Happy National Cyber Security Awareness Month! In honor of the month, we want to cover topics that align with this year’s overall theme: “OWN IT. SECURE IT. PROTECT IT.”
This week, we’re talking about how to OWN IT. What does it mean to OWN IT? Owning it means understanding what you have in your network. Also, it means knowing what steps you will need to take to minimize risk and protect your environment. You’re “owning” the devices, services, and protections that you use in the network. You’re “owning” the vulnerabilities and the risks that a new device, vendor, or workflow brings to your environment.
Why is owning it important?
Owning it allows you to make informed, risk-based decisions. It also allows you to accept, mitigate, or transfer that risk. Even the CIS Top 20 Critical Controls list hardware and software inventory as the first and second actions that you take to secure your environment. Without understanding the things you have to secure, you can’t possibly secure them. Even worse, you can’t compensate for the risks associated with them.
Evolving technology makes it more difficult to perform these software inventories and truly “own” your network. There are a few factors that have contributed greatly to cyber security issues like this. For instance, the Internet of Things (IoT), use of 3rd party business partners, and an increase in — get ready for the obvious Halloween reference — tricks disguised as treats (phishing) all add to the risk.
The first large factor that comes with recent technology improvements is an increase in the number of connected devices that were not previously network-connected. The second is the use of 3rd party vendors. This includes SaaS platforms, managed service providers, and cloud instances. The last is the increase in malicious phishing emails, which lead to malware and ransomware.
Internet of Things (IoT)
IoT refers to devices that were previously not connected to the network: stoves, refrigerators, doorbells, manufacturing equipment, temperature sensors, etc. The challenge is that users or businesses are bringing devices into the network with no regard for the security implications. Usually, these devices are meant to make their lives easier or improve services. Yet, these devices are added to the network without consulting the IT or security folks in the organization.
Sometimes, even the most benign devices can cause a cyber security breach. In 2017, a malicious actor breached a casino after finding an unsecured PC. That PC connected to the temperature, cleaning, and feeding devices in the lobby aquarium. The security team didn’t know that this device was connected to the network. Ultimately, this allowed the attacker to pivot to critical assets in the network and gain access to privileged information.
Preventing this is not easy. Educate your users. Be a part of the acquisition process. Perform regular network scans if you want to prevent IoT creep and “shadow IT”.
3rd Party Business Partners
Reduced budgets, lack of specific skill sets within the team, ease of use, and a remote workforce are all reasons to move into the cloud or to work with a managed service provider. But do you know how secure your 3rd party partner is? Do you know the delineation of your responsibility versus their responsibility? What access do you provide to 3rd party business partners to enable them to perform the work required?
The often-referenced Target breach of 2013 stemmed from an HVAC management organization whose accounts were breached and who had unfettered access to the network. How well do you know the types of access that you give to the contractors and 3rd party partners that operate in your network? How often do you ask for a list of required ports/protocols/IP addresses and hear that you should allow everything? Do your due diligence upfront. Then, you can ensure that you OWN these items and make sure you’re not blindsided by something preventable.
Lastly, phishing attacks are on the rise. Ransomware specifically increased in effectiveness by 350% over the last year. Email accounts for more than 94% of the total source of attacks. Malicious actors are improving their methods and making it more and more difficult to determine what is real and what is not. It is no longer the Nigerian prince who is looking for someone to help him get his money back from the USA. Instead, they are using Amazon order tracking emails, gift certificates, or discounts/coupons from some of the largest retailers, and these emails look REAL!
The entire point is making the trick look like a treat. As a result, malicious actors entice you to click because curiosity gets the best of you. By conducting an inventory and “owning” your network, you can ensure that vulnerabilities are remediated or compensating controls are in place to deny the success of these attempts. Education is also key to preventing the success of these attacks. Teach your teams how to avoid clicking on links that they don’t know. Educate them on how to spot the difference between trusted emails and malicious ones.
Cyber Security: OWN IT
For some of our readers, this is old news. The unfortunate aspect of this is that we have been saying the same thing since before the Target breach. For instance, we still run into organizations that have no software inventory, have no idea what devices live in their network, and freely give full network access to 3rd party providers. These tried and true cyber security methods of preventing a successful attack in the network are ignored for many reasons.
We said this in previous blog posts and don’t want to beat a dead horse. One of the easiest ways to improve the security of your network is to take the time to know what you have. In conclusion, OWN IT and prepare to SECURE IT.