Friday, December 17, 2021

Cyber Security ROI for the CEO - Part Five - Incident Response Realities

 


"...If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle..."
Sun Tzu, The Art of War

Bottom Line Up Front

The bedrock of a mature Incident Response Capability is a brutally honest understanding of where your preventative and detective controls are strong and where they are weak, and your personnel's confidence in a "...no fear..." incident reporting policy.

Incident response is a "...people thing..." not a technology thing: the ease of use of the process spells either the success or failure of the program, and maybe of your business.

What we will discuss in this section:

  • Why your Communication Plan IS the Incident Response Program [IRP]
  • Insurance and Corporate Risk
  • Types of "incidents"
  • What works re: triage "incidents"
  • Your Incident Response Process
  • Why tools cannot save you...
  • Why your Risk Register is the backbone of your Incident Response Program
  • Why your Risk Committee must own the Incident Response Program
  • Resources, where can you get some help?

Why your Communication Plan IS the Incident Response Program

An "incident" can and should be reportable by anyone... the ease of, and familiarity with, the process by all personnel will define the effectiveness of the program. An easy to use process with "...no fear..." of blow-back will give you timely results you can use, right now, to protect your business.

Since we're talking people here, communication is the key:

  • Who is the point of contact [POC] for the IRP? Are they available 7x24x365? Here's a hint, your "Service Desk" staff should be extremely well trained and "own" the possible incident until handed off to the Leadership Team. You must empower them (really) to expend resources to protect your business until someone more knowledgeable arrives on the scene.
  • How well is the POC trained to calm down the person reporting and gather information?
  • How quickly can the POC contact a business decision maker to take action?
  • Who "owns" the incident, cradle to grave?

The quality of your Service Desk staff's Incident Response training will be 90% of the success of your IR Program, bank on it.

Insurance and Corporate Risk

Cyber Security insurance has become a significant component of an organization's cyber risk mitigation planning. Cyber Security insurance primarily covers the often excessive and normally under-budgeted expense of responding to a major cyber incident. Unfortunately, most cyber insurance policies are purchased in conjunction with Workers Comp, E&O, D&O, etc., and without direct input from the cyber security group.

If this is the case, take action now to ensure that your Legal, Compliance, Risk and Cyber Security Leaders sit down and review your Cyber Security Insurance Policy and, if necessary, develop a punch list of "issues" and facilitate a negotiation with your Insurer to tailor your coverage to exceed the needs of your business, protecting your market share and competitive advantages.

Cyber insurance policies are contracts that establish expectations between the insurer(s) and the insured. If these expectations are not satisfied, the insurance policy may not deliver on its promise.

More importantly, these policies will provide your incident response team with a plethora of tools to move swiftly and decisively to reassure customers, investors and to protect your business.

Types of "incidents"

From a policy perspective, document your types or phases of incidents, so that in the event of legal action, you can adequately justify your actions.

There are normally three types of incidents:

Potential Cyber Incidents: these are "incidents" where so little is known that they are not actionable. As a matter of policy, until a "potential incident" is handed off to the Incident Response Team, it should only be referred to as a "potential incident."

Cyber Incidents: these are identified "Cyber Security Related Incidents"; we believe they are Cyber Incidents, however we are still collecting information and performing triage.

Reportable Cyber Incidents: these are the real deal; they meet all the legislative, legal, regulatory or policy requirements as "reportable". You may still be collecting information and performing triage, but you have legitimate business risk involved. You are required to notify, at a minimum, your insurer, legal, any regulated oversight bodies, etc... Before you do, find your Corporate Communications Policies and Officer and take a few minutes to assign tasks and set expectations. This is where people are navigating in uncharted territory and may get emotional. Work hard to keep things low key and level headed.

What works re: triage "incidents"

How do you get real time visualization of your enterprise, so that your IR Team can function rapidly? How will you contact the correct key personnel in a timely manner for decision making and consensus building? Better to work that out now.

The neat thing about this is that the requirements here are functional, as opposed to the nonfunctional ones in prevention and detection. So, the good will beat out the mediocre. We need to build good things and bring people and technology together to mirror less of IT and more of generic risk management. We can learn a lot from other domains that have been doing this for decades.

Your Incident Response Process

The classic approach to Incident Response is made up of four phases: (1.) Preparation; (2.) Detection & Analysis; (3.) Recovery; (4.) Post Incident Activities. Let's look at each in a little depth:

Preparation Phase: This is your training and "risk register" phase. Creation, care and feeding of your "risk register" (attention at the Risk Committee meetings, grooming, validation, allocation of resources to mitigate, etc...) and training of your Service Desk team in their role of "Incident Response - First Responders" are your key performance indicators in this phase.

Detection & Analysis Phase: This is where your training pays off; your "first responders" are appropriately trained and resourced to act swiftly and decisively to protect your business. Bringing the right people together at the right time to ACT!

Recovery Phase: The worst is over and now it's time to manage resources to get back to customer focused resource allocation. Hold the Champagne until your customers are happy again...

Post Incident Activities: This is where most businesses scrimp, but in reality where most businesses should lavish resources. What did we learn? How can we, proactively, work to ensure that that never happens again? What training, policies, processes, procedures, people, etc... need to be modified to better support the business continuity plan should we find ourselves in another emergency situation? Do yourself a big favor, spend most of your IR time here...

Ensure, if you can, that your Cyber Security Insurance covers these post incident activity costs. If it does not, see if you can negotiate a "rider" to cover these costs; it will be money well spent.

Why tools cannot save you...

As technologists, most people, when facing a challenge, look for a tool to "...do the work...". Like it or not, the Incident Response world is the people world: a tool cannot interview an employee about what happened, it cannot talk to the press, it cannot brief the Board of Directors, the Audit Committee, the CEO, etc...

Give a lot of thought to the folks that will make up your IR team and specifically, who will lead that team. Do yourself a favor and don't make it an emotional appointment; make it a solidly merit based appointment: a cool headed person, who can clearly see the guard rails and understands that a "policy" is just guidance, not stone tablets from on high...

Why your Risk Register is the backbone of your Incident Response Program

In a perfect world, your "risk register" contains the "...indicators of compromise..." of your next incident and may very well be your roadmap for your next "incident". If your next incident, in the final analysis, was not related to an item on your risk register, there is something wrong with your risk identification and analysis process.

Is your "risk register" open to anyone to comment on it? For example, during a new customer assessment we were pleased to find that one of the Service Desk staff had been keeping notes on root cause analysis of problems for years... apparently, no one had been willing to listen...

Why your Risk Committee must own the Incident Response Program

Hopefully, we've made the case that the effectiveness of your Incident Response Program is easily within your grasp, that it can be managed in a cost effective manner without major expenditures and deliver significant risk mitigation benefits. That your "risk register", if properly managed, can be your early warning system of potential incidents. That the training and sweat you spend, now, with your "first responders" will pay major benefits when that day comes (and it will). That your Cyber Security Insurance investment must be proactively managed by your key stakeholders to address unforeseen costs and drive meaningful benefits during and after your incident.

Resources, where can you get some help?

Cyber Security Insurance - primer

Bruce Schneier on Incident Response

NIST Incident Response Guidance

NIST - Computer Security Incident Handling Guide

 

Wednesday, December 15, 2021

Who is "KAX17" and why are they turning TOR against us?

 


...Privacy? Is it still a thing? As Cyber Security Practitioners, this topic is extremely relevant and timely.

Here is some interesting analysis on the threat actor "...KAX17..." group. 

Since 2017 they've been working tirelessly to undermine the anonymity engine we know as "TOR" (which has a sketchy history, to say the least).

KAX17, for an outlier threat actor, appears to be extremely well funded... and as a wise one once said, "...if the popular press is behind you, you're not the resistance...".

Read the full article for yourself, here.

And enjoy the video!

https://www.youtube.com/watch?v=pvBAaUPzvBQ

#cybersecurityawareness #privacy #cybersecurity

Tuesday, November 9, 2021

Cyber Security ROI for the CEO - Part Four - Risk Management

 


 

"...'Risk management' is just a fancy term for the cost-benefit tradeoff associated with any decision. It’s what we do when we react to fear, or try to make ourselves feel secure. It’s the fight-or-flight reflex ... It’s instinctual, intuitive and fundamental to life, and one of the brain’s primary functions..."
Bruce Schneier

Bottom Line Up Front

If you cannot, in the next sixty seconds, (1.) state the business critical processes that comprise your success and competitive advantage and (2.) discuss the concept of "residual risk", then you need to stop reading until you can.

If you do not know what is critical to your ongoing success, you cannot identify, measure and mitigate the risks to those things.

What we will discuss in this section:

  • How to identify, measure and mitigate business risks
  • Do you need a "Risk Committee"?
  • Managing your "Risk Register"
  • Business Risk and Architecture
  • Risk Management's dirty little secret, "Residual Risk"
  • Resources, where can I get some help?

How to identify, measure and mitigate business risks

What is truly critical to the success of your business? (You'd be surprised how many CEOs can't give a qualitative answer to that question.) Is it key processes? Supply Chain fragility? Accounts Receivable? Sales pipeline? What, in sixty seconds or less, explains your competitive advantage and allows you to dominate your markets?

If it is critical to your business, you had better understand, in no uncertain terms, what the risks are that are associated with maintaining "IT" in sufficient quality and quantity. Or... a competitor will make sure to deny "IT" to you.

If you are like most businesses, you think your "stuff" is critical to your business, but in all reality your processes are where your competitive advantage is, not a software application. Software applications are like Lego bricks: we snap them together to create business processes that get work done. Our customers feel these processes; accounts receivable reflect customer satisfaction with these very same processes.

Do you know, really know, which business processes are key to your success?

Once you know that, you can document them. Once you document them, you can look for the way information flows between software applications to enable the smooth operation of those same processes.

Then you will be able to see the unfortunate fragility of those same processes...

Once you document the process and information flow, you will see where the risks are...

Once you can see the risks, you can quantify them and make qualitative business decisions to mitigate the risks...

Sounds simple? If only...

Why you need a Risk Committee

Misery loves company, and your risk committee will be the additional duty that no one wants, but where the real power in a business rests. Mountains will be moved when the Risk Committee makes a decision.

Trust me... you want to have a seat at that table.

If the Risk Committee makes a decision to mitigate the risk of the company's flagship customer facing Web Portal, like magic, there will be budget money for those tasks. And Board Room exposure for the CISO or CIO smart enough to grab a seat on the Risk Committee.

The Risk Committee hears the arguments then "...calls the ball...", everyone lines up to deliver. It's like David Copperfield at Caesar's Palace, amazing!

Managing your "Risk Register"

Also known as feeding the Beast (the Risk Committee Beast).

I keep a Risk Register as the CISO (I privately refer to it as the "...things to fix..." list), see the graphic below...

[Image: sample Risk Register entry (graphic not available in this copy)]

I maintain an entry for each risk like the one above and encourage the folks on the leadership team to add items at will. Each entry clearly shows the business driver, cost and ROI, a perfect Board Room discussion starter.

Let the Risk Committee prioritize the items in the Risk Register and let the Risk Committee fund mitigating those very same risks.

Business Risk and Architecture

If you are building your Risk Register and facilitating discussions within your Risk Committee to validate and prioritize the items in it, your next step will be to take these decisions and organize them into Architectural Standards (driving budgeting, based on the decisions of the Risk Committee) for implementation by IT and Cyber Security, proactively mitigating future risks before they can occur in future projects...

While you're at it, talk to the CFO about adding some standard "terms and conditions" to future contracts in support of Risk and Architecture... this is getting exciting!

Read that last part out loud... "...proactively mitigate future risks...". Now we're onto something...

Risk Management's dirty little secret, "Residual Risk"

Just when we thought it was going so splendidly, someone brings up "residual risk"...

Residual Risk is that risk that is "...left over...", not addressed at the time the project goes live. Discovered a few weeks before Project Launch, it's a last minute risk that someone needs to "...own..." until it is mitigated.

Whip out a Plan of Action and Milestones [P.O.A.M.] template, find a stakeholder / project sponsor and sign them up to own the residual risk and report on it to the Risk Committee. You'll find that these residual risks get cleaned up promptly with a Risk Owner and mandatory participation at the Risk Committee.

Resources, where can I get some help?

There are numerous folks eager to assist you with Risk Management, below are only a few recommendations:

As is the case in most instances, the National Institute of Standards and Technology - Computer Security Resource Center or NIST-CSRC has got your back.

NIST Special Publication 800-39, "Managing Information Security Risk: Organization, Mission, and Information System View"

NIST Special Publication 800-37 Rev. 2, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy"

NIST Special Publication 800-30 Rev. 1, "Guide for Conducting Risk Assessments"

The Cybersecurity and Infrastructure Security Agency [CISA] has some great capabilities for the Public and Government sectors. https://us-cert.cisa.gov/ics/Assessments

Your local ISACA chapter can also assist you. https://www.isaca.org/

Next Steps

If you have questions or comments, please let me know: the_Secret_CISO@Protonmail.com

Monday, November 1, 2021

Cyber Security ROI for the CEO - Part Three - Compliance & Audit

"...There has to be a regular performance audit to do a comprehensive analysis to determine how the funds are performing. We can't come to the bargaining table without both qualitative and quantitative performance metrics..." - the Author 

 

BOTTOM LINE UP FRONT: Compliance and Audit are expenses, yes, they are necessary and yes they can drive quantitative and qualitative value for the business, however, done without business acumen, they are almost always perceived as disruptive and overly costly for the business you serve. 

In this installment of the series, we'll discuss how to strike a meaningful balance, bring value via automation, and increase engagement and awareness with your Business Leadership Team. 

What we will discuss in this section: 

  • Who should develop a strategy for Compliance and Audit success? 
  • Do you need a "Compliance and Audit" committee? 
  • Do you need Compliance and Audit SDLC gates in your IT processes? 
  • Who will call the ball when IT and Cyber Security disagree (yes, they will disagree)?
  • Maximize automation in your compliance requirements? 
 
Why you should develop a Compliance and Audit Strategy 

You need a way to relentlessly streamline your methodology for dealing with both internal and external auditors: as the saying goes, the best defense is a good offense. Developing a solid strategy for proactively giving the auditors what they require will reduce uncertainty within your IT organization and allow your teams to prepare audit artifacts as a normal course of doing IT business. This is a big value add to the business you are supporting, your auditors and your team members. Reducing uncertainty allows the IT teams to gain confidence with the generation of their assigned audit artifacts, and confidence thrives in an environment where there are clear performance goals that support business drivers.

Do everything in your power as a Leader to make Compliance and Audit support tasks (the generation of audit artifacts) part of required day-to-day IT team operations. Granted, it will be a change; however you can, in the end, quantify the value of your approach to the business leadership team in dollars saved. You'll receive desirable kudos for managing your teams like a business, and for proactively supporting the business.

The business leadership team will forever look at you as a more valuable Leader - and that's what it's all about. 

Why you need a "Compliance and Audit" committee. 

Everything we do in Information / Cyber Security requires business buy in. Most folks in the business leadership team do not understand Security and in the back of their minds they see Governance, Risk, Compliance, Privacy and Security [GRCPS] as costs to be contained. 

This is natural; you should be aware of this and always work to increase executive awareness of the GRCPS Team's proactive role in cost containment, in all areas of the GRCPS System Development Life Cycle.

By working with the business leadership to champion the creation of a joint, Business and Security "Compliance and Audit" Committee, you bring the business to the forefront of informed decision making for GRCPS requirements. 

By doing so, your frustration level for all things GRCPS will plummet as the business takes a leadership role in prioritizing and funding GRCPS initiatives for you. 

Let that sink in for a few minutes... 

Why you need Compliance and Audit SDLC gates in your IT processes. 

EXAMPLE: We've been patching systems since the 90's, going on thirty years now, we should be very good at patching! You most likely have a well refined process for patching each family of IT assets that support your business. Why not leverage and enhance these time tested processes to enhance the generation of audit artifacts for your GRCPS requirements? 

If you're using NIST 800-53 as your governance framework (or another time tested framework like ISO 27001) you know that there are a variety of "...vulnerability and patch management..." related controls that benefit from some well documented "stuff": 

  • Having a control owner assigned 
  • Having a control manager assigned 
  • One of these: a detective control; a preventative control or a procedural control - for every "control requirement" 

By mapping your IT tools to your compliance families and identifying the audit artifacts that each tool is capable of generating, you can set a goal to have the tool automatically generate, without labor dollars, high quality audit artifacts that are stored in a secure location for the auditors to review at their leisure.

Let's look at the business advantages of this strategy: 

  • This will reduce the actual IT workload: audit artifacts that are generated without employee labor free up employee labor dollars to be repurposed for other tasks. Be sure to brief that to the business.
  • This will break the cycle of the auditors showing up and billing your business to nag IT employees for audit artifacts.
  • This will save a lot of normal audit costs. Be sure to brief that to the business and to find a way to quantify the savings!
  • By assigning an individual contributor who is responsible for the day-to-day operation of the tool that generates the audit artifacts as the "Control Manager" with the added responsibility of maintaining the "procedure" documentation, those documents should be always updated and relevant. 
  • By assigning a Manager as the "Control Owner", they will provide valuable oversight and quality control functions in support of your GRCPS program and the IT SDLC process "gates" that support the generation of audit artifacts. 

Who will call the ball when IT and Cyber Security disagree?

All of this change will make some folks' hackles go up; no one likes change... the mantra of "that's the way we've always done it..." (also known as entropy) is a powerful de-motivator.

How do you break this log jam without becoming a pariah? 

Glad you asked! You have a Super Power to help with that... bring these entropy events to the "Compliance and Audit" Committee, let the business hear the arguments, pro and con then let the business have the final word. 

You are just the messenger here; the Business Leadership Team has the absolute responsibility to manage resource allocation to drive risk management and profitability. Those are powerful motivators: let the business make the decisions, then carry out their decisions. It's never personal (though change feels personal sometimes), it's just business.

Maximize automation in your Compliance and Audit requirements 

By taking a long, hard look at your GRCPS and Audit requirements, inserting them into existing mature IT SDLC gates and automating the generation of audit artifacts, you are in essence differentiating yourself from the average Manager and ensuring that the Business Leadership Team sees you as a force multiplier, increasing the competitive advantage of the Business. 

Once you've made this point it will forever change the way the Business Leadership Team looks at you, your value to the Business will increase exponentially. 

The value you bring to the Business as a GRCPS Leader is not by turning a wrench on a tool; it's by effectively managing risk and resources and bringing efficiencies to the forefront in business meetings. Help the business understand that you as a Leader can drive efficiency, maximize tool investment dollars, free up IT labor for other more creative tasks and increase competitive advantage; you'll get people's attention, and I'll wager you'll also get that next promotion with a lot less friction.

You have made the transition from Manager to Leader. Not a lot of folks in the Technology Teams see the value in doing that, but your Business Leadership Team does...

Wednesday, January 13, 2021

Cyber Security ROI for the CEO - Part Two - Ransomware Prevention

 


"...you can't defend. You can't prevent. The only thing you can do is detect and respond..." Bruce Schneier

What we will discuss in this section:

  1. Review of Part One
  2. Let's discuss what Ransomware is...
  3. What does a Ransomware attack look like?
  4. Let's talk about Cyber Security Architecture
  5. What is your business's appetite for change?

Setting the stage for success: Recapping Part One's Homework...

So we begin Part Two on solid footing. You are or should be well on your way to ensuring that your Cyber Security Tools (People, Process and Technologies) are aligned with your business critical requirements and that Risk, Compliance and Audit are meeting early and often with your Cyber Security Teams to leverage and enhance these alignments...

Let's discuss what Ransomware is...

You need to understand that ransomware is a business: very profitable, low risk, low cost, it's all upside to the attacker. You need to have a solid plan to remove these incentives and drive up the "cost" to the attackers to incentivize them to go elsewhere.

It's not easy to find a scholarly definition of ransomware. Every vendor seems to have a definition that makes their product appear to be the silver bullet that will protect your business from ransomware. The following is the best research paper and analysis of ransomware that I could find (via Science Direct, Technology University of Malaysia, July 9th, 2017): Ransomware Threat Success Factors Reference

It's dense and chewy but it gets us to a vendor agnostic point of reference.

Ransomware is an attack against your business - with the intent to deny you access to resources and extort money from you - bottom line, it is a crime. 

There is a lot you can do to protect yourself without spending a lot of money, that approach [People, Process & Technology] will be the focus of this article.

THE BOTTOM LINE: There is a high likelihood that your business currently owns and is not using or incorrectly implementing capabilities that can dramatically lower your risks of ransomware. That is the premise that the following recommendations are based on.

I was discussing Ransomware Prevention with a customer not long ago, a very profitable business with Billions in recurring revenue to protect, solid brand recognition and a consumer loyalty metric that was the envy of their competitors. They weren't really taking Cyber Security in general and ransomware in particular seriously (of course that statement is my opinion). Not being a FUD [Fear, Uncertainty and Doubt] person, I explained to them that a determined attacker could invest millions, hire the best hackers, etc...and target them because the potential payoff was so lucrative (the conversation was longer and more involved than this), they finally agreed to some of the recommendations you will find in this article, but, as always the greatest problem was and will always be, people's ability to absorb change. Some things never change, it all boils down to two things: (1.) people; and (2.) change management. You can have the greatest plans on the planet but if people will not utilize them, they are useless.

What does a Ransomware attack look like? 

Hopefully, if you are hit with a ransomware attack it will not be the well coordinated, targeted attack like Maersk shipping experienced in 2017, that attack is the stuff of legends.

Maersk Shipping and Not Petya

Most ransomware attacks progress something like this:

  1. An attacker gets in your network and gains elevated privileges
  2. The attacker uses these elevated privileges to identify your disaster recovery tools or site and/or backup tools
  3. The attacker downloads encryption keys to encrypt your backup media, regardless of type
  4. The attacker may take over other key systems or software applications in your business
  5. The attacker notifies you and demands payment

Let's talk about Cyber Security Architecture

Most businesses have adopted what we call a "defense in depth" approach to Cyber Security. It is neither good nor bad, but it does carry with it a burden of risk that given our evolving technology landscape may no longer be wise.

Minimizing risk in the following ways means you must also manage the change - People, Process and Technology.

From a practical perspective, we are making the recommendations below. These are not all inclusive, nor are they intended to be; these recommendations are focused on small to medium sized businesses and the common tools in most businesses' IT / Cyber Security shops.

DISCLAIMER: I want to apologize in advance, given the nature of the current topic, what follows will be somewhat technical yet dramatically over simplified. Feel free to reach out for details if you would like them.

Things that remove a lot of risk, with little capital expenditure:

Implement Structured Hardening - One source for system and application hardening recommendations

There are numerous sources of recommendations for system and software application hardening (chances are good that if you ask, the vendor will give you their hardening guides for free); it is in your best interest to invest the time to adopt an evolutionary approach to structured hardening.

Start out slowly, set a goal and stick with the plan. Make your systems and software applications hard to break into, by increasing hardening settings on a quarterly basis. Over time you will be dramatically reducing your attack surface.

Here is a great example of an evolving approach

Consider implementing the NIST Privileged Access Workstation [PAW] methodologies for your IT and Cyber Security Staff.

Implementing PAW as a standardized, hardened virtual machine can mitigate an ocean of risks. You can significantly enhance the security of this approach by putting the PAW VMs on their own VLAN and requiring multi-factor authentication or MFA to authenticate into the PAW VM. In this manner, the inherent risk of an IT or Cyber Security privileged account can be almost completely mitigated.

Consider implementing a "privileged access workstation VM" model

Decouple Cyber Security Tools from Active Directory

It is a well documented fact that all of your IT and Cyber Security tools have a dark side that can be used against your business as a weapon if compromised.

By removing Active Directory integration from these tools and making them an "island of authentication", a compromised Active Directory USERID cannot be used to turn your trusted tools against your business. Yes, it is inconvenient, but the risk reduction and peace of mind more than make up for that. If you go the extra mile to enhance this by requiring Multi Factor Authentication [MFA] to use the tool, you will be dramatically increasing the trust of the tool as well.

Protection Profiles for your High Risk Workforce   

Make sure that your Cyber Security dollars are focused on those employees that are associated with high risk positions. Using a one size fits all approach to Cyber Security spending for all employees, regardless of the inherent risk of their position, needlessly drives up the costs of Cyber Security. You would be better served by developing standardized "Protection Profiles" and allocating resources based on that model.

Elevated Privilege Account - Lifecycle Management

If you are like most businesses, your employees with "elevated privilege" accounts have a 7x24x365 risk profile. If their account is compromised by an attacker, that attacker also has a 7x24x365 window to prosecute an attack against YOU.

If you are using Windows Server 2016 or 2019, you already own a capability known as "just in time administration", which allows you to "loan" elevated privileges to authorized personnel for a short time and then automatically remove them, dramatically shrinking the attack surface against your business. You own this capability now, and it lets you shrink the risk window down to hours instead of always-on. See the two examples below for how to implement and test this capability in your business.

EXAMPLE ONE

EXAMPLE TWO
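As an added worked example (my addition, not the author's and not one of the two referenced examples), here is how the Windows Server 2016+ time-limited group membership behind "just in time administration" is enabled, used and audited from PowerShell; the forest name corp.example, the group Tier0-Admins and the user jdoe are placeholders.

```powershell
Import-Module ActiveDirectory

# One-time, forest-wide and irreversible: enable the Privileged Access Management
# optional feature. Requires forest functional level Windows Server 2016.
# Placeholder forest name: corp.example
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target 'corp.example'
}

# "Loan" membership of a privileged group (placeholder: Tier0-Admins) to a user
# (placeholder: jdoe) for four hours. AD removes the member automatically when the
# TTL expires, and Kerberos tickets issued during the loan are capped at the time left.
Add-ADGroupMember -Identity 'Tier0-Admins' -Members 'jdoe' `
    -MemberTimeToLive (New-TimeSpan -Hours 4)

# Audit helper: list every member of a group with the seconds left on its loan.
# Permanent members of a Tier 0 group are the finding to chase down.
function Get-JitGroupMembership {
    param([Parameter(Mandatory)][string]$Group)
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($m in $g.member) {
        # Time-bound members come back as "<TTL=<seconds>,<DN>>"; permanent ones as a bare DN.
        if ($m -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1]; Permanent = $false }
        } else {
            [pscustomobject]@{ Member = $m; SecondsLeft = $null; Permanent = $true }
        }
    }
}

Get-JitGroupMembership -Group 'Tier0-Admins' | Sort-Object Permanent -Descending | Format-Table -AutoSize
```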

Windows Service Accounts - Lifecycle Management

Your service accounts represent a large attack surface within your enterprise that can be used against you by an attacker. Service account passwords are rarely if ever changed, and a great many service accounts have elevated privileges. This represents an unacceptable risk to your business, and chances are you already own the tools to remove this risk now.

Microsoft Active Directory has a capability currently referred to as "Group Managed Service Accounts" [gMSA]; if you are like most businesses, you are not leveraging it to minimize risk. By implementing gMSAs you turn password management and complexity over to automation and specify the time to live of the gMSA password. You can migrate them from never changing (high risk) to, say, changing every twenty-four hours. This greatly reduces the attack surface of non-human accounts.

Here is a great reference to free cyber security capabilities in Windows Server 2019

Here is a great reference on gMSAs
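An added PowerShell example (my addition, not from the original post) that creates a gMSA with a one-day password interval and then audits for gMSAs still on the 30-day default; svc-web, gMSA-Web-Hosts, WEB01/WEB02 and corp.example are placeholder names.

```powershell
Import-Module ActiveDirectory

# The KDS root key is created once per forest. In production, create it and wait
# for replication (about 10 hours) before creating gMSAs; back-dating the key as
# below is acceptable only in a single-DC lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Only the hosts in this group (placeholder names) may retrieve the password.
New-ADGroup -Name 'gMSA-Web-Hosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'gMSA-Web-Hosts' -Members 'WEB01$', 'WEB02$'

# Create the gMSA (placeholder svc-web). The DCs generate a long random password and
# rotate it every 1 day; the default is 30 and the interval is fixed at creation time.
New-ADServiceAccount -Name 'svc-web' -DNSHostName 'svc-web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-Web-Hosts' `
    -ManagedPasswordIntervalInDays 1 -KerberosEncryptionType AES128, AES256

# On each host (after a reboot, so its new group membership is in its Kerberos ticket):
Install-ADServiceAccount -Identity 'svc-web'
Test-ADServiceAccount -Identity 'svc-web'   # True when this host can retrieve the password
# Then configure the service to log on as CORP\svc-web$ with the password field left empty.

# Audit: list gMSAs whose rotation interval is still the 30-day default (or slower).
function Get-SlowRotatingGmsa {
    Get-ADServiceAccount -Filter * `
        -Properties 'msDS-ManagedPasswordInterval', PrincipalsAllowedToRetrieveManagedPassword |
      Where-Object { $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount' -and
                     $_.'msDS-ManagedPasswordInterval' -ge 30 } |
      Select-Object Name,
                    @{ n = 'IntervalDays'; e = { $_.'msDS-ManagedPasswordInterval' } },
                    PrincipalsAllowedToRetrieveManagedPassword
}
Get-SlowRotatingGmsa | Format-Table -AutoSize
```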

E-mail Risk Reduction

There are many low-cost ways to minimize risk in your current email systems.

They go by the acronyms SPF, DKIM and DMARC. These may seem like small steps, but they add up to a big risk reduction, help stop bad actors from impersonating your company, and alert you to such attempts.

These mainstream email security tools are free to use and most likely built into your current email system's capabilities.

Here is a great reference on email risk mitigation
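An added example (my addition, not from the original post) that reads a domain's SPF, DKIM and DMARC records with the Windows DnsClient cmdlets and reports the weak settings worth asking your email team about; the domain example.com and the DKIM selector 'selector1' are assumptions, since selectors differ by mail provider.

```powershell
function Get-EmailAuthPosture {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$DkimSelector = 'selector1'   # assumption: ask your mail provider for the real selector
    )
    function Get-TxtRecord([string]$Name) {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' }
    }
    $spf   = Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    $dmarc = Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $dkim  = Get-TxtRecord "$DkimSelector._domainkey.$Domain" | Where-Object { $_ -match '(^|;)\s*p=' } | Select-Object -First 1

    # SPF: the qualifier on the final "all" decides what receivers do with senders you did not list.
    $spfAll = if ($spf -match '([-~+?]?)all\s*$') { if ($Matches[1]) { $Matches[1] } else { '+' } } else { $null }
    # DMARC: p= is what receivers do with mail that fails; pct= is how much of that mail the policy covers.
    $policy = if ($dmarc -match 'p=(none|quarantine|reject)') { $Matches[1] } else { $null }
    $pct    = if ($dmarc -match 'pct=(\d+)') { [int]$Matches[1] } else { 100 }

    $findings = @()
    if (-not $spf)                { $findings += 'No SPF record: any server may send as this domain.' }
    elseif ($spfAll -in '+', '?') { $findings += "SPF ends in '${spfAll}all': unlisted senders still pass." }
    elseif ($spfAll -eq '~')      { $findings += 'SPF softfail (~all): fine while testing, move to -all.' }
    if (-not $dkim)               { $findings += "No DKIM public key published at selector '$DkimSelector'." }
    if (-not $dmarc)              { $findings += 'No DMARC record: receivers get no policy and you get no reports.' }
    elseif ($policy -eq 'none')   { $findings += 'DMARC p=none: monitor only, spoofed mail is still delivered.' }
    elseif ($pct -lt 100)         { $findings += "DMARC policy applies to only $pct% of failing mail." }
    if ($dmarc -and $dmarc -notmatch 'rua=') { $findings += 'DMARC has no rua= address: no aggregate reports of impersonation attempts.' }

    [pscustomobject]@{
        Domain = $Domain; SPF = $spf; SpfAllQualifier = $spfAll
        DMARC = $dmarc; DmarcPolicy = $policy; Findings = $findings
    }
}

Get-EmailAuthPosture -Domain 'example.com' | Format-List
```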

Defang URLs

Allowing URLs (hypertext links) in email is convenient but brings with it an unacceptable burden of risk. Depending on your email routing architecture, you can configure technologies to convert these URLs to plain text, thus denying an attacker this convenience-based attack surface.
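An added example (my addition, not from the original post) of the gateway transform described above: a PowerShell function that rewrites anchors and bare URLs in an HTML mail body into non-clickable text and flags links whose visible text points somewhere other than the real target. The sample message is constructed.

```powershell
function ConvertTo-DefangedText {
    param([Parameter(Mandatory)][string]$HtmlBody)

    # Neutralise one URL so mail clients stop rendering it as a clickable link.
    function Defang([string]$Url) {
        ($Url -replace '^http', 'hxxp') -replace '\.', '[.]'
    }

    # Replace each <a> with its visible text plus the defanged real destination, and flag
    # the classic lure where the visible text is itself a URL that differs from the href.
    $anchor = '<a\b[^>]*?href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    $text = [regex]::Replace($HtmlBody, $anchor, [System.Text.RegularExpressions.MatchEvaluator] {
        param($m)
        $href  = $m.Groups[1].Value
        $label = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()
        $warn  = if ($label -match '^https?://' -and $label.TrimEnd('/') -ne $href.TrimEnd('/')) {
                     ' [LINK TEXT DOES NOT MATCH TARGET]' } else { '' }
        "$label <$(Defang $href)>$warn"
    }, 'IgnoreCase, Singleline')

    # Bare URLs pasted into the body get the same treatment.
    $text = [regex]::Replace($text, 'https?://[^\s<>"]+', [System.Text.RegularExpressions.MatchEvaluator] {
        param($m) Defang $m.Value
    }, 'IgnoreCase')

    # Finally drop any remaining markup.
    ($text -replace '<[^>]+>', '').Trim()
}

# Constructed sample body (not from a real message); 203.0.113.10 is a documentation address.
$sample = '<p>Your invoice is ready: <a href="http://203.0.113.10/login">https://portal.example.com</a></p>'
ConvertTo-DefangedText -HtmlBody $sample
```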

Things that remove a lot of risk, but require capital expenditure:

Enterprise Password Manager

An enterprise password manager is something that can reduce your attack surface significantly. A password manager should be able to manage work and personal passwords for your personnel (to minimize friction with adoption), and to control password length, complexity and time to live.

An enterprise password manager should allow your human and non-human passwords to be long, complex and change often to minimize the attack surface and reduce risk.

Security Orchestration, Automation and Response [SOAR]

"...SOAR is a solution stack of integrated software programs that allow an organization to collect data about security threats, and respond without human intervention..."

The current threat landscape is automation attacking your business, but your business response is based on human reaction time. This gives the non-human attacker a significant advantage. The goal of SOAR is to move your business to a non-human response posture and greatly enhance your chances of mitigating an attack.

The following are some possible technologies that could be combined to create a SOAR capability for your business.

A great SOAR analysis

802.1X

802.1X is a capability that is built into your network now. It allows your wired and wireless network to become the first line of defense for your business. 802.1X can be implemented to require an authorization token from the computer, the human, or both BEFORE either is allowed to join your corporate network. This is a very powerful risk mitigation.

802.1X can be configured to notify your SOAR stack if a computer or human does not properly authenticate, and your SOAR can, without human intervention, disable the network port the attacker is trying to use and call a human for assistance. Powerful stuff.

Here is a great 802.1X primer

DNS / IP reputation

Should an attacker get into your network, they will need to "phone home", for example to obtain the encryption keys for a ransomware attack against your business. By implementing a DNS and/or IP reputation firewall, an outbound connection request to a known attack site can be blocked instantly and your SOAR notified; the SOAR can then disable the network port of the offending machine, almost instantaneously.

SANS case study on the DNS Firewall ROI

Security Information and Event Management (SIEM)

Your SIEM tool should be integrated into your SOAR "solution stack" such that your SOAR can automate defensive measures based on patterns that the SIEM can be configured to alert on.

For example: your firewall logs are sent to your SIEM. Your SIEM is configured to compare outbound connection requests against your IP and DNS firewall threat intelligence database. If there is a match, your SOAR tool tells your network management system to disable the connection of the computer from which the request was sent and notifies a human to go take a look. This could happen in nanoseconds, compared to waiting for a human SOC analyst to "catch" the attack, which might take minutes to hours, or never happen at all.
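An added PowerShell example (my addition, not from the original post) that ties the 802.1X, DNS/IP reputation and SIEM sections together: constructed firewall and DNS log lines are matched against a constructed reputation list, and each offending host is mapped to the switch port a SOAR playbook would shut down. The indicators, port map and log lines are all constructed (documentation address ranges only); handing the resulting actions to your network management and paging systems is your own integration.

```powershell
# Constructed reputation data (documentation address ranges) and host-to-switch-port map.
$badIps     = @('203.0.113.7', '198.51.100.23')
$badDomains = @('update-checker.invalid')
$portMap    = @{ '10.1.20.14' = 'sw-floor2 Gi1/0/14'; '10.1.20.31' = 'sw-floor2 Gi1/0/31' }

# Constructed firewall and DNS resolver log lines in key=value form.
$logLines = @(
    'ts=2021-12-17T09:58:01Z type=fw src=10.1.20.14 dst=203.0.113.7 dport=443 action=allow',
    'ts=2021-12-17T09:58:02Z type=fw src=10.1.20.31 dst=192.0.2.10 dport=443 action=allow',
    'ts=2021-12-17T09:58:05Z type=dns src=10.1.20.31 qname=update-checker.invalid qtype=A',
    'ts=2021-12-17T09:58:09Z type=fw src=10.1.20.14 dst=198.51.100.23 dport=8443 action=allow'
)

function ConvertFrom-KvLine([string]$Line) {
    $h = @{}
    foreach ($pair in ($Line -split '\s+')) { $k, $v = $pair -split '=', 2; $h[$k] = $v }
    [pscustomobject]$h
}

# The SIEM side: an outbound request whose destination is on the reputation list is the alert.
function Find-ReputationHits([string[]]$Lines) {
    foreach ($e in ($Lines | ForEach-Object { ConvertFrom-KvLine $_ })) {
        $ioc = switch ($e.type) {
            'fw'  { if ($badIps -contains $e.dst)       { $e.dst } }
            'dns' { if ($badDomains -contains $e.qname) { $e.qname } }
        }
        if ($ioc) { [pscustomobject]@{ Time = $e.ts; Source = $e.src; Indicator = $ioc } }
    }
}

# The SOAR side: one containment decision per offending host, not per alert, so a machine
# beaconing to several bad addresses produces one port shutdown and one page, not a flood.
function Invoke-ContainmentPlaybook([object[]]$Hits) {
    foreach ($byHost in ($Hits | Group-Object Source)) {
        $port = $portMap[$byHost.Name]   # $null means the host's port is unknown: page only
        [pscustomobject]@{
            Host       = $byHost.Name
            SwitchPort = $port
            Indicators = ($byHost.Group.Indicator | Sort-Object -Unique) -join ', '
            FirstSeen  = ($byHost.Group.Time | Sort-Object)[0]
            Action     = $(if ($port) { 'shutdown port, then page SOC' } else { 'page SOC' })
        }
    }
}

$hits = Find-ReputationHits -Lines $logLines
Invoke-ContainmentPlaybook -Hits $hits | Format-Table -AutoSize
```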

What is your business's appetite for change?

Implementing any of the recommendations above will mean change: change for your IT and Cyber Security Teams, for your Network Team, and so on, as well as for your non-technical employees.

Protecting your business against a sophisticated attacker will require your Executive Team to manage these changes and support your technology teams to implement the changes to protect your business.

There are no silver bullets nor easy answers. Just awareness and willingness. This does not have to be costly in dollars, but change also comes with a cost.

Next Steps

If you have questions or comments, please let me know: the_Secret_CISO@Protonmail.com


Copyright © 2021 by "the Secret CISO"

All Rights Reserved.