This episode was created in alignment with October Cyber Security Month. In part one of this two part series, podcasters Jason Pufahl and Steve Maresca talk candidly about security essentials for every business. Jason and Steve share a critical laundry list of elements that, based on their collective experience in Incident Response, cause about 90% of the issues that result in data compromise.
[00:00:00.380] - Speaker 1
This is CyberSound. Your simplified and fundamentals-focused source for all things cybersecurity with your host, Jason Pufahl and Stephen Maresca.
[00:00:10.990] - Jason
Welcome to CyberSound. I'm your host, Jason Pufahl and, as always, joined by Steve Maresca. Hi, Steve.
[00:00:18.300] - Steven
[00:00:19.310] - Jason
So this is going to be part one of what I think is going to be a two part series. So we're going to talk today about basic security must haves really focused on business. So we'll call this the Business Edition. And for us, I think we've identified a few really critical elements I think, that every business has to pay attention to, and I think it's largely born out of our experience in the incident response space, issues we've seen, frankly, that cause probably 90 percent of the incidents that we deal with on a regular basis.
[00:00:51.720] - Jason
So we really think about how best to protect the data. Generally speaking, with every incident we deal with, the first question you have is, is your business data at risk? And that might be PII, that might be intellectual property, regulated data rate, any variety of things. But the difference between a hugely problematic incident and one that might have real hopes of being successfully restored really is data protection. Steve, can you talk a little bit about data backups and just the idea of how you would protect that and what we're concerned about there.
[00:01:28.600] - Steven
So today we operate in a world which is dominated by ransomware in the news. First and foremost, businesses are being impacted because their data is being locked up. So data backups, in that context are simply a way to avoid paying a ransom, a way to avoid major down time as a result of an attack like that. But more generally, of course, we have natural disasters. We have hurricanes, power outages, you name it. Backups are a way to ensure that if infrastructure is lost, you can rebuild it.
[00:02:03.600] - Steven
Soundly, on a day to day basis of course, people delete data too. So backups are an underpinning of keeping things afloat in turbulent times.
[00:02:15.020] - Jason
So the hard part about everything you just said, for me is backups feels over generalized. And I mean that in the sense that backups are fine. We've had a whole variety of clients with incidents where their backups have been encrypted or deleted. So it's more than just saying I've taken a back up and I've got a copy of my data, right? I think a lot of it is, what do you do with those backups and how do you protect them afterwards?
[00:02:39.120] - Steven
Right. It's about making sure the backups are usable when they're needed. And candidly, backups are often built and then not tested rigorously. So part of the process, of course, is ensuring that you're backing up the right data from the right systems. You have processes in place to actually restore that data. And in the context of keeping it isolated and safe, have the means to ensure that the bad guys don't actually have it within their realm of deletion.
[00:03:11.490] - Jason
I'm trying to think practical tips. So what do we want to tell people? And I think one, certainly having an offline backup is critical. So something that you know attackers can never touch, can never spoil, right, can never impact it anyway.
[00:03:26.720] - Steven
And we're not necessarily talking about going back to the realm of tapes. In 2021, that's less common, certainly. I would say that in general, having an isolation of data is the most important. If you're sending your data to Amazon, if you're sending your data to a secondary physical location, just having an ability to say that that data has been copied elsewhere for secure storage, and it's not directly in the line of data flow, that's the way to avoid it. In the practical, data stays since it's ensuring that the attacker can't use your own credentials against you and delete the backup data.
[00:04:05.780] - Jason
Yeah, and I feel we see that all the time, right. The attackers using the stolen credentials. Ultimately, you're pretty easily getting access to backups, right. So we always talk to clients about making sure that you have backups that are isolated from your normal credential store, right. Active directory or whatever it is that you're using.
[00:04:23.570] - Steven
[00:04:25.910] - Jason
One thing you said that's interesting to me, though, is because you specifically said you're sending your data to Amazon, you're encrypting that data in transit. Clearly, there's a lot of great reasons for having your data somewhere like that. But effective backups can be as straightforward as for smaller organizations, right? Is straightforward as maybe backing your data up to a USB drive that you rotate periodically. So I think I want to make sure that a takeaway from this isn't... Well, I really need to figure out how these cloud providers or some of these, say more expensive or more maybe challenging to implement solutions when some businesses are small enough that they can get away with or variety of other ways to keep that data.
[00:05:05.580] - Steven
Right. And be somewhat liberal with definition of backup. If you have electronic systems, maybe have a backup paper based practice. We've all moved away from it. It's not quite the same concept of data backups, but it's a backup business process as well.
[00:05:21.620] - Jason
Right. Let's transition a little bit then to the idea of MFA or two factor. So MFA multifactor authentication. The idea that you're combining your username and password with some secondary form of authentication, right? Typically a key verb or some sort of prompt, right?
[00:05:42.680] - Steven
Basically something you have and something you know.
[00:05:45.210] - Jason
Right. Something you have something you know-
[00:05:47.540] - Steven
Very commonly used and encountered on the day to day basis in the personal world with your banking website, for example, you get a text message, you log in, it's more secure.
[00:05:56.330] - Jason
Right. And they can be that straightforward to implement, right. But you really want to make sure that you have a way to protect your credentials because ultimately, that tends to be the target activity of a lot of attackers.
[00:06:09.640] - Steven
Right. The number we've seen in the last several years is 80 to 90 percent of all incidents are rooted in stolen passwords. Given away freely, of course because you were contacted by someone purporting to be your superior, some key business partner, you log in to what seems like a valid website, and off they go, they can log in immediately if you don't have secondary protection like this in place.
[00:06:33.440] - Jason
So it feels like there's maybe a future episode for talking about phishing and social engineering and how to actually get credentials, because I think that's somewhat the underpinning of this, right. We've talked a little bit in the past around how technical controls are really valuable. But if people freely give away their credentials, you basically have circumvented all those controls. And that's where two factor comes into play.
[00:06:55.380] - Steven
Right? Controlling identities and what those identities are able to access, whether they be systems or data or remote access into a network. Traditional organizations might use a virtual private network, VPN. Others might use Office 365, cloud-based email entirely and not need access to local infrastructure. Protecting both of those sides of the equation with a second-factor authentication is how you ensure that attackers, even if they have your password, can't get in.
[00:07:26.810] - Jason
The thing that you mentioned that's interesting to me is you want to be judicious about where you use two factor because it certainly has some say, convenience overhead associated with it. Any time you have to use that second factor, it slows down access to certain sites. You mentioned email and I think people very often think of protecting email because it might have documents that are sent from clients and things like that.
[00:07:51.510] - Steven
It certainly does.
[00:07:52.820] - Jason
But I tend to think about email as sort of the gateway for the password change process, right. So there's a lot of reasons to protect email just so that you know attackers can't use your email system against you.
[00:08:04.420] - Steven
[00:08:08.350] - Jason
It's probably not that exciting. And I feel like we talk about it all the time. But again, from what should a business do standpoint, you're doing basic vulnerability scans and actually addressing known patches from your application providers, your operating system providers remains key and is typically are a free activity to do.
[00:08:32.660] - Steven
What we don't want to do is have any business with known flaws have effectively an open door to an attacker with minimal effort. And simply keeping abreast of those updates, which are freely offered regularly, automatically applied, it just ensures that they'll look elsewhere because the effort required to breach a business it's well defended with good practices like this, exceeds what they're willing to invest.
[00:08:58.380] - Jason
It's not that difficult to do. Some organizations, I think struggle with it because they're busy day to day with other things that keep them distracted, maybe. But frankly, certainly your operating systems typically are able to update themselves regularly. Maybe your applications you need to pay a little bit more attention to, but simply monitoring some of the advisory sites to know what the critical vulnerabilities are is going to be critical.
[00:09:22.800] - Steven
Right. And if you have a legacy application or something you can't patch easily, that's fine. Keep using it. It's not a reason necessarily to back away from it, but change things to make sure you can do so securely.
[00:09:33.570] - Jason
Right. Find compensating controls for that. And a common thing I think almost every organization does have is a firewall. And I'd say most places or most companies that we work with, the most people we talk to probably have one. I think the challenge is keeping those firewall rules up to date and actually making sure that they're providing the protection that you think that they should be.
[00:09:59.650] - Steven
Right. And we're in a slightly different world today where merely controlling what can get in is not sufficient, it's really the case that those firewalls need to manage what data leaves the network as well in order to defend appropriately.
[00:10:13.520] - Steven
So having a bi directional security analysis for your firewall network protection is a criticality.
[00:10:22.780] - Jason
A secondary benefit of that is for us in an instant response standpoint, is it often gives you a lot of clarity about types of data that may have been taken, right. So a lot of times we'll see a ransomware event coupled with data theft of some sort for the purpose of extortion, right. We maybe talk about that a little bit. Firewalls will give you some of that context if configured properly.
[00:10:46.140] - Jason
You really want that network flow information.
[00:10:48.300] - Steven
That's a great segue into really the most important subject from a security standpoint in terms of what you want to use as critical things that businesses should employ, and that's visibility in general. Some mechanism that allows recording of data from a firewall, from systems, from logins just so that you know after the fact what actually happened, because in the event of an attack, you may not have that information at hand, and you can't reconstruct what occurred. That means more effort for restoration. That means potentially more effort in working with a liability insurer.
[00:11:27.740] - Steven
That means potentially needing to notify customers that you would prefer not to. And if you simply log system events from anything that might generate a security event, you'll be in better shape.
[00:11:39.820] - Jason
So I want to actually segue a little bit then into the idea of cost, because I think what you just said is really interesting. Security is generally considered a cost center, I think. We've certainly had that conversation many times. A few of the items we're talking about here are largely free to do for most organizations. You can get patches from your vendors, generally speaking, for free. Logging, if you simply want to make sure you have data, you can log all of your data locally to the service that generate typically for free.
[00:12:11.040] - Jason
Backups generally probably a cost to that, but it doesn't have to be really expensive, I think.
[00:12:17.320] - Jason
As long as you put the effort into making sure the data is protected, it doesn't have to be the most elegant solution. But you almost touch on the idea that security can provide companies an opportunity to potentially save, right. Well protected networks that give you clarity about what an event may have been will let you notify the right people and keep your costs down. And frankly, some of these activities here are required by insurance, which actually can potentially help premium, so there's some real benefit to this.
[00:12:47.170] - Steven
Right. And you can even make an argument on the business intelligence side. If you have good data about how all of your systems work, how your users act, then you can save money and licensing costs and understand how your customers use your services like. They're all part of the same spectrum of information and in security, they all matter.
[00:13:05.330] - Jason
Right. They all matter. And the same, I think we'll talk a little bit about this because I expect it will go in this direction. But the idea that what you would do at home to protect data isn't that wildly different for what you need to do from an organization. Scale might be different clearly, but these are really basic concepts, and there's something that's accessible, I think to every business of every size.
[00:13:26.040] - Steven
The most important thing is that these subjects should be broached before an incident requires you to talk about them and preparation is 95 percent of the problem.
[00:13:39.070] - Jason
[00:13:39.600] - Jason
Well, on that note, I say, thanks for listening. I do hope that people got value out of this. We want to keep these topics pretty short and pretty simple, so limit this one to three or four areas. Backups, two factor, collecting log data, and simply patching machines as you need to would be takeaways that we want people to walk away from today. If you have anything you'd like to add to this topic, feel free to let us know @VancordSecurity at Twitter. Follow us on LinkedIn and of course, you can follow the podcast at Apple or Spotify.
[00:14:10.420] - Jason
And as always, Steve, thanks for joining. It's been a pleasure.
[00:14:13.580] - Steven
[00:14:16.390] - Speaker 1
Stay vigilant. Stay resilience. This has been CyberSound.