10 Steps to Cyber Security – Parts 6-10

The cyber security threat landscape is constantly changing with the ever growing number and scale of attacks. The consequent measures necessary to combat the threats need to be robust, comprehensive and agile. Simply put, it is about developing an effective approach and constantly testing and refining it. The sections below cover the second 5 sections of some 10 essential recommended steps that should be taken to achieve an effective level of cybersecurity and is based on guidance from NCSC.

Incident Management

A security incident is inevitable for all organisations. An effective systems of incident management policies and processes will reduce any likely impact, enable speedier recovery and improve business resilience. Without an effective management system in place, some of the possible risks of an attack include;

  • Greater business impact of an attack through failure to realise the attack early enough and consequent slowness to respond resulting in more significant and ongoing impact
  • Potential for continuous or repeated disruption due to failure to find the root cause
  • Failure to conform with legal and regulatory standards which could result in financial penalties

It is important to manage the risk by taking some of the following steps;

  • Establish an incident management capability using in-house or specialist external service provider, create a plan and test its effectiveness.
  • Define reporting requirements
  • Define roles and arrange specialist training to ensure the correct skill base
  • Establish and regularly test a data recovery strategy including offsite recovery
  • Collect and analyse post incident evidence for root cause analysis, lessons learned and evidence for crime and/or compliance reporting

Malware Prevention

Malware is the most common form of security compromise and it is a fact that all organisations interact with known malware sites. The risk of malware can include; email with malicious content or links to malicious sites, web browsing to sites containing malicious content, introduction of malware through uncontrolled devices such as USB media or smartphones.

Inadequate controls for protection against malware could result in business disruption and/or loss of access to critical data.
Malware risks can be managed effectively using some of the following techniques;

  • Create and implement effective malware policies
  • Control import and export of data and incorporate malware scanning
  • Use blacklisting to block access to known malicious sites
  • Establish a defence in depth approach which includes security controls for endpoints, anti-virus, content filtering to detect malicious code, disable browser plugins and auto run features, ensure baseline security configurations are in place
  • Users should be educated regularly to understand the risk of malware, their role in preventing it and the procedure for incident reporting

Systems Monitoring

Systems monitoring provides the ability to determine how systems are being used and whether they have been attacked or compromised. No or poor monitoring prevents organisations from; detecting attacks against infrastructure or services, slows reaction to an attack resulting in increased severity of an attack, cause non compliance with legal or regulatory requirements
Systems monitoring risks can be prevented by taking the following steps;

  • Develop and implement a monitoring strategy based on the business risk assessment
  • Ensure that all systems are monitored, should include the ability to detect known attacks as well as having heuristic capabilities
  • Monitor network traffic to identify unusual traffic or large uncharacteristic data transfers
  • Monitor user activity for unauthorised use of systems
  • Fine tune monitoring systems to collect relevant events and alerts
  • Deploy a centralised logging solution with collection and analysis capability, and automated anomaly and high priority alerts
  • Align policies and processes to manage and respond to incidents detected by monitoring systems

Removable Media

Removable media such as USB memory devices are often involved in introduction of malware or removal of sensitive data. A comprehensive cyber security strategy must implement controls such as those listed below to effectively manage the risk posed.

  • Devise and implement a policy to govern the use of removable media. A standard for information exchanged on corporate systems should use appropriate and protected measures
  • If essential, the use of removable media should be limited only to designated devices
  • Automatically scan removable media for malware before any data transfer
  • Issue removable media formally to users and prohibit use of personal media sticks
  • Encrypt information at rest on removable media
  • Manage reuse and disposal of media to ensure data is effectively deleted or media destroyed and data retrieval prevented

Remote Working

Remote working for staff or remote support from suppliers is an effective and popular trend but can expose organisations to risk. Mobile working will necessitate the transfer of data across the Internet, sometimes to public spaces. These risks could lead to; loss or theft of data if mobile devices get stolen, compromise of credentials or data if screens are overlooked in public places, loss of user credentials if stored on a device, remote tampering through insertion of malware or monitoring of activity
Some of the recommended controls are listed below;

  • Create a robust policy to address the risk, this should include identifying who is authorised, what kind of information they can access, increased monitoring for remote connections
  • User training to include; awareness of the risks, securely storing and managing credentials, incident reporting
  • Develop and apply a secure baseline for remote devices
  • Encrypt data at rest and data in transit for remote/mobile devices

Cyber Security Awareness Month

For the EU, the U.S., and many countries around the world, October is Cyber Security Awareness Month, a time to broaden awareness and expand the conversation on staying safe and secure online. This time of year presents an opportunity to reflect on the state of cybersecurity.

 

The Era of Exponential Connectivity

We live in ultra-connected digital world where people, processes, data, and things are connected in ever more imaginative ways. The digital age has spawned an era where 30 million new devices are connected to the Internet every week. IoT devices create almost 300 times the data that people create and that number will increase exponentially as we connect more devices. Mobility, cloud computing, smart devices, and our ability to connect globally in real time are so pervasive today that we already take them for granted.

Recent Cisco research forecasts that there will be at least 50 billion connected devices by 2020. By 2018, 78 percent of all computing will be done in the cloud. By 2025, 1 million new devices are projected to be connected to the Internet every hour. Global mobile data traffic will reach 11 exabytes (EB) per month by year’s end, and 49 EB per month by 2021. To put that in perspective: 1 EB is equivalent to 1 billion gigabytes; 5 EB equals all the words ever spoken by human beings.

Who could have anticipated this level of connectivity and growth even a decade ago?

 

Preparing for Tomorrow

So how can we prepare today for tomorrow’s threats? To be successful in the age of digital disruption, we need to commit to cybersecurity that enables as a critical foundation. To capture the benefits of this digital age, cybersecurity must be sewn tightly into the fabric of every business and it’s processes. It has to be a mindset that permeates governments, businesses, education, and our lives.

According to the National Association of Corporate Directors’ Handbook on Cyber-Risk Oversight, “some estimates predict that between $9 and $21 trillion of global economic value creation could be at risk if companies and governments are unable to successfully combat cyber threats.”

Cyber and financial controls need to be on par, businesses must ensure the protection of their customer’s as well as their own information.

With the imminent enforcement of GDPR across the EU and having global reach, businesses obligations now exceed protection against a breach. It extends to disclosing the risks companies face from cyberattacks and revealing more readily and quickly when a breach occurs.

Businesses need to approach cybersecurity as a strategic business imperative, not a defensive necessity. Cybersecurity needs to be a cornerstone of our digital strategy and the business strategy.

 

Skills Gap is a Big Challenge

Looking to the future one of the greatest hindrances to executing a comprehensive security strategy is a growing skills gap. With more than 1 million global cybersecurity jobs unfulfilled there is an urgent need for diverse thinking, diverse candidates, and a diverse workforce to fill these roles.

While globally women hold about half of the nontechnical positions, they account for only 25 percent of computing-related jobs, and 11 percent of the information security workforce. We can’t possibly meet the needs of the Digital Age if only one in four STEM professionals are women, and less than half of them are focusing on security.

Building a culture of cybersecurity is critical for any organization as is creating advocates in functions beyond the security team. Industry and government can help by partnering with learning institutions to raise awareness and promote available opportunities to train IT and security professionals, as well as the general public. Educators must continuously develop creative new training approaches that will prepare the next-generation workforce for the cybersecurity needs of the future.

 

The Future is Still Bright, Despite These Challenges

Every individual with an online presence must get involved. Stay informed, apply the appropriate security controls, share what’s working and work on what needs to improve. Help one-another to be cyber resilient and raise our collective security posture. Safe web, email, and social media habits, patching and updating systems, and better password management are actions we can all take today.

October is a time to lean in and engage. Learn new techniques and share your insights with your colleagues, family, friends, and us. The European Cyber Security Month, as well as other cybersecurity advocacy programs around the globe offer tremendous resources.

 

Speak to one of our Experts?

We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.

Nyetya Global Ransomware – actual costs

You may recall our recent blog post below which was posted in June.

A new ransomware virus variously named Nyetya, Petrwrap and GoldenEye has been spreading globally over the last 24 hours.


This virus is distinct from WannaCry and other initially suspected variants, it has some unique new features which makes it harder to detect and defend against, clearly showing that today’s malware landscape is evolving apace. This rapidly changing threat landscape has a number of factors including; leaked tools from government agencies, more advanced security controls that require advanced malware (the cat and mouse game) or just because attackers are more determined and more capable.

This and other recent virus attacks serves to reinforce the need for a defence in-depth approach to security with comprehensive controls at all levels of an organizations IT infrastructure.

Some figures have been released about the actual financial damage caused by the virus

It cost the TNT division of parcel delivery company FedEx over $300m, losses are continuing and the company has not yet fully restored its systems. At one stage they had to resort to WhatsApp for internal communication because email systems were not useable.

Shipping company Maersk has announced damage around the $300m mark also.

Reckitt Benckiser the company behind household brand names such as Dettol and Durex have also taken a massive hit announcing potential attributable losses at a minimum of $140m. This figure is due to be updated when they announce results in October.

More details about these costs and impact on the businesses can be found in the BBC article below.

View the article

With such eye-watering figures from just a few selected companies who have been transparent enough to share the information, you really wonder the full scale of damage that this and other cyber attacks have caused.

Speak to one of our Experts?

We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.

Cyber Report – Detection time reducing to 4 hrs

Once Malware breaches a business, it goes about whatever activity it has been programmed to undertake to be that CnC, file encryption or just general reconnaissance and infection of other devices and networks. The longer the malware remains undetected, the more potential damage it can do.

Cisco’s inception the Cisco Security report has tracked the time to detection of malware. Time to detection, or TTD, is the window of time between a compromise and the detection of a threat. The industry average for 20 known malware was a staggering 100 days and while it has fallen this year, it still means that for 20 known malware types, cyber attackers have on average a vast amount of time to probe and create maximum damage. Cisco research base on telemetry contained with it’s globally deployed devices has steadily seen it’s own detection time reduce to 3.5 hours as of April 2017.

Increases in the median TTD indicate times when cyber attackers introduce new threats. Decreases show periods where defenders are identifying known threats quickly. Since the summer of 2016, the ongoing tug-of-war between attackers and defenders has been less dramatic, with the latter taking back ground quickly after each attempt by adversaries to gain—and maintain—the upper hand.

Developments in the cyber threat landscape, especially within the past six months, show that cyber criminals are under even more pressure to evolve their threats to evade detection and devise new techniques.

The figure below shows the median TTD for the top 20 malware families by percentage of detections that researchers observed from November 2016 to April 2017. Many of the families that Cisco products are detecting within their median TTD of 3.5 hours are industrialized threats that move fast and are widespread. Old and prevalent threats are also typically detected below the median TTD.

Many malware families can still take a long time for defenders to identify even though they are known to the security community. That’s because the attackers behind these threats use various obfuscation techniques to keep their malware active and profitable. Some of these malware families include —Fareit (a remote access Trojan or “RAT”), Kryptik (a RAT), Nemucod (a downloader Trojan), and Ramnit (a banking Trojan)—use specific strategies to stay ahead of defenders.

Many malware families can still take a long time for defenders to identify even though they are known to the security community. That’s because the attackers behind these threats use various obfuscation techniques to keep their malware active and profitable. Some of these malware families include —Fareit (a remote access Trojan or “RAT”), Kryptik (a RAT), Nemucod (a downloader Trojan), and Ramnit (a banking Trojan)—use specific strategies to stay ahead of defenders.

Their methods are effective: As the Figure above shows, all these families were outside the Cisco median TTD window of 3.5 hours— Kryptik significantly so. Even Nemucod, the most frequently detected among the top families shown, takes longer to identify because it evolves so rapidly.

In many instances, businesses are using outdated modes of protection against these threats and may typically fall in the industry average which days not hours. Many businesses are still dependent on Anti-Virus software and Firewalls rules as their principle means of protection.

Given the evolved nature of threats and their ability to easily evade traditional methods of detection, the traditional approach is akin to using a colander to catch water.

A more sophisticated approach to cyber threat defences involving a combination of adaptive, integrated detection techniques with automated protection is necessary for business today.

Speak to one of our Experts?

We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.