Thoughts on how to avoid becoming a victim in cyberspace.
Cybersecurity Awareness Month: advice for small and medium businesses.
The US Cybersecurity and Infrastructure Security Agency (CISA) has particular points of emphasis for small and medium businesses to consider during Cybersecurity Awareness Month. “Small and medium-sized businesses (SMBs): SBMs face unique challenges, so CISA is working to help them Secure Our World by offering tools and resources that can help boost SMB’s cybersecurity defenses and minimizes the risk of data breaches or cyber-attacks, making not only our businesses, but our communities safer.”
Inculcating a security culture.
Michael Mestrovich, CISO, Rubrik, described what businesses can do to help their employees become part of a security-aware culture. "Monetization of data theft drives the cyber crime business. Modern cybercrime revolves around stealing data from organizations or denying them access to critical data. It is imperative that we maintain a security-first corporate culture and that a security mindset permeates everything that we do," Mestrovich wrote. Some of the things we do are simple. "So how do we achieve this? A culture change starts with simple behavior shifts. When you walk away from your computer, do you lock it? When you’re using your laptop in public, do you have a screen guard on? When entering corporate buildings do you badge in and make sure no one is tailgating you? These sound like small things, but they are the practical day-to-day activities that people need to understand that help cultivate a security-first culture."
(Added, 3:00 PM ET, October 2nd, 2023.) JP Perez-Etchegoyen, CTO at Onapsis, offered some reflections on how security culture might be assessed and strengthened. "This year’s Cybersecurity Awareness Month serves as a timely opportunity for companies to reassess their cybersecurity practices. The significance of cybersecurity has grown even more pronounced in the face of ransomware and supply chain attacks that have affected organizations of all sizes and sectors. Just considering the number of cyberattacks, research indicates a 38% increase from 2021 to 2022, Perez-Etchegoyen wrote. "The ability to ensure business continuity and safeguard brand reputation now hinges on an organization's capacity to enhance the availability of business operations, of which a critical part are its business applications, while also embracing innovation and integrating security and compliance into their operations. Special emphasis must be placed on safeguarding critical web applications since cybercriminals continually identify and exploit vulnerabilities in this area. Such vulnerabilities not only risk data exposure and theft but can also result in complete system downtime until necessary updates are deployed. This system downtime, when it comes to business critical applications, equates to business disruption, potentially resulting in millions of dollars in losses. With the theme 'it’s easy to stay safe online' in mind, enterprises must evaluate all elements within their IT landscape to detect any potential cyber threats. This includes identifying unpatched systems, addressing permissive access controls, securing integrations, and rectifying any misconfigurations. Prompt action is vital to shield mission-critical applications and the overall business from sophisticated cybercriminals. Organizations should also incorporate a robust business application security program into their cybersecurity strategy, ensuring complete visibility into applications for high-priority patching, vulnerability assessments, and security protection."
Human error is with us always.
Irfan Shakeel, VP of Training and Certification Services at OPSWAT noted the importance of effective training and education. “Recent findings from Tessian's Human Factor Report 2023 found that 88% of data breaches are caused by employee mistakes,” Shakeel wrote. “This underscores the paramount importance of investing in our first line of cybersecurity defense: our workforce. Cybersecurity Awareness Month is not merely about social media posts or celebratory events; it is about educating employees, vendors, and all other stakeholders on cybersecurity best practices and other security policies. By doing so, we ensure that our primary defense doesn't become our most significant vulnerability.”
(Added 3:00 PM ET, October 2nd, 2023.) There are best practices both individuals and organizations can follow that may help reduce the opportunities for human error. Jason Kent, Hacker in Residence at Cequence Security, wrote, "Cybersecurity Awareness Month is a timely reminder for organizations to revamp their security posture. With this year’s theme, “It’s easy to stay safe online,” in mind, individuals can take a few small steps that make all the difference:
- "Time and again, one of the most critical aspects of account security is overlooked: password creation.
- "To achieve proper password security, individuals should consider the following best practices:
- "Using strong, unique passwords for each account is imperative, as cybercriminals often target those with reused or weak passwords derived from a vast pool of compromised userID/password combinations from data breaches.
- "Avoiding easily guessable patterns like birth years, family names, or sports teams.
- "Implementing password managers proves invaluable for generating and securely storing complex passwords.
- "Enabling Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) adds an extra layer of security to your application and website accounts, requiring an additional authentication step beyond your password.
"Having covered what to do, let's also discuss what you should avoid:
- "Using a credit card is the safest way to pay online, storing your credit card details in online accounts, though convenient, pales in comparison to the potential risks of unauthorized charges. Taking the extra 30 seconds to manually input your card information during transactions can save you from these hassles.
- "Equally important is steering clear of "pay me with a gift card" scams, where scammers manipulate individuals through email or phone calls, convincing them to make payments for non-existent computer issues or software subscription renewals. These fraudsters exploit fear and a lack of technical knowledge to access victims' computers, installing remote access tools and insisting on gift card payments. Tech Support, the IRS, the FBI, the County Sheriff - don’t take Steam Gift Cards as payment.
"With these steps in mind, bolstering your online safety becomes a manageable task. By implementing these precautions, individuals can navigate the digital landscape with confidence and enhanced security."
Josh Bartolomie, VP of Global Threat Services at Cofense, took the opportunity to remind businesses of the ways they can manage their exposure to human error. "Cybersecurity Awareness Month, now in its 20th year, stands as an annual partnership between government and private sectors, uniting efforts to enhance awareness of digital security. Its mission: equipping everyone to safeguard their personal data against the perils of digital crime. Contrary to the belief that technology alone can eliminate vulnerabilities, it is essential to recognize that your workforce constitutes one of the most important lines of defense. They play an indispensable role in guarding against cybersecurity attacks and compromises. Organizations need to invest in their employees, imparting not just the ability to recognize suspicious activity but also to foster a culture where reporting such concerns and incidents is encouraged and even incentivized. Additionally, in cases where threats manage to elude employee vigilance, Security Operations Center (SOC) teams must possess the capability to identify, trace, and neutralize these risks swiftly and efficiently. Cybersecurity is our collective responsibility. The most effective way to ensure protection is by working together. Cybercrime ranks as the foremost threat faced by companies but fear not; there are established and user-friendly methods to thwart it, like free resource toolkits to greatly assist in promoting security awareness."
Achieving clarity about policies and expectations.
A healthy culture requires clarity about expectations. Doug Kersten, CISO of Appfire, explained the importance of such clarity. “First and foremost, whether an employee has been at an organization for 20 days or 20 years, they should have a common understanding of how their company approaches cybersecurity; and be able to report common threats to security.”
He’s seen an improvement in this regard over the twenty years we’ve been observing Cybersecurity Awareness Month. “It’s been refreshing to see security come to the forefront of conversation for most organizations. It was rare 20 years ago that cybersecurity awareness was even a training concern unless you were at a bank or regulated institution. Today, it is incredibly important that this heightened interest and attention to security best practices continues. With advancements in technology like AI, employees across industries will face threats they’ve never encountered before - and their foundational knowledge of cybersecurity will be vital.”
Kersten concludes, “Employees today should be well-trained on security standards and feel comfortable communicating honestly with their security teams. Even more important, security leaders should ensure their organizations have anonymous alternatives for employees to report their concerns without fear of retaliation or consequence. By combining education and awareness into the foundation of your organization’s security framework, and empowering employees, the odds of the realization of a threat decrease exponentially.”
The importance of network visibility.
Knowing what’s going on in your networks, and being able to quickly recognize when something out of the ordinary, something abnormal is happening, can be crucial to detecting and mitigating a cyberattack.
Doug Murray, CEO of Auvi, wrote:
“We can’t have a constructive discussion around cybersecurity without addressing network-based security. You can’t protect what you can’t see – unknown devices are unprotected devices. As rigorous as your cybersecurity efforts may be, poor visibility can put the entire network at risk of an attack.
“To effectively implement cybersecurity protocols that reduce vulnerabilities, IT teams must have a comprehensive view and understanding of all assets, including switches, routers, firewalls, wireless controllers and access points, and endpoint devices, including many headless IoT devices.
“In addition to traditional security products, it’s important to also implement complementary tools like network management software to ensure an organization has a cohesive view of its network. By detecting unusual activity, rogue devices, traffic from unexpected locations, and unapproved or atypical application usage, network management tools identify areas of concern and flag for investigation before real problems occur. This allows organizations to take necessary corrective action early and maintain an offensive rather than defense cybersecurity strategy by preventing a wider range of potential attacks on an organization’s network. This is not only critical for cybersecurity but also assists with compliance, ensures quicker troubleshooting, and results in better business outcomes.”
To be aware of cybersecurity means being aware of container security.
Ratan Tipirneni, President and CEO of Tigera, noted the growing importance of container environments to businesses:
“Today, enterprises and small businesses alike are using containers and distributed applications, built with microservices and running on platforms like Kubernetes. Container environments are highly dynamic and require continuous monitoring, observability, and security. This Cybersecurity Awareness Month, it’s important to remember a critical Kubernetes best practice: treating container security as a continuous practice. Integrating security into the entire development and deployment cycle is key. For example, while “shift left" models have played an important role in increasing the security and resilience of deployments, the industry pendulum has swung too far. Many enterprises believe that runtime security is unnecessary if they put enough resources into planning and testing. The reality is that a breach is a matter of when, not if, and security teams must ensure their runtime security tools can rapidly identify and mitigate any intrusion attempts or risk serious consequences.
“A best practice for securing containers is to use a multi-layered security approach that includes security measures at different levels, such as network, host, and application layers. This approach provides a defense-in-depth strategy that can provide more comprehensive protection against different types of attacks. The goal of the defense-in-depth approach is to make it more difficult for attackers to penetrate an organization's defenses and limit the damage if an attack does occur.”
The integration of IT and OT systems brings benefits and risks.
OPSWAT’s Shakeel also pointed out the need business have for coming to grips with IT/OT convergence. He sees this as “not just a trend, but a necessity, driven by its transformative benefits such as streamlined operations, real-time data access, and data-driven decision-making.” But it comes with risks. “However, this integration also expands the attack surface, introducing new security challenges. As we observe Cybersecurity Awareness Month, it's the perfect opportunity to bridge the gap between industrial teams and their IT counterparts. This month is ideal for hosting hands-on cybersecurity awareness training sessions and organizing engaging activities like cybersecurity scavenger hunts. By fostering collaboration and camaraderie, we can pave the way for a more cyber-resilient OT environment.”
Summarizing the risks businesses face.
Stephen Gorham, COO of OPSWAT, points out that “Data breaches and cyberattacks loom over every organization's digital attack surface, and staying ahead of the curve has become not just a priority, but an absolute necessity. With the evolving threat landscape, it's crucial to adopt a proactive approach to cybersecurity that covers every facet of your network and operations – and Cybersecurity Awareness Month is a good reminder of that.”
Gorham offered four points of high-level advice:
- “Visibility: ‘You Can't Protect What You Can't See.’ The old adage holds true in the realm of cybersecurity - you can't protect what you can't see. It's imperative to have a clear understanding of what assets and devices are connected to your network – especially with many critical infrastructure organizations dealing with both IT and Operational Technology (OT). Without comprehensive visibility and asset management, you are essentially navigating in the dark, leaving your organization susceptible to vulnerabilities that you may not even be aware of.”
- “Insider Threats & Employee Awareness: Cyber Espionage and Social Engineering. While external threats grab the headlines, insider threats often go unnoticed until it's too late. Cyber espionage and social engineering attacks can be devastating, with malicious actors exploiting the very people who are supposed to safeguard your organization. As critical infrastructure sectors are increasingly targeted by nation-state threat actors, employee awareness and training – combined with zero-trust security measures – are your first lines of defense against these insidious threats.”
- “File-borne threats. Organizations heavily rely on web applications for sharing and transferring critical documents essential for daily operations. Yet, these productivity files, such as word processing documents, spreadsheets, or PDFs, can serve as attack vectors for cybercriminals. They may embed malware within these files and deliver malicious payloads to unsuspecting users. OPSWAT's 2023 State of Web Application Security Report underscores the significance of this threat, with data breaches topping the list of concerns (73%), and reputation damage (67%) and loss in business revenue (58%) not far behind.”
- “Uplevel your threat intelligence. Threat actors are becoming increasingly sophisticated, leveraging malware as an initial foothold to infiltrate targeted infrastructure and execute their attacks. To combat these threats effectively, organizations must embrace actionable threat intelligence. This intelligence is garnered through advanced technologies and processes, including sandboxes, and advanced malware analysis. By staying one step ahead of threat actors, organizations can detect and respond to threats before they escalate into full-blown crises. The cybersecurity landscape is evolving at an alarming pace, and organizations must adapt accordingly. Comprehensive visibility, employee awareness, proactive threat hunting and actionable threat intelligence are indispensable pillars of a robust cybersecurity strategy and just a few areas that organizations should keep in mind as they build their cybersecurity resilience.”
Managing risk in the cloud.
As services are increasingly delivered in the cloud, businesses should be as aware of the costs in terms of risk as they are of the benefits in terms of efficiencies and cost-savings.
Ariel Parnes, COO and Co-Founder, Mitiga, looked at what we ought to learn from recent cloud-based incidents. “As cybercrime moves to the cloud – as evidenced by recent exploits like Scattered Spider’s ransomware attack on MGM to Storm-0558's attack targeting Microsoft exchange – there is a whole new level of cyber awareness that is needed from everyone in organizations,” Parnes wrote. “ Awareness this Cybersecurity Awareness Month is especially important for enterprise leaders evolving their tech stacks and updating capabilities in order to manage risk and grow resilience. To effectively respond to this new breed of incidents—and fast—enterprise leaders need to:
- “Understand the new and evolving threat landscape, and educate their team and peers
- “Assume breach, but more importantly: assume cloud/SaaS breach
- “Define SMART (Specific, Measurable, Attainable, Relevant, and Time-Bound) KPIs for cloud and SaaS breach readiness
- “Build a plan to improve the KPIs through people, processes, and technology
- “Exercise, exercise, exercise!
“Especially in light of the SEC’s latest ruling requiring organizations to disclose a material breach within four days following its discovery, this undeniably necessitates organizations to rapidly evaluate the severity of an attack and ensure accurate and timely reporting—a process that demands swift investigation. But there’s an added dimension: potential adversaries might exploit this regulation, heightening pressure on the compromised entity by revealing (real or fake) details of the breach—as in the MGM attack. We have seen this in the past, and with the new regulations, we should expect to see it more. Organizations should prepare for these situations in a multi-layered approach, building, expanding, and exercising capabilities in: rapid investigation, negotiation, comms, and PR.”
Be aware of the risks peculiar to your sector.
The healthcare sector affords a good example of this sort of issue, and Chad Anguilm, vice president of In-practice Technology Services for Medical Advantage, part of the TDC Group of Companies, shared some thoughts on what businesses, practices, and organizations in the sector should consider:
“After a global cyberattack targeted multiple government agencies, including the HHS, it’s clear healthcare-related information is valuable to attackers. It’s important for physicians to be aware of the medical liability implications for healthcare systems, especially new devices with a limited track record. It’s especially critical to have an understanding regarding patient use and how the analyses and/or diagnoses are made with new devices. Additionally, the FDA requires medical device developers include a plan in their submissions or applications for regulatory review. It’s equally important for physicians to stay up to date on standards for third-party programs and software security to ensure patient safety – both in terms of data privacy and medical risks.”
A checklist for data security.
Karthik Krishnan, CEO of Concentric.ai, reduced some sound practices to a checklist. “The following Data Security Posture Management (DSPM) checklist elements combined with new initiatives for Cybersecurity Awareness Month can help you create a comprehensive five-step guide through Awareness, Action and What You Need to Know:”
“Data Sensitivity: The Foundation of Security
- “Awareness: It is critical to be able to discover and identify your at-risk data. Knowing where your sensitive data resides is the first step in securing it.
- “Action: Host workshops and webinars to educate employees about the types of sensitive data (PII, IP, etc.) in your organization, and why it’s crucial to protect them.
- “What You Need to Know: Understanding the types of data you’re handling can make a huge impact. Employees should be aware of what constitutes sensitive data and the risks associated with mishandling it. Workshops can cover topics like data classification, secure handling of PII, and the importance of data encryption.
“Contextual Awareness: More Than Just Data Types
- “Awareness: Organizations must be able to understand the context of their data. Data is not just about types but also about the context around it.
- “Action: Use real-world examples to show how data can be misused if taken out of context. Encourage employees to think before they share.
- “What You Need to Know: Context matters. Data that seems harmless can become a security risk when placed in a different context. Employees need to be aware of and trained to consider the broader implications of the data they handle, including how it interacts with other data and systems.
- “For example, consider an employee’s first name. On its own, a first name like "John" seems harmless. But combined with other pieces of data such as a last name, email address, or office location, it can be used to craft a convincing phishing email. Imagine if you receive an email that addresses you by your full name and references your specific office location or recent company activities. It would appear legitimate and could trick an unsuspecting employee into revealing sensitive information or clicking on a malicious link.
“Risk Assessment Drills: Preparing for the Worst
- “Awareness: Organizations need to understand where there is risk to sensitive data in order to protect it. Knowing the vulnerabilities can help in crafting better security policies.
- “Action: Conduct mock drills to simulate scenarios where sensitive data might be at risk due to inappropriate permissions or risky sharing. This happens far more often than you think.
- “What You Need to Know: Mock drills can help employees understand the real-world implications of data breaches. These drills can simulate phishing attacks, unauthorized data sharing, and even insider threats. The key is to help employees understand the importance of following data security protocols. Hint: while employees need to know these implications, your organization should be leveraging solutions that reduce the burden on employees.
“Permission Audits: Who Has Access?
- “Awareness: It is very important for organizations to be able to track and understand data lineage and permissions. Knowing who has access to what data is crucial.
- “Action: Dedicate a week to auditing and correcting data permissions across all platforms. Make it a company-wide initiative.
- “What You Need to Know: Regular audits of data permissions can prevent unauthorized or risky access to sensitive information. During Cybersecurity Awareness Month, make it a point to review and update permissions, ensuring that employees have access to only the data necessary to do their jobs. The principles of least privilege and zero trust are applicable here.
“Actionable Insights: The Path Forward
- “Awareness: Finally, organizations need to be able to take action and remediate any risk. Proactive measures can significantly reduce the risk of a data breach.
- “Action: Share weekly insights on the company’s data risk posture. Highlight any successful remediations as well as areas that need attention.
- “What You Need to Know: Transparency is key. Sharing insights about the company’s data risk posture can empower employees to take individual actions that contribute to the organization’s overall security. Celebrate the wins, but also highlight any underlying risks that need to be mitigated.
- “Cybersecurity Awareness Success: Combining security awareness with robust Data Security Posture Management
Krishnan concluded, “Cybersecurity is a shared responsibility, and Cybersecurity Awareness Month is the perfect time to reinforce this message. Combining data security awareness with robust DSPM is key for keeping data secure. All organizations can achieve a strong level of data security via a solid cybersecurity awareness program, and by following tips and best practices in order to minimize the impact of a data breach. Having the best of both worlds is achievable with a security-aware workforce and a robust DSPM solution.”