“Whatever you do, don’t fall asleep.”
“Be afraid. Be very afraid.”
Fans of scary movies might recognize these infamous lines. They suggest that something very, very bad is looming and that the protagonist of the story is in imminent danger. Typically, these lines are followed by an awful decision, resulting in an unnecessarily difficult and arduous escape.
Sometimes, running an information security program can feel a lot like being in the middle of a horror film. Turn down the lights, grab some popcorn, and queue the ominous music. Here are five of the scariest things a CISO (or infosec leader) could hear from their security or IT team—and what decisions you can make to avoid the quintessential difficult escape.
“I forgot to tell you that [insert employee] left a couple months ago. Now their shared login has unusual activity on it.”
You can’t manage what you don’t know you have. It’s one of the quintessential concerns we run into with organizations we provide security recommendations to. It’s critical for organizations and their CISO to have complete insight to their people, devices, and data so that they can accurately monitor and measure risk (or compromise). A situation like this proves to the security leader in the organization that 1) their visibility isn’t as high as it needs to be, and 2) that the process around employee transition leaves something to be desired.
A key component to information security is people. People are both our biggest weakness and strength when it comes to security, and it’s necessary to have controls in place to account for that. Things like password requirements, internet usage policies, and access management are types of administrative controls that organizations should evaluate and implement regularly. In this case, offboarding policies and practices aren’t as effective as they need to be. For the CISO, it’s important to be confident that once an employee leaves the organization that their access (particularly to internet-facing devices and platforms) is either transitioned or removed.
Logging and alerting
Logging and alerting are effective practices across numerous information security measures and are particularly important for incident detection and response. Logging allows us to understand what events are occurring in our environment, and alerting tells us about the potentially problematic events. To effectively do this, it’s important to have a segmented log server where all devices (domain controllers, firewalls, and switches at minimum) synchronize to the segmented server simultaneously. In doing so, we can quickly understand where the incident is coming from and ensure the attacker won’t be able to cover their tracks as easily. And, with automatic alerting, the CISO will be immediately notified if something is awry.
Don’t Share Credentials
Shared accounts are less secure. In an ideal situation, each employee who needs access to an account or software would have their own license and credentials. The more people who have access to an account, the harder it is for the CISO to keep tabs on and the more likely it is for error to occur. If there’s no need to share accounts, don’t.
“I tried logging in to [insert program] through the email link so I could download the file I was asked to, but it didn’t work.”
What seems obvious to a CISO and security professional is not always obvious to everyone else. The fact of the matter is, no one should ever be clicking links from emails they haven’t vetted first. Additionally, you should never log in to an account through an email link. It’s significantly safer to go directly to the site you need to access and log in there instead. Attackers are not afraid to mimic login screens with the hope that you’ll trust it enough to input your actual credentials. If employees are logging in to sites through email, it speaks to a lack of training, and potentially to a weak security culture at the organization.
Multifactor Authentication and Password Managers
Effective information security programs have a combination of technology, automation, and human intervention that fit their business model and mitigate risk best. We’ve already mentioned how people can both our biggest strength and our biggest weakness around security. In this case, social engineers target employees by implying trustworthiness. Multifactor authentication and online password managers are ways to take the human error out of situations like this. With multifactor, it would ensure that if anyone did try to log in using your credentials, they wouldn’t be able to without having access to your mobile device or email to complete the verification step of the login. With password managers, you save the credentials in an online program based on the URL. If an employee tried to login to a fake site, the password manager wouldn’t populate your credentials since it wouldn’t match the URL you have a login for.
Access controls should be implemented to some extent in every business. Essentially, your employees should only be given access to what they absolutely need. By granting an individual permission to access certain networks, files, computers, and software the person needs to do their job, we can ensure that the employee has permissions to do only the things they need to complete their job—nothing more. At least this way, if your employee is compromised in a similar manner, very limited systems will be affected, and we’ll easily be able to tell which those are.
Logging and Alerting
This will be a common theme for all incident-based issues. If we’re properly logging events in a segmented manner and getting alerted when those events look problematic, it’s significantly easier to contain a compromise quickly and fully.
“[Insert hardware] is failing.” or “The server failed.”
This can certainly be a panic-inducing moment in any CISO’s career. Even with effective measures in place to combat failures, we never like to hear that something is going down or has gone down. Whether protective measures failed, an employee mistake occurred, or faulty equipment was purchased, server and hardware failure usually disrupt the business. Downtime often impacts sales, daily employee functions, and typically reflects poorly on the IT/security department—the CISO in particular. Worst of all, if our employees are telling the security and IT team that something is failing, it means our monitoring is ineffective or nonexistent. Our CISO should be telling the company something is not working properly, not the other way around.
Logging and Alerting (Again)
Not to beat a dead horse, but putting effective logging and alerting practices in place is critical to catching this stuff before it becomes a major problem for the CISO and their team. Automated alerts will ensure that you know when a problem exists right away so that you can fix it before it makes its rounds through the office.
A Vetted Disaster Recovery Plan
Incident response and disaster recovery plans are necessary in our industry. Incidents happen to everyone. No one is immune to them. Knowing that, we need to be prepared for them. Do you currently know what to do if your server completely shut down for a few minutes? A few hours? A few days? We need to know who is going to be involved, know what activities each person will be responsible for, know what kinds of backups are needed (technology, physical locations), and understand who externally we might need to elicit for help to get us back up and running ASAP. Don’t wait until something happens, either. Prepare the plan preemptively, and consistently test it to make sure it works the way it needs to.
“Our network files are unavailable.”
This usually screams ransomware, which unfortunately isn’t going away any time soon. To this day, we still see a growing number of ransomware attempts. Schools, cities, and utilities are seeing a dramatic increase in these types of attacks. It’s not uncommon for attackers in ransomware incidents to lock down files, rename them, or remove them altogether. Obviously, someone telling you that you’re in the middle of a compromise is nerve-wracking. Depending on what measures your company takes to mitigate ransomware risk, a ransomware attack could cause an extreme halt to your organization.
This doesn’t prevent attacks, but it can help contain them. Segmented networks are large networks split into smaller ones. Effectively, the goal is to limit communication between certain devices, workstations, etc. If an attacker can get into to a network in your environment, but it’s segmented, they hopefully won’t be able to get far once they get in. This also helps with things like access control, logging, and alerting that we mentioned before. Segmented networks allow us to more easily monitor and log activity and events within each one and traffic can be both isolated and limited as well.
Remember working on a paper in grade school, forgetting to save, and having to re-type a ridiculous amount of thoughts? Afterwards, you probably saved your work more frequently. This is effectively the concept of a backup. Consistent backups allow you to revert your environment back to the way it was. If you’re in the middle of an incident, compromise, or breach, having a recent (and tested) backup will allow you to revert everything to where “you last left off.” One caveat: it’s important we don’t skimp on backup platforms. Many companies don’t include all important files and limit the number of times they run backups in order to save money. Any machine and file that is critical to business needs to be backed up on a consistent basis so that if you do experience an attack, you can wipe affected machines clean and restore them to their latest good version.
Another commonality among these concerns, access controls limit the number of incidents and the damage they cause. We already mentioned that employees should only get access to what they need in order to do their jobs. Taking that a step further, what do they need to be able to do with a file? Should they be allowed to edit, move, and rename, or is it okay for them to just be able to read it? This concept, called the principle of least privilege, gives the employee only those privileges that are essential to perform an intended function. By limiting privileges, we can ensure that our employees aren’t the ones messing with the files and that if anyone other than employees gains unauthorized access, it’s not likely they’ll be able to do much with the access.
“I think we have a problem.”
If you hear, “I think we have a problem” from one of your employees, you DEFINITELY have a problem. First and foremost, when you hear this, your brain is immediately going to go to the worst place possible. And that can be a very, very scary place depending on what your business does. Secondly, the key word here is “think.” If your employees can’t tell our CISO with certainty whether there is a problem or not, it’s far worse than whatever the incident is. In this scenario, you’re not only likely to have to deal with remedying the situation, but you’re also going to have to take a serious look at your internal processes and training.
Asset Inventory and Logging
To accurately plan for incidents and compromise, we need to be aware of every asset that exists within our environment. This includes hardware, software, and data. Knowing what exists is the first step to eliminating “I think” from your security alerting. Once we know everything in our environment, then we can figure out how to segment our networks, and set up logging and alerting accordingly. This will eliminate all confusion about if there is current compromise and where it’s coming from.
Processes and Procedures
The best way to avoid the terror of an incident or compromise is to plan for it ahead of time. Be proactive by putting together policies like we’ve already touched on. Access controls, administrative policies, network segmentation, and consistent backups with testing will all limit the amount of compromise your business faces in the first place. And when it does, rely on good procedures to make the process less of a panic. Create an incident response plan that defines roles, maps out communication, determines mitigation steps, and assigns post-incident responsibilities. By developing strong processes and procedures, you build a strong security culture that can handle any “scary” compromise that comes your way.
Sometimes, being a CISO or running an information security program can feel a lot like being in the middle of a horror film. But it doesn’t have to. Practices like logging and alerting, employee training, consistent backups, network segmentation, tested policies, and tested procedures can go a long way in making a downright disaster seem like a manageable escape. In this story, the good guys get away relatively unscathed.