5 Must-Ask Questions on Cybersecurity & Exposure

September 23, 2020

COVID-19, Cyber, Property & Casualty

M3 is dedicated to bringing you the most updated information in these uncertain times. We’ve tapped Tetra Defense, M3’s trusted cyber incident response partner, to offer you and your organization insight on cybersecurity.

The harsh reality for many organizations attempting to secure their cyber infrastructure is that their resources in this area may be lacking. There are few readable blueprints, too few IT team members, and little to no budget left for any semblance of project management. When tasked with creating a “structurally sound” cybersecurity program, there are several questions to consider to ensure its ongoing success.

When admiring a beautiful building, it’s nearly impossible to comprehend the amount of planning, brainstorming, and execution that went into creating it. Countless tests and years of “trial and error” help ensure the structural integrity of buildings, and those standards are well implemented across the industry to prevent disasters. This same collaborative, data-based approached should be considered in an organization’s cybersecurity environment.

Decision makers in senior management roles are often not formally trained in technical information security and risk management. As a result, they commonly don’t know what questions are important to ask. To properly unpack the blueprints within the cybersecurity field, it’s good to start with the following questions:

1. Can I effectively assess my risk for a cyberattack?

The very nature of cyberattacks (ransomware especially) relies on a certain amount of “invisibility” that covers tracks from beginning to end. A common misconception is that ransomware is a single-event occurrence such as the execution of a malicious email attachment or a click on a nefarious website link. That’s usually not the case. What we often see is that once an attacker gets into a network they linger, sometimes for months, to find the most important data and services in the environment before revealing their presence.

In order to equip a decision maker, an IT team, or even your entire organization with the right knowledge to assess exposure, we recommend Tetra Defense’s free Ransomware Stress Test (RST) as a starting point.

Cybersecurity is a vast field that demands in-depth resources from several domains. Backed by both reactive and proactive Tetra teams, and based in the existing framework of the Center for Internet Security, the RST is an in-depth assessment focused specifically on reducing the risk of ransomware.

2. Can I track activity across my systems?

In addition to asking the right questions, ongoing awareness is a must. Tetra recommends prioritizing vulnerability assessments, patching external exposure, and maintaining event logs to provide the clearest, truest insight into what goes on beyond what’s inherently “visible” within a network.

The first step to checking for vulnerabilities is to learn your external IP address space. There are a number of ways to do this:

Check with your Internet Service Provider (ISP) and ask for a static IP address
Perform Domain Name System (DNS) lookups on your public website and any other hosts exposed
Google, “What is my IP?”

Once all of your organization’s IP addresses are found, vulnerability scans are ready to begin against these IP spaces. In order to learn what ports are available externally, we recommend free scanning services like Shodan.io. Once identified, it’s possible to remediate any unnecessary services running on internet facing devices.

With external vulnerabilities determined, it’s time to look at the software and hardware within an organization. Tetra recommends patch management. Patch management is the process of updating software to remedy newly discovered vulnerabilities. This is one of the most affordable strategies that can help protect network infrastructure by keeping newly discovered exploits “patched.” Updating the software versions running on systems as frequently as possible is important for an organization to prevent the attacks most frequently and most recently exploited.

Finally, in the event of a cyber incident, it is imperative to leverage event logs. Event log information allows an organization to track and audit changes to systems. Changes like file access, unauthorized access, and activity by users is available in event logs; these can serve as cold hard proof of an attack. While logs can be cumbersome, organizations can benefit from tracking activity as it can alert them if a device or documents are accessed by an unauthorized user. There are many free and commercial solutions available to perform real-time monitoring and analysis of event logs.

3. Do I have a trained information security expert on staff or a third-party trusted information security and risk advisor?

Very few organizations are confident in their response to this question. With limited resources, staff and budgets, cybersecurity and risk management are easy to overlook. This is exactly the vulnerability threat actors hope to find in organizations.

Cybersecurity quickly becomes complicated across multiple white papers outlining numerous best practice “blueprints” – not to mention how to keep them in alignment with countless compliance frameworks and laws. Implementing a robust program that can evolve with changing threats requires guidance. To improve security, compliance, and even confidence in your cybersecurity program, a knowledgebase will be required. The the help of experienced cyber risk teams will also be necessary for on-going, sustainable protection.

4. Are my employees being appropriately trained on cybersecurity?

Employees are the gatekeepers to your organization’s internal networks. As such, it is necessary to train them on the websites, emails, and other interfaces they may come across that pose a threat. To highlight the ease with which employees can determine a cyberattack, Tetra’s Senior Vice President of Digital Forensics & Incident Response, Nathan Little notes: “Much of business today is conducted remotely – either over the phone or (more often) through email. Without that face-to-face verification of someone’s identity, it is possible for an attacker to trick either party in a transaction into transferring money to their bank account instead of that of an intended recipient, or deceive a party into thinking that a transfer of funds is necessary when it is not and provide fraudulent bank account information.”

To that effect, Tetra President, Cindy Murphy notes that “Awareness programs and employee security training initiatives are critically important for protecting the sensitive data that organizations possess. In 2020 alone, people haven’t become more gullible in the past year, they’ve become used to big changes in small messages.” When the next news headline could be a matter of safety, job security or even sickness, it’s much easier to believe information that appears right in your inbox. Training awareness equips employees with the knowledge of the latest threat trends, and only becomes more important as time passes.

5. Can we detect an attempted or successful cybersecurity incident?

Similar to how a building must periodically be inspected to ensure it’s still up to code, a sound cybersecurity program needs to be able to identify weak points, or worse, attacks actively taking place. Keep in mind the behavior of one of the most prolific threats: ransomware. Modern behavior of this crippling cyberattack has proven to linger unnoticed within networks for days, weeks, and even months to execute one single, devastating blow to an organization. What’s worse is that once ransomware groups have been discovered, they don’t surrender their newfound territory easily.

A mature information security program not only puts mechanisms and controls in place to prevent an incident, it also includes mechanisms to monitor the operation of networks, systems, and services. This allows users to notice when something bad or unintended is happening. The use of automated mechanisms like SentinelOne to aid an overworked and/or understaffed IT team is essential. With tools of this nature, appropriately tuned alerting is one of the primary goals as any internet-connected environment is considered to be under constant attack.

Crossing T’s and Dotting I’s

Just as physical structures require hours of planning, drawing, and implementing, a cybersecurity program requires the same detail in accordance with its blueprints. With strict budgets, tight timeframes, and limited resources, it’s difficult to contextualize the amount of preparation that needs to go into a cybersecurity program.

Key Takeaway

While it is unrealistic to become fully aware of all of the possible cyber risks, an organization should understand the implications cybersecurity has on their cyber infrastructure as a whole. Knowing the important questions to ask when faced with determining exposure and new threats provides a strong foundation.