Jason Pufahl 00:20
So, we’re coming back with, essentially episode one in certain ways, right. So we want to talk about security fundamentals again, revisiting the topic, I think for a couple of reasons, right, we just recently had that rebrand where we’ve combined our infrastructure and security divisions. And we’ve been talking about a lot internally, right. So as I think we continue to reinforce with everybody that the importance of fundamentals and some of the real security, core elements that we’ve talked about, but I think we’ve done a lot of incident response over the last couple of years, and certainly since we’ve recorded last, and I think, you know, our list has grown a little bit, right, so we want to add a couple of additions to this. You know, I think what I want to throw out before we start getting into our list of what exactly are these controls, I’ll ask it slightly differently. Is there anybody who shouldn’t implement these fundamentals?
Matt Fusaro 01:16
I mean, I’d say, probably not.
Steven Maresca 01:21
I mean, we’ve been talking about security tools worth using for everyone, for 20 years, 25 years, if you really think about it, you know, early 90’s if you’re paying close attention, and you had a computer back then, right. Everybody should have some sort of reasonable defense. The degree, the variety, and complexity varies, but it applies to everybody.
Jason Pufahl 01:47
But it’s a loaded question. I mean, they’re fundamentals for a reason. And honestly, I think, when we go through this, there are fundamentals, in some ways, if you’re an individual just trying to maintain your personal workstation at home, or the company, right, it might just be the degree to which you do these things.
Steven Maresca 02:04
So let’s take a step back. What do we mean by fundamentals? I mean, I hear that and I think, steps that every single person or organization needs to take to fulfill their minimum defensive expectations for security.
Jason Pufahl 02:22
And I would argue, if we go through this list, almost all of them can be done for free. You know, there’s a couple in here that I think that probably might have a cost, it might be a little bit more robust than your home user. But for the most part, cost isn’t a barrier to doing this. It’s just a matter of making sure that you’ve got the sort of the operational maturity, or at least some routine built-in to do these things.
Steven Maresca 02:47
Or just forethought, which is, you know, half the battle, right?
Matt Fusaro 02:50
Yeah, making sure you’ve got a process to do this. And next year, spending time on it, someone following up and saying, hey, do we do these things this year, or this month? Or this quarter? Whatever it is.
Jason Pufahl 02:59
Right. And, you know, this year sounds long, but the reality is, in some cases is, hey, at least you did that last year, right, which is better than not doing it at all. Alright, so we’re all comfortable saying every single person who’s listening to this, it’s a valuable podcast, because it’s something that you can do, personally, at your workplace, whatever it is, but everybody needs to be doing this.
Steven Maresca 03:19
This is the preventative maintenance on your vehicle, or your health kind of conversation for security.
Jason Pufahl 03:25
Zen and the Art of Motorcycle Maintenance. Remember that, so step one, right. And, boy, it doesn’t get any more basic than this, right? Update your systems. I just had a conversation with somebody the other day, a really small doctor’s practice, where I said the word patch, and they had no idea what that meant. So the two things that I think we want to talk about are patching and vulnerability management, right?
Steven Maresca 03:50
Sure. Your computer’s nagging you? Yeah. Do what it’s asking.
Steven Maresca 03:55
It’s for a reason.
Matt Fusaro 03:57
Yeah. So much software is out there now, you probably have a lot more installed these days than you did before, and we’re finding vulnerabilities faster and faster, and which means attackers are finding it faster. Just patching those, you take that low bar of entry away. It’s easy to do.
Jason Pufahl 04:14
So from a basic PC or Mac, I guess system, they’re going to update automatically, right? They’ve got settings to simply download patches and install them on a regular basis, probably monthly or something.
Matt Fusaro 04:28
If you’re in an organization that enforces it, sure. Home users, they turn that stuff off all the time.
Matt Fusaro 04:34
Always, I mean, from a personal standpoint, most people probably are not doing that. You should, especially these days, they’re, you know, there’s so much more personal information online, should probably follow those steps. But in an organization, yeah, those things should be just by policy, by definition, should be done.
Steven Maresca 04:55
If you as an individual have been, you know, habitually hitting ignore or defer or tell me later about an update, you know, sit down this afternoon and be inconvenienced for an hour. But you know, let it happen, because it’s something that, at the very least, will put you in a better position than most of the incidents that have been caused by a vulnerability.
Jason Pufahl 05:18
Right. And, you know, we’ve seen in the incident response work we’ve done, you know, attackers commonly take advantage of missing patches.
Jason Pufahl 05:27
Or, you know, vulnerabilities that haven’t been addressed, that can be exploited, right, because it’s quickest, it’s, frankly, the quickest way to get access to a company or exploit a system, whatever that might be.
Steven Maresca 05:37
Right, if something is fully patched, the odds are very good that an attacker has to expend more energy, more effort. And that means that they might stop, that means that they might look elsewhere, that only helps you withstand some sort of targeted attention. That said, you know, patching is just part of the problem. And you mentioned vulnerabilities. What we mean by that is actually the regular discovery and correction of flaws that are in systems. And that does not need to be a very onerous exercise, it may simply be going to the vendor’s website of a piece of software and checking to see if there’s some sort of an advisory, right, that there’s something amiss. More involved organizations, you know, you use vulnerability scanners, that they will tell you where the flaws exist, and then simply make a plan to correct them in priority order.
Matt Fusaro 06:31
Right, I know a lot of organizations tried to, well, I should say that IT directors of these organizations try to get this done, the business tells them no, right? We can’t have downtime, whatever the excuse might be.
Jason Pufahl 06:40
Right. Right, we’re worried about our application, yeah.
Matt Fusaro 06:45
Yeah, stability of application, or it’s a vendor system that, hey, we have a contract, they should be doing that, right? And then three years later, you find out still the same system.
Steven Maresca 06:52
Right. So vulnerability management is one of those things that is a perpetual task, it never really ends. Same thing with patching. The goal is not necessarily to get to zero vulnerabilities, that’s, in most cases, an impossibility. The better outcome is to document the risks that might impact the business, might impact you as an individual, if you’re sophisticated enough to be running a vulnerability scanner in your home stuff. And then, you know, carve away at the things that might harm the systems where your data is located or where your key business software is running. That’s it.
Jason Pufahl 07:28
So two elements, patching and vulnerability management, for large part, both free, I mean, there’s a lot of this information exists for free, you can often run some scans, they might be a bit more basic, but you can do that for free, and make some substantive progress from a security standpoint.
Steven Maresca 07:46
And returning to the forethought comment I made earlier. It’s okay to simply say we will not be solving this particular vulnerability because it doesn’t impact us.
Steven Maresca 07:58
Document it and move on.
Jason Pufahl 08:00
So, moving maybe from a little bit less of a technical discussion, to something that I think every organization should be doing, which is security awareness training, or having discussions around basic and widely-known security risks, right, like phishing, like running phishing awareness tests, right, like doing social engineering experience, like there’s a lot of things in this space. But, we are certainly, we’re real advocates of a well-trained workforce is probably your first and best defense against a lot of these really common social engineering attacks that we see.
Matt Fusaro 08:37
Yeah, I’d say, you know, look for programs or try to implement programs that aren’t motivational versus habitual, right, you want more habitual type of training and material that you can give your employees. Don’t just because, oh hey, we saw a phishing email today, we should do a security awareness training for everybody. Or, hey, we’ll do it once a year. That falls off so fast, you know, people don’t learn that way, either.
Steven Maresca 08:37
Right. And the truth of it is that attackers in today’s world abuse trust, more often than they do abuse some of the system flaws, we’re talking about vulnerabilities, right, that’s a part of the problem. But people are predictable, more so than computers. And if an attacker can convince someone to give away their password, there’s no system flaw that they need to exploit, they’re in the door. So people and their tendencies are what need to be reinforced and an aware staffer is frankly better than someone who’s operating obliviously. This does not need to be awareness training about what attackers are doing or how they operate. That’s beside the point. Technical discussions for security awareness training are not super helpful. But talking about privacy, the data that’s being used on an everyday basis by a given staffer, simply being aware of that data, and its importance to outside parties, is enough to change behavior and make people be a little more cautious about how they interact with it.
Matt Fusaro 09:45
You need reinforcement, you need it to be habitual, great habits that people can use every day, you’ll get better results out of that.
Jason Pufahl 10:17
And frankly, a lot of organizations have your regular meetings, right, whether they’re, if it’s a small company, you might be meeting on a monthly basis, spend five minutes on security awareness topics, right? Like threats of the month, or, you know, things that we want to see improvement on. These don’t have to be really long and complicated presentations.
Steven Maresca 10:37
And, you know, for actual programmatic phishing, training, they’re services, they’re cheap, they’re effective, you should use them. They are far more capable at delivering a phishing training via email than, you know, rolling your own. And there’s always a risk of, you know, perception, you don’t want your staff to feel like you’re targeting them. It’s intended to bolster security and awareness, not necessarily make people feel like they’re being accused of missing something.
Matt Fusaro 11:06
Yeah, I feel a lot of places kind of stop there too, which I know it can be difficult to go much past that. Lots of people are just busy with their business.
Matt Fusaro 11:18
But yeah, if you can go beyond the scheduled phishing emails, and even if it’s just talking about why certain data in your company matters, or why it would matter if it left the organization, that’s good enough too, right?
Steven Maresca 11:30
We’re edging into a segue to the later parts of our discussion today. And just to help with that bridge, security awareness training is one of those expectations that outside entities want to see in businesses. Examples include insurers, banks, you know, other agencies that are sharing data with a business, they want to know that your staff is thinking about that sort of thing. And it helps to facilitate business as much as it does to protect a business.
Jason Pufahl 12:00
So it’d be fine in a way to do some of that segue now, right? There are a couple of new additions to our list. For probably two reasons, right, we’re starting to see insurance carriers and regulatory requirements, really push a couple of technologies that we have seen make tremendous difference, as it relates to sort of incident preparedness and incident protection, you have two-factor certainly being one of those, right, we didn’t, I think it makes our list anyway, because it’s such a valuable way to protect credentials. But it’s also now becoming a requirement for a lot of different entities.
Steven Maresca 12:36
Right, and let’s be expansive on that subject, two-factor, multi-factor, two-phase authentication, there are lots of different variants on the subject. And it doesn’t have to be a technology you employ in terms of your internal systems. But if you’re working with an email provider, or a bank, or some other piece of software or service, enable that function when logging in so that you get a text message, so that you get prompted on your phone. Simply doing that will ensure that the loss of a password doesn’t mean that your systems are impacted, or your data is impacted.
Jason Pufahl 13:13
For me, two-factor, it’s such a core requirement, and we see entities not employ it a lot of times because people feel like it’s a hindrance, right, it’s a security control that is too inconvenient, and I would argue it’s probably one of the most important things you can do now, relatively easy to implement, technically, in my opinion, a lot of it’s just a communication exercise internally, and the value is so significant.
Steven Maresca 13:40
I’d say fully half of the incidents we run would not have occurred,
Steven Maresca 13:45
If two-factor, multi-factor authentication would have been in place.
Matt Fusaro 13:48
Or at least, you know, second stage type thing. So after they first get in their systems that they gain access to, they should have just had multi-factor.
Jason Pufahl 13:56
Right, prevent all of it.
Jason Pufahl 13:59
So sort of staying in that credential protection space, you know, password management is certainly a baseline requirement, or maybe password and enroll management to some degree, right, like understanding what users you have configured for your systems, what capabilities those people have, and do you actually have sufficiently long passwords such that people can’t simply guess them or maybe programmatically guess them, but you know, you can make those passwords less accessible.
Steven Maresca 14:28
Right. Defend the credentials, the keys to your environment.
Jason Pufahl 14:33
That’s an elegant way, that’s a lot better than what I just said.
Steven Maresca 14:35
Well, the truth is that we have a legacy of, let’s say, misinformed credential management, misinformed password management, changing passwords every 30 days. Let’s be honest, I’m confident everyone that listens has heard of such a practice and participated in it, or been forced to perform it, and the behaviors that, you know, are associated with that are to formulate passwords that do not increase security, they just promote bad behavior. So if you have anything that resembles that, you know, in an organizational environment, it might be worth revisiting. The guidance that used to motivate that type of practice has been rescinded by standards bodies internationally. And the approach these days is longer passwords that are easier to remember that are more complicated.
Jason Pufahl 15:22
Right. So I think there’s two more specific things that we wanted to discuss. And I don’t, you know, interesting, I don’t know that we actually mentioned this in our first recording, but the need for robust backups that are stored offline and available in the event of an attack. And this can be, again, this doesn’t have to be complicated, going back, Matt, to what you had said around it, maybe some things you only do once a year. Clearly you want more routine backups than annually, but it’s better to have an annual backup than no backup at all, right? And I don’t know how many, just friends I’ve had, who’ve lost data from compromised laptops, where if they just had a year old backup, sure there’d be a gap, it’d be unfortunate, but it’s better than losing everything. From a business standpoint, there’s obviously more robust ways to do it.
Matt Fusaro 15:56
Something. Yeah, I mean, short story here that I actually was involved in an incident once, if you will, where a backup system physically failed on a school and the recovery process of that, because they had nothing off-site, no redundant backup system or anything like that, right, so they just had this one storage, right, the result was a group of about 5 to 10 people for a month straight copying and literally scanning documents into a file share for that school. What a waste of time.
Jason Pufahl 16:51
And talk about demoralizing, demotivating, and all of that.
Matt Fusaro 16:55
Yep, total loss of confidence in IT.
Jason Pufahl 16:57
Right. As you, well, in a way, probably somewhat justified. Like, there’s no excuse for that.
Steven Maresca 17:05
I’d even, you know, go back to something you said a moment ago. Annual backups may be sufficient for some organizations, it’s about, you know, deciding what makes sense from a business process standpoint. How much pain are you willing to tolerate? If you’re an accounting company, or accounting CPA who has an LLC, but you’re one guy, you do taxes once a year, maybe that’s enough for your clientele.
Jason Pufahl 17:27
It could be.
Steven Maresca 17:28
But use an appropriate level of backup for your business cycles. How much would it hurt if you lose something that’s a week old? If it’s a lot, you should back up once a week. You know, just be thoughtful about the backup and make sure you have multiple copies. That’s it.
Jason Pufahl 17:42
And honestly, that discussion, right, what you just said, you know, thinking about what the impact would be if you actually lost a system or data or something like that, right, you just did a business impact analysis. These don’t have to be really complicated engagements with an external provider to think through what bad things might happen if this event occurred, right?
Steven Maresca 18:04
The ultimate title for this episode should be security common sense.
Jason Pufahl 18:09
Truly, actually, but maybe that’s not to be alternate. Maybe we could just call it that. I think finally, I’ll lead straight with an acronym. And I’ll let one of you guys define it, right, which is everybody now, is this, you know, insurance providers and pushing the idea of EDR. Right, who wants to tackle EDR?
Matt Fusaro 18:28
Sure, I will lead our practice. So EDR, Endpoint Detection and Response, you could think of it as the new antivirus, right. Essentially gathering lots of data from an endpoint, so that if something does happen, yeah, lots of information can go back on a timeline to refer to, it typically also involves some type of threat detection so that you can stop what’s going on, so protection and detection at the same time. So quite honestly, I don’t know. I don’t know personally, if I would add this to a fundamental list. We love seeing it, it’s great. We know insurance companies are really requiring it now. But it can be tough for some businesses to do anything with what an EDR can produce, right? You typically need someone that knows what they’re doing to look at an EDR and say, oh, okay, there’s the problem, here’s how it happened.
Steven Maresca 18:28
What I would say in response to that is that, well, I would agree with you. Even a small business with no staff that’s minding the shop, so to speak, in terms of IT and EDR would still benefit from that type of platform in an after-the-fact offer scenario. If an incident occurs, at least there would be some modicum of data to go on. Traditional antivirus just doesn’t cut it. I describe that to our customers as like a 30% to 40% success rate. That’s realistic. You don’t want old school antivirus, which is like the conductor on a train checking a ticket, and that’s it, they’re done. EDR, to contrast to that, is equivalent to someone monitoring all the time and making sure that behavior even within the, you know, the train car, so to speak, that’s already had people admitted, continues to be safe. And it’s worthwhile.
Jason Pufahl 20:23
Yeah, so the reason that I hesitated putting it on the list is I feel like everything that we’ve discussed can largely be done for free, right, I don’t know that EDR can.
Matt Fusaro 20:32
Yeah, I guess that’s kind of why I gravitate towards the, I don’t know if it really should be on the list or not. I completely agree with Steve. Yes, it’s great for after action or something like that. But yeah, the price point for an EDR is tough for a lot of people. You’re not talking about a couple bucks most of the time.
Jason Pufahl 20:52
Right. Yeah, they’re reasonably low, but the quality is better. And certainly we’re seeing a significant industry move in this direction, right, there’s a lot of EDR vendors out there, it’d be a lot of really competent and capable products, pushes by insurance carriers and some other regulatory requirements. But I do struggle, because it’s not like every business is going to be able to afford to get into it. AV is accessible to everybody and in spite of it being maybe not as effective.
Steven Maresca 21:19
So, you know, on that note, re-evaluate what antivirus you have in place.
Steven Maresca 21:24
There are potentially better solutions out there, and you know, if it was something that was put into place a decade ago, it’s probably time.
Jason Pufahl 21:31
For sure. So I’m gonna run down the list really quickly, before we wrap up. And, you know, we certainly talked about patching and vulnerability management. Basically, totally free, a lot of this stuff is actually built right into your operating system, so the systems you run. Discuss, have conversations around security threats, right, security awareness training internally. It can be made complicated, it can be really easy if you just have some basic conversations, focus a little bit on phishing, make sure folks understand data privacy requirements for sure. Talk about credential management, password management, look at multi-factor, two-factor, right, there’s a variety of ways to describe that. Really, I think two-factor has become such a standard now that we want people to utilize that. Obviously, back up your data, I think the idea of having a business impact analysis, even if it’s a discussion around the conference room table with the people who know something about the business, do that and take steps accordingly. And then look at AV or EDR, right. EDR being the gold standard, if you can potentially afford it. Any parting thoughts at all?
Matt Fusaro 22:44
I think if you’re just getting your security plan started, this is a nice little template, hit these few things as best you can. And it’s a pretty big bang for not so much buck.
Steven Maresca 22:57
And stick a calendar note to reveal exactly the same thing next year.
Jason Pufahl 23:02
Right. Don’t make it more complicated than it has to be. So with that, as always, thanks for joining us today. You know, we’d love to hear feedback. Maybe there’s somebody who thinks that we’ve missed the fundamental or wants to argue a little bit more whether EDR should be on there. If so, contact us at Vancord on LinkedIn or Vancord security at Twitter and we can continue the conversation. And as always, thanks for joining us today. We hope you got some value out of this.
Stay vigilant, stay resilient. This has been CyberSound.