
The Benefits of Preparing for Cyber Security Incidents

Now, More Than Ever, Enterprises Are Learning the Benefits of Preparing for Cyber Security Incidents

2020 isn’t likely to be on anyone’s list of “Best Years of All-Time” and the sentiment is double for anyone involved in cyber security: the year is barely halfway over, and it’s already been full of frustrations and headaches for cyber experts.

When you look at the cost of cyber attacks to businesses and the continuing high rate of incidents in 2020, there’s only one conclusion: enterprises need to demonstrate readiness and embark on a journey toward cyber security resiliency.

To start, let’s look at some numbers to help underline why proper cyber security is a value-add and can help a business protect against losses.

Cyber Attack Costs to Businesses

There’s no question that enterprises are being challenged to keep up with a security environment that is showing no signs of becoming friendlier any time soon. The highlights of the 2020 Cost of a Data Breach Report paint a picture that can be eye-opening for both enterprises and small businesses:

  • $3.9 million average cost of a data breach
  • Time to identify and contain a data breach averages 280 days
  • $150 average cost per lost record
  • 43% of all attacks target small businesses
  • 86% of small businesses have no effective defenses against cyber attack
  • 60% of all small businesses close their doors within 6 months following a cyber attack

[Source for all statistics: IBM, 2020 Cost of a Data Breach Report]

These statistics suggest that larger enterprises typically have the resources to at least hold their ground (though they are certainly not immune, as we will detail later), while small businesses generally have more difficulty managing the proliferation of cyber threats, vulnerabilities, and incidents. The findings of the report definitely shed light on the risk to small businesses, though there is a lot of positive insight that can be distilled.

For instance, the fifth bullet calls out that 86% of small businesses have no effective cyber attack defenses. The conclusion that should be drawn is that businesses with proper cyber security measures in place are far less likely to suffer a cyber attack. A high level of organizational preparation and sufficient investment in cyber security resources can create enhanced resiliency and diminish the threat of damaging incidents.

Two of 2020’s most noteworthy security stories – the hack of high-profile accounts on Twitter and the troubles that have plagued the Zoom app – demonstrate how an ounce of prevention is worth a pound of cure.

Twitter Gets Hacked


The most spectacular security event of the year is the recent Twitter hack. On July 15, 2020, 130 of the highest profile Twitter accounts – including those of Barack Obama, Joe Biden, Apple, Uber, Bill Gates, and Elon Musk – were hacked and used to push a bitcoin scam.

Federal and local law enforcement responded quickly and the investigation has led to several arrests in Florida, including a juvenile as the alleged ring leader. The actual monetary damages to victims are relatively small, probably less than $200,000. However, the implications of this breach are disconcerting.

The hack’s apparent lack of technical sophistication and small-potatoes level of ambition – prestigious Twitter handles were apparently more coveted than compromising sensitive accounts – leads to more questions. What if this had been a more sophisticated operation, mounted by a genuine criminal enterprise with more destructive goals? What if the private message logs of the hacked accounts were shared with significant threat actors, including unfriendly nation states, corporate spies, and blackmailers?

Twitter has emerged from this relatively unscathed, but the accountholders appear unprepared for the future. If privileged information from those accounts is released, or if a similar attack is launched by someone with a more sinister agenda, the potential for damage is immense.

Lesson: With so many technology partners integral to operations, there are endless vulnerabilities outside of your control. Enterprises can’t rely solely on their own best efforts to maintain data security and must be prepared for catastrophic events that are external, unexpected, and unknowable. Align your behaviors, processes, operations, and strategies with the understanding that no amount of diligence can insulate against an incident that originates outside your organizational perimeter – disaster can strike and you must have a response framework and recovery process ready.

“Zoom Bombing” and Other Zoom Issues


Before March, Zoom was just a little-known teleconferencing app. When the pandemic hit, it was suddenly vaulted into the spotlight as the go-to choice for virtual work meetings, school classroom sessions, or just friendly gatherings. For a while it worked, and then all the attention and traffic made Zoom’s incomplete approach to security noticeable, and malicious actors launched a series of attacks that exploited the app’s shortcomings.

Insecure meetings were frequently crashed by uninvited “Zoom bombers,” in a wave of incidents that were serious enough to merit an FBI warning. More unsettling were the multiple security flaws discovered by sharp-eyed researchers, including UNC path injection, local privilege escalation, and code injection. The icing on the cake was the discovery of privacy concerns regarding misleading end-to-end encryption claims and undisclosed sharing of data with Facebook.

Zoom responded by issuing practical instructions for making meeting rooms more secure against bombing, patching multiple flaws, clarifying its use of encryption (it doesn’t use “end-to-end encryption” in the commonly understood sense), and addressing privacy concerns by promising to review its “processes and protocols for implementing… features in the future.” In retrospect, these incidents point to the human element as a source of vulnerability and the need for appropriate security training and controls.

Lesson: Crisis situations, like the rapid and ubiquitous move to remote workforces, can deprioritize the normal precautions that support proper vetting of new technologies and services, which might be incompletely understood or poorly secured. Vulnerabilities in these solutions will eventually be exposed, which can create a snowballing crisis chain. Don’t allow a disruption to your normal operations to interrupt your procedures for evaluating change, understanding risk, and integrating new services or partners into your enterprise environment. Proper employee training in encryption protocols, password sharing, and link sharing outside of your enterprise can eliminate many common vulnerabilities and threats.

Why Enterprises Might Underinvest in Threat Mitigation

Many enterprises were caught flatfooted by 2020’s security incidents. Companies with hacked Twitter accounts worked to understand how they had been compromised and likely still don’t know the complete tally of damages. Organizations that relied on Zoom to conduct business as normally as possible during the pandemic are struggling to contain the fallout from operations disrupted by Zoom’s failures, while scrambling to find alternative solutions.

Many of these organizations – or more accurately, the people within the organizations – did not invest in sufficient cyber security assessment, response and recovery resources. Why is that? One common culprit is prospect theory.

In short, prospect theory demonstrates that our decision making is weighted toward loss aversion: people are more fearful of losses than they are encouraged by equivalent gains, and therefore will choose the option that avoids loss when all else is perceived as equal.


In the context of whether or not to invest in enterprise cyber security, an organization’s decision makers might evaluate two possibilities:

  1. the cost (immediate loss) of implementing more resilient cyber security (long-term gain), or
  2. the savings (immediate gain) of not mitigating a potential cyber incident (long-term loss).

By prioritizing loss aversion (option 2), decision makers might overlook not only the likelihood that an event will occur, but also the potential value gains of being prepared and having a mitigation plan in place.

Here’s a Suggestion: Invest in Your Security Posture

The overall lesson here for enterprises is to make certain that, when deciding on a cyber security investment, you are properly evaluating the upside of hardening cyber security capabilities, preparing for security events, and having plans in place for response and recovery. Yes, this is an expense that shows up on the ledger as red ink. But it’s also an investment that returns its cost, and more: proper cyber security delivers value in the long term.

You can’t predict when an attack could happen and systems can be breached without you knowing you’ve been compromised, allowing malicious actors to thoroughly investigate your system and plan the most effective means of attack. The aforementioned IBM report demonstrates the precise value of preventing such a scenario.

Don’t let your only value determinant be loss (cost) aversion. Instead, perform a sensible risk analysis that spotlights the value benefit of a cyber security investment, and recommend the changes necessary to harden your defenses, install a response process, and create a recovery plan.

At SecurIT360, we are trusted advisors to small businesses and enterprises that are motivated to meet the security challenges of today’s digital environment. Contact us today to talk about your cyber security concerns and challenges.


An Argument for Increased Focus on Data Backups

The necessity for backups has always existed, but the reason for backing up has changed significantly in recent years. Today, backing up data is just as important for cyber security reasons as it ever has been for disaster recovery. But our architecture must be rethought with this new emphasis.

When did we start conducting data backups?

A long time ago–in a galaxy far, far away…–backups were theoretically designed to mitigate the risk of a disaster: fire, flooding, equipment failure, etc. In reality, they were used primarily to correct bad decisions (we updated the server and it crashed, now we must go back to the previous version). A long-standing practice of any IT change process I have been a part of has been “Back it up before you do that.” With the prevalence of virtual machines and the ease of taking a “snapshot,” backups became very easy to do. Software and converged infrastructure have also made this increasingly robust and convenient.

However, convenience comes at a price. Many of our backup systems are on shared storage. We back up to the same logical location where our files are stored. And this is the underlying fallacy in our new cyber security reality. Our backups used to go to tape and get stored off-site. A return to this complexity needs to occur.

Backup Best Practices

Backups need to be on a completely separate storage volume that is not accessible to anyone or any bot, except the backup software. The backup credentials need strict complexity requirements and an access policy that prevents their use from anywhere else. Traffic should only be initiated from the backup network to the backup target, and no traffic should be allowed to be initiated from the client network. Additionally, this information needs to be taken offline with regularity, removing it from the network.
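The traffic-direction rule above is the one most easily broken by a “temporary” firewall exception, so it is worth checking as code. The following is an added example (not SecurIT360’s code or tooling): it audits a list of stateful firewall rules against the three isolation requirements just described. The `Rule` format, the network addresses and the sample rule set are constructed for illustration; a real audit would read the policy exported from your firewall in its own syntax.

```python
"""Audit firewall rules for backup-network isolation (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "ACCEPT" or "DROP"
    src: str         # source host or network, CIDR notation
    dst: str         # destination host or network, CIDR notation
    dport: int       # destination port
    initiates: bool  # True if the rule admits NEW connections (session initiation),
                     # False if it only admits established/related return traffic


# Constructed sample addressing (assumption: these networks are hypothetical).
BACKUP_NET = ipaddress.ip_network("10.0.9.0/24")       # backup servers
CLIENT_NET = ipaddress.ip_network("10.0.5.0/24")       # workstations and production servers
BACKUP_TARGET = ipaddress.ip_network("10.0.99.10/32")  # host holding the isolated backup volume


def overlaps(a: str, b) -> bool:
    """True if CIDR string `a` shares any address with network `b`."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def audit_rules(rules, backup_net=BACKUP_NET, client_net=CLIENT_NET, target=BACKUP_TARGET):
    """Return (rule, reason) pairs for every session-initiating ACCEPT rule that violates:
    1. nothing in the client network may initiate a session to the backup target;
    2. only sources fully inside the backup network may initiate sessions to the target;
    3. the target itself must not initiate sessions into the client network
       (a compromised backup host should not be able to reach back into production).
    """
    violations = []
    for r in rules:
        if r.action != "ACCEPT" or not r.initiates:
            continue  # DROP rules and return-traffic rules cannot open a new path
        if overlaps(r.dst, target):
            if overlaps(r.src, client_net):
                violations.append((r, "client network may initiate to backup target"))
            elif not ipaddress.ip_network(r.src).subnet_of(backup_net):
                violations.append((r, "source outside backup network may initiate to backup target"))
        if overlaps(r.src, target) and overlaps(r.dst, client_net):
            violations.append((r, "backup target may initiate into client network"))
    return violations


# Constructed sample policy: the first three rules model a pull-based design where the
# backup server initiates toward clients and toward the target; the last two are the
# kind of "convenient" exceptions that expose the backup volume to ransomware.
SAMPLE_RULES = [
    Rule("ACCEPT", "10.0.9.0/24", "10.0.5.0/24", 22, True),      # backup server pulls from clients
    Rule("ACCEPT", "10.0.9.0/24", "10.0.99.10/32", 2049, True),  # backup server writes to target
    Rule("ACCEPT", "10.0.5.0/24", "10.0.9.0/24", 22, False),     # return traffic only, no initiation
    Rule("ACCEPT", "10.0.5.0/24", "10.0.99.10/32", 445, True),   # SMB share of the backup volume to all workstations
    Rule("ACCEPT", "0.0.0.0/0", "10.0.99.10/32", 22, True),      # any-to-target SSH left open for troubleshooting
    Rule("DROP", "0.0.0.0/0", "0.0.0.0/0", 0, True),             # default deny
]

if __name__ == "__main__":
    for rule, reason in audit_rules(SAMPLE_RULES):
        print(f"VIOLATION: {reason}: {rule}")
```

Run against the sample policy, the audit flags the two bad rules (the SMB share and the any-source SSH rule) and passes the first three; the rule that only admits established return traffic from the client network is deliberately not a violation, because it cannot open a new session toward the backup target.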


Here’s a scenario: Organization X is performing backups and test restores according to their risk management profile. Some info is backed up daily, some hourly. Everyone is happy with the results. Suddenly, ransomware attacks the network and begins encrypting any data that is exposed, including backup files on a shared drive. This renders the backups useless for recovery from this attack.

Finally, this needs to be an executive level discussion. If you were the CEO of an organization, you would immediately be informed if the network was “down.” Being operational and ensuring your employees are productive is the most important piece of information you can receive from your IT team. The second most important piece of information should be “the backup process didn’t work last night.” The risk this puts you in, potentially having to redo the work of an entire day or longer, is one you should be aware of and constantly guarding against.
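Both the ransomware scenario (backups silently encrypted on a shared drive) and the “backup didn’t work last night” report come down to the same two checks: did the backup set change after it was written, and is the newest set still fresh? The following is an added example (not SecurIT360’s code): it records a SHA-256 manifest when a backup set is written and later verifies the set against that manifest, reporting modified files, missing files and staleness. The directory layout, file contents and the 24-hour freshness threshold are constructed assumptions; the `demo()` function builds a throwaway backup set in a temporary directory and simulates the attack from the scenario above.

```python
"""Verify a backup set against an out-of-band manifest (added example, constructed data)."""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path, created_at: float) -> dict:
    """Record the digest of every file in the set. Keep the returned manifest on the
    offline copy or another system the backup target cannot write to; a manifest
    stored beside the files would be encrypted or rewritten along with them."""
    files = {p.relative_to(backup_dir).as_posix(): sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    return {"created_at": created_at, "files": files}


def verify_backup(backup_dir: Path, manifest: dict, now: float, max_age_hours: float = 24.0) -> dict:
    """Compare the current files with the manifest and check the set's age.
    `modified` is what an encrypting attack looks like; `missing` catches renamed or
    deleted files; `stale` is the "backup didn't run last night" condition."""
    modified, missing = [], []
    for rel, digest in manifest["files"].items():
        p = backup_dir / rel
        if not p.exists():
            missing.append(rel)
        elif sha256_file(p) != digest:
            modified.append(rel)
    stale = (now - manifest["created_at"]) > max_age_hours * 3600
    return {"modified": modified, "missing": missing, "stale": stale,
            "ok": not (modified or missing or stale)}


def demo(attack: bool = True, hours_later: float = 30.0) -> dict:
    """Build a constructed nightly backup set, optionally simulate ransomware touching it,
    then verify it `hours_later` hours after it was written."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "nightly"
        (backup / "db").mkdir(parents=True)
        (backup / "docs").mkdir()
        (backup / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
        (backup / "docs" / "plan.txt").write_text("Q3 plan\n")
        (backup / "docs" / "notes.txt").write_text("meeting notes\n")
        t0 = time.time()
        manifest = build_manifest(backup, created_at=t0)  # assumed to be kept off the target
        if attack:
            # Simulated encryption: one file overwritten with random bytes, one renamed away.
            (backup / "db" / "orders.sql").write_bytes(os.urandom(64))
            (backup / "docs" / "plan.txt").rename(backup / "docs" / "plan.txt.locked")
        return verify_backup(backup, manifest, now=t0 + hours_later * 3600)


if __name__ == "__main__":
    print("attacked, 30h old:", demo())
    print("intact, 8h old:   ", demo(attack=False, hours_later=8))
```

With the attack simulated, the report lists `db/orders.sql` as modified and `docs/plan.txt` as missing, and marks the set stale because 30 hours have passed without a newer one; the clean run eight hours after writing reports `ok`. The point of the design is that the manifest lives with the offline copy: a check that trusts hashes stored on the same shared volume proves nothing once that volume is compromised.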