By Pete Nicoletti, Field CISO, Check Point Software.
Major cyber security news is developing on two fronts: On the first front, the Lapsus$ group is breaching and exfiltrating corporate secrets from high-profile companies like Okta and Microsoft. The second front consists of escalating cyber threats from Russia related to the war in Ukraine.
The level of attack sophistication and the number of breaches are unprecedented and have made front-page news. The FBI, CISA, and every other security organization are blasting out cyber security warnings. Is the sky falling? For the companies that have been breached, yes, it certainly is.
Some folks will just ignore the news, thinking that “it” won’t happen to their business. This message is not for them. This message is intended for the smart business owner who does not want to incur unexpected expenses, business interruptions and reputational damage.
Now that I’ve established my audience, what are you to do now? Let’s first review what the threats and risks are, then for each risk, we will discuss the counter measures that urgently need your attention!
1. Insider threats: There are reports that hacking groups are paying company employees to compromise internal company networks and resources. Hackers may offer substantial additional compensation to employees of companies that manage access or IT operations for other companies, because a single compromise there amplifies the number of victims (SolarWinds and Kaseya are examples).
Countermeasures: Enforce “least privilege” by ensuring that employees are granted only the level of access to resources that their jobs require, and be sure to expire access when it is no longer needed. Add additional levels of authentication, including multi-factor authentication, for highly sensitive systems and for your office suite. Ensure that privileged access is monitored, and that thresholds are set to trigger an alarm when unusual access is detected so that further intrusion can be prevented. Finally, when an exception occurs, your team must see it and act upon it at a rapid-fire pace.
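As an added illustration, not code from the original article, here is the kind of access review and privileged-access alarm this countermeasure calls for, run over a constructed access inventory and log. The role-to-resource mapping, the 90-day expiry window, the business-hours baseline and the 10.0.0.0/8 corporate range are assumptions:

```python
from datetime import datetime, timedelta

ROLE_RESOURCES = {  # assumed mapping of job role -> resources that role needs (constructed)
    "accounting": {"erp", "payroll"},
    "helpdesk": {"ticketing", "ad-password-reset"},
    "it-admin": {"ticketing", "ad-domain-admin", "vpn-gateway"},
}
PRIVILEGED = {"ad-domain-admin", "vpn-gateway"}
GRANTS = [  # constructed access inventory: who holds which resource, last use date
    {"user": "alice", "role": "accounting", "resource": "erp", "last_used": "2022-03-20"},
    {"user": "alice", "role": "accounting", "resource": "ad-domain-admin", "last_used": "2022-03-18"},
    {"user": "carol", "role": "it-admin", "resource": "ad-domain-admin", "last_used": "2022-03-23"},
    {"user": "carol", "role": "it-admin", "resource": "vpn-gateway", "last_used": "2021-12-01"},
]
NOW = datetime(2022, 3, 24)      # fixed "today" so the review is reproducible
BUSINESS_HOURS = range(7, 20)    # assumed baseline window for privileged activity

def review_grants(grants, now=NOW):
    """Flag grants outside the holder's role (revoke) or unused over 90 days (expire)."""
    findings = []
    for g in grants:
        if g["resource"] not in ROLE_RESOURCES.get(g["role"], set()):
            findings.append((g["user"], g["resource"], "outside role: revoke"))
        if now - datetime.strptime(g["last_used"], "%Y-%m-%d") > timedelta(days=90):
            findings.append((g["user"], g["resource"], "unused >90 days: expire"))
    return findings

LOG = """\
2022-03-23T09:12:00 carol ad-domain-admin 10.0.5.20
2022-03-23T03:40:00 carol ad-domain-admin 203.0.113.77
2022-03-23T10:05:00 dave ad-domain-admin 10.0.8.11
"""  # constructed privileged-access log: timestamp, user, resource, source address

def alerts_for_privileged_access(log, grants):
    """Alarm on privileged access with no grant on record, outside hours, or from outside 10.0.0.0/8."""
    holders = {(g["user"], g["resource"]) for g in grants}
    alerts = []
    for line in log.splitlines():
        ts, user, resource, src = line.split()
        if resource not in PRIVILEGED:
            continue
        reasons = []
        if (user, resource) not in holders:
            reasons.append("no grant on record")
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if not src.startswith("10."):
            reasons.append("external source address")
        if reasons:
            alerts.append((user, resource, reasons))
    return alerts
```

The review output is the list to act on at the next access certification; the alerts are what the monitoring team should be paged for.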
2. Zero-Day exploits: Most security defenses can be penetrated because they lack the sophistication to stop zero-days. Zero-days are used as the initial compromise mechanism, then hackers land and expand, purloin credentials and look to escalate privileges and gain access to key assets, initiate ransomware encryption, disrupt operations or steal intellectual property.
Countermeasures: The tools you use must be able to prevent zero-day attacks. The dirty little secret in the security business is that most tools can only detect new types of attacks, and some miss them entirely. Look for security suites that demonstrate prevention rather than just detection. Review the MITRE ATT&CK evaluation results and select only the top performers. Ensure logging is in place for all authentication tools, SaaS access, audit and resource logs. Review how the vendors on your short list performed against the recent SolarWinds, Kaseya, Colonial Pipeline and Log4j zero-day attacks.
3. Ransomware and encryption blackmail: This is still the #1 vector for breaches and this risk should be reviewed and addressed immediately. Employees should not be counted on to be your last line of defense as we know that everyone can easily be fooled with the latest hacker tricks. Employee training may make you feel better about this risk but has negligible success.
Countermeasures: The latest email protection tools are API-based, as the traditional email security gateway approach is being retired. API-based email protection is invisible to hackers attempting to discover what tools you are using. The latest API-based protection leverages artificial intelligence, machine learning and threat feed information.
4. Small and medium companies without security staff or big budgets: This is a threat similar to the above. Many companies cannot afford security professionals, 24/7 monitoring or the latest tools and protections. With every hacker in the world 500 milliseconds from your virtual front door, ignoring the risks that come with substandard tools and no one to mind the store, so to speak, will have negative consequences.
Countermeasures: The lack of professionals and enterprise-grade security can be addressed with reasonably priced outsourcing. Contact an MSSP that has experience with companies of your size and in your vertical. Review the tools they are using, and check out the reports and tickets they send to their customers. Ask for references and employee credentials. Sign short-term trial contracts initially to get to know them.
5. Remote worker risks: With knowledge workers working from everywhere (except the office), you should take a close look at the risks associated with remote work. Companies that let employees use personal laptops, personal phones and unsecured home wireless networks significantly increase their risk.
Countermeasures: It may cost more up front to provide your employees with company-provided laptops and perhaps cell phones, but the alternative is a costly unplanned breach. Current endpoint tools for laptops and cellphones can eliminate dozens of risks related to remote workers: preventing password reuse, preventing data exfiltration, blocking access to dangerous web sites, and preventing malware and ransomware from executing.
Make sure that you deploy VPN or zero trust tools to reduce risks of compromised home networks. Look for tools that have a single console so that you can monitor and control all your remote workers, cloud resources and physical firewalls.
6. The risk of not being prepared for trouble: Most small companies are not prepared for a devastating cyber event. Most don’t have cyber insurance or contingency plans. When a security event happens, the business usually stops, and costs pile up.
Countermeasures: Review and update your business continuity plans and your incident response plans. Reach out to a security partner that can help you craft these plans after understanding your business, your recovery time objectives and what resources you have. Most MSSPs have this function available, and if you are under a monitoring contract, it could be included. Take a hard look at NIST guidance and review the example plans that your security vendor or MSSP offers to ensure that they are complete and cover all scenarios.
7. The risk of poor IT processes: Small and medium-sized companies are challenged to patch all their systems and keep them up to date. Additionally, you need to ensure that all of your systems are backed up appropriately in case of a ransomware attack or other business disruption.
Countermeasures: If your internal staff cannot patch every OS and application with Critical, High and Medium risk level patches within 30 days, find a team that can. Make sure your backups occur frequently and consider using two different systems, so if one is compromised, you have a fallback. Find and work with a partner that is experienced at patching and backups if you can’t do it perfectly with internal staff. Test your restore process monthly.
Bottom Line: The threats and risks are real and increasing. It’s time to get your organization protected against these two tidal waves. Reach out to your security partner or Check Point Software to have a review of your risks in light of the recent heightened activity and threats. Do it now.