Today, we embark on the next step of our journey through our current series "Fact or Hack." This cybersecurity initiative is designed to share knowledge, insights, and invaluable lessons to help you pave the way to a better cybersecurity posture.
During this Q&A session, we are diving into your questions with some help from Thomas Pioreck, Chief Information Security Officer (CISO) at Cybersafe Solutions. This is your platform to illuminate the path forward, clarify doubts, and gain deeper insights into the cybersecurity universe.
In an era where cyber threats evolve with alarming speed, your inquiries are the catalysts for building resilience, safeguarding data, and nurturing a culture of digital security.
*The questions covered today were sent in ahead of time, and additional questions can be sent to info@cybersafesolutions.com.*
What is the current cybersecurity threat landscape, and how has it evolved in recent years?
Thomas Pioreck: It's not so much that the landscape has changed that much but it feels far more crowded, if that makes sense. Ransomware attacks have continued to increase across all industries and at businesses of all sizes. There has been a slight pivot to seeing more of what we call supply-chain attacks, though it's not a new tactic—just one that seems to be occurring more and more
The onslaught is where companies are beginning to feel overwhelmed. One of the best ways to combat that is through awareness which comes from maintaining some regular monitoring of your corporate environment and assets. Threat actors are always finding new ways to strike, but it's often slight tweaks to their tried and true existing tactics, techniques, and procedures—what we refer to in security as the TTPs. Regular threat intelligence that can learn about these attacks, discern methods to detect them at their earliest stages, and adapting them into the continuous monitoring of a system becomes critical for an organization. That's something we really pride ourselves on here.
Your education series talked a lot about the CIS Controls, but that’s not all that’s out there. So, why are they important? What are some cybersecurity frameworks or standards that organizations should also be considering?
TP: The CIS Controls are a communal creation. Public and private organizations from around the world have contributed to this list of controls and each update over its many years. What makes these controls so valuable is that they inform organizations of any size of active steps they can take to improve their security posture. The term "controls," in general, refers to the safeguards that organizations put in place to help secure their environment. The CIS Controls provide a representation of what any and every organization can reference and implement. It's also industry and regulation agnostic and that enables it to be applicable to any type of organization.
The NIST's CSF is another excellent framework that organizations of any size can use. It's also adaptable and suitable for various levels of maturity so that it covers a wide array of organizations. As an organization matures and looks to improve their posture, they're able to identify what gaps they need to close so they can move up to that next tier of the framework. It maps directly to the CIS Controls, which enables an organization to see exactly what options and actions they can take to harden their environments.
Of course, there are the industry frameworks, such as HIPAA, which have their own requirements, though many of them also exist in the CIS and NIST CSF. If you're connected to the healthcare space, you'll need to maintain your compliance there, which requires annual risk assessments and penetration testing.
What are the best practices for securing endpoints and preventing attacks?
TP: At a high level, harden your configurations, educate and train your workforce, and monitor your environments. Basic maintenance fundamentals are often overlooked by many organizations. Maintaining current versions, regularly patching software and firmware as updates are released, and maintaining a vulnerability awareness program go a long way in setting you up for success.
Running current Operating Systems (OS) that are still supported and receive patches is a part of that hardening. Don't let systems run any service that they don't need to fulfill their role. An anti-virus is still needed, but you really ought to be running some form of endpoint detection and response (EDR) and have continuous monitoring of your network. Once you've established a baseline, you're able to quickly identify anomalous activity that could be indicative of the beginning stages of an attack.
How can organizations prepare for evolving threats such as zero-day exploits?
TP: A lot of the prep goes back to some of the prior areas that were discussed: a vulnerability and patch management program, hardware and software asset inventories, and being able to know the normal baseline for your organization and continuously monitor for any behaviors or actions that deviate from that norm. Those processes and policies in place enable you to be able to address and handle a zero-day exploit when it happens.
Awareness of the new zero-day is a separate component and that comes from threat intelligence. Do you have a near-real-time source of the latest information to be able to learn and gain that information when it's made public? This almost always requires some form of a partnership. There is a discernible difference between ingesting threat feeds and actual threat intelligence. While the former may help to seed the latter, just ingesting feeds is not providing you that intelligence. Having a trusted partner that's able to provide actionable intelligence and remediation options is what's critical here.
Can you explain the importance of two-factor authentication (2FA) and multi-factor authentication (MFA) in cybersecurity? What even is MFA fatigue?
TP: It's most commonly associated with logging into a system. We're all familiar with entering our username and password into a prompt as our means of unlocking the door and gaining access to a system. That system by itself has been proven to be entirely insufficient when it comes to securing an organizational account and access. The number of weaknesses in passwords alone is enough for its own question, but 2FA and MFA provide an additional layer of security to those accounts.
The most common way it's implemented is with what's called an authenticator app, which provides a code known only to the associated system. This code generally rotates on a 60-second cycle and the app is generally accessed by a user on their phone. After you enter your username and password, you are then prompted to enter the corresponding digits in the code to confirm that you are you. So, even if someone has gained or guessed your username and password, they’re stopped from gaining access because they are unable to provide that code.
Codes are one method. There are also hardware keys, SMS (text) messages that will send you the code, and the same apps that provide codes can send a push notification. Instead of entering a code, you receive a prompt on your phone to click “Accept” or “Deny” to finish the login process.
The push method may be nicer for most users, but it comes with its own threat vector and that's MFA fatigue. If I'm a threat actor and being stopped by MFA but I can discern that it's sending push notifications, I can have that system repeatedly try to login. That sends a constant stream of prompts to the user's device. Most people simply want the constant notifications to stop so they hit “Approve” to make it go away, not realizing that they've approved the login attempt by the threat actor and provided them with the illicit access.
How can organizations ensure compliance with data protection regulations, such as GDPR or CCPA?
TP: A lot of regulations are looking to ensure that organizations have implemented and maintain a lot of the general best practices. While some may be specific and more prescriptive around certain elements, their core values come from many of the same areas that are outlined for an organization in the CIS Controls. In fact, in many instances, it is possible to directly map the controls mentioned in the CIS to a specific regulation.
Compliance isn't a set-it-and-forget component though. It's a constant, which is why you need to generally be able to show that the controls you've identified and implemented maintain their functionality. Continuous monitoring of an environment is one of the best ways to maintain that kind of insight and awareness that the implemented controls are working and continue to work as designed and implemented.
What steps should organizations take to ensure proper incident response and recovery in case of a cybersecurity breach?
TP: Incident response (IR) is all about the preparation needed before the plan is executed. You should have your runbooks for how to handle the incident, know who is a part of your IR team and empowered to declare the start and end of an incident, as well as have all of the contact information for any external parties that need to be contacted in certain circumstances. That list would include law enforcement, outside counsel, insurance companies, critical hardware and software vendors, et cetera.
An IR team is not made up of strictly IT and security folks. If you have a Security Operations Center (SOC), either internally or externally, make sure you coordinate what internal declarations and communications look like, as well as who the empowered players are within your organization. That may include a representative from your managed services provider (MSP), if you use one. There are many components of an incident response plan that are not handled by IT or security. You need to outline representation and responsibilities to cover all of those elements too, which include finance, HR, and department heads in many cases. Never forget about the human element of an IR.
How do organizations balance cybersecurity with user convenience when implementing access controls and authentication methods?
TP: Cybersecurity—really, security—is just one part of the whole of a business process. It's the same consideration method that you employ with sales, marketing, and operations. You look at it from a risk-based approach. Ideally, the controls and methods you have in place should be almost transparent to your end users and cause minimal friction, if any friction at all. Security programs that feel intrusive and detrimental to your team’s ability to get their daily work done will make them feel encumbered and they will work to find ways to operate without that friction. A program that's too restrictive can almost have the opposite effect and actually weaken your security posture, as opposed to strengthen it.
Education, awareness, and understanding go a long way. And by education, it's really more about informing your people why certain controls are in place. You're making them aware of why they exist and how the controls are designed to help them operate securely, but without always having to be thinking about security in addition to their daily responsibilities. Leadership needs to express that there's a level of understanding on their end about what the general impact will be and that it's always considered when making decisions. It also means listening and encouraging your team to share their experiences where friction is becoming an issue.
You need to be able to make a risk-based decision in response to their sharing. If a change can be made, without moving risk to an unacceptable level, don't hesitate to make those changes and let your team know that you heard them and have acted upon their feedback. If for some reason there's no change that can be made that is acceptable, share that too, along with some of that rationale, but let them know that you'll continue to revisit the issue as technology and options evolve.
Cybersafe Solutions is an industry-leading managed security service provider (MSSP) leveraging top-tier threat intelligence and cutting-edge technology to help organizations enhance security posture, mitigate risks, and defend against evolving threats. To learn more, contact us today.
