Author’s Note: Apologies for the absence of articles. I am currently deployed for Uncle Sam. I remain committed to supporting information technology and information security professionals, as well as cybersecurity resilience for all individuals and businesses.
The benefit of Colonial Pipeline’s ransomware attack was the return of national attention to a prevalent, ongoing danger of cyber-attacks that consistently threaten every aspect of infrastructure in the United States. As repeatedly reported by major news outlets this week, ransomware is the new “terrorism” according to the FBI, because it leverages victim fear and economic interests for profit while threatening critical infrastructure.
Unfortunately, there is no guidebook for seasoned executives without cybersecurity backgrounds on how to prevent cyber incidents, vet and hire cybersecurity professionals or vendors, or even identify who or what is needed. Often, a client will believe that it/he/she is in capable hands because it retained an “IT” vendor that fixes printers, installs Microsoft products, or creates new user accounts.
However, information technology administration vendors are not cybersecurity professionals. And, it’s unlikely that human resources or the marketing department know or can accurately describe the necessary cybersecurity role in job postings.
Below is a list of important terms to understand, what to ask potential vendors and interviewees, and those items designated with an “***” are bare minimum needs for any business.
1. Important Terms:
· ***CISO: Short for “Chief Information Security Officer.” This individual often works with a Chief Information Officer (CIO) and is responsible for establishing security strategy and ensuring all data assets are protected. These individuals juggle regulatory compliance against risk management, while keeping up with technology developments. This is the smartest person in the room and should work alongside the Chief Finance Officer, Chief Operations Officer, and Chief Legal Officer, and be paid accordingly. If the CISO is not paid, treated, and performing like any other top-tier member of your organization, reevaluate the situation immediately. ***If a CISO cannot be obtained in-house, a business must retain the services of a qualified MSSP to protect itself, acting as a virtual CISO.
· MSP/MSSP: While MSPs and MSSPs used to be distinct and separate, the terms are slowly fusing together per market demands. MSP stands for “Managed Service Provider.” MSSP stands for “Managed Security Service Provider.” The difference between MSPs and MSSPs is that the former focus on IT administration, while MSSPs focus on cybersecurity and (usually) administration as well. MSSPs are responsible for ensuring that a client’s networks, and the data contained therein, are accessible only by those authorized to access them, while remaining compliant with applicable regulations like HIPAA and PCI-DSS. MSPs ensure only that systems and networks function as desired by the client.
· ***SIEM: This acronym stands for “Security Information and Event Management,” which is a set of tools that log events by consolidating data from multiple sources. The SIEM also analyzes the data it collects and generates alerts to improve incident response processes. It detects security incidents as they develop or occur and alerts the appropriate personnel. For entities with audit requirements, a SIEM provides evidence that processes are operating as intended for compliance purposes. A SIEM can also serve an essential forensic function following incidents of cyber-crime.
· Zero-Trust: According to Palo Alto Networks, Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization’s network architecture. In other words, a network never assumes that another network, user, or application attempting to access its data is who it claims to be, even if it recognizes it as a previously trusted or authenticated source. It’s like requiring your in-laws to produce identification before allowing them into your home for a visit. This approach prevents the “big bad wolf” wearing Little Red Riding Hood’s cloak from fooling you by merely knocking on the door.
· Administrative Credentials/Accounts: These are computer or network user accounts that can perform system and security related functions that ordinary users are not authorized to perform, such as downloading software, patching software, removing applications, and/or executing processes that can affect an individual user or a fleet of users on a network. These privileges are akin to playing God, and cyber criminals actively seek to compromise administrator accounts because of the data access they grant and the ability to inflict the most damage.
***Administrative Credentials/Accounts should be extremely limited in any business; 95% of network users should be limited to “user accounts.” Ideally, “user accounts” may only run the applications permitted by the administrators and subject to the content filtering and SIEM logging imposed by the administrators.***
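As an added illustration (not part of the original article), the following Python script applies the two points above: it checks an account inventory against the 95% user-account rule and scans SIEM-style log lines for privileged actions performed by ordinary or unknown accounts. The account list, the log line format, and the action names are assumptions constructed for this example.

```python
# Added example (not from the original article): a small SIEM-style check for
# the article's two admin-account rules: at most 5% of accounts hold admin
# rights, and privileged actions by ordinary accounts raise an alert.
# The account list and log lines below are constructed for illustration.
import re
from collections import Counter

# Constructed inventory: account name -> role ("admin" or "user").
ACCOUNTS = {"alice": "admin", "bob": "user", "carol": "user", "dave": "user",
            "erin": "user", "frank": "user", "grace": "user", "heidi": "user",
            "ivan": "user", "judy": "admin"}

# Actions the article reserves for administrators.
PRIVILEGED_ACTIONS = {"install_software", "patch_software", "remove_application"}

# Constructed log lines: "timestamp host account action".
SAMPLE_LOGS = """\
2021-05-17T09:01:05Z ws-12 alice install_software
2021-05-17T09:03:44Z ws-07 bob open_document
2021-05-17T09:10:21Z ws-07 bob install_software
2021-05-17T09:15:02Z ws-30 mallory patch_software
2021-05-17T09:20:59Z ws-12 judy remove_application
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def admin_ratio_ok(accounts, max_admin_fraction=0.05):
    """Return (ok, admin_fraction) for the article's 95% user-account rule."""
    fraction = Counter(accounts.values())["admin"] / len(accounts)
    return fraction <= max_admin_fraction, fraction

def find_privilege_alerts(log_text, accounts):
    """Return alert strings for privileged actions by non-admin or unknown accounts."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than stop the pipeline
        ts, host, user, action = m.groups()
        if action not in PRIVILEGED_ACTIONS or accounts.get(user) == "admin":
            continue
        reason = "unknown account" if user not in accounts else "non-admin account"
        alerts.append(f"{ts} {host}: {user} ran {action} ({reason})")
    return alerts

if __name__ == "__main__":
    ok, frac = admin_ratio_ok(ACCOUNTS)
    print(f"admin share {frac:.0%} -> {'OK' if ok else 'TOO MANY ADMINS'}")
    for alert in find_privilege_alerts(SAMPLE_LOGS, ACCOUNTS):
        print("ALERT:", alert)
```

With the constructed inventory, two of ten accounts are administrators (20%), so the ratio check fails, and the log scan flags bob (an ordinary account) and mallory (not in the inventory at all).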
· ***Firewall: A firewall is a security device that monitors incoming and outgoing network traffic and stops malicious activity based on a set of pre-programmed rules. As its name suggests, it creates a virtual barrier between the internet and the network that blocks suspicious I.P. addresses often linked to malware, hostile nations, or known hacking groups.
· VPN: Standing for “Virtual Private Network,” a VPN disguises your I.P. address online to prevent anyone from tracking online activity. By preventing unknown individuals from tracking online activity, the internet user enjoys greater security, privacy, and, usually, encryption of data in transit while using the internet. ***Required for all remote workers logging into a network from unknown locations and Wi-Fi sources.***
· Malware: A short term for “malicious software” that is designed to damage a computer, steal data, and/or perform other functions advantageous to cyber-criminals.
· ***Endpoint Detection and Response Software (EDR): An advancement from the old days of anti-virus software, this is software that combines continuous, real-time monitoring, collection, and analysis of endpoint (individual computer) data with automated responses based upon the alerts/threat patterns detected. Not all EDR programs are created equal; some include alerts back to live individuals at security operations centers, forensic analysis tools, and advanced logging and network isolation functions.
· Network Domain: A collection of user IDs, workstations (laptops, computers), printers, servers, or other internet-connected devices that share access to data at the same or varying levels. The domain manages all basic functions for the shared resources of the network and the levels of access for the individual user accounts.
· Penetration Testing: A simulated cyber-attack to test the existence, performance, or functionality of cybersecurity measures on a network, application, or device. The test may be performed through software or by a Certified Ethical Hacker® and often highlights where the weakness or access point was/is within the tested entity.
· ***Multi-Factor Authentication: An authentication system that requires more than one distinct authentication factor for successful authentication, such as a password plus a code received via a text message sent to a telephone number on record as belonging to the original user.
· ***Incident Response Plan: Addressing issues like cybercrime, data loss, and service outages that threaten daily work, these plans outline an organization’s procedures, steps, and responsibilities following the discovery of an unexpected event. Plans include the following minimum details: 1) VIPs to alert and in which order; 2) Triage of activities; 3) Risk management techniques; 4) Data preservation; 5) Legal compliance.
2. What to Ask Vendors/Interviewees:
· Credential List: Most reputable companies require their professionals to possess or obtain demonstrable certifications from private courses. Examples of such certifications include the following: CISSP, CompTIA certifications, Microsoft Azure certifications, Certified Ethical Hacker (CEH), GIAC Cloud Security Essentials (GCLD), AWS Certified Advanced Networking, etc. These credentials usually require renewal every few years.
Depending on the need, be cautious of vendors that cannot produce credential lists and merely act as software “resellers.”
· References/Other Clients: Ask the vendor for a list of his/her/its other clients to verify satisfaction. If the vendor is discreet, these clients should not be listed on his/her/its public-facing website, to avoid their being targeted following a disclosed vulnerability. Once a reference or client list is obtained, search for those entities to check for reports of data breaches or cyber-attacks.
· Website: MSP/MSSPs are a booming business, especially low-quality MSP/MSSPs. And with the limited pool of qualified workers, many vendors only provide telework helpdesks and discount software services. Therefore, review the vendor’s website and the copyright date at the bottom. Also, look for a physical address and state of incorporation (within the U.S.A.) to determine if the MSP/MSSP is actually a domestic entity. Most states (not Texas) provide free access to their domestic records on corporations, limited liability companies, and partnerships that will show the date of formal incorporation, principal place of business, domiciliary address, and the name of an agent/representative.
· Cloud Based Solutions: Certain vendors may seek the ability to install applications and executable files on the customer’s servers and endpoints. While this is an acceptable practice for EDR software, it is generally preferred that other applications be “cloud-based.”
A cloud-based solution is an application, storage solution, network, firewall, virtual server, or other program that is accessed through the internet and hosted on another, third-party’s cloud framework. There are both financial and security benefits to cloud-based solutions.
From a security perspective, there is less to maintain, and exploitable vulnerabilities are more easily contained by users. Following the discovery and patching of a vulnerability, credentials and passwords can be changed to remediate the problem. However, vulnerabilities in installed programs create exponentially more havoc depending on access to administrative credentials and data availability. Furthermore, the recovery process may require reimaging the machine, scrubbing the existing network and domain, and significant downtime for impacted users. Financially, cloud-based programs are less expensive because they permit users to pay for what is utilized – either in tiered or cafeteria-styled models.
· Recommended v. Reseller Products: Many vendors in the IT and/or cybersecurity field are authorized resellers of certain products and software. This means that they promote products in exchange for a small commission and discounted rates for their customers. Those with integrity will not act as resellers for products that are garbage or unproven, as such vendors guard their insurance premiums and reputation. Inexperienced MSP/MSSPs, on the other hand, can be unwise. Therefore, do independent research on the products recommended by vendors, ask the vendor if he/she/it is an authorized reseller of said product, and compare the product reviews. Would you let the car dealer select your car for you? Probably not…