Cyber Defense – Empirical Education
OR Bloody Do-Gooders!
Your business has grown to an empire and the barbarians of cybercrime threaten it! Did you know cybercrime is now the world’s third largest economy? These enemies are state-funded and numerous, pillaging your data, money, and trying to erase you from the landscape. You need Policy, Education, and Technology working together, driven from the ownership, to be successful. While it may feel like a flying circus at times, this is your circus, and these are your monkeys.
All roads lead to Rome. Don’t tell Nashville. Your empire is under constant threat no matter where the citizens are. The only way to ensure their safety is to train them on the threats and how to avoid them. What did Rome ever give us? Well, besides sanitation, irrigation, wine, medicine, and roads, Rome reminds us that constant training is key. Let’s struggle together to overcome our adversaries while using one of Rome’s gifts, Education.
Caught Creeping Around the Policy – Training new employees, contractors, and vendors is commonly overlooked. Policy should dictate that any person with direct or indirect access to sensitive data must complete intensive training beyond simply reading and agreeing to the policy. Before anyone receives corporate assets, like a phone, computer, email, or access badge, training must be completed and the individual tested. You don’t pass, you don’t get the goods.
Be Different – Without proper training on the first day, new employees are targets for spearphishing, you know, emails with malicious links or programs. Instruct new employees to hold off on announcing their first day on social media as many have fallen victim to fake emails, texts, and calls appearing to come from HR to fill out a form or IT to install a program. This happens far more one would want to believe. Everyone must be trained to identify and avoid these attempts. “Stop. Think. Act. Review.” It’s a safety method to diffuse emotional responses on which most phishing attempts rely. Reviewing creates teachable lessons learned for others!
Stone Him! – Don’t let your words get you into trouble. Sadly, the phone culture isn’t so great on email etiquette. Many fresh faces in an organization and even the experienced should receive training on the “organization’s way” of writing emails. This MUST include what should never go in emails because they are sent in plain text, even to many Cloud providers. Encrypting email is great, but what if someone is shoulder surfing? Passwords, Personally Identifiable Information (PII), billing information, sensitive attachments, or any information deemed private by the organization should be sent via secure means or via a phone call. And no swearing!
Blessed Are the Legal-ease Makers – Communications with legal counsel do NOT automatically receive special privilege. When communicating with counsel, include only the attorney as the To party, leave others out, keep to a single topic, and also identify the Subject as Legal Advice or Attorney-Client. Adding other people, discussing other business, or not identifying the intent correctly could make the communications non-privileged even if it contains a legitimate legal correspondence. Don’t martyr yourself legally. Take the time to protect yourself and your organization.
Don’t Deny You Vulnerability – OSINT is Open Source Intelligence. This is information you can find about yourself or your organization through a Google search or scattered around various social media or opinion sites. Outsiders don’t have to guess about leadership if you have their pictures and biographies on the company website. Go ahead! Give them your wife and kids names. I’m sure some of your passwords include that info.
Wittle Wascal Has Spiwit! – Scrub your social media, whether LinkedIn, Facebook, or TikTok. I know it says it’s private, but the agreement you didn’t read and signed anyway with the social media provider doesn’t actually guarantee any security of your personal data. Private data online is extinct. Start by removing any private data, especially if you have a management or decision-making role. If you still insist on using social media, be sure to change your settings to ensure as much privacy as possible.
Struggle Together – Soldiers train constantly. Your IT staff may not be digging fox holes, but they are on the front lines. Be sure they are properly trained on the latest technology and threats. Sending staff to training boosts morale but ensures job rotation strategies are in place in their absence. Reliance on a single individual’s skills or knowledge must be avoided by training others for their roles. While they’re gone, scour their files and logs. Now would be a good time to run their credit again. Internal breaches are almost always financially motivated.
Biggus Attackus Surface – After social engineering, security failures by vendors has attributed to several well-known breaches. This includes your Cloud providers! Did you know AWS, Azure, and Google often have little or no security on your servers? This is a trade off to ensure ease of use. Far too many AWS users have wide open, public IP connections with no firewalls or protection. It is your responsibility to protect your data. If you use Kubernetes or Docker, several exploits exist that can give an attacker command-line access to the Cloud, which can be used to breach every other network you have!
Romani Ite Domum! – The tension between vendors and internal staff can be intense, especially if certain roles are outsourced. Positives and negatives abound and, ultimately, organizations make decisions based on their own unique situations. However, ensure your vendors are not only qualified but protected. Insurance requirements are great, but let’s hope to never need to use it. The outsiders can bring peace to IT but only if they protect you and themselves. ISO certification doesn’t guarantee their own IT isn’t in shambles. Force them to practice what they preach, such as CMMC, HIPAA, or PCI DSS compliance, in line with your own compliance requirements. Segmentation is also important. Vendors should not have direct access to the data network, only management access. The road to Rome that sends out soldiers can easily be used by an invading army.
Wome is yow Fwiend – Everyone groans when they get that email. Time for your annual training! Shoving all training in at the end of the year to ensure compliance is daunting and unwise. Many organizations train a few employees, contractors, and vendors from each department constantly to avoid disruptions. Forcing non-employees to abide by the same rules simplifies training and compliance. A point system for training and bonus points for early completion are a big hit when points can be redeemed for longer lunches, early departures, or tardy forgiveness. Motivation is key!
You Gonna Keep it in a Box? – Personal devices should never be allowed on the organization’s data network, nor should it have any access to email or other data without a control program. It’s always best, legally and technically, to use business assets for business. Programs exist to segment and encapsulate business data on personal devices but require the ability to wipe the device if lost or stolen. This goes double for vendors. NEVER let a vendor connect their device into the data network directly. You don’t know where it’s been!
A Very Naughty Employee! – Phishing and spearphishing simulations give employees, contractors, and vendors measurable practice with the STAR method. Reports can alert management to chronic clickers that need additional training or “motivation”. Even if an employee causes a breach through social engineering or phishing, Stop. Think. Temper, temper. We are all Human. I personally spread the Melissa virus when I was an IT Director by opening an email attachment in a previous job. Some organizations have resorted to removing email entirely for certain users, relying on instant messenging for communications internally. I would highly recommend, 5 of 5 STARs!
A Mess With No Savior – Why does your insurance agency ask all those questions each year? Do you…use multifactor authentication? Have a written policy? Perform background checks on your employees? Because these are the most common breaches. Famous hacker Kevin Mitnick always said, “it’s easier to manipulate people rather than technology.” Password theft through social engineering is the most common breach entry point.
Think For Yourselves! – So many people are swindled to send checks, wire transfers, and other funds to thieves. Why? Lack of policy and training. No technology exists to stop a poor decision by someone qualified to make the decision. No one-offs should be allowed, especially for wire transfers, without consent from several managers. Further, any request to change or send money should be verified by contacting the requesting company or party through known-good communication channels, like a phone number on a web page. Never be afraid to hang up the phone or simply tell someone you need to verify the request. If they are legitimate, they’ll get their money eventually.
By a Star or a Bottle – Train everyone to NEVER connect USB keys, drives, or other devices into their computers without first allowing IT to verify its contents in a lab or sandbox. So many breaches have started with an attacker leaving or sending a USB key and an unsuspecting, curious employee plugging it in. Malicious code runs, back doors are opened, and, viola, your sending an email to your customers apologizing for a data breach. In fact, IT should disable ALL physical external connections to corporate assets, especially servers. Unused network ports should be disabled and guest wireless should never provide connections to the data network, even in a pass-through capacity.
Bright Side of Life – Cheer up, folks. It’s not so bad! No one should expect regular employees to know the ins and outs of security, but everyone with data access is a target. Limiting data seems obvious, but many companies who have grown quickly sometimes overlook security for convenience. As one IT Director told me, “CIO said to get it done, so we did it but never went back because it was working.” Being proactive and not reactive can be difficult for many IT staff. So, it falls on management to push the necessary policies that drive education. Management should be FIRST to complete training and brag about it.
Sure feels like everyone is struggling with cyberdefense. But Education can ensure everyone is struggling together, rowing in the same direction, for the security of organization and the data entrusted to it. The final post in this series will discuss Technology and will be something completely different.
Want to see an article on a specific subject? Need help? Reach out. We are all in this together.
*Tired of following the wrong messiah? Palestine got you down? Cheer up! References in today’s post are from – Monty Python (Comedy troupe). Monty Python’s The Life of Brian (of Nazareth). London :Eyre Methuen, 1979.