modification or deletion of data, a good backup solution that you can restore quickly also provides a last line of defense in the event of ransomware or rampant malware infection by providing you the ability to quickly recover to a state before you were infected. Backups can also be a source of forensic information in the event of a more serious breach. A robust backup solution also should not be exposed to attack if your other systems are compromised.
Once you have these basics covered, you can continue the journey with examining Managed Detection and Response solutions, which are third party managed security tools, some of which have security engineers on tap at all hours (yes, 24x7x365) to examine any suspect activity and respond to threats in real time. Like many things in life, there is a wide range of scope and quality in these solutions. Most solutions tout their “24×7 response,” but that response can often be an auto-generated email versus a human security engineer personally reviewing your specific situation within a minute after it’s happened – and taking immediate action. Additionally, there is a wide range in terms of the scope of what specific activities are reviewed.
Data Loss Prevention solutions are another logical next step to take. These solutions look for patterns that might indicate sensitive data, such as credit card numbers being sent via email or uploaded outside of the firm. There are many more avenues to explore in an effort to thwart the bad guys, but this list will give you a running start. The technologies above are crucial pieces of security infrastructure that are appropriate for most businesses that employ knowledge workers or depend upon their technology. While there is overlap between some of these functions, this is intentional as no one solution is perfect.
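To show what “looking for patterns” means in practice for the credit card case above, here is an added example (not code from the article or from any Entara product): a small outbound-mail check that finds card-like digit runs and then applies the Luhn checksum so that order or tracking numbers of the same length are not flagged. The messages and addresses are constructed; the masking keeps only the last four digits in the report.

```python
import re
from typing import Dict, List, Tuple

# 13 to 19 digits, optionally separated by spaces or dashes, not glued to other digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the card numbers (separators removed) that pass length and Luhn checks."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(number: str) -> str:
    return "*" * (len(number) - 4) + number[-4:]


def scan_outbound(messages: List[Dict[str, str]], internal_domain: str) -> List[Tuple[str, List[str]]]:
    """Report (message id, masked numbers) for mail leaving the firm that carries card data."""
    findings = []
    for msg in messages:
        if msg["to"].lower().endswith("@" + internal_domain):
            continue                        # internal mail is out of scope for this rule
        hits = find_card_numbers(msg["body"])
        if hits:
            findings.append((msg["id"], [mask(h) for h in hits]))
    return findings


# Constructed sample mail; 4111 1111 1111 1111 is a well-known test card number.
SAMPLE_MESSAGES = [
    {"id": "m1", "to": "vendor@example.net", "body": "Please bill card 4111 1111 1111 1111, exp 12/22."},
    {"id": "m2", "to": "partner@example.org", "body": "Your order number is 1234 5678 9012 3456."},
    {"id": "m3", "to": "finance@example.com", "body": "Card on file: 4111-1111-1111-1111"},
]
```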
At Entara we love to talk about IT security. Please reach out and start a conversation. We are happy to share with you our processes and the specific names of products that we use to keep both our clients and ourselves as safe as possible in an era where the threats are real and the risks are, well, worth my once-yearly-profanity rant.