Broken cybersecurity

Cybersecurity is complex and affects business.  If you are an executive, have you considered whether your cybersecurity strategy fulfils your fiduciary duty?  If you are a CISO, have you taken a methodical approach to the ever-increasing list of cybersecurity topics?  If you are a non-IT person, have you wondered whether your enterprise information is secure?

The Ugly Truth

100% security does not exist and cybersecurity is a journey: even if you truly minimize the threats today, they are ever-evolving.  Individual hackers get computing power they could not have dreamed of from IaaS (Infrastructure as a Service).  Organized hacking groups – state or private – run hacking like a well-managed software project: reconnaissance, design, planning, execution and lessons learned, in a well-oiled project loop.

It’s not only commercial proprietary information worth hundreds of millions that can get stolen, but also government secrets that cause prime ministers to resign.  The latest example is Nawaz Sharif, the prime minister of Pakistan, who was removed by the country’s Supreme Court based on information from the leaked Panama Papers.  While it may be argued that it was good that some of that confidential information saw the light of day, let’s also remember the Sony employees whose confidential records – social security numbers, medical records etc. – were published after the Sony hack in December 2014, or the massive WannaCry attack which paralyzed many organizations, incl. the UK’s National Health Service, putting patients’ lives at risk.  Ransomware has evolved to the point that some ransomware “providers” sell their products and even provide customer service to hackers who prefer to pay for 3rd-party software rather than write their own.

How should we minimize the likelihood of a successful security breach?

The old rule stating “your system is as secure as its most vulnerable component” still stands.  The challenge is that there are many components, and in the software area solutions contain subcomponents which may be difficult to identify.  A rule of thumb is to go through the different areas of your environment, identify both the threat and its impact, and then prioritize what to protect first.  “Saving” on security measures is a classic case of being penny-wise and pound-foolish, as recovering from a security attack can be costly in financial terms or in reputation, as some retail vendors have seen.

Pre-requisites:

  • Upgrade all of the operating systems, RDBMS and applications to the latest releases, execute a regular patching policy and implement regular monitoring
  • Enforce an adequate login policy with frequent mandatory password changes
  • Educate staff (webcast, testing which each staff member has to pass, simulated phishing attacks etc.)
  • Establish management dashboards and reporting
  • Make sure you have an adequate backup policy and your backups can be successfully restored
  • Consider Disaster Recovery (DR) for vital applications
  • Simulate incident response and monitor incident response performance
  • Implement security policy across the enterprise
  • Create KPIs to monitor the rationalized operations
  • Create regular “lessons learned” sessions based on real or simulated incidents and make sure your security policies are updated with these findings
  • Understand compliance obligations: as an example, if you are taking credit card payments you need to be PCI compliant.  If you store personally identifiable information together with health care data, you need to be HIPAA compliant.  If you store data of EU customers, you need to comply with GDPR.  Ignorance of the law will not be an excuse and will not decrease your liability.

If your environment has been compromised, you may need to execute “step 0” – establish a new environment and gradually migrate components from the old environment in a secure manner.  Independent tools like Bitsight may help give you a better picture of your security situation.

What components do you need to examine and what are the examples of actions you may need to take?

Network:  conduct perimeter analysis – e.g. network sniffing, log analysis, data flow diagram, network diagram.

  • Create a Bill of Materials (BOM) per application.  A BOM is a table listing the components of an application – application name, release version, the subcomponents within the application (these can be other commercial or open source components) together with their release numbers, and the ‘external’ application components and their release numbers (e.g. RDBMS, operating systems).  Each component should be identified as “supported” or “not supported” by the supplier.  The support expiration date should be listed for the version in use, and the latest “production” version of each component stated in another column.  Old components or subcomponents are often vulnerable to attacks, as witnessed by the hundreds of thousands of servers successfully compromised by WannaCry.
  • If you find that many of the applications are vulnerable, prioritize them.  One workable scheme is three categories – vital to the business, important but not critical, and the rest.  Harden the applications in this priority order.
  • Create an inventory of compliance for each application.
  • Segment your network so that applications are isolated, and vital applications are protected. The segmentation will also reduce the compliance burden.
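The BOM table and the three-tier prioritization above can be turned into a repeatable check rather than a one-off spreadsheet exercise. The script below is an added example, not code from the original post or from NewPush: it holds a BOM as plain records, flags each component that is unsupported, past (or within 90 days of) its support expiration date, or behind the supplier's latest production release, and sorts the findings so that vital applications come first. The application and component names, versions and support dates are constructed sample data, not real supplier figures, and the 90-day warning window is an assumption.

```python
"""Bill-of-materials (BOM) support and currency check.

Added example with constructed data; the application names, versions and
support dates below are illustrative only, not real supplier figures.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Component:
    name: str                          # e.g. RDBMS, OS, embedded library
    version: str                       # release deployed today
    latest_version: str                # latest "production" release from the supplier
    supported: bool                    # supplier still supports the deployed release
    support_ends: Optional[date] = None  # support expiration date for the deployed release


@dataclass
class Application:
    name: str
    criticality: int                   # 1 = vital, 2 = important but not critical, 3 = the rest
    components: List[Component] = field(default_factory=list)


CRITICALITY_LABEL = {1: "vital", 2: "important", 3: "other"}


def version_key(v: str):
    """Turn a dotted numeric version such as '2.3.1' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def component_findings(comp: Component, today: date, warn_days: int = 90) -> List[str]:
    """Return the list of problems with one BOM row (empty list means clean)."""
    findings = []
    if not comp.supported:
        findings.append("not supported by supplier")
    elif comp.support_ends is not None:
        if comp.support_ends <= today:
            findings.append("support expired %s" % comp.support_ends.isoformat())
        elif comp.support_ends - today <= timedelta(days=warn_days):
            # Assumed policy: warn when support ends within warn_days.
            findings.append("support ends %s" % comp.support_ends.isoformat())
    if version_key(comp.version) < version_key(comp.latest_version):
        findings.append("behind latest production release %s" % comp.latest_version)
    return findings


def assess(apps: List[Application], today: date, warn_days: int = 90) -> List[dict]:
    """Flag every problematic component, ordered vital-first, then by name."""
    rows = []
    for app in apps:
        for comp in app.components:
            findings = component_findings(comp, today, warn_days)
            if findings:
                rows.append({
                    "priority": app.criticality,
                    "application": app.name,
                    "component": comp.name,
                    "deployed": comp.version,
                    "findings": findings,
                })
    rows.sort(key=lambda r: (r["priority"], r["application"], r["component"]))
    return rows


# Constructed sample BOM (not real products or dates).
TODAY = date(2018, 1, 15)
SAMPLE_APPS = [
    Application("Customer portal", 1, [
        Component("web-framework", "2.3.1", "2.4.0", True, date(2018, 3, 1)),
        Component("server-os", "7.0", "8.1", False, date(2017, 6, 30)),
    ]),
    Application("Intranet wiki", 3, [
        Component("rdbms", "12.1", "12.1", True, date(2020, 12, 31)),
        Component("java-runtime", "8.0", "9.0", True, date(2018, 1, 1)),
    ]),
    Application("Payroll", 2, [
        Component("erp-core", "5.2", "5.2", True, date(2019, 6, 30)),
    ]),
]


if __name__ == "__main__":
    for row in assess(SAMPLE_APPS, TODAY):
        print("[%s] %s / %s %s: %s" % (
            CRITICALITY_LABEL[row["priority"]], row["application"],
            row["component"], row["deployed"], "; ".join(row["findings"])))
```

Run as-is it lists the two out-of-date components of the vital customer portal before the expired runtime on the low-priority wiki, and prints nothing for the payroll system, whose BOM is current. In practice the `SAMPLE_APPS` records would be loaded from the BOM table you maintain per application, and the `supported` flag and `support_ends` date filled in from the supplier's published lifecycle information.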

Other:

  • Consider VDI
  • Review incident response process
  • Implement Identity Management.  Leaks of internal data can be more devastating than external attacks due to volume and importance, as seen on many occasions.

Final word

A Russian cybersecurity expert once said, “if I stop seeing attacks, it means that the attackers are already in.”  Cybersecurity is everyone’s responsibility given the increase in cybercrime.  It’s not a question of “if” you will be hacked, but “when.”  Being prepared consists of two steps: a) minimizing the chance of a successful attack, and b) being able to recover quickly if such an attack succeeds.  The examples provided in this blog illustrate the complexity of the task, yet being prepared optimizes cybersecurity expense and time, and it is critical to success.  NewPush can help on this journey through its cloud and cybersecurity offerings.