[BreachExchange] Yogi Berra was never in the cybersecurity business

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 13 19:39:18 EST 2016


http://www.csoonline.com/article/3149560/internet/yogi-berra-was-never-in-the-cybersecurity-business.html

'Tis the season for making predictions. I love predictions. I love the
crashing sound they make as they fall flat on their faces. They are very
rarely right and so often wrong that it prompted Yogi Berra to say, "It's
tough to make predictions, especially about the future."

One thing is for sure: Yogi was never in the cybersecurity business. How do
I know? Because making predictions in the cybersecurity business is easy.
Here's mine: Your company will get hacked in 2017.

In fact, the corollary prediction is that you may not even know it. At the
end of the year you'll look back and say, "not us - we weren't hacked."
Uh-huh. Maybe you think not but in the end there are only two kinds of
companies:

Companies that have been hacked.
Companies that have been hacked and don't know it.

What can you, as a C-level executive or even a director on a company's
board, do to prevent this prediction from coming true in your company? In
short, nothing.

Hackers will do what hackers do - they will probe, attempt, retry and poke
until they find a back door to enter, or they'll find a single computer
that doesn't have two-factor authentication installed on it. (Think that's
not a big deal? Ask JP Morgan Chase, who suffered a $150 million breach as
the result of a single computer being exposed.) They will steal
credentials, send phishing emails and set up phony websites in an attempt
to lure someone in your company into clicking a link or entering critical
information and then… you're toast.

So let's talk about reality and what you - particularly the aforementioned
C-level execs and directors - can do to build a culture of cybersecurity
within the company that will minimize damage and expedite recovery. It's a
question of resolutely following what I call "The Four Rs Of Cybersecurity":

Resist
Restrict
Recover
Report

Having the right culture revolving around these Four Rs will help you
minimize the frequency of successful hacks, mitigate the severity of the
damage and facilitate recuperation after the fact.

Resist

Resistance is your most important tool because the more successful it is
the less the others will be needed. How to resist? Foster a culture within
the company of "safety first" in the same way that manufacturers do. In a
manufacturing plant everyone must wear hard hats or hair nets, protective
shoes and eyewear and must remain within safety lines painted on the floor.
Manufacturers create policies and procedures that, if followed, prevent
accidents. Cybersecurity requires a "safety first" attitude too. Set up
firewalls, don't allow specific types of attachments in emails, encrypt
your messages, develop password policies and reinforce how important it is
to never click links in emails. Resist means to always be thinking
"cyber-safety first."

Restrict

If hackers penetrate your defenses you need to minimize the damage by
containing it. Make sure that you have procedures in place to limit access
privileges to only areas that are necessary for someone to do their job.
Don't let "access creep" create needless exposure. On the physical side you
make sure that employees no longer with the company turn in keys, badges,
authentication dongles, laptops and cell phones. Similarly, on the
electronic side, change the passwords of any area that they have access to,
make sure that they haven't "backed up" (that's code for stolen) any files
to external sources such as thumb drives or cloud services like Dropbox or
OneDrive.

The best way to think about this is to imagine a ship with watertight
compartments. Water may get into one compartment but it won't sink the
ship. That's how you want your cyber-ship to be built, too – putting in the
electronic equivalent of water-tight compartments keeps the ship afloat.
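The "Restrict" advice above (least privilege, no access creep, full offboarding) is the kind of thing that can be checked mechanically once the grants are written down. The following Python is an added illustration and not part of the column: it compares each account's current grants against an assumed role baseline to surface access creep, flags grants that have sat unused past an idle threshold, and lists departed staff whose accounts still hold anything. The role names, users, grants and dates are constructed sample data.

```python
"""Entitlement review for the "Restrict" principle (added example).

Assumed inputs: a role baseline (what a role needs to do the job) and an
account inventory with each grant's last-use date. All values are
constructed for the illustration.
"""
from datetime import date, timedelta

# Assumed role baselines: the entitlements each role actually needs.
ROLE_BASELINE = {
    "sales": {"crm.read", "crm.write", "email"},
    "finance": {"ledger.read", "ledger.write", "email"},
    "engineer": {"repo.read", "repo.write", "ci.deploy", "email"},
}

# Constructed account inventory: role, departure flag, and last use per grant.
ACCOUNTS = {
    "alice": {"role": "sales", "departed": False,
              "grants": {"crm.read": date(2016, 12, 12),
                         "crm.write": date(2016, 12, 10),
                         "email": date(2016, 12, 13),
                         "ledger.read": date(2016, 6, 1)}},   # creep: not a sales grant
    "bob": {"role": "engineer", "departed": False,
            "grants": {"repo.read": date(2016, 12, 13),
                       "repo.write": date(2016, 12, 13),
                       "ci.deploy": date(2016, 3, 2),        # in baseline, but unused
                       "email": date(2016, 12, 13)}},
    "carol": {"role": "finance", "departed": True,
              "grants": {"ledger.read": date(2016, 11, 30),  # offboarding gap
                         "email": date(2016, 11, 30)}},
}


def access_creep(accounts=ACCOUNTS, baseline=ROLE_BASELINE):
    """Grants held beyond the role baseline, keyed by account."""
    creep = {}
    for user, info in accounts.items():
        extra = set(info["grants"]) - baseline.get(info["role"], set())
        if extra:
            creep[user] = extra
    return creep


def stale_grants(accounts=ACCOUNTS, today=date(2016, 12, 13), max_idle_days=90):
    """Grants not exercised within max_idle_days: removal candidates."""
    cutoff = today - timedelta(days=max_idle_days)
    stale = {}
    for user, info in accounts.items():
        idle = {g for g, last in info["grants"].items() if last < cutoff}
        if idle:
            stale[user] = idle
    return stale


def lingering_departed(accounts=ACCOUNTS):
    """Departed staff whose accounts still hold any grant."""
    return {u for u, info in accounts.items()
            if info["departed"] and info["grants"]}


if __name__ == "__main__":
    print("access creep:", access_creep())
    print("stale grants:", stale_grants())
    print("departed but still granted:", lingering_departed())
```

Run on a real inventory, the three reports map directly onto the three actions in the text: trim grants outside the role, revoke what nobody has used, and close the accounts of people who have left.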

Recover

After hackers have successfully breached your defenses, even if you have
done a good job restricting access and containing damage, you must be ready
to recover quickly. Regular, preferably real-time, backups of your data are
critical. Think about how much work – and what a hit to your reputation –
it would take to recover if you lost an entire day of order entry, call
logging, sales prospecting and everything else on your system.

To be clear, you'll need much more than backup tapes with a snapshot of
yesterday's system. If you're hit with ransomware you might have to roll
back days or even weeks to make a practical recovery. My personal
philosophy is to back up in real time, plus daily, weekly and monthly
snapshots. When I get hacked (or a computer gets destroyed or stolen) I'll
be ready to restore my system on a new computer or hard drive from five
minutes, five days or even five weeks ago. Call me paranoid if you like,
but I call it realistic because eventually I will get hacked (and so will
you).
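The tiered backup scheme the author describes (real-time copies plus daily, weekly and monthly snapshots, so a restore point from five minutes, five days or five weeks ago is always available) is a retention policy, and the piece below is an added Python illustration of one, not code from the column. It keeps every snapshot from the last day, thins older ones to one survivor per day, week and month, and looks up the newest snapshot at or before a chosen roll-back time (the "before the ransomware ran" point). The tier sizes and the snapshot timestamps are assumptions constructed for the example.

```python
"""Tiered snapshot retention and restore-point lookup (added example).

Assumed tiers: (name, how far back the tier reaches, bucket size within
which only the newest snapshot survives). Snapshots older than every
tier are dropped. Timestamps are constructed sample data.
"""
from datetime import datetime, timedelta

TIERS = [
    ("realtime", timedelta(days=1), timedelta(minutes=5)),
    ("daily", timedelta(days=30), timedelta(days=1)),
    ("weekly", timedelta(weeks=12), timedelta(weeks=1)),
    ("monthly", timedelta(days=365), timedelta(days=30)),
]


def prune(snapshots, now):
    """Return the sorted subset of snapshot times to keep under TIERS.

    Each snapshot is assigned to the first tier whose reach covers its
    age; within that tier only the newest snapshot per bucket survives.
    Re-run as time passes so snapshots age from one tier into the next."""
    keep = {}
    for ts in snapshots:
        age = now - ts
        if age < timedelta(0):
            continue  # ignore future-dated entries (clock skew)
        for name, reach, bucket in TIERS:
            if age <= reach:
                key = (name, age // bucket)       # bucket index within the tier
                if key not in keep or ts > keep[key]:
                    keep[key] = ts                # newest wins
                break
    return sorted(set(keep.values()))


def restore_point(snapshots, not_later_than):
    """Newest retained snapshot at or before not_later_than, or None."""
    candidates = [ts for ts in snapshots if ts <= not_later_than]
    return max(candidates) if candidates else None


def sample_snapshots(now, days=60, step=timedelta(minutes=5)):
    """Constructed input: one snapshot every `step` for the past `days` days."""
    count = int(timedelta(days=days) / step)
    return [now - step * i for i in range(count)]


if __name__ == "__main__":
    now = datetime(2016, 12, 13, 19, 39)
    kept = prune(sample_snapshots(now), now)
    print(f"retained {len(kept)} of {len(sample_snapshots(now))} snapshots")
    for label, back in (("5 minutes", timedelta(minutes=5)),
                        ("5 days", timedelta(days=5)),
                        ("5 weeks", timedelta(weeks=5))):
        print(label, "ago ->", restore_point(kept, now - back))
```

The point of the bucket rule is that the set of restore points stays small while the worst-case gap to any chosen roll-back time is bounded by the bucket size of the tier it falls in: five minutes in the first day, a day within the month, a week within the quarter.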

Report

This isn't the time to be shy or clandestine. Fess up and the sooner the
better. Once you have minimized the damage and put your recovery procedures
into action tell your employees, your customers and your shareholders. If
you get the message out early you can control the damage. Realize one
thing: The information always gets out and you want to be in front of it,
not behind it. Prepare separate statements to each of those constituencies
and tell them what happened, why it happened, how much damage was done,
what steps you have taken to recover and what you are doing to prevent
being hacked that way again.

I'll make one more prediction. Follow this advice and you will be a lot
better off than if you don't. Hacking is an unfortunate fact of both
business and personal life. Be prepared, be vigilant and be cyberaware.