Laying the groundwork for Stronger Cybersecurity and Incorporating a Written Information Security Plan

The goal of this article is to help you improve your cybersecurity plan.  By implementing even one or two of the suggestions in this article, you’ll be taking a step toward reducing the likelihood of data loss, downtime, reputation damage, and lost revenue.  Proactively enhancing your cybersecurity plan is a smart business move.

Before writing any cybersecurity plan, it’s important to have a cybersecurity risk assessment under your belt.  Risk assessments highlight exactly where and how your workforce, technology, and physical environment are at risk and therefore where you need to place your risk-reducing budget dollars in future budget years.  An upfront risk assessment is also THE key input into your cybersecurity plan.  After all, the whole point of a cybersecurity plan is to reduce the areas of risk uncovered by a risk assessment.

Chances are you probably already have a cybersecurity plan for your organization.  It may be a plan that was written to meet regulatory requirements.  Alternatively, it may have been written because you value the continuous operation of your organization and want to protect the private data it stores and processes.  Regardless of the stated intent, every cybersecurity plan should include the following elements.  If you’re wondering where these came from, they correspond to the NIST SP800-53 cybersecurity framework.

  • The organization’s general attitude toward risk-averse, neutral, or accepting.
  • A statement on the importance of cybersecurity from leadership to individual contributors.
  • A statement of commitment to adhere to any applicable regulations such as HIPAA, PCI, 23 NYCRR 500, etc.
  • Specific incident response procedures outlining what each internal and external stakeholder will do in the event of a data breach or other adverse cybersecurity event.
  • A statement of the importance and frequency of performing ongoing cybersecurity tasks such as risk assessments, vulnerability assessments, and penetration tests. Remember, as your environment changes (new technology, merger, acquisition, or re-org), your initial risk baseline will shift significantly.
  • A statement on how your organization handles logical access control such as users logging into systems, firewall requirements, and network traffic filtering.
  • A statement on physical security including visitor sign-in requirements, door locks or keypads, fire suppression, and security cameras.
  • A statement on data protection including handling malware and malicious activity.
  • A statement on how your organization manages hardware and software configurations and also manages changes to them.
  • A statement of how information security monitoring is to be handled including how stakeholders are notified in the event of a red flag.
  • A statement on how the organization will recover from a physical or cyber disaster to ensure the continuous operation of the organization, even if in a degraded state.
  • A statement on data privacy practices and expectations for employees to ensure the privacy of sensitive or confidential data.

Sometimes these policy statements are broken out into different policies.  Sometimes they’re included in a bigger, overarching Written Information Security Program (WISP).  Whether broken out or lumped into an all-encompassing WISP, each of these areas requires thoughtful consideration and written statements for how the company will handle every area of concern.

Once your plan contains the right elements, it’s important to bake the plan into regular conversations with employees.  The main problem with policy is that it’s often written only to be set aside in a three-ring binder and never revisited.  If you’re going to do this, you may as well not write the policy in the first place.

For policy to be effective, it needs to be regularly reviewed with staff and updated upon significant changes to the business or its technology.  An easy way to ensure your cyber policy is being reviewed is to incorporate it in your annual or bi-annual employee review discussions.  And please, do not simply hand the employee a stack of paper and trust them to read it on their own.  Discuss it together and answer any questions the employee may have.  Again, policy is pointless unless it’s updated regularly and understood and followed by all employees.

The groundwork for establishing a solid cybersecurity plan has been laid.  However, good plans aren’t static.  They change.  They adapt.  Football teams go into each game with a plan.  They know their own strengths and weaknesses.  They’ve reviewed countless hours of video footage of the opposing team.  A head coach’s plan is designed to maximize his team’s strengths while leveraging the opposing team’s weaknesses.

Three current threat trends and what to do about them

Cybersecurity plans are exactly like football strategy.  They’re designed for your team to win.  While the offensive line protects the quarterback and the football, a WISP helps you protect private data and fend off cyber-attacks ensuring your company’s ability to operate with minimal interruption.  Just like a football team has to adjust their strategy when facing a new team, businesses need to adjust their cybersecurity plan to protect against new threats.  The remainder of this article outlines three current cybersecurity threat trends and what savvy business professionals are doing to combat them.  If you aren’t implementing the protections discussed, please initiate a conversation with your IT staff and work toward building them into your next budget cycle.

Threat 1: Most network traffic is encrypted and it’s going in and out of your network uninspected

As of November 24, 2018, 80% of web pages accessed by the Google Chrome browser on Microsoft Windows PCs are encrypted.  For Mac users, this figure is 87%. [1]  This means that well over two-thirds of the data coming into and leaving your network is encrypted, including potentially malicious traffic.  If you aren’t decrypting, inspecting, then re-encrypting this traffic as it flows to and from your organization, your security posture is dubious at best.

Percentage of pages loaded over HTTPS in Chrome by platform

 

 

 

 

 

 

 

 

 

 

 

 

 

 

You may be asking: “So what?  Who cares that my network traffic is encrypted?  Afterall, I thought encryption provided confidentiality, which is supposed to be a good thing.”  The issue is that malware authors are hiding their malicious code in HTTPS.  When you visit an HTTPS-encrypted site in your web browser, you see the little green lock icon and think “I’m safe.”  However, you could have a false sense of security as malware writers are buying digital certificates to encrypt traffic going to and from their websites which host malicious code. According to cybersecurity firm Cyren, “the real extent to which malware is being hidden in HTTPS has been an open question—until now.  Our security researchers have found that HTTPS is now being utilized in 37% of all malware.  And recent growth in HTTPS use for malware has been dramatic, with malvertizing use of HTTPS jumping 30 percent in the first half of 2017.” [2]

 

Percentage of Malware Entering Undetected

 

 

 

 

 

 

 

 

 

 

 

The problem is that malware is hiding under your nose in encrypted web sessions.  The solution is to perform decryption of all web-based traffic on your firewall, inspect the traffic once it’s decrypted, then re-encrypt it and send it along.  All modern firewalls have this capability and it’s typically called “SSL Inspection” in the settings.  Unfortunately, most business professionals don’t have this setting turned on.

So, today’s marching orders are to ask your IT folks if they can enable SSL Inspection on the firewall because you don’t want malware to hide within encrypted traffic streams.  After all, being blind to over two-thirds of your web traffic is not good security!

Threat 2: Online account takeover is at a record high

We all use the Internet.  Whether for personal email, social media, corporate email, or data processing, the Internet is a huge part of our everyday lives.  The Internet makes things easier and more accessible.  It makes the world a smaller place and allows businesses to reach a large audience with minimal effort.

For all the good that the Internet brings, it also comes with significant security issues that should be addressed in your cybersecurity plan.  Every year for the last decade, Verizon’s Data Breach Investigation Report has shown that social engineering is the most common method criminals use to take over online accounts.  It starts with a phishing email that tricks you into giving up your username and password.  From there, criminals can take over your email account and pose as you.

It is universally accepted that passwords alone are not sufficient to protect your online accounts.  Whether through social engineering or simple brute force password cracking, criminals can easily obtain your password and thus gain access to your online accounts.  To overcome this, companies need to step up their authentication game.  This means enabling multi-factor authentication for all online accounts.  Multi-factor authentication (MFA) simply means adding another authentication factor such as a hardware token, fingerprint, or smartphone-based authenticator to your primary authentication factor (your password).

According to KrebsOnSecurity, “Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017 when it began requiring all employees to use physical security keys in addition to passwords.” [3]  In other words, MFA works.

The best way to combat online account takeover is to add a second authentication factor to each of your online accounts.

Threat 3: Sensitive data keeps getting leaked via email

Just as Internet use is a fact of life, email is also a critical workflow for all businesses.  Because we’re all humans, we’re all imperfect.  We may inadvertently send private information via email to the wrong recipient.  Additionally, we may send private information via email in clear text to a receiving mail server that doesn’t support encryption.  When this happens, businesses are liable for any loss associated with the private data leak.  They’re required to notify authorities as well as affected customers, leading to potential fines and reputation loss.  These pitfalls can be avoided, though.

Myriad email encryption and data loss prevention (DLP) solutions are available.  These solutions can either force encryption on all outbound email, ensuring the 100% confidentiality of all email, or they can “look for” sensitive data and selectively encrypt emails that contain it.  Gateway solutions include a device that sits on the edge of your network and performs email encryption and DLP.  There are also cloud-based solutions, many of which cost no more than a cup of coffee per user, per month.  You don’t think twice about ordering a $5 coffee from your favorite barista.  So why not invest in protecting email, one of the most-used and most-hacked cyber workflows?

References

[1] Google Transparency Report. (n.d.). Retrieved November 30, 2018, from https://transparencyreport.google.com/https

[2] Magnúsardóttir, A. (2017, June 7).  Malware is Moving Heavily to HTTPS.  Retrieved November 30, 2018, from https://www.cyren.com/blog/articles/over-one-third-of-malware-uses-https

[3] Krebs, B. (2018, July 23). Google: Security Keys Neutralized Employee Phishing.  Retrieved November 30, 2018 from https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing

Leave a Reply

Your email address will not be published. Required fields are marked *

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>