Thu, Mar 15, 2018

How Basic Cyber Hygiene Can Lead to More Effective Vulnerability Assessments

As the Supervisor of an FBI Cyber Crimes Squad, I often heard many victims, including small businesses and local government entities, say they had never considered themselves a viable target. This lack of awareness was due in large part to the fact they didn’t believe they had sensitive or profitable information on their networks that would be highly sought after by cyber criminals.

These victims failed to recognize that in today’s world, most information can be monetized and criminals will attempt to steal anything they can offer on a multitude of sites on the deep and dark web. Additionally, most victims never spent time analyzing who their adversaries could be and then developing a strategy to mitigate risks from these attackers.

Many people talk about the need to develop a plan to address vulnerabilities. While there are a plethora of technical vulnerability scans you can run on your network and systems, this is almost putting the cart before the horse. 

A network inherently consists of many systems. The results of a broad vulnerability scan across the entire network could easily overwhelm an IT department, especially one within a local government agency or small business with limited resources.

For cyber vulnerability assessments to be effective, you must know your network and understand your critical data assets – that’s the essential foundation of a strong cyber hygiene program.

Case in Point: How a Lack of Cyber Hygiene on a Local Government’s Network Delayed Remediation

A local government was recently victimized by ransomware, which impacted the municipality’s police and fire dispatch systems, online utility payment system, centralized accounting system, and many other critical segments on its network. Upon initial consultation with responding law enforcement, it was revealed the IT Director was unaware of how many servers were on the network.

This lack of awareness delayed the initial remediation, especially when combined with limited viable backups for restoration. This case was very typical of the data breaches I witnessed in my career with the FBI, especially those concerning local government or small business victims.

Beware .Gov Portal Privilege Policies and Configuration

Many local agency websites are accessed through a main .gov portal. Although this is convenient for constituents, a common lack of basic cyber hygiene, such as instituting a policy of “least privilege,” accentuates vulnerabilities to the network. Threat actors easily identify this vulnerability and through a variety of techniques (phishing, social engineering, credential theft, etc.) are able to gain access to an employee’s account and then move laterally across the network, exfiltrating PII or other sensitive data and/or encrypting files across numerous systems in a ransomware attack.

Protect Your Network!

Vulnerability assessments need to start with the basics. Once you have a thorough understanding of the configuration of your network and where critical data is stored, you can start to reduce your vulnerabilities through a strong set of fundamentals:

  • Least privilege policies
  • Deletion of unused email addresses
  • Strong password policies
  • Multi-factor authentication
  • Viable backups
  • Application whitelisting
  • Configuration management

Join “Cyber Security Anonymous”

Being able to recognize threats is essential in creating an effective cyber vulnerability assessment. In law enforcement, we referred to this as the first step in joining Cyber Security Anonymous, i.e., admitting you are a target. Once you’ve accepted the fact that no matter who you are you possess information sought after by cyber criminals, you can begin to assess the vulnerabilities of the network where that critical information is stored.

The vulnerability assessment process cannot be relegated solely to your IT department, especially since many of its strategic drivers will go beyond technical concerns.

The C-Suite (in a corporate setting) or government leaders must participate in the vulnerability assessment since they may view the entity’s critical assets differently than those identified by the CISO or other IT department personnel. Meeting with industry executives in similar roles or participating in federal and local law enforcement and private sector information-sharing platforms, such as Infragard, can provide timely intelligence regarding current and emerging trends employed by cyber threat actors.

Knowing the tactics, techniques, and procedures (TTPs) typically deployed to gain access to your network is crucial. This will help you reduce the overwhelming results from a vulnerability scan and concentrate on mitigating high-priority risks to systems that hold your critical data.

Today’s threat actors are constantly evolving TTPs to gain access to victims’ networks. Implementing a strategy of defense-in-depth through measures such as least privilege, strong passwords, multi-factor authentication, application whitelisting, and configuration management is fundamental to cyber hygiene. They must be part of your cyber security strategy to allow you to effectively remediate flaws identified through a vulnerability assessment

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.