If you’ve followed part one and part two of this blog series, you’ll know what action is required to respond tactically to security threats, such as the one experienced by Travelex. You will also have learnt about the key components of implementing an effective security strategy, commensurate with time and budget constraints.
In part two we focused on the key strategic elements, which are:
Now it’s time to flesh out your security strategy.
Don’t expect your staff to treat cybersecurity seriously without rigorous and ongoing training. They need to learn how to spot phishing and social engineering attacks. Someone could ring the help desk pretending to be an employee, for example, or even gain access physically to your premises – skilled attackers know that putting on a hi-vis jacket and looking like they’re here to repair the elevators will get them through all sorts of corporate defenses.
You need to get into the mindset of your potential attackers. If you haven’t explored the dark web or talked to some serious hackers, it’s high time you sent key personnel to Black Hat and Defcon and got them talking to key security researchers – and possibly some shadier figures as well. In fiction, the great detectives, like Sherlock Holmes, were intimately familiar with the criminal underworld – and in the real world, so is any good policeman. You need to know your attackers in order to defend against them effectively. Hire some good pentesters to keep your organization’s defenses honed and use their services regularly.
Audit the software you’re using and ensure that you are proactive in reducing the number of software titles in use across the organization. Don’t forget to consider cloud-based services as well. You want to be sure that, for a given software product, the number of different releases in use is ideally reduced to a single release, and that you’re using as few different solutions across software products as possible. If you have five CAD packages, six accounting systems and seven project management systems, for example, you are exposing yourself to a much wider attack surface, as well as an increased burden in keeping all systems patched securely.
The UK National Health Service (NHS) has been the victim of a number of cyberattacks over the years. One key weakness that is now being addressed is that they run a large number of systems which do not share a common authentication system. As a consequence, staff have to log on separately to each system. This obviously increases the attack surface enormously, and if passwords are shared across systems, an attacker can leverage this to ‘pivot’ their attack further.
You should ensure all systems, both on-premise and cloud-based, work with a single sign-on. This is a tough challenge, particularly in the cloud, but you must address it.
Better yet, move to two-factor authentication (2FA). Although mobile phone SMS authentication is vulnerable to ‘SIMJacking’ attacks, it’s still much better than relying on just passwords. Another approach is to use either a physical token device (such as a YubiKey) or to leverage the biometric authentication increasingly available on mobile devices, such as face or fingerprint recognition.
If you are stuck with passwords as an interim measure, then at least monitor for weak passwords by scanning endpoints and verifying that passwords aren’t on known attack lists. There are huge lists of cracked passwords (and precomputed ‘rainbow tables’ of their hashes) out there, and simply enforcing a password complexity rule isn’t enough – you must ensure that users don’t choose a password that already appears in them.
If they do, and the attacker can gain access to the password hash, then the protection afforded by the supposed cost of reverse-engineering the plaintext password from the hash is completely negated. With modern GPUs and cloud-based resources increasingly dropping in price, brute-force attacks previously regarded as infeasible are now becoming increasingly practical. An attacker might not hesitate to spend thousands of dollars in compute time to gain access to a large organization; the payoff could be millions.
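As an added illustration of the point above (example code, not part of the original post), the check below shows why a complexity rule alone is not enough: a password such as ‘P@ssw0rd!’ passes a typical corporate rule yet sits in breach data. The breached-password corpus is constructed inline as a stand-in for a real list, and the lookup mimics the k-anonymity ‘range’ query used by the Pwned Passwords API, where the endpoint sends only the first five characters of the SHA-1 hash and compares the returned suffixes locally.

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus. Real lists hold
# hundreds of millions of entries; the idea is identical.
BREACHED_PASSWORDS = ["password", "P@ssw0rd!", "Summer2019!", "Welcome1", "letmein"]


def sha1_hex(password):
    """Upper-case SHA-1 hex digest, the format breach corpora are usually published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index the corpus by 5-character hash prefix -> {35-char suffix: breach count}."""
    index = {}
    for i, pw in enumerate(passwords):
        digest = sha1_hex(pw)
        # Constructed occurrence counts, descending so the ordering is obvious.
        index.setdefault(digest[:5], {})[digest[5:]] = 1000 - i
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def range_lookup(prefix):
    """Simulated k-anonymity range query: only the prefix is sent, every suffix
    in that bucket comes back, so the lookup service never sees the full hash."""
    return RANGE_INDEX.get(prefix.upper(), {})


def meets_complexity_rule(password):
    """Typical corporate rule: 8+ characters with upper, lower, digit and symbol."""
    checks = [
        len(password) >= 8,
        re.search(r"[A-Z]", password) is not None,
        re.search(r"[a-z]", password) is not None,
        re.search(r"[0-9]", password) is not None,
        re.search(r"[^A-Za-z0-9]", password) is not None,
    ]
    return all(checks)


def breach_count(password):
    """How many times the password appears in the corpus (0 if absent)."""
    digest = sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)


def assess_password(password):
    """Return (verdict, reason): reject on a failed complexity rule or a breach hit."""
    if not meets_complexity_rule(password):
        return ("reject", "fails complexity rule")
    count = breach_count(password)
    if count:
        return ("reject", f"seen {count} times in breach data")
    return ("accept", "not in known breach data")
```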
Attackers can come from within your organization as well as from the outside. Edward Snowden had extensive administrator privileges, and poor access control auditing meant he could exfiltrate a large amount of classified material undetected. Financial organizations ensure that privileged access requires at least two individuals and that personnel are required to take at least several days’ contiguous leave every year, so that any anomalous activity can be correlated effectively. You should be taking the same precautions.
This might translate to implementing an effective, audited privileged access management (PAM) system, which ensures that privileged access must be granted through an audited workflow process, and that passwords are ephemeral and randomly changed by the infrastructure. An example of such a subsystem is Microsoft’s LAPS (Local Administrator Password Solution), though, by itself, LAPS lacks workflow management. You can augment LAPS with a solution such as 1E’s Tachyon to implement a PAM solution quickly and easily.
Zero Trust is a core principle of security risk management that is analogous to partitioned, sealed bulkheads in a submarine. With Zero Trust you ensure that fine-grained privileges are assigned to people and software processes so that they operate under the principle of least privilege – their access is enough to perform the required task but not more than is required. This way, even if an endpoint is compromised, an attacker can’t ‘pivot’ beyond this point, and the damage can be controlled and walled off before disaster strikes.
Most formal security qualifications require that the holder undertake a certain amount of continuing professional development (CPD) training annually. Ensure you encourage this and budget for it, both in time and resources, so that your key security personnel are always up to date with the latest issues. Cybersecurity is a cat-and-mouse game between adversary and target, and the bad guys are getting smarter and more agile all the time. You can’t become complacent about security, or it’s game over. Nor should you regard cybersecurity as a cost center, subject to budget cuts when times get tight. Many of the high-profile attack victims (most notably, Yahoo!) made this mistake and paid the price.
Mobile devices should have mandatory full disk encryption and, with the increasing availability of storage devices that can transparently encrypt data at rest, you should give serious consideration to company-wide encryption of stored data at rest. When sending data over the network, it is now assumed that all traffic is secured with Transport Layer Security (TLS) – i.e. HTTPS. Ensure any obsolete protocols (such as FTP) are retired as soon as possible.
Regardless of your defenses, it’s possible an attacker will still get through. Having been hacked once, Travelex should have used the opportunity to develop and implement a plan for a future attack.
Having a disaster recovery plan that covers a cyberattack, and verifying the plan regularly, is critically important. Consider also how you will communicate an attack to your staff and external customers, as well as to regulatory authorities. In the Travelex scenario, there are obligations under the GDPR to report a data breach within 72 hours. At the time of writing, Travelex appear to be entirely unclear about whether or not sensitive data has in fact been exfiltrated and have apparently failed to make any regulatory disclosures. If data was in fact exfiltrated, a failure to meet regulatory requirements both for securing the data and for disclosing a breach could expose them to significant financial penalties.
You’ve established an effective tactical defense against vulnerabilities, and then progressively implemented a comprehensive strategy for long-term protection. Congratulations!
Now you must guard against complacency. Remember, your attackers are motivated by potentially huge financial reward if they can penetrate your defenses. They have every incentive to work tirelessly at this, day after day.
You – and your staff – must work just as hard to ensure that you’re always one step ahead. Security is a journey, not a destination. Safe journey, and good luck!