[BreachExchange] Cyberattacks Are Inevitable -- Until We Stop Playing The Blame Game

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 30 19:30:25 EDT 2017


https://www.forbes.com/sites/williamsaito/2017/10/25/cyberattacks-are-inevitable-until-we-stop-playing-the-blame-game/#79fe48ab3fb0

As organizations around the world begin to take cybersecurity threats more
seriously, large-scale attacks like the recent breach of a major credit
reporting agency seem to be happening more frequently. At the same time,
there’s increased focus on who’s responsible for security vulnerabilities.

The aforementioned Equifax attack exposed the personal data of as many as
143 million Americans, triggered a lawsuit by the state of Massachusetts as
well as at least 50 class-action suits, Federal Trade Commission and FBI
investigations and questions from a Senate oversight committee.

Also in September, one of the world’s largest accounting firms was hit by
an attack that breached its internal email system, and a well-known
U.S. regulatory body revealed that hackers had gained access to
information that could have given them an unfair trading advantage. In the
wake of these attacks, we must accept that almost anyone can be hit, which
means we all have to be prepared.

Don’t blame the victim

As I’ve written before, it’s crucial not to blame the victim in a
cyberattack. Pointing the finger at the perceived weakest links in the
chain of the organization can encourage them to hide breaches, or try to
fix things themselves. This kind of suppression of information and
awareness can be devastating for cybersecurity.

Basically, “blame the victim” and finding the “bad guy” inside the company
do no good and only foster a mentality of “pretend it doesn’t
exist,” especially in a layered bureaucracy. Today, data has more value
than physical objects and crosses not only corporate lines but sovereignty.
That means we need a new mentality of reporting incidents quickly, and
without blame. If a stranger without a badge wanders into a company, it
will provoke a response from today’s workers. Similarly, suspicious data
has telltale signs that we need to report immediately -- it’s better to be
safe than sorry.

Read the signs

Awareness of the basic stages of a cyberattack can help foster a culture of
vigilance and communication. Criminals don’t simply exploit an unpatched
vulnerability and then get the data and run. They have to traverse a
gauntlet of security measures in today’s IT-dependent organizations. This
process is known as the attack lifecycle, a model that describes the
tasks an adversary group must accomplish in order to complete its mission.
It must first reconnoiter for victim weaknesses -- this is the part that is
often automated and done broadly. After a vulnerability is found, the
initial attack is delivered and, once the victim is compromised, a command
and control channel is installed while traversing the internal networks to
create other enclaves for attack.

It’s important to remember that for an attack to be successful, these last
few steps are not only crucial but also take time to execute manually.
Thus, it is important for corporations not only to put automatic
prevention systems at these various stages but also to create a culture
where people will quickly notify security if there’s any unusual or
suspicious activity at these stages. Time is of the essence, but there are
actually many opportunities to catch an attacker.

It’s not game over if your system gets penetrated, but it might be if you
don’t properly communicate this fact in a timely manner. You should also
communicate how further damage was mitigated and whether actual data loss
occurred because of this quick action. Thus, it’s critical in this day and
age that we not only be ready for cyberattacks but we also rehearse for
them and other, related scenarios. Because they will happen.

The following is a short list of preparations that absolutely must be in
place to deal with cyberattacks.

1. The organization must have an executive chief information security
officer (CISO) or a role with an equivalent function that regularly updates,
if not reports into, the board. He or she must be responsible for overall
cybersecurity with regular and direct reporting to the board’s audit and/or
risk committee.

2. Every organization must have an incident response (IR) plan that is
developed by internal and external IR team members. The members must
periodically tabletop, refine, and update the plan to keep it current for
any possible eventuality.

3. It’s essential to carry out training and education programs on
cybersecurity awareness and response for employees as well as the security
team.

4. Vendors and contractors should not be the weakest link in organizational
security, but they often are. Many attacks penetrate via a supplier,
contractor or even law and accounting firms. Organizations should ensure
their partners are also protecting themselves and not being used as
beachheads for groups launching attacks. Some of the biggest breaches in
recent years have involved weak links in third party vendors.

5. The security team should carry out regular cybersecurity simulations or
tabletop exercises to rehearse response efforts and prepare for the
eventual crisis.

6. The organization must retain forensics, legal and public relations
experts to provide the board and stakeholders with all the information they
need about a breach.

7. Cyber insurance should be considered since it will become increasingly
prevalent. It will become second nature for companies to have insurance
that will cover the costs of forensic analysis, legal services, public
relations, credit monitoring, litigation and regulatory requirements if and
when a breach occurs.

When it comes to cybersecurity, complacency is your enemy. To minimize your
risk of attack, review your security posture and culture and make the
necessary changes. There are many bad guys out there trying to get their
hands on valuable data, but instituting the proper precautions can make
their mission a lot more difficult and, hopefully, not worth the trouble.