5 Things to Learn from Recent Cybersecurity Attacks


Imagine that you live in a complex of high-end condominiums with high-end services.  The management office in your building keeps a master key that unlocks every condominium, so that they can seamlessly provide services to each owner.  For instance, they handle all home maintenance requests, they offer weekly condo cleaning, they will even have a chef prepare dinner for you, all while you are away at work.  Sounds like a great way to live!

Now, imagine two different criminals who are looking for an opportunity to make a score.  The first criminal scopes out one of the owners leaving their condo and attempts a break-in to the unit he sees as the best opportunity, perhaps successfully and perhaps not.  The return, if successful, could be good, but it is singular.  However, criminal number two has his eye on the management office, learns when they leave for lunch, figures out the locks, and gains entry.  He then enters the management office and makes a copy of the master key.  Over the next two weeks, he scopes out every condo, determines what is worth stealing, inventories his potential take, and executes a massive break-in for July 4th weekend when most people are out watching fireworks.

You may already know where I am headed. What I have described in this very simplified account parallels recent cyber-attacks and the successful shift to targeting the supply chain. Colonial Pipeline, the largest pipeline in the country, JBS, the world's largest meatpacker, and Kaseya, one of the tech community's most respected management platforms, have all been targeted. The goal of each hack and the resulting ransomware event was a larger take because of the impact on their customers.

Here are 5 things we can learn from these recent attacks:

1. Know Your Supply Chain. We have all moved some part of our operations to the cloud with the thought of reduced concern and maintenance of local resources. While this is a good thing, it is important to know your vendors and pay attention to their security notices.  In the case of Kaseya, fielding their security notice to shut down the Kaseya management tool was critical to safety.  In addition, particularly with smaller cloud vendors, if you see things that make you uneasy about security, call them on it, or change because of it.  Unencrypted data transmission, lack of password security, and remote access without things like encryption or MFA are common vendor oversights.  Often smaller ERP vendors or less sophisticated vertical market vendors will cut corners here.  If your cloud vendor does not seem a little overboard about security, it could be a sign that they are not diligent enough.

2. Consider Security Framework Alignment. Many industries are regulated and required to align with a security framework in order to meet compliance requirements. Some of these standards are rigorous and require network changes and additional monitoring services. However, they most certainly raise your level of security. As we navigate a world filled with heightened cyber-crime, raising your security so you aren't the easy target can make all the difference. Consider aligning with a basic NIST or ISO security framework even if it is not required in your industry. The process of doing this requires three steps: (1) Assess against the standard, (2) Make security and policy upgrades/fixes, (3) Monitor and maintain. Meeting one of these standards will raise your game and give you peace of mind.

3. Take Enhanced Security Steps. The old way of doing things is just not enough. Some of the important things to implement include: regular Security Awareness Training and Testing for your team, multi-factor authentication for both email and remote access to your network, expansion of patching and updating to include not just Microsoft but 3rd party applications, and laptop and mobile device encryption.  These enhanced security steps reduce your risk of breach dramatically.

4. Add XDR or MDR Protection. To address the changes in the broadening cyber battlefield, both new and existing security vendors have enhanced their endpoint detection and response software (EDR), formerly known as antivirus, to include many new features. This new software has been dubbed extended detection and response (XDR). XDR looks at more than just the endpoint. It uses algorithms and machine learning to do anomaly detection, user behavior detection, and malicious behavior detection, and to track indicators of compromise. It can also be integrated with SIEM or log file monitoring for an even deeper level of protection. MDR takes XDR to yet another level: it ties XDR to a monitoring service and adds another layer of behavioral monitoring. If something unusual is happening on your network, you will be notified.

5. Reevaluate Your Backup and Disaster Recovery. In two of the recent hacks I mentioned above, the companies paid roughly 5 million and 11 million US dollars to have their data unlocked. In the case of Colonial Pipeline, they paid this after many days of trying to recover their systems. I'm sure that these large companies had spent tens of thousands or even hundreds of thousands of dollars on backup solutions. Though we don't know exactly what happened, we do know that the recovery was either not possible or not fast enough. In some cases, the hacker has infiltrated the target's systems long before they unleash the ransomware. They use this advance time to disable the backups, or to learn how to encrypt the backups along with the main data. In other cases, the backup solution, when put to the test, is either incomplete or takes too long to restore to full operational ability. It is common to continue with the same backup solution you have been using for years without considering growth of data, changes in operations, or changes in recovery objectives. At the very least, an evaluation of how long recovery would take, based on current data growth and operational changes, should be performed regularly. Better yet, a disaster recovery test, where data and services are recovered in a test environment, can provide a true benchmark of your ability to recover.
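The "how long to recover" evaluation above can be made routine with a small projection: given today's data volume, its growth rate, and the restore throughput measured in your last DR test, estimate the full-restore time month by month and flag when it will exceed the agreed recovery time objective. This is an added example, not from the original post; the throughput, growth and RTO figures are constructed for illustration and should be replaced with values measured in your own environment.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RecoveryPlan:
    """Inputs for estimating full-restore time (all values are assumptions to be measured)."""
    data_tb: float               # protected data today, in TB
    monthly_growth: float        # fractional growth per month, e.g. 0.04 for 4 %
    restore_tb_per_hour: float   # restore throughput observed in the last DR test
    fixed_overhead_hours: float  # rebuild/validation time that does not scale with data
    rto_hours: float             # recovery time objective agreed with the business

    def projected_data_tb(self, months_ahead: int) -> float:
        """Compound the data volume forward by the monthly growth rate."""
        return self.data_tb * (1.0 + self.monthly_growth) ** months_ahead

    def restore_hours(self, months_ahead: int = 0) -> float:
        """Estimated wall-clock hours for a full restore at a future month."""
        return self.fixed_overhead_hours + self.projected_data_tb(months_ahead) / self.restore_tb_per_hour

    def months_until_rto_breached(self, horizon_months: int = 60) -> Optional[int]:
        """First month (0 = today) where the estimate exceeds the RTO, or None within the horizon."""
        for month in range(horizon_months + 1):
            if self.restore_hours(month) > self.rto_hours:
                return month
        return None


def headroom_report(plan: RecoveryPlan) -> dict:
    """Summarise today's restore estimate and how soon data growth eats the remaining headroom."""
    today = plan.restore_hours(0)
    return {
        "restore_hours_today": round(today, 2),
        "headroom_hours": round(plan.rto_hours - today, 2),
        "months_until_rto_breached": plan.months_until_rto_breached(),
    }


# Constructed example: 20 TB growing 4 % a month, 0.5 TB/h restore, 4 h of rebuild work, 48 h RTO.
EXAMPLE_PLAN = RecoveryPlan(data_tb=20.0, monthly_growth=0.04,
                            restore_tb_per_hour=0.5, fixed_overhead_hours=4.0, rto_hours=48.0)

if __name__ == "__main__":
    print(headroom_report(EXAMPLE_PLAN))
```

Re-run the report after every DR test so the throughput figure reflects what the backup platform actually delivers, not what its datasheet claims.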

It is a cybersecurity battlefield out there, and recent attacks have only proven that the cloud has broadened that battlefield. There is more to protect, and a broader attack surface with more people working remotely. As business leaders, it is time once again to raise our level of diligence and employ new methods that keep up with our dependence on the exponentially growing world of technology. How ready is your company for the cybersecurity battlefield?