As a cybersecurity leader in your organization, there are technical and strategic lessons you can learn from overwhelmingly unfortunate security failures. As seen in the cybersecurity incidents presented below, correcting or improving technical issues is important. However, by diving deeper into these devastating events, you can learn ways to develop more effective cybersecurity strategies to protect your organization’s most critical data.
There are five important lessons that you can glean from the cyberattacks presented below:
- Lesson 1: Effectively Mitigate Your Risks When Using Cloud Solutions
- Lesson 2: Invest in IoT Safeguards
- Lesson 3: Re-Examine Your Password Policy
- Lesson 4: All Software Updates are Important
- Lesson 5: Employee Compliance is a Critical Element of Cybersecurity
Lesson 1: Effectively Mitigate Your Risks When Using Cloud Solutions
The exploitation of a Capital One cloud database by a single individual in mid-March of 2019 triggered discussions about an increasing target for cyberattacks: the cloud. Capital One’s infiltrated database was protected by a firewall, but the cybercriminal, an ex-Amazon Web Service (AWS) employee, discovered a vulnerability in its configuration. The perpetrator bragged openly about her exploits online and was eventually reported and caught. Unfortunately, her illegal activity was undetected for nearly four months—an amount of time in which she was able to obtain access to more than 100 million U.S. and Canada customer accounts.
Lesson to Learn: The growing reliance on cloud solutions that enable organizations to streamline their technology and provide better service to their customers hasn’t gone unnoticed by cybercriminals. According to a report by device-to-cloud cybersecurity company McAfee, cybersecurity threats on cloud services has increased 630%. Despite this staggering statistic, the number of organizations using cloud services continues to grow.
In a 2015 keynote speech, Capital One’s chief information officer (CIO), Rob Alexander, announced the company’s expanding use of cloud services that included the deployment of critical services to the cloud. In his speech, the CIO acknowledged the importance of a security framework that was implemented to protect their sensitive financial data. Four years later, the company experienced one of the most notable cyber attacks of 2019.
Of course, the underlying cause of the Capital One data breach was a technical flaw that neither the AWS nor Capital One cybersecurity team detected, but there is more that you can learn from the incident to help you mitigate the risks associated with using cloud solutions:
- Instead of moving large amounts of critical data to the cloud, a better strategy is to make the move less dramatic with detailed security checks at each deployment.
- Obtain buy-in from the executive team to invest in extra protection to protect your most sensitive data that you choose to deploy to the cloud.
- Educate your cybersecurity team about cloud security and ensure they have the tools and technologies they need to prevent, detect, and respond to cloud-specific security issues. This is in addition to any cybersecurity tasks that your cloud services partner has specified they will perform.
Lesson 2: Invest in IoT Safeguards
The Dark Nexus botnet was first discovered in late 2019 and has continued to evolve and spawn into 40 iterations that have wreaked havoc around the globe. The botnet was initially developed to unleash both malware and a distributed denial-of-service (DDoS) attack on IoT devices such as video recorders and routers.
Lesson to Learn: Like cloud solutions, Internet of Things (IoT) enables organizations to quickly improve day-to-day processes and create better value for their customers. IoT focuses on the connections to the Internet between devices, the individuals that use those devices, and the server where the data that people want to access using those devices is stored. As your IoT deployments grow, so do your pathways of potential risk. As seen with the Dark Nexus botnet, large numbers of connected access points are attractive targets for cybercriminals.
The technical focus on preventing an attack on your IoT could be adding encryption and authentication technologies such as Zero Trust. Implementing these types of technologies can impact the benefits that IoT offers and are often cost-prohibitive. Another tricky area of protecting IoT devices is that the data that is transmitted across them may be protected personal data.
A strategy for safeguarding IoT should include the following:
- As the cybersecurity leader in your organization, determine the best strategy for managing the risks associated with your organization’s IoT. Depending on the nature of your organization’s business, you may have to confer with compliance and regulatory agencies to establish an effective plan.
- IoT means a variety of devices with likely unknown security measures. According to “The CEO’s Guide to Securing the Internet of Things” developed by AT&T, conducting a risk assessment of all IoT deployments and then establishing a security baseline is a more effective approach than implementing a blanket level of security.
- Statistics provided by the technology research firm Comparitech indicate that the critical technical methods of solving issues with default passwords (the most common tactic cybercriminals use to attack IoT) require a focus on authentication, access control, and encryption. When you request buy-in from your organization’s decisionmakers, make sure you include funding for these three technical areas.
Lesson 3: Re-Examine Your Password Policy
In 2012, Dropbox announced that an employee’s password was obtained and used to gain access to email addresses of 60 million user accounts. Fast forward to 2016 when the online cloud storage company reveals that more user accounts (100 million is the estimate) and additional personal information was obtained during the 2012 data breach. The source of the breach was determined to be that a Dropbox employee’s password was part of a LinkedIn data breach and was reused to access a Dropbox corporate account.
Lesson to Learn: The good news about the Dropbox data breach is that the credentials stolen by the cybercriminals were hashed with advanced algorithms and since being dumped on the dark web haven’t appeared to be cracked. However, the incident rings the bell about the long-standing issue of policing passwords. Despite the large number of public incidents involving stolen passwords, people continue to have what appears to be a low disregard for considering their security implications, as reported in an article by CNN.
The National Cyber Security Centre (NCSC) offers valuable advice for devising an effective password management strategy:
- Consider implementing technical solutions that limit the reliance on passwords, especially for access to critical data.
- Broaden your password protection measures to include an extra level of protection. Multi-factor authentication (MFA) and single sign-on systems are two examples.
- Train all employees about the importance of password security and hammer the lessons into them constantly so they understand the importance and consequences of their actions.
Lesson 4: All Software Updates are Important
Atlanta-based credit reporting agency Equifax made history in 2017 when the personal data of 143 million Americans in 51 of its databases was accessed by cybercriminals. As with the Capital One cyberattack, the attackers were able to remain undetected for about four months. It is also similar in that human error was the source of the attack. In this case, that human error was neglecting to patch a known security issue.
Lesson to Learn: Software is a dynamic technology, constantly being improved and repaired via updates to enhance the user’s experience. It’s safe to say that organizations are aware of the importance of software updates. Then why would a company the size of Equifax neglect to fix a known issue? When you discuss the importance of software updates with your cybersecurity team, they probably roll their eyes while they nod their heads in agreement. In addition to being a mundane task, patching software can break existing systems, which can cause downtime.
The following are three ways you can improve your software update processes:
- Perform a risk analysis to determine the software patches that are required and the critical nature of the patches. Your cybersecurity team should work from the top of the list downward, starting with the most critical update first.
- Incorporate an audit task to your cybersecurity processes (a mix of automated and manual steps) to check the status of all your software updates. This has the added benefit of giving the team an idea of the most common software that is outdated and those for which the provider is no longer providing updates.
- Prevention is key in cybersecurity, so keeping an eye out for known vulnerabilities is important. The National Institute of Standards and Technology (NIST) provides several data feeds of vulnerabilities that your cybersecurity team can access and monitor for any issues related to software and/or systems that your organization uses.
Lesson 5: Employee Compliance is a Critical Element of Cybersecurity
In July 2019, Mimecast posted details of a phishing attack on their blog. The cloud-based email management company described the attacker’s method as using a SHTML file attachment that employees clicked and were subsequently taken to a malicious website that requested their login credentials.
Lesson to Learn: There’s a common saying in cybersecurity circles that people are the weakest link in a cybersecurity strategy. While human nature has played a significant part in cyberattacks, this should be viewed an opportunity instead of a weakness.
Too often, cybersecurity is viewed by employees as something that is maintained for them. While it is true that your team has responsibilities to keep the organization’s personal information and technologies safe, every single person in the organization plays an important role. Until every single employee in your organization understands that and performs in a manner that proves they do, your cybersecurity strategy will continue to have a serious flaw.
The following are three actions you can take to adopt a culture of employee cybersecurity compliance:
- Roll out a cybersecurity plan to the organization that highlights employee compliance.
- Training every single employee about security is a given. However, this should be more than a quick session that employees are able to gloss over and check a box that they completed it. The training should be engaging and have a long-term effect on employees.
- Measure the effectiveness of your employee security compliance training by keeping track of security incidents committed by employees. Over time you will be able to determine areas of improvement to address in your training.
As a cybersecurity professional, it is safe to state that your responsibility to lead your organization’s fight against cyberattacks is only going to become tougher as cybercriminals become more and more sophisticated in their approaches. The organizational costs associated with security failures can be devastating, so establishing an effective plan is critical. Attempting to limit your defense to a technical strategy is not enough. You must also develop strategic policies and plans that are based on valuable insight and experience. For many cybersecurity leaders, the responsibility is overwhelming. BACS consultants know how to assess, develop, and implement robust IT security solutions that address the technical and strategic needs of organizations.