World News reveals a lot

Especially when dealing in security. When countries fight, bad actors will show up and this shouldn’t surprise anyone. In the past month, the statement has proven itself true with the sheer increase of alerts about cyber attacks coming out of the Eastern Bloc due to the deteriorating political situations occurring there. On January 18th CISA Insights included guidance on steps that organizations can take without delaying.

Here is a copy of an email some of our clients have received:

Current Geopolitical Events Increase Likelihood of Cyberattacks
Financial Institutions Included in Potential Targets to U.S. Critical Infrastructure
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has recently issued two alerts addressing risks from Russian State-Sponsored cyber threats and highlighting recent malicious cyber incidents suffered by public and private entities in Ukraine. Given current geopolitical events, the NCUA, along with CISA, the Federal Bureau of Investigation, and the National Security Agency encourage credit unions and their cybersecurity teams nationwide to adopt a heightened state of awareness and to conduct proactive threat hunting. In addition, COVID-related supply chain disruptions may require management to reevaluate previously held assumptions for business continuity and disaster recovery plans. Credit union leadership should be aware of critical cyber risks and take urgent steps to reduce the likelihood and impact of a potentially damaging compromise. We highly encourage you to review the two CISA issuances and act on the applicable recommendations. It is crucial that your organization does its part to improve its resilience, reducing the risk of compromise or severe business degradation. The NCUA recently created the Automated Cybersecurity Evaluation Toolbox (ACET) for federally insured credit unions to evaluate their cybersecurity posture. For more information, please visit the NCUA’s cybersecurity resources website.

Security is really a bear race

You don’t have to outrun the bear, just the slowest person. When you can place enough red tape around your environment, it’s simply easier to attack others. In security matters, I’ve learned two truths:

  1. The most secure system that is used will eventually be breached.
  2. Most bad actors are lazy.

100% security can’t exist without a total loss on business function and ease of use. The trick is to find the middle synergies that allow for greater security in a way that simultaneously increases functionality and ease of use. For example, despite some regulatory body’s best efforts to convince us otherwise, Microsoft’s best practice is to never change your password and enable Multi-Factor Authentication. Eventually, the most secure systems won’t have a password in the traditional sense. When you implement measures like this it’s simply easier for an attacker to find a new target.

Security, Functionality and Usability Triangle

Consistent Progress beats Immediate Change

The thing with finding these synergetic sweet spots is that it’s not an accident. Fluency in a system allows for a greater ability to leverage it towards the goals you intend. Developing that kind of fluency takes intentional investment over time. To the password example from earlier, the amount of time I’ve invested into understanding how this protection works is why I know that an extremely long password (50 characters) with no weird characters and numbers is a much better than a 12-character password that contains uppercase, lowercase, number, weird character, and the blood of an eagle feather.

Password Strength is easier than we think.

Being Wrong and Being Right

Kathryn Schulz, author of wrongology, explained that being wrong feels exactly like being right. The thing that feels different than being right is realizing you’re wrong. It’s an odd thing thinking that you have something together and then realizing you don’t. I have concerns anytime I meet someone who is responsible for their organization’s digital security that will tell me they have it covered. Even if you’re doing all the right things, there can still be extremely bad security days. This is where having continual progress to secure systems and respond to insecure systems is extremely helpful. Not only do you more readily find out about the security holes that you didn’t know of, you also respond faster due to continual practice.

Cybersecurity Maturity Models Win the day

There is a reason you would not be awarded CMMC (most of Level 3 is NIST 800-171) even if you were able to check all the boxes to comply overnight. The same is true for SOC 2 Type 2. This is because they are Maturity Models. They are an assessment of the organization’s security posture proven by continual improvement over time. Working towards these types of frameworks are one of the best long-term practices you can do to secure your organization more fully. 

It’s one of the primary reasons FFIEC’s cybersecurity assessment page lists a NIST policy mapping resource. If you want to have less concerns about your cybersecurity measures, then it’s an excellent long-term plan to begin working towards NIST 800-171. We have a clear process for moving clients towards this as a long-term plan. If you want to talk about potentially doing this Reach out to us for help.

There are also some immediate short-term items that we’ve seen every regulatory body suggest when releasing news about the Eastern Bloc. These specifically reference the recommendations from the January 18th CISA Insights newletter.

  • Reduce the likelihood of a damaging cyber intrusion 
  • Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
  • Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
  • Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
  • If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance.
  • Sign up for cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
  • Take steps to quickly detect a potential intrusion 
  • Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events. 
  • Confirm that the organization’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
  • If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
  • Ensure that the organization is prepared to respond if an intrusion occurs
  • Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/ responsibilities within the organization, including technology, communications, legal and business continuity. If you do not have policies setup around an incident, we can help..
  • Assure availability of key personnel; identify means to provide surge support for responding to an incident.
  • Conduct a tabletop exercise to ensure that all participants understand their roles during an incident. If you have not done a tabletop test recently, we can assist with running a tabletop.
  • Maximize the organization’s resilience to a destructive cyber incident 
  • Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections. If you aren’t sure how to do this, or if it is not done, then we can help with an assessment to verify this is happening.
  • If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted. If you aren’t certain how separate these are from the rest of the network, we can help with an assessment to verify this is happening.

This should give you an idea of some items that can be controlled and increase security against all the malevolent forces on the great world wide web. If all the immediate recommendations from the list above were implemented, you would be faster in the cybersecurity bear race. We can help make sure this happens. These scares will come up again in the future. If we can help someone be better positioned for these threats and help make a better world with less cybercrime, we want to do so. If in the end there is one less organization full of people with hopes and dreams who have to wake up to find a terrible ransomware situation, then we’ve done our job.