The last decade has seen its share of internet-based innovations in both the public and private spheres. Many, such as the introduction of cryptocurrency, the further refinement of secure transactions, and the widespread adoption of cloud services, have advanced the way businesses operate. Not all of these innovations were positive, though: many of them opened novel avenues for system exploitation and disruption, data exfiltration, ransomware, and other attacks that have cost people and businesses money, time, and confidence in their online activities.
This is the first week of National Cyber Security Awareness Month (NCSAM) 2017, and as an NCSAM Champion, we at Secure Halo offer steps to improve corporate and personal online safety. A great place to begin is one of the most widely used frameworks for managing cyber risk, the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Its five core functions are Identify, Protect, Detect, Respond, and Recover. The sections below explain each function and show how organizations can use the framework to build a more resilient enterprise environment. At a personal level, you can use the same five functions to guide your family toward a position of strength in whatever cyber space they encounter.
IDENTIFY what needs to be protected against cyber attack
A company cannot protect what it considers precious unless it knows what it is protecting and where it lives. Just as a company keeps an inventory of its physical assets, it should keep an inventory of its data and be able to answer the question "where is the data located": in the server room down the hall, across town in a datacenter, or "in the cloud", which can be anywhere on Earth? The same applies to the systems, accounts, and third parties that handle that data. Likewise, you and your family should know what information you possess that is exposed to loss, theft, or hacking, as well as which companies you deal with are storing it and where.
Limit or contain the impact of a cyber event through PROTECTIVE measures
At the enterprise level, many incidents have historically occurred because IT or networking staff granted permissions far broader than the business need. Common examples: local administrator rights handed to staff who do not need them for their work, third parties given standing access to datastores and networks rather than scoped, time-limited access, and operating systems left at their default configuration instead of being hardened to a minimum-access profile.
At the personal level, poor access hygiene includes password sharing and reuse, improper disposal of documents and devices, and a lack of security awareness around personal electronic devices. Both the corporate and the personal spheres must protect their information with strong security controls. You and your company can improve your security posture in a few notable ways:
- Minimize access to information according to business need
- Minimize the attack surface of managed computers by conforming them to security best practices (e.g., close unneeded listening ports and services, do not install unnecessary programs, keep software patched)
- Protect important information with information classification schemes or other forms of rights management
- Make sure important information is backed up and that at least one copy is kept off-site or offline, where a ransomware infection on the live network cannot reach it
- Protect backups with encryption, and periodically test that they actually restore
- Provide security awareness training to staff or family members
- Ensure that information has a defined lifecycle and is disposed of in a controlled manner (e.g., mandate that all sensitive documents such as bills, records, and the like are stored securely or shredded)
These protection mechanisms can be used at the enterprise level as well as at the personal level to prevent important information from falling into the wrong hands or being lost through a ransomware attack.
DETECT precursors to the incident as well as attacks in progress
As the great Muhammad Ali said, "The hands can't hit what the eyes can't see." This is a great analogy for network and personal account visibility: you cannot protect against what you cannot see coming. Detection capabilities at the corporate level are an absolute must to provide visibility into activity inside the corporate network, at its edge, and beyond. Tools such as network intrusion detection systems, next-generation antivirus and anti-malware software, host monitoring and alerting, and network traffic monitoring, used in concert, let you investigate events and incidents in progress as well as the precursors (repeated failed logins, unusual access patterns, insider actions) that often lead up to an incident.
At the personal level, following security-focused publications, podcasts, and other media can help you judge which technologies are fine to use in the home and which you should avoid because of known vulnerabilities. Additional personal measures include checking your credit report regularly, asking your bank to flag and notify you of unusual activity on your accounts, or paying an identity monitoring service to watch that activity for you.
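The kind of precursor detection described above, as a small added example (this is illustrative code written for this post, not a product or a real monitoring system): it reads OpenSSH-style authentication log lines, flags a burst of failed password attempts from one source address, and raises a higher-severity alert if a successful login from that same address follows the burst. The log lines and the threshold and window values are constructed for the example.

```python
"""Precursor detector for SSH password guessing (added example, not a real tool)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in OpenSSH/syslog style; not taken from any real system.
SAMPLE_LOG = """\
Oct  2 09:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct  2 09:14:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Oct  2 09:14:05 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51024 ssh2
Oct  2 09:14:08 web01 sshd[2216]: Failed password for root from 203.0.113.7 port 51025 ssh2
Oct  2 09:14:10 web01 sshd[2218]: Failed password for root from 203.0.113.7 port 51026 ssh2
Oct  2 09:14:12 web01 sshd[2220]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Oct  2 09:20:44 web01 sshd[2301]: Failed password for alice from 198.51.100.4 port 40011 ssh2
Oct  2 09:21:01 web01 sshd[2303]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2
"""

# Matches the two sshd result lines we care about; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(lines, year=2017):
    """Turn raw log lines into (timestamp, result, user, ip) tuples.

    Syslog timestamps carry no year, so one is assumed (hypothetical value).
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth result line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(events, threshold=5, window_s=60):
    """Sliding-window detector.

    - 'password_guessing': >= threshold failures from one IP within window_s.
    - 'success_after_guessing': an Accepted login from an IP that was bursting
      while its failures are still inside the window. This is the one that
      deserves a phone call, not just a ticket.
    Threshold and window are example values; tune them to your environment.
    """
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    bursting = set()
    for ts, result, user, ip in events:
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("password_guessing", ip, user, len(recent)))
        elif ip in bursting and recent:
            alerts.append(("success_after_guessing", ip, user, len(recent)))
        failures[ip] = recent
    return alerts


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for kind, ip, user, count in run_sample():
        print(f"{kind}: {ip} targeting '{user}' after {count} failures")
```

Against the sample, the address 203.0.113.7 trips the guessing alert on its fifth failure and then a second, more serious alert when the `root` login succeeds two seconds later; the single failure from 198.51.100.4 followed by a key-based login stays silent. In a real deployment the same logic would be fed by your log collector and would page the response team on the second alert type.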
RESPOND to issues an incident creates
When an incident occurs, the goal is to respond to its effects in an appropriate and expedient manner. Whether the incident affects an enterprise environment or your family, there are measures you can take to manage it while it is happening:
- Have a response plan in place and use it to manage containment efforts. For an enterprise, the plan contains the phone numbers of the response team, guidance on when to notify shareholders, and similar details. For a family, it contains bank phone numbers and contacts, ISP contact information, and anyone else who might be able to assist
- Enterprises should keep collecting and analyzing the information coming from their detection capabilities and use it to inform the next step of response and correction
- All parties should use software, hardware, or other solutions to mitigate the incident. In an enterprise this means anti-malware software to stop the spread of a virus and moving affected computers off the production network into a quarantined segment for analysis and possible reimaging; isolate the machine rather than powering it off where you can, so that evidence in memory is not lost. On a home network the spread of malware is harder to see, but if a family member tells you something is acting up with their device, you can create an ad-hoc "safe space" by turning its network connections off (Wi-Fi, mobile data, Ethernet), watching whether its behaviour changes, and then running anti-malware software (if available) to remove any detected threats
RECOVER from an incident
Once the damage from the incident has been contained, you or your company can focus on recovery and restoring normal operations. Some measures that apply at the enterprise and personal level:
- For enterprises, have a recovery plan in place and act on it
- Restore affected information from known-good backups, after confirming that the backups themselves were not reached by the incident
- Work with external parties (providers, banks, vendors) to coordinate data and service restoration
- Once service is restored, write an after-action report (or, at the personal level, talk with your family about what happened and what you have put in place to keep it from happening again)
Tools such as the NIST Cybersecurity Framework are great to use at the enterprise and personal level, but a framework is only as useful as its implementation. At the personal level, it is up to you to make its goals understood to those you care about. At the enterprise level, ensuring conformance to the framework can be the difference between protected data and a front-page article about your company's data breach.