Break Room to Boardroom: Your Urgent Questions Answered


October 13, 2016


Secure Halo

This October, Secure Halo is participating as a Cyber Champion during the DHS and National Cyber Security Alliance’s National Cyber Security Month (NCSAM). As a Cyber Champion, TSC is showing our support for cybersecurity by partaking in weekly online Twitter chats with Stop.Think.Connect. Each week, we provide inputs on various topics relating to cybersecurity and online safety. This week, our discussion focused on the theme, Creating a Culture of Cybersecurity from the Break Room to the Boardroom. We turned to Brendan Fitzpatrick, Enterprise Security Assessment Program Manager at TSC, to shed some light on the subject. Here are his responses:

Why is it important for every organization, no matter the size or industry, to be cyber aware?

The nature of information security attacks has shifted dramatically in the last ten years or so towards criminal activities. These attacks come from a variety of sources, but the method of delivery is largely ‘spray and pray.’ They attack in every possible way – phishing attacks to either steal credentials or drop malware (like crypto locker) onto a PC/device, or creating drive-by ‘watering hole’ attacks by infecting websites (or the advertisements that run on them) that may be visited by an organization’s users. No organization is immune to infection or having credentials stolen.

What examples can you share of organizations’ need for cybersecurity that might not be obvious?

For targeted attacks, we’ve seen several examples of ‘man-in-the-middle’ attacks involving an organization’s email system. One example is that an attacker will intercept communications between vendors and the organization and, at an opportune time, will masquerade as the vendor and change payment details (bank routing information, etc.) to receive transferred funds.

We’ve also seen several self-inflicted information security wounds, for example, failing to test disaster recovery and business continuity plans. We’ve seen some larger organizations store all DR plans and procedures on the organization’s network shares. When a disaster occurred, they lost access to those plans because they didn’t have a complete set of offline copies. A simple DR test would have revealed that.

Less obvious problems: many organizations forget that procedures like Change Management are an essential part of information security. If you do not track and control all changes to your environment, then it becomes likely that additions or changes will undermine your security. An example: a firewall port is opened for a special project or purpose but not documented or approved in the change management system. The project ends, and the organization forgets to close the port.
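The forgotten firewall port above is exactly the kind of drift a periodic reconciliation catches. The following is an added example, not code from the interview or from Secure Halo: it compares a constructed list of firewall allow rules against constructed change-management tickets and flags any rule with no record, an unapproved record, or a project ticket whose end date has passed.

```python
"""Reconcile firewall rules against change-management records (added example).

All data below is constructed for illustration: a few inbound allow rules as a
firewall export might list them, and the change tickets meant to authorise them.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Rule:
    rule_id: str
    port: int
    change_ticket: Optional[str]   # None when the rule was added out of band

@dataclass(frozen=True)
class Change:
    ticket: str
    approved: bool
    expires: Optional[date]        # None means a standing (non-project) change

# Constructed sample data.
RULES = [
    Rule("fw-001", 443, "CHG-100"),   # standing, approved
    Rule("fw-002", 8443, "CHG-101"),  # approved, but the project has ended
    Rule("fw-003", 3389, None),       # never recorded in change management
    Rule("fw-004", 22, "CHG-999"),    # references a ticket that does not exist
    Rule("fw-005", 8080, "CHG-102"),  # ticket exists but was never approved
]
CHANGES = {
    "CHG-100": Change("CHG-100", True, None),
    "CHG-101": Change("CHG-101", True, date(2016, 6, 30)),
    "CHG-102": Change("CHG-102", False, None),
}
AS_OF = date(2016, 10, 13)  # constructed audit date

def audit_rules(rules, changes, today):
    """Return {rule_id: reason} for every rule lacking a valid, current approval."""
    findings = {}
    for r in rules:
        chg = changes.get(r.change_ticket) if r.change_ticket else None
        if chg is None:
            findings[r.rule_id] = "no change record"
        elif not chg.approved:
            findings[r.rule_id] = "change not approved"
        elif chg.expires is not None and chg.expires < today:
            findings[r.rule_id] = f"change expired {chg.expires.isoformat()}"
    return findings
```

Each finding is a rule to close or to retroactively document; the rule the text describes (project ended, port still open) surfaces as "change expired".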

What are the most critical pieces of data for an organization to protect?

There is no definitive set of ‘most critical data’ for all organizations. What is critical information for one company, may not be for another; each organization must determine for itself what its most critical information is. Some information, such as regulated data (PFI, PII, PCI, PHI, etc.), should always be considered critical, since the breach of that information would have multiple negative financial and reputational repercussions. This information includes not just client information, but employee information as well. Any intellectual property, source code, industrial production advantages, material formula and recipes, business intelligence, financial information, etc. should all be evaluated for criticality.

What we know doesn’t work is to treat all information equally. An organization must differentiate and categorize (even in a general way) the information it possesses and depends upon. That knowledge will drive all other information security concerns and decisions.

What measures can organizations put in place – and employees follow – to help guard against cyber incidents?

Of course there are a whole host of technical safeguards that can be put into place to secure this information. However, many organizations fail at the administrative level – specifically:

  • They fail to determine how to classify and categorize the information they acquire, generate, or use.
  • They fail to determine what and how the information should be protected (i.e., confidentiality, integrity, availability), and the proper parameters of its use and disposal.
  • They fail to assign explicit ownership and custodianship of all the different types of critical information.
  • They fail to communicate this (through training and awareness) to their employees in order to make it every employee’s responsibility to protect the information.

How can leaders encourage all levels of an organization to detect and report cyber threats?

Explicit training and awareness campaigns are essential. It’s also more effective to have at least some training and awareness activities be in person-to-person settings. PowerPoint and CBT are okay for much of the training lift, but at some point, sitting in a room with trainers creates a more lasting effect. In this light, having company leaders as students in those settings (to be seen as full participants) lends weight and authority to the training – after all, if the COO is taking the same training I take, it must be important! Some of the most effective training I have seen explicitly incorporated various levels of the organization within one room. This is easier to perform for smaller organizations.

What should be included in an incident response plan, and what are your tips for building one?

The bare bones of an incident response plan should have the following:

  • Organizational structure of the incident response team. You need to know the members and what each of their roles are within the team. You need to designate ‘responsible parties’ who will own the IR processes. You will need to list all parties that might need to be alerted, and under what circumstances they would need to be alerted.
  • You need to define what constitutes an incident, i.e., what thresholds have to be passed to move something from an event (which can be handled in a routine way) to an incident. Every organization with a developed plan defines this differently, so figure out what works for your organization.
  • You need to know what organizational things need to happen along each of the stages of incident response. E.g., first, events are recorded in a ticketing system. Then, all events are evaluated by some member of the team. If the threshold is passed, the IR team is activated and these business officers are alerted, etc.
  • You will need to establish a documentation methodology and repository for all incidents. This includes after action reports and root cause analyses that occur after closing an incident.
  • You will need to establish a regular schedule to fully test and update your plans.

Specific playbooks for incident response can be developed during these tests, as well as when dealing with real events and incidents.

How can organizations return to normal operations after cyber incidents and protect info and reputations long-term?

As mentioned above, an incident doesn’t end when it is closed. After action reports and root-cause analyses are essential for the organization to develop changes to its information security strategy and implementation. Understanding what threat vectors were used and what vulnerabilities exploited is essential to repairing the damage. Taking a step back and analyzing what proactive changes to overall information security strategy may be needed will have a larger impact on future security than living a reactive state of mind.

What does it mean to have a culture of cybersecurity at an organization?

As a company that does assessments, this is one of the easiest things to spot. There are always the “pat” answers of leadership engagement with security, visible awareness, etc., and those are all true. For us, we see it in attitude – is the organization making excuses for the lack of security controls and practices? Or are they freely admitting their difficulties and genuinely seeking help to solve the challenge of achieving good security despite limited resources? When security, IT, legal, and the leadership really ‘own’ security, their focus inevitably is on making it better. Nobody’s security is ‘good enough.’ Every organization has room for improvement. A culture of cybersecurity is one where you’re constantly trying to improve – and to do that, YOU MUST KNOW WHERE YOU ARE. You must assess and evaluate your security, otherwise you will be blind to your weaknesses.

What are some effective and/or creative ways to talk to staff about online safety in the workplace?

Here is one example, though it’s not online safety oriented – instead it’s information security oriented. One company had a clean desk policy – they didn’t want confidential materials left on desks for everyone to see or walk away with. So they would pick a random day, go around to everyone’s desk after work hours had ended and pack up any papers or work materials into individual boxes with the employee’s name on them. The senior manager (VP or above) would get the boxes and the employees would have to go in the next day and retrieve their belongings from the senior manager. They kept this practice light hearted, but it was very embarrassing to the employee, and as a result, it was a very effective lesson.

And what topics are important to cover in these office cyber aware talks?

Phishing, safe surfing, policy reinforcement (such as clean desk example above, information ownership), incident reports for anything that might be a problem – i.e., when in doubt, shout it out.

For non-computer experts, what are some quick steps to take to protect your organization from a cyber attack?

The first thing every organization has to do is assess where they are. An internal or external (third party) assessment is essential to identify what you’re doing right, what needs to be tweaked, and what you need to begin doing to secure your organization. Information security is only partly a technical problem; it is also an administrative and organizational problem. As a doctor might say, you can’t treat a patient without examining the patient.

What should an organization’s leaders consider and put in place before allowing BYOD in the workplace?

At minimum, organizations need to perform a risk assessment to identify and understand what threats are posed by mobile devices, what vulnerabilities exist, and what the potential impact and likelihood of occurrence would be. Once the organization understands the risk levels involved, it can implement controls (such as MDM platforms and specific mandated configuration settings) appropriate to the environment and sufficient to protect the data that needs protection. Again, one size does not fit all.

What are the key considerations for organizations regarding protecting individuals and their information?

You get one chance to protect this valuable information. Once it has been breached, the toothpaste is out of the tube. With that in mind, you must identify and categorize this information. You must explicitly determine how to protect and manage the information. You must assess yourself to see if the controls you put in place are sufficient to achieve the protection requirements.

How do we equip employees with the info they need to take cybersecurity beyond the office to their homes and communities?

Training and awareness is the path to increasing security at home and in communities. We’ve seen a number of organizations who will do lunch and learns with topics that address information security at home. Their explicit focus isn’t organization security, but protecting personal identity, safe surfing habits, phishing identification and avoidance, safe Wi-Fi use, secure travel, etc. Frequently we hear that employees enjoy these types of sessions, and it has the effect of increasing the security consciousness of the employees in all areas of their life.

To combat cybercrime at work, we need a strong cyber workforce. Why should students consider careers in cyber?

Information security is going to be an essential part of everything we do from now on. Information is valuable — it is a currency — and currently, many organizations have secured it with the equivalent of a screen door. It is essential that we bring new minds to help us look at the problem from new angles, develop innovative solutions and strategies. The landscape is changing so rapidly that everyone in school now has a chance to leave a permanent mark on the information security industry.
