Looking ahead at the rest of 2019, Lastline’s threat intelligence director Andy Norton has two words for everyone: WAKE UP! He sees that the economic losses resulting from cybercrime will be worse this year than ever before. In response, Andy thinks that there will be a mass awakening of governments, policymakers, industry actors, and others as they move to issue new guidance that corresponds with the reality of today’s evolving digital security risk.
I hope Andy’s right, at least in terms of the industry’s response. Given the rise of sophisticated attacks, adversarial machine learning, and other threats, it’s an important moment for defenders to recalibrate their understanding of digital risk. This effort will require looking forward to where the digital threat landscape might be going. But I think it’s about looking backward, too. Not just to the fears of yesteryear but also to the security controls which I know many of us have been using for years.
As we prepare to face 2019’s threat landscape, I think it’s extremely important that security professionals familiarize themselves with five top security best practices in particular. They also need to be aware of the key challenges facing them in this task as well as the best way for organizations to successfully implement those practices.
1. Implement Regular Data Backups
Security professionals can help their organization start 2019 on the right foot by implementing regular data backups. I understand that they might be tempted to make those backups available via the use of tape or on-site methods. But this is a bad idea. There are just too many risks. What happens if a site goes dark, for instance? Also, I’ve heard of cases where organizations’ backup tapes became corrupted.
Instead, I encourage security professionals to use the cloud for offsite back-up. It’s a cost-effective and easy way to protect sensitive data…assuming they choose a reliable CSP and fulfill their end of the Shared Responsibility Model. That means encrypting data in transit to the cloud service provider and making sure they have the ability to encrypt data at rest. To do this, you can either use an HSM or storage gateways.
Many organizations have ransomware on their minds when they’re formulating or modifying their backup strategy. It’s therefore crucial that your strategy, whatever it is, ensures protection against data loss in the event of a ransomware attack. Fortunately, you’re in luck! There are several tools out there that can help monitor file shares for ransomware activity. With these tools, security professionals can halt the syncing of backup data if any malicious behavior is detected in order to protect those backups’ integrity.
2. Use a Password Manager
Once you’ve helped your organization get its data backups in order, you can strengthen your organization’s password security. I need not remind you that using the same password on all sites is a terrible idea. This is because the weakest link (i.e., the initially compromised site) could expose all the sites to which you have access if the password is stolen.
I encourage you to use a password manager. Now, I know that some are concerned about these services; many people fear that these utilities store passwords in the cloud or, worse, on the local computer. But this is a huge misperception. A good password manager “reorganizes” passwords once someone submits a master password for their account. Until then, the data stored by the password manager is meaningless.
So how can you set up your organization with a password manager? In my opinion, the best way to move forward is to simply begin using it. This can involve creating an organizational project where personnel introduce a trusted password manager to a pilot group of users. Once that group has embraced adoption, you can expand use of the password manager to a broader audience.
3. Invest in People and Process
Many security professionals think that the best way to effectively mitigate digital security challenges is to decrease reliance on people by employing machine learning or other forms of AI. Doing so would put their organization at a serious disadvantage, however. Recall that the Golden Triangle of information security covers people, process, and technology. Organizations must pay attention to each of these elements if they hope to have a well-rounded digital security program.
That being said, it’s part of your role as a security leader to design clear and comprehensive security policies for your organization. These policies need to align with business processes and help protect the organization against digital threats. To defend against vendor fraud, for example, you can create a process by which authorized employees must call their vendor and verify the payment instructions if there’s a change in the vendor’s bank account.
Of course, these security policies mean nothing if organizations have employees who don’t know any better. Therefore it’s essential to complement policies with employee training. These training sessions brief employees not only on new social engineering attacks and evolving threats, they also need to emphasize the organization’s security policies and procedures to ensure that each employee knows how they can play a part in protecting valuable corporate computer systems and sensitive information.
4. Engage with Attachments in the Cloud
Numerous threats lurk within each employee’s inbox. Those dangers oftentimes include phishing emails designed to steal the credentials for their work accounts. Frequently, there are also attack emails capable of exploiting software vulnerabilities and downloading malware onto the recipient’s machine.
Given such email-borne risks, you can strengthen your organization’s email security. In particular, I recommend using a service like Google Drive to upload email attachments into a cloud environment, where employees can then open and modify them. Doing so will reduce the possibility that a potential exploit will infect workstations, as Google’s own vulnerability scanners are quite good at catching malicious code in files.
That being said, not all organizations use Google’s own email services by default. If you don’t, you need to download attachments first and then upload them to Google Drive, thereby endangering employees’ machines. You can mitigate this risk by advocating for the use of services like G Suite in the workplace.
5. Implement Multi-Factor Authentication (MFA)
Aside from improving organizations’ password security, I recommend using two-factor authentication (2FA) or some other form multi-factor authentication (MFA) on any of your online accounts, especially services that are remotely accessible, like SSH servers. Now, I realize that implementing MFA oftentimes comes down to a balancing act between usability and security. You don’t want to overly complicate digital security for the organization. Otherwise, employees won’t get on board with these measures or, worse, will try to find ways around them.
That being said, conducting a risk assessment can limit the negative influence of MFA’s usability and reduce the costs of maintaining the requisite infrastructure. Such an analysis can help you streamline implementation of MFA as much as possible. For instance, remote users will need to submit to MFA every time they authenticate, but as a user who goes into the office, I’ll need to use another factor only when there’s a reason for doing so, such as an unusual time or source of authentication, or I’m using a new device.
Just the Beginning…
The security practices discussed above are a great starting point for you as infosec professionals to defend your organizations in 2019. But they’re not the only measures that you can implement. For additional guidance, I encourage you to review the Center for Internet Security’s Critical Security Controls (CSC) or a similar resource of security controls.