This video features Kelly Hynes McDermott’s interview with Kyle Lai: a comprehensive discussion of the 10 best practices for cyberattack prevention.
10 Best Practices for Cyberattack Prevention
Kelly: So, Kyle, today we talk about the best practices for cyberattack prevention. We go through our list of ten, which are all really important. As we know, cyberattacks appear in the headline news every day. With the Russia-Ukraine war, cyberattacks surge! So, the White House issued a news brief last week to warn U.S. businesses about the malicious cyber activity. A lot of these infiltrations come from Russia; businesses really need to be on the lookout. One thing that you talk about is validating the Access Control for regular users on their computers: their system accounts, service accounts, and administrators. So, can you walk us through that? What does the validation process mean and why is it so important?
The White House Issues Multiple Warnings About Cyberattack Prevention
Kyle: The White House just put out another warning about all these best practices. We cover many here. They just released it – I think it was March 21st. Pretty affirming of the importance for us to implement all these best practices. We don’t want to implement this after the attack because – too late! We’ll talk about the validation of Access Controls for them. We want to make sure that regular users cannot access more resources than they need. They should have the access that’s appropriate for their roles.
1. Validate Access Controls
The regular user should only have access to do what they must do. That’s what we call “Least Privilege.” So, if you give them administrative access, for example, while they are doing their regular jobs, compromised accounts allow an attacker to use them to attack the network. So, if they are only doing their daily job, they should not be able to install software, for example.
When a hacker has the capability to install software, they can install malicious software on that account. They will use that account as well to compromise other network systems, because the hacker gains the ability to install viruses and malware. The compromised computer then attacks other systems as a launching point. It puts the environment at even more risk, with even more exposure.
Cyberattack Prevention: Human Error Causes 52% of Security Breaches
Kelly: That’s a really important point. Human error and system failure cause 52% of security breaches. You can see where the vulnerabilities are if they’re not putting these processes in place. This is a really important thing for all businesses to know about.
Kyle: When staff transfer to different roles, take appropriate action right away. When they leave employment for another organization, they don’t need to have access from their previous organization. Just take out that access. If a person transfers from accounting to customer service, they don’t need access to the accounting database anymore. When the user leaves the company, terminate their account, or disable it right away.
2. Conduct Vulnerability Assessments / Penetration Tests
Kelly: That’s right, that’s really good, that’s a really good tip. So, the second step in cyberattack prevention: performing a Vulnerability Assessment and Penetration Testing. I think the important thing here, Kyle, is that everyone has the potential to suffer a cyberattack. It doesn’t matter how large or small your company is; everybody is vulnerable. You look at the news a few weeks ago and saw Toyota in the headlines with a major data breach. It impacted the personal information of 3.1 million customers. So, it happens to large companies like Toyota. But they have very sophisticated IT systems and managers in place.
Both small and large businesses need periodic testing
Smaller businesses that don’t have those systems in place are equally vulnerable because they’re not paying attention. They don’t have those IT people in place to really put in the safeguards. Many small to mid-sized business owners don’t fully understand the impact that an attack could have on their company. 43% of cyberattacks target small to mid-sized companies. They’re vulnerable, and they know that they don’t have the watchdogs in place to keep track of malicious activity. Where does a small to mid-sized company begin to put together this Vulnerability Assessment and Penetration Testing? First of all, what is it, and how does a business go about putting that in place?
Difference between Vulnerability Assessment and Penetration Testing Explained
Kyle: Software, systems, you know, like Windows operating systems, for example, Adobe PDF Reader – they’re software. Software always has vulnerabilities. So, a Vulnerability Assessment helps remediate known vulnerabilities. Penetration Testing identifies “unknown vulnerabilities.” You don’t know what you don’t know, and that’s why you conduct Penetration Testing. Do this regularly, at least for the Vulnerability Assessment. You can do this using an automated tool. Many options like Nessus and Qualys are readily available.
Cyberattack Prevention: Free Tools Available
Some companies make free software available for use in your cyberattack prevention efforts, and there are other free resources too. But if you don’t know what you’re doing, you should hire an expert to do it for you. They can run it better and be able to analyze these vulnerabilities for you. But you want to make sure that if you have these vulnerabilities, you patch them within your environment. If you want Penetration Testing, hire an experienced Penetration Tester with an OSCP certification.
How often should you perform these tests?
Kelly: And you said to do this regularly, so in your book what is regularly? Is that once a month, is it once a quarter, or is it once a week? How often should companies be performing this Penetration Testing?
Kyle: For larger organizations, if you have an automated tool, you probably want to run this weekly. For smaller companies, you probably can do this monthly.
Kelly: All right, where would we go to get more information about companies that perform a Vulnerability Assessment and Penetration Testing?
Kyle: You can reach out to us; we can provide you with the information about Penetration Testing because that’s something that we do. For automated vulnerability testing, I think we can put it in with a link in this video. We’ll provide some resources over there.
3. Enhance Network Perimeter Security
Kelly: That’s great, thanks, that’s really helpful. So, another best practice for cyberattack prevention: “Enhance and Ensure Network Perimeter Security.” So, this is something like locking the doors and windows of your house, right? And you do everything you can to protect your home. You install a security monitoring system, you set up cameras around your mailbox, your house, and your doorways. When somebody breaks in, the police are notified, your security company is notified, and help gets sent. So, with many organizations that don’t have these security monitoring systems in place to protect their network, what would you recommend a business do to secure their network perimeter?
Firewall Rules Review
Kyle: When we talk about network perimeters, we mean the firewalls, their VPN, remote access, or something exposed, maybe their website and web applications. So, the company should take measures to close these open attack vectors, as we call them. Otherwise, that’s what the attackers are looking for. They look for ways to get into your environment. They look for ways to get in, hack your environment, and hack your system to steal information.
So, with cyberattack prevention, you have to make sure that you have the firewall rules reviewed, and understand why you have the firewall rules. Make sure that you have firewall rules for each of the open ports. Or if you have a protocol specifically for that application, use a web application firewall. For the network firewalls, I think it’s more common. A lot more people are aware of it and what it is.
Web Application Firewalls
With a web application firewall, you want to hire someone familiar with the technology, someone who understands protection for the firewall on the application, right. We can definitely help. But we just need to make sure to mitigate those exposures by using the appropriate technology. It can be a firewall application, a firewall, or an application API gateway.
APIs are very popular these days. You want to make sure that you have the proper controls to protect those APIs for cyberattack prevention as well. When we’re talking about remote access, let’s talk about email, for example. A lot of companies use Gmail or Office 365. You want to make sure to create long passwords. Make them difficult to guess. So, review your perimeters, the attack vectors, to make sure that the attackers can’t get into your environment easily.
Hybrid Work Models and Cyberattack Prevention
Kelly: And that’s really important. With this hybrid work model, you have remote workers, and you have some in-office workers too. Protect your employees on both fronts, both in the workplace and remotely. So, it’s critical to set up these networks and ensure that your perimeter security is really the best that it can be for today’s work environment. So, I think that’s a really good point and a great reminder for businesses.
Kyle: Right, and we definitely see many vulnerabilities: unknown vulnerabilities. So, conduct Penetration Testing at least once a year. You don’t know what you don’t know. Best that your Pen Tester finds it before a hacker finds it.
4. Enable Multi-Factor Authentication (MFA)
Kelly: [laughs] Exactly, exactly! This leads us to the next best practice for cyberattack prevention: “Enable Multi-Factor Authentication,” or MFA, for all users. So, that’s remote users, users in the workplace. Inform everybody with devices on the internet or cloud services about MFA. So, you know, today 63% of confirmed data breaches are because of weak, default, or stolen passwords. Enabling MFA prevents many of these breaches. So, Kyle, walk us through how MFA helps with cyberattack prevention, and tell us a little bit more about how a business owner would use MFA.
The 3 Factors of MFA: What You Have, What You Know, and What You Are
Kyle: Sure. Nowadays, as you said, hackers have stolen many of our credentials, IDs and passwords, during the past 10-15 years. So, the attackers have a database of billions of accounts that they can try out. So, for your organization, if your people use and reuse passwords, then you have a vulnerability. You are very vulnerable. How MFA works: (1) something that you have, (2) something that you know, and (3) something that you are.
You want to have at least two of these types of factors. If you have an ID and password, that is something you know. You want to have a combination with something that you have, maybe your phone number, right. So, you – I can send a text. You’re probably familiar with this. You receive a code sent to your phone because your phone is something that you have. Use a combination. Biometrics uses your fingerprints, your retinal scan, or your face – facial recognition – for cyberattack prevention. These are second factors as well. So, at least two factors. You can do more; some of you will go for up to three. If an attacker has your stolen ID and password, they cannot use them to get into your environment.
MFA Enhances Cyberattack Prevention When Passwords Are Stolen
If you have Office 365 and I have your ID and password, I’ll be able to get into your email, unless you use MFA. As you know, a lot of people are using email to reset their passwords. I can use your email to reset the password. And suddenly I’ll be able to get into many other systems. Email compromises can be devastating.
So, here’s a real example: one of our clients has Microsoft 365. They have email hosted by Microsoft 365, and they were in the process of putting in multi-factor authentication. But during this time a hacker compromised their account. The attacker set a rule to delete all emails after sending, so the end user never knew about the emails sent from his hacked account. We discovered the hacker sent hundreds of thousands of emails from his account. But he didn’t know because there was nothing in his sent mailbox. So, the attackers can get really creative. Once they compromise your email accounts without two-factor authentication, the results can be devastating.
Cyberattack Prevention Outweighs Convenience
Kelly: And you know, I think the important thing here too is that even though it does seem like an extra step that you have to look at your cell phone, get that code, and type it in, so you have to go that one extra step to ensure that this is secure, so that’s a little bit of an inconvenience. But when you think about the devastation that it could have if you don’t go through MFA on your accounts – your bank accounts, your data, your security – all of that is so compromised. I’d rather go through that one extra step and take the two extra seconds that it takes to type in a code using MFA. Because it really is such a great barrier against an attack, and it’s a simple thing to do and put in place to help with cyberattack prevention.
Kyle: Right, there are simpler ways for the company to do this because there are many different ways that you can use two-factor authentication. Companies definitely need to invest in multi-factor authentication technology for cyberattack prevention to ensure they are secure.
5. Validate Backup Functionality
Kelly: Right. So, speaking of ensuring that you’re secure, it’s also important to “Ensure That Your Data is Backed Up, Validated, and Tested” to be effective in this whole process of cyberattack prevention. So, you need to keep a copy offline. If you don’t have a solid backup solution, you may never recover from a cyber incident. So, it’s really critical to have your data backed up, validated, and tested. Can you talk to us a little bit about that, Kyle, and let us know how to ensure that your data is being backed up and tested?
Kyle: Absolutely. So, you want to make sure that you know your backup has been validated and tested regularly, because you don’t want to be at the last moment: oh, I really need to have this backup, and then suddenly it’s like – oh, where is this data? Because I thought we were backing it up, right.
A Painful Case Study of Backup Failure
So, we have seen this before. I mean, you know, in the earlier days when we were still using tape. My client was like: oh, no problem, we lost some data, we can always get this tape backup, right. He never replaced the tape. He assumed it had been backed up every night. But what we found out when we took out the tape, it’s like, wow, it’s a cleaning tape! He put in the wrong tape. It’s a cleaning tape; it cannot be a backup tape. It’s only meant to clean the machine. It’s not meant to do any backup. So, he had not replaced the tape. He had not checked the tape. So, the tape had been there for two months, so he lost two months of data, because the data had not been backed up. So, that’s a lesson learned.
Know the Location of Your Encryption Key
And we have seen that the backup was done okay – we have the backup, no problem. Now we want to restore it. But it’s like: oh, I don’t have the decryption key! This type of backup is encrypted, which is good. But it’s like – how do I decrypt it? I’ve never gone through the decryption, so I don’t know how to do it. So, at that moment when you need to have the backup restored, right, you need to decrypt the data to restore the data, to put it into the system where you want to restore it.
If you don’t have this process already laid out, and the procedure documented, something that you can follow, and some of the critical decryption keys, you have to know where they are, right? Test it regularly so you know all those keys that you have still work, stored offline just in case you are compromised with ransomware. It’s important for cyberattack prevention.
Ransomware Tries to Encrypt Your Data Backup Too
Ransomware – the first thing they do is look for all the files, right. If your online backup is “OneDrive,” or some other online drive, these connect to your computer. Ransomware destroys them too. So, you want to keep a copy offline as part of your cyberattack prevention efforts. Don’t think that, hey, I have the backup, it’s on my OneDrive, I can just restore it. Ransomware encrypts online backup, preventing you from restoring it. So, if you have an off-site, offline backup, that’ll be ideal. So, if you have a “write once” disk, you can only write to the drive one time, but you cannot delete it; that would be the best way to keep your backup.
Kelly: Very important that offline – storing a copy offline – is really critical. Especially when there was a 64 percent increase in cybercrimes in 2021, according to the FBI. These crimes continue to escalate. Store data offline so that you know that it’s protected regardless of what happens internally. So, that’s great advice.
6. Endpoint Detection and Response (EDR)
Kyle, there’s something called “Endpoint Detection and Response,” otherwise known as EDR. EDR is a very critical component of cyberattack prevention. We might have heard that terminology, EDR, tossed around before, but what is it and how does it work?
Kyle: Right, so EDR, endpoint detection and response, that’s software. So, it is … I would say the next-generation way of protecting against and detecting attacks, and cyberattack prevention. EDR helps your security staff to be able to respond quickly. So, in the old days, we only had antivirus software, which is good. We know this computer is being compromised. Let’s remove the virus or rebuild the computer and we are good with it.
EDR Evolved From Standalone Antivirus Solutions
Those days have passed. Nowadays the attackers are very sophisticated. They can try to bypass and try to attack one computer, then start attacking the other computers within your organization. So, security staff need to know: where does the attack come from? Where is the originating computer? And what tactic attacked the other computers within my organization? If one computer, a regular user’s computer, becomes compromised, how was it used as a launching point to attack my server? I want to know all the paths. So, EDR is the tool that will be able to show you what the attack map is, for example, right.
Cyberattack Prevention: EDR Shows Cyberattack Vectors
So, for me or for somebody on security staff, they will be able to very clearly see this is the originating computer that’s been attacked first, and what are the tactics that are used by the attacker to traverse to my other computers or the servers. So, I will be able to apply the correct remediation, to determine if they really got into my server or database, right, or are they just poking around. Right, so I will be able to have that knowledge, that intelligence, and do the right remediation. What kind of attack methods, and how do I block them?
EDR Simplifies Port Management
So, for example, if they’re using a very specific port, I might just say, okay, this is the port they use – block it. Right, so there will be no more attacks against this environment. Identify the original computer launching the attack. Be able to identify: how do they come in, how does the attack come in? What kind of payloads do they use, for example; be able to say – all right, so this is how they work. Apply the right measure for cyberattack prevention. Maybe onto my firewall, to my web application firewall, and/or, these are the different applications that are coming in; let’s block this type of malware application. So, there are many things that we’ll be able to do with the right information, and that’s what the EDR will do, you know.
Cyberattack Prevention Analogy: EDR Is Similar to an Oncologist’s Medical Evaluation
Kelly: So, that’s really interesting. I liken it to, almost like an oncologist, you know, so this is sort of cybersecurity hygiene and health. An oncologist, you know, if you have cancer, a virus, or something in your system, really figures out where it started, what other parts it’s infected, and how to then eradicate that. So, you know, I liken this to almost like a surgeon going in to make sure that you have detected where it started, where it’s gone, and how you can get rid of it to prevent it from coming back again and to stop it in its tracks. So, this EDR is really a critical component here.
New EDR Requirements in Federal Government Systems
Kyle: And for example, the Federal government. So, if you take a look at Biden’s Executive Order 14028, which is the executive order to strengthen or enhance the nation’s cybersecurity. So, within that executive order there’s this EDR; the executive order says that all the Federal systems must have EDR, and that’s why. Because it will be very difficult if you don’t have an EDR to help you identify the incident, right. How does the attack come in? And they want to have a Federal government-wide EDR to help them solve this problem.
7. Verify Security Patching
Kelly: Yeah, it’s a great piece of advice and one to be taken seriously. So, the other thing that is important in cyberattack prevention is to “Ensure that All Systems, Hardware, Software, and Network Devices Have Applied the Latest Patches,” and you’ve talked earlier, Kyle, about the importance of patching and keeping up with it, and then testing it to make sure it’s working and all that. When you look at some of the histories of how these bad actors have been able to get into system networks and devices, it’s really pretty incredible. This is one of the things that we really just need to be vigilant about because it happens to some of the biggest companies.
Cyberattack Prevention: Yahoo’s Infamous 2013 Breach
We read about it all the time. In fact, one of the biggest cyberattacks of all time, as you might recall, happened to Yahoo in August of 2013, when three billion accounts were hacked. At the time, that was 2013. It was a while ago. But even then, people weren’t taking a lot of this cybersecurity protection seriously enough, even these big giants like Yahoo or Toyota. Couple that with the fact that these bad actors have gotten even more sophisticated, as you mentioned a couple of minutes ago, on how to infiltrate systems. Please talk to us a little bit about the importance of making sure that your systems are patched, that you’re changing passwords across your networks, and that we can really protect our credentials from these bad actors. Tell us a little bit more about that.
Criminals Stymie Cyberattack Prevention Because Old Vulnerabilities Remain Unfixed
Kyle: Sure, absolutely. CISA – they provided the report about the top 10, top 20 vulnerabilities, right. I have read the 2020 report. It indicated that six or seven out of the top ten vulnerabilities were published before 2019. So, you can see that attackers know what is the most effective. Their effectiveness is that there are some known vulnerabilities, we know how to attack them, and we know some people are not patching. So, why waste time creating all these new attacks going against the new vulnerabilities, when we know, hey, these are old vulnerabilities, it’s very easy to get in, they’re very effective, we are going to go after these. And, you know, so these are the most common attack vectors for the attackers, cyberattackers, right.
So, since we know they are going after these common vulnerabilities, we should just make sure I’m focusing on – just have the enhanced cyber hygiene for cyberattack prevention. Make sure that you patch these known vulnerabilities. If you apply the patches to the known vulnerabilities, I think you can block a lot of the attacks that are coming these days.
Scheduled Patch Management
Microsoft, they do the monthly Patch Tuesday. They will release a bunch of, you know, like tens or maybe sometimes hundreds of vulnerabilities, all in one shot. It’s like, here are the vulnerabilities, apply these patches. But you want to make sure that you don’t just deal with Microsoft, because there are other vendors that you have; you know, you might have Cisco firewalls.
For the firewalls, or different firewalls, you want to apply them to firmware as well. Right, you want to have applied the software; for example, if you have Adobe or Oracle, or some of this software, they do have vulnerabilities, right. So, you want to check and make sure that if there are new vulnerabilities published by them, if there are new patches published by them, you want to apply these patches and make sure that you stay secure. Using this in combination with a Vulnerability Scan, I think, will help you to identify the missing patches and the applied patches.
Emergency Patch Management
Just a note: some of these companies will have – what they call out-of-band patches, emergency patches. If they found – hey, there are attackers taking advantage of this vulnerability – it might be out of sync with the regular Patch Tuesday. You know, for the Microsoft Patch Tuesday cycle, right, well, their Patch Tuesday cycle might be two weeks away. But when an attack is happening right now, Microsoft releases the emergency patch outside this regular cycle, and if they do that, you know it’s important, it’s critical. Right, because otherwise, they will not do this. You want to apply this patch to your environments right away, to your systems, your software, and hardware right away. You know, if you have a regular patch management process, right, it’s important for you to define what your patch management process is.
Regular patch management process: document it so you know what to do. Also, you want to have an emergency patch management process: if somebody like Microsoft issued this today, when do you want to apply this patch? You can do some quick tests and apply it – apply this patch to your system, right. So, as soon as possible; you want to make sure you are flexible and adaptable these days. Just to make sure that you have the patch applied as soon as possible.
8. Cyberattack Prevention: Provide Cybersecurity Awareness Training
Kelly: And that leads me to my next point, which is yes, we have to be aware and we need to pay attention to these emergency patches and what’s coming out for patches and be very up-to-date, but that’s part of a really big part of the equation. Another part of the equation about cyberattack prevention is to make sure that we are “Training Our Staff,” right, to be on the lookout for these things, and that they’re also doing it. So, CISA recently – the Cybersecurity and Infrastructure Security Agency – issued a “Shields Up” warning to all U.S. organizations, big and small, to be prepared. It’s not just business owners, but it’s also the people that are working – all the employees. Everybody really needs to be aware of these disruptive cyber incidents because of the Russia-Ukraine war.
54% of Small to Mid-Sized Businesses Lack a Cyberattack Prevention Plan
And I was really surprised, Kyle, to learn that 54% of small to mid-sized businesses don’t have a plan in place to actively protect against a cyberattack. Yet companies’ staff know about the attacks; the malicious actors that are coming in are happening all the time. They’re on the front lines of defense against these attacks, like phishing and email attacks. So, what does a company do to help remind their staff and keep everybody on board with these latest patches and attacks? Can you tell us more about how business owners can go ahead and be more proactive in this fight against cyberattacks?
Build a Cybersecurity Program to Enhance Cyberattack Prevention
Kyle: Right, so it’s important to build a cybersecurity program. So, make sure that, you know, there are proper roles and responsibilities defined, right, for these cybersecurity programs, so they can make sure that everybody knows their responsibilities. You know, regular users, what they have to do, and what IT has to do if they see some attacks: security, HR, legal. What do they have to do when something like this happens? You need a plan documented, some policies and procedures documented. But it’s not good enough if nobody knows what the policies and procedures are, right. So, that’s why you have to train the users, train administrators, and different groups of people in their different roles, to let them understand what they have to do in the event of a cyberattack.
A Phishing Attack Example
I’m just using phishing as an attack vector example. We know we are using anti-phishing software, right, to identify phishing emails. We want to block as much as possible. In the end, if there is an email that bypasses the anti-phishing tool, and they still send a phishing email to your mailbox – because attackers are pretty creative these days, they’ll find a way to bypass these tools – so, if you receive a phishing email, what would you do? Right, so here is the training that you have to remind users about. You want to do more than just once-a-year type of training.
You want to remind them, you know, hey, maybe during COVID you probably want to say COVID is here and there are going to be a lot of phishing attacks, phishing emails related to COVID, so be careful, right. Say something about the Ukraine-Russia war; there might be some emails that are related to this topic because it’s a hot topic. Be careful, right. Don’t click on anything that’s sending out the Apple discounts, right: 80% discount for buying Apple products. People are pretty tempted to click on those emails because we wouldn’t want to pass up those good deals, right? So, that’s what gets people. Consistently remind people about the topic of phishing. Make more training resources available. Simulate tests – to see if people clicked on those phishing emails.
Voice Phishing, Smishing, and Deepfakes
But nowadays there are also voice hackers – they’ll call you and try to get your information. That’s “vishing,” or voice phishing. And there’s SMS, so they call them “smishing.” They’ll send you an SMS text and just try to get the information, right. Try to ask you to respond. What we see during the Ukraine war is “deepfake.” It’s something that’s real now, right. So, someone used that. Someone made a fake video of the president of Ukraine declaring that they have surrendered; everybody’s instructed to give up their arms. That’s happening now.
Deepfake is being used as a weapon. I know there is just more and more information – misinformation – coming in. So, I want to let people know that deepfake is now used as a weapon. And if something sounds a little bit off from your expectation, don’t believe the email. Just try to check out the sources.
Cyberattack Prevention: Hackers Feast on Compassionate, Good People
Kelly: That’s right, good advice, and you know there are also those emails going out to contribute to the Ukraine cause, and, you know, here’s a charity to help support, click on this link. So, there are a lot of ways to pull at people’s heartstrings. They prey on people’s compassion and people’s vulnerabilities. I think that the key that you’re talking about here is that there are always going to be more sophisticated methods for the bad guys to get in, right. So, we just need to keep ourselves aware and educated and trained. Because it’s hard to keep up sometimes, and so there’s information out there that we need to be aware of that could be really helpful in keeping us all more secure.
Cyberattack Prevention: DoD, FBI, and CISA Offer Free Training
Kyle: And there are free training sites. We can put a link to associate with this video here, but the DoD (the Department of Defense), and also the FBI and CISA, all have some free training materials. But if you want something that's more role-based training, which is required by some of the regulations, just contact us; there are some pretty inexpensive options.
9. Segment and Patch IoT, OT, and Test Equipment
Kelly: Great. Another of the 10 best practices for cyberattack prevention is to segment and patch IoT, OT, and test equipment. Many small to mid-size businesses really don't have a full understanding of the data that's being transmitted and received. There's an increasing amount of test equipment on your network. So what is the best way to manage these different types of equipment?
Kyle: IoT is the Internet of Things. The Internet of Things within your environment is growing. For example, your TVs, right? You might be connecting them to the wi-fi because you want to stream some content.
Or you have OT machines. If you are a manufacturer, for example, you will have OT machines: your CNC machines used for producing parts, right? Or there is some equipment there for managing the machines that produce parts. So that's all considered IoT: the operational technologies and test equipment. It could be an oscilloscope, or in manufacturing, testing the weights, testing the loads, right? Those are the test equipment. These are the machines, basically the equipment, that I want to segregate, because these might be your important machines. They're for production, right? You don't want somebody's email to be compromised and then start attacking these production systems.
Create a virtual LAN (VLAN)
For cyberattack prevention, you want to separate them into a different virtual LAN, or VLAN, or just block them off with a firewall. Truly segregate the network. Prevent a compromise of one network from impacting others. Nowadays, for an example of IoT, if you have a Samsung TV, the TV will connect back to Samsung; if you're on the internet, it's communicating with a Samsung network, right? So just in case, hypothetically, Samsung got compromised, your TV might become compromised.
You don't want something from Samsung or their vendors attacking your network through your TV, because that's very likely these days. If that happens and you've segregated your IoT into a separate network, the impact is only on that IoT network. It's not going to attack the other networks, you know, right away. That's why we want to segregate and make sure we have control of this special equipment.
Cyberattack prevention: Segmentation promotes containment
Kelly: I see. That's really important, even, as you say, for a homeowner with your Samsung TV, or the smart refrigerators we have now, or the security cameras around our houses. All of these things. It's really important to segregate those pieces so that they can't infiltrate and get to our passwords and other personal data that we have stored on those.
Kyle: And nowadays, with wi-fi, you have the capability to have a guest network alongside your real network. For home users, if you have your TV, toasters, coffee makers, whatever, those are all considered IoT. Your Amazon Echo, or some of these smart assistant devices, are all considered Internet of Things, IoT. Put them into your guest wi-fi. If there are attacks, only that section is compromised. It's not going to hit your internal computers, for example.
10. Incident Response Plan Development and Testing
Kelly: That's great advice. So we talked a little bit earlier, Kyle, about the Incident Response Plan (IRP). We talked about how you really need to have a plan in place for cyberattack prevention. You need to make sure that your staff knows about it and your key stakeholders know about incident response, should you be attacked or should there be some sort of cybercrime committed. So tell us a little bit about the IRP, if you will, and what are the most effective ways to implement this plan?
Kyle: It's better to have an Incident Response Plan (IRP) in place before the incident, because the incident is going to be very stressful already. But if you don't have a plan when the incident occurs, it's going to be even more stressful, because people are going to be running around like chickens with their heads cut off. Nobody is going to understand what their roles should be in the event of an incident. And when the incident comes, it's like: so, what do we do? Who do we have to call? Who do we have to talk to?
Large companies procrastinate IRP too
You see some companies that haven't prepared for an incident: you hear there's a big incident, but they don't talk to anyone. If they don't really have, say, a gag order from the FBI, that means they don't really have a true Incident Response Plan. It could be two months later that they reveal, "We had an incident." But it's like two months later. Some of these are big companies. Big companies likely have some cascading effects because they're part of the supply chain, right? So you can see that some companies just don't have a good Incident Response Plan. But you want to establish an Incident Response Plan. When there are security events, you want to identify them.
Detect, contain, remediate, and communicate
You want to be able to detect what's going on and be able to respond: remediate it and contain it. Contain it means, like, if one system got compromised, let's get it offline, or do something so it's not going to start attacking other computers. That's containment, right? Once we contain it, then let's do remediation: identify how we fix this so it doesn't happen again. Then you can do recovery: okay, what did we lose? Let's do the recovery and do a "Lessons Learned." Say, okay, this is something that happened; let's update our policies and procedures to make sure this doesn't happen again.
Build this type of mindset into your Incident Response Plan so you can prepare yourself for an incident like this, and put it in place as an important component of cyberattack prevention.
KLC Consulting does IRP
Kelly: How does a company put that in place? Would they go to KLC Consulting to have KLC put that plan in place for them? Because I would imagine that this is very comprehensive, to put all the pieces in place and do it right so that you're really prepared. You gain confidence knowing that, should something happen, you have something like an insurance policy. What do you recommend a company does?
Implementing an Incident Response Plan as part of cyberattack prevention
Kyle: Develop policies, procedures, and an Incident Response Plan. Templates exist that people can download from different sources. But people often don't have the experience to handle an incident. At KLC we have dealt with several incidents in the past, so we have the experience to build the Incident Response Plan based on the size of the company, the structure of the company, and the regulations. You want an Incident Response Plan that matches your industry and your regulatory requirements as well. So it is going to be important to have somebody that has experience dealing with incidents and is able to put together an Incident Response Plan that matches your staffing and your geographical location as well, if something happens.
Who will you call?
You have to know who to call, and we'll be able to say if you need to call your local FBI office, the regional FBI office. You need to know these offices, the ones we have to file with. And if there are some vendors, you want to check the vendor list: who do you have to call to notify the vendors, your supply chain, or your customers? All of these have to be planned out.
New government reporting requirements
Your customers might be Government, right? Who do you have to call to notify? And the Government just passed a new law. We know it's going to be finalized soon, but if there is an incident and you're a government contractor, you have to notify the government within 72 hours of discovery. The DoD already has enforcement, and DHS and the TSA (Transportation Security Agency) require you to report within 12 hours of the incident if you are a pipeline company; that's a result of the Colonial Pipeline incident.
Kelly: So that Incident Response Plan is not only a "nice to have"; it's soon to become a requirement, a must-have.
Test your IRP with Tabletop Exercises
Kyle: Oh, absolutely. Test it as well. We always recommend a tabletop exercise. Have all the key stakeholders sit in the same room, virtually or physically, on the same call or in the same room, to do a simulation of an incident. Simulate a ransomware attack at, say, 7:05 am: two people got attacked, and they don't know what's going on. Someone calls IT and reports that their screen has a message saying the screen has been locked and the files are being encrypted. What do we do?
Tabletop Exercise Overview
Here we go: start with IT. IT, what will you do? Then IT might say, "We'll contact our Security Group." Next, Security Group, what do you do? We go through this exercise. On to the CEO; the CEO needs to be there. All right, the CEO got the call; what must the CEO do? Is the CEO only to be informed? The Security Group will contact the Communications person, the public PR person, the Communications Group, to prep them with the message about what you say to the public.
Tabletop Exercise Coordinator
So it's a really coordinated process to do this exercise. There's going to be somebody that coordinates the exercise, somebody like us [KLC] externally, or somebody from inside who is able to do the coordinating. They document all the events that went well and the things that did not go well. If somebody doesn't know what the process is, or some of those procedures seem confusing, then we'll update those procedures. Make sure everything is simple and clear for everyone.
Need for “Out of Band” communication channels
There's another thing that's important: communication. In the event of an incident, you don't know what systems are compromised. If we use Zoom for communications, the bad guys might be listening. So you cannot even use Zoom or the phone system within your environment, because you don't know if they are listening.
KLC uses and recommends the Signal App
If there's a big compromise, the bad guys will try to hear what you're going to do, right? Use "Out of Band" communications, something like the Signal app. It's encrypted, you can use voice or video, and you can also share files. It's a secure communication channel outside the normal channels. You might use some other communication methods to enable Out of Band communication. The bad guys will try to tap into your communications, so that's going to be important.
Kelly: Kyle, that is really great advice. So I'm going to put you on the spot here: I'm curious whether you can think of a company in recent history that had a cyber-attack and was a good example of having this Incident Response Plan in place, an IRP where they handled it well?
Who does IRP well?
Kyle: Amazon. They have AWS, and AWS is a cloud service provider. They have had some incidents before, or some server crashes. [I should say] their cloud services crashed and some services went offline. I would say they've been there and done it right, and there were some incidents. You don't know what kind of incidents they have, but they do very well in communications to let everybody know. They put it on their website and say: "This is what happened, at this time, on this day, and this is most likely what happened."
AWS communicates progress well
AWS lets everybody know. They give a time estimate, and if they are working on something, they will let you know. AWS goes through a clearance process to determine if this is a small incident or whether somebody just messed up. They announce, for example, recovery in 20 minutes. Perhaps it's more like a regional outage: a misapplied patch that took the Eastern Region offline. "We expect this incident will take us X amount of time to fix." They identify that "this could be the problem." This is like a discovery. AWS is good about letting everybody know.
I know these are a little bit different from confidentiality breaches, but people have to know: is this a security breach, or is this an availability problem, like somebody just applied a patch and it took them down? So it's going to be important for people who use AWS. Outages impact revenue. So I would say AWS lets people know what is going on. AWS keeps people informed as they work through the problem. They provide updates and say: "This is an issue we're working on."
And AWS publishes “Lessons Learned”
They've been through this many times already. Once they bring everything online, they release a "Lessons Learned" document. It's like, hey, this is a "Post Incident Message" to let everybody know: this is what happened, this is what we did, and this is how we intend to prevent it from happening next time. AWS is a good example.
They followed the identification of the problem and containment, and said, "This is the problem, we contained it, and then we started the remediation. We started working on the remediation." And if data was lost during the incident, they get the data back to their customers. Then they follow through and do the post-incident communication, internally but also to their customers, to let them know.
The Federal government takes a keen interest in companies like AWS
The Government is always interested in what's going on, so they will do the reporting to the right agencies if there's a security incident. So I will say AWS does a pretty good job. I know the large companies have a lot more resources, but small companies can, and should, also follow the same procedure: the Incident Response Plan.
Kelly: Right, that's a great example. I think they're a company that's not too big to fail, right? I mean, they're a large company; they have all these resources available to them, and yet even they are vulnerable too. I think the important point you're making is that they follow this plan, with the containment, the eradication, the recovery, and then the post-incident response. It's reassuring to their stakeholders that they were completely transparent about what happened. They took the steps and they communicated those steps, and that is reassuring, because, as we said earlier, everybody is vulnerable to an attack. They're being very proactive about handling it in the right way, and putting this IRP in place is really the key. So that's a great example.
Cyberattack Prevention Discussion Wrapup
So, you know, just to wrap here, Kyle: cybersecurity, it's everywhere. It's really just one of these things that we're confronted with every single day. I read recently that Microsoft launched a cybersecurity "Skilling Program" to help develop cybersecurity talent in schools, colleges, non-profits, and businesses, because they know that cybersecurity is such a fertile ground for talent: to grow talent and to attract people to the cybersecurity space. In fact, they predicted that in 2025, 3.5 million cybersecurity jobs are going to open.
Microsoft’s “Skilling” Program
So there is a huge opportunity in this space for us not only to learn and implement these best practices but also to work in the cybersecurity space, because it is such an important part of our world today and it can't be overlooked. I wanted to share that as well. It's definitely important, there's definitely a very big shortage, and we definitely see more people learning about cybersecurity. It will be a nice program for Microsoft and the other large companies to encourage people and help people get into this industry, because it's an industry that needs a lot of help. So, Kyle, don't quit your day job yet, okay? [laughter] Just keep on going. We need you!
Kelly: Don’t quit your day job, Kyle! 🙂
Kelly: All right, thank you so much, Kyle. It was a pleasure talking to you today about the "Best Practices to Prevent a Cyber-Attack," and we will keep the discussion going. There's a lot to learn, as you said. There are new things, new attacks, and new patches and advice coming out daily. I'm really excited to be here with you today and to share some of these tips with our listeners, and we will keep this going!
Kyle: Right. Hey, thank you so much, Kelly!
Kelly: Thank you, thanks Kyle.
Check out our Prevent Cyberattacks consulting service
Check out our YouTube channel and LinkedIn pages for the latest information and education resources for Cybersecurity Maturity Model Certification.
Please visit our main page for more information about our NIST 800-171 and CMMC compliance services