As cybersecurity threats continue to rise around the globe, organizations are racing against the clock to create and protect resilient network infrastructure. Pennsylvania experienced a 38% increase in cyberattacks, with SMBs spending 200k on average for a data breach. Planning for unwanted attacks includes evaluating technology, conducting risk assessments, reviewing security policies, and selecting a risk management plan. Developing a Risk Management Framework (RMF) not only assists SMBs in planning effective network security, but can also streamline processes throughout the business and minimize downtime. The RMF process was established by the National Institute of Standards and Technology (NIST), with the goal of guiding organizations to better understand the priorities of managing cybersecurity-related risk. There are five basic steps to the RMF: identify, protect, detect, respond, and recover. These steps are essential in disrupting attackers at every stage.
An organization must continuously identify its threat landscape to effectively assess the risks it faces. Similar to medicine, you can't treat the affected areas until you know what they are. The first critical aspect of identifying your organization's risk surface is knowing what assets or devices are present in the environment. Often, SMBs have numerous unidentified or dormant devices in the organization's environment. Identifying all electronic devices within the organization is critical to understanding the attack surface. Secondly, an organization must identify the true threats it faces, as those can come in the shape of an outside attacker, a malicious email, or even accidental human interference. More often than not, employees may accidentally click on links in a malicious email, delete critical information, or alter business-critical inputs into production systems. Third, an organization needs to review and analyze its internal IT access controls to locate employees with unnecessary administrative privileges within the domain or production environment.
Ideally, identifying risks and fully completing the steps above is best achieved through a Security Gap Analysis. Many businesses rely on a penetration testing service to help determine whether a threat actor can penetrate their infrastructure. However, penetration tests typically only provide a snapshot in time of current risks. The ideal approach is to pair a Gap Analysis with an MSSP (Managed Security Services Provider), as MSSPs can provide organizations with continuous monitoring tools that identify devices and monitor privileges, environment access, and threats.
Security Gap Analysis
The previously discussed Gap Analysis is an effective method for a third party or MSSP to holistically assess the organization, the internal staff access controls, specific business goals, and IT processes. To conduct the most thorough assessment, the third-party MSSP needs to learn which security practices the organization already has in place. Depending on the organization's industry, the Gap Analysis will also evaluate what security risks the organization could face within the coming years.
Utilizing the NIST cybersecurity framework, your contracted MSSP will conduct an analysis of the organization's control points, network security gaps, and internal security controls, and analyze current incident response times. Having properly tested and analyzed the organization's network, devices, and vulnerabilities, the contracted MSSP will be in a position to make the necessary recommendations to keep the organization safe. Finally, a plan of action will be put in place to remediate existing gaps within the network. The Security Gap Analysis will protect the organization from the hidden vulnerabilities within the organization.
Threat actors will scan an organization's network in order to identify which assets are most vulnerable to attack and provide the most valuable target. It's important to note that an attack will not occur in any one specific place within the network. An attack can occur anywhere network-wide and includes, but is not limited to, malware, backdoors, or data collection. A breach can expose the organization to many different ramifications.
In May of 2021 a lawsuit was filed against the Pennsylvania Department of Health as well as Insight Global, which the PA Department of Health had hired to conduct COVID-19 contact tracing. The lawsuit cited failure to implement proper cybersecurity procedures, with some employees creating and using Google email accounts to share sensitive data. The breach exposed the private information of approximately 72,000 people, including their COVID-19 exposure history. Data breaches can impact an organization's ability to receive insurance and loans, and can negatively impact customer trust. There are numerous attack angles criminals utilize to exploit vulnerabilities. Below, some of the most common attacks are outlined.
According to IBM, the total cost of a ransomware attack averages $4.5 million. Threat actors gain access to an organization's networked drives and encrypt them, threatening to wipe the drives unless the organization agrees to pay. There are dangers and benefits to paying the ransom; even after you pay the money, you risk the attackers wiping the network drives anyway. Conversely, if an organization does not pay, the business may experience permanent data loss and long-term business interruption. Another factor to keep in mind is that it can take an organization up to forty-nine days to identify and respond to the ransomware breach, and several days further to restore the systems once the decryption key has been obtained.
Once credentials are stolen, threat actors can use them to gain access to sensitive information, including PII (Personally Identifiable Information). Typically, PII and banking information are the most valuable to criminals. On average, SSNs are sold for $15 on the dark web and $1,000 for stolen identities. Banking credentials are typically sought to wire money from business accounts directly into accounts controlled by criminals. Staff training is very important in the case of banking access within the organization, as staff may be the last line of defense between an organization's funds and the illegally initiated wire. Larger transactions will prompt banks to contact their clients to authorize the transaction. Employees responsible for banking require the correct training to identify and halt unauthorized transactions. In order to ensure secure credentials, organizations are urged to provide proper training on the use of Multi-Factor Authentication. Another proactive step that organizations can take is the use of a corporate password manager.
The great benefit of a password manager is that password access is controlled, and no single person has access to all passwords at any given time. When someone needs to access a file, they will request the password from the vault. Upon log-out, the password manager will automatically refresh the password.
The earlier discussion of stolen credentials brings us to the second common attack angle: a lack of password management. Poor corporate password management can lead to major risk factors when protecting an organization's data. A simple way to help mitigate this problem is Multi-Factor Authentication (MFA). MFA is a safety net to ensure that the individual(s) attempting to gain access to the server are who they purport to be. During MFA, users enter their username and password and attempt to log in. A temporary code is then provided to the user, in the form of an email or text message, and they're given thirty seconds to enter the code. If the code is entered correctly, the user is authenticated and allowed to proceed with the login process. The 24/7/365 continuous monitoring of core assets is a must in the current threat landscape; therefore, the importance of MFA cannot be stressed enough.
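As an added illustration (not code from the article or any vendor mentioned in it), the following Python sketch implements the second-factor step described above: a random six-digit code issued after the password check, valid for thirty seconds, accepted only once, and compared in constant time. The three-attempt limit and the injectable clock are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

CODE_TTL_SECONDS = 30   # the thirty-second window described in the article
MAX_ATTEMPTS = 3        # assumption: burn the code after a few wrong guesses


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class SecondFactorService:
    """Issue and verify out-of-band one-time codes after a password check.

    The caller is responsible for delivering the code by email or SMS;
    this class only tracks issuance, expiry, single use and attempt limits.
    """
    clock: Callable[[], float] = time.time        # injectable for testing
    pending: Dict[str, PendingCode] = field(default_factory=dict)

    def issue(self, username: str) -> str:
        # Six digits from a CSPRNG; issuing a new code replaces any old one.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[username] = PendingCode(code, self.clock())
        return code

    def verify(self, username: str, submitted: str) -> bool:
        entry = self.pending.get(username)
        if entry is None:
            return False                          # nothing outstanding
        if self.clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[username]            # expired: force re-issue
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code, submitted)   # constant-time
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[username]            # single use / locked out
        return ok


if __name__ == "__main__":
    svc = SecondFactorService()
    code = svc.issue("alice")                     # would be emailed/texted
    print("correct code accepted:", svc.verify("alice", code))
    print("replay rejected:", svc.verify("alice", code))
```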
Anyone who used AOL in the early 2000s remembers the "Love Bug". Hackers would send an email with "ILOVEYOU" as the subject, and the email would inform the recipient that their secret admirer wanted to reveal themselves. It is estimated that at least forty-five million computers were hit by the attack. Today phishing has evolved into a more complicated issue. Phishing can come in the form of what looks like a legitimate email from a company or business that a user might be associated with. An example of recent phishing attempts comes in the form of Microsoft 365 emails in which the user is asked to provide their password in order to help fix an issue on their device. In an event close to home, Highmark Health Network experienced a breach through a phishing email after an employee clicked on a suspicious link. This led to a breach of data for approximately three thousand patients.
While these scams are easy to spot for well-seasoned IT staff, an untrained accountant or production manager, or even a healthcare worker, often cannot differentiate real from fake, due to the level of email sophistication.
While threat actors can attack a business of any size, energy organizations are always a solid target, as they often host royalty databases containing PII or form part of critical infrastructure, such as the delivery of natural gas, electricity, etc. The interruption of daily business for an energy company can cause devastating loss of production data and revenue. Organizations need to select the right security product for their business environment. At a minimum, the security product needs to contain any impact to an organization's day-to-day business in the event of an attack. Organizations should encrypt sensitive data so that, if threat actors do access data on servers, the data is encrypted and unreadable. Updating software to current industry standards will lead to fewer staff being dedicated to constant cybersecurity issues and updates. Benefits will include less upfront investment with more return on investment (ROI) overall.
Secondly, patching is a must for organizations that want to protect the devices on their network. Patches should be applied as soon as they become available from vendors. This is imperative, as the longer it takes to patch the system, the longer you're vulnerable to an attack. Coordinated patching is always the best practice, along with ensuring priority patches are applied as soon as they are available. Investing in an external automated patch provider can help organizations suffering from staffing issues.
Extended Detection and Response (XDR) offers organizations advanced protection. Advanced XDR deploys an agent to a device and utilizes AI-driven technology to monitor activity on the device. This eliminates the constant signature updates of traditional anti-virus software. With the use of AI, malicious activity will be detected in real time. Some XDR products have advanced capabilities to provide organizations freedom from ransomware by rolling back devices to their pre-infection state. Organizations will have the ability to configure automated system remediation for fast threat incident response.
Through the advanced capabilities of XDR, organizations can monitor processes before, during, and after execution to prevent new threats from slipping in.
How does XDR benefit an organization?
Gone are the days when organizations simply installed anti-virus (AV) solutions and ensured that the AV software was kept up to date. In today's ever-evolving threat landscape, attacker tactics morph just as quickly. Organizations must now partake in the multi-layered security approach discussed earlier, including asset management, patching, staff training, and XDR (Extended Detection and Response). XDR will minimize an organization's downtime caused by threat events, saving time and money. Some XDR products use advanced artificial intelligence to detect and prevent current and emerging threats using continuous monitoring and applying continuous updates to the platform.
What about Ransomware?
Some XDR resources offer forensic analysis, which allows for an understanding of the ransomware campaign that was used against the organization. XDR will also detect at-risk devices on the network by looking for out-of-date software, misconfigurations, default passwords, operating system flaws, and open service ports.
Cybersecurity threats can happen any time, day or night. An organization should be set up to receive alerts of suspicious activity as soon as it is detected. The importance of continuous monitoring can't be stressed enough: if an organization isn't receiving real-time notification when a breach is detected, the threat actors will have come and gone with whatever data they were looking for. When thinking of threat actors, nine times out of ten we think of external threats that can cause harm to an organization. There are, however, times when the threat is located internally within the organization. It is imperative that procedures are put into place that monitor information flow and institute "need to know" user access.
On June 26, 2023, a class-action lawsuit was filed against a Scranton, Pennsylvania-based cardiology group, due to a data breach that compromised sensitive information of more than 181,000 patients. Great Valley Cardiology was hacked in February of 2023; however, the breach was not discovered until April 13. Immediate detection and notification would have allowed time to ensure that the systems being targeted were secured. Continuous monitoring systems, internal access control, incident response planning, and voluntary reporting are critical drivers in responding effectively to a data breach.
How an organization responds to a breach or attempted breach determines how quickly the damage is contained and how large the impact is. First, organizations need to ensure that response planning processes are executed during and after an incident. Second, designated staff manage communications with internal stakeholders, law enforcement, and external stakeholders as appropriate, during and after an event. Third, an analysis is typically conducted by a third party to ensure an effective response and to support recovery activities, including forensic analysis and determining the impact of incidents. Additionally, mitigation activities are performed to prevent expansion of an event and to resolve the incident. Finally, the organization implements improvements by incorporating lessons learned from current and previous detection and response activities.
Can a threat actor be identified during an attack?
With the correct protection, yes, threat actors can be lured into identifying themselves. This can occur in real time while the attempted attack on information on the organization's server is taking place. With real-time notification of the breach (or attempted breach), an organization can be made aware of network traffic, file server activity, and any account lockouts. The event, and what response is being taken to contain it, should be addressed by the incident response plan discussed above. Using the correct response tools will allow an organization to stop an attack at any phase. The impact of an attack will depend on how quickly the response came.
Without the correct protection and services, the cost of recovering from a breach could be substantial.
According to IBM, in 2022 the global average cost of a data breach was upward of four million dollars. Within the United States, however, the average breach cost was approximately nine million dollars. This loss is an accumulation of lost business due to diminished consumer trust and of the post-event costs associated with a breach. With the proper services in place, organizations would have recovery capabilities such as full image recovery and virtualization, archiving, and automated testing.
An organization with a planned-out recovery plan will experience timely recovery to normal operations and a reduced impact from a cybersecurity incident. A recovery plan includes, but is not limited to, ensuring the organization implements recovery planning processes and procedures to restore systems and/or assets affected by cybersecurity incidents. It also includes the implementation of improvements based on lessons learned and reviews of existing strategies. Lastly, management needs to ensure that internal and external communications are coordinated during and following the recovery from a cybersecurity incident. Cyber threat actors are not biased; businesses both large and small are susceptible to a breach. Organizations need to continue to evolve at the same pace as cyber threats. This evolution will come in the form of updating an organization's security services to the more current and modern products available.
As discussed earlier in the article, an organization gains a better understanding of the risks associated with cybersecurity when it is able to identify the risks itself. Understanding the risks, as well as the resources available to identify those risks, will allow the organization to focus on and prioritize strengthening the identified weaknesses. Businesses should note that not all resources come in the form of products. Organizations need to invest in staff training, and assess whether their internal IT team can be improved by a third party, such as an MSSP. Through an MSSP, the best response action will be presented when a threat event occurs, and the notification process to management informs the organization as to what steps were taken and how and when the event was contained.
Coupled with the quick response time, recovery with the resources of an MSSP will provide a quick turnaround, forensic analysis, and incident response. Through the use of services such as Extended Detection and Response (XDR), organizations are empowered with tools such as forensic analysis and detection of out-of-date software, misconfigurations, and system flaws. Further, organizations will benefit from decreased or no downtime and quick recovery of critical business functions. Generally, organizations arming themselves with the correct products and resources will find themselves with improved business processes and solid ROI on security services.