Friday 30 September 2016

Responding to the Boardroom (Cyber), SOS

Stuart Peck, Cyber Security Strategist, ZeroDayLab

When 90% of all successful cyber attacks begin with just one (double) click, and an average company's network is hit by malware every 4 seconds, according to a recent report released by Check Point, the risk to the business is continuously heightened.

The challenge facing executives is not only the threat of a cyber attack at work but also at home with threats such as Ransomware, identity theft, personal and professional reputation damage attacks, Doxing and Phishing, all having a direct impact on business and personal affairs.

The problem is compounded by the number of publicly (and privately) available dumps (passwords and usernames) of social media accounts. Take the Last.FM dump released recently (21.09.2016), which also included my very own details, or the very high profile Yahoo mega-breach, which included over 500 million affected users. This is an issue that can be mitigated by never using the same password for different accounts and by enabling 2FA (Two-Factor Authentication) for every account; but how many users or execs follow the same routine? The reality will come as little surprise - very few.

These details are an easy route for hackers to breach an organisation, especially at board level, as passwords may not be rotated as often and work emails are sometimes used for personal accounts, such as social media.

Figure 1. Recent notification of public dump of accounts. 

Technology won't fix the problem.

"Amateurs hack systems, professionals hack people." 
Bruce Schneier.

Whilst there has been a vast improvement in technology to prevent and detect malicious activity, it is never guaranteed to catch everything, especially social engineering.  Attacks such as Whaling (otherwise known as the CEO scam) have seen a huge rise in the last 24 months and are estimated to cost businesses $3.1 billion globally with over 22,000 victims - according to recent figures released by global law enforcement agencies. 

So, when technology (inevitably) fails, the executives are not necessarily left defenceless against attack, but the odds are definitely stacked in favour of the attacker, who uses guile and technical skill to outfox the average executive IT user.

Answering the Boardroom (Cyber), SOS

Executives, in general, are more informed than ever that cyber security is a real problem. The challenge is a lack of understanding of how attackers look to exploit the 'human firewall' and how this directly impacts their personal and business assets... until it is too late.

The strategy for answering the Boardroom (Cyber) SOS is made up of the following activities:

1) Situational Threat Awareness - through continuous education and briefings.

"Information is not knowledge.  The only source of knowledge is experience."
Albert Einstein

Prevention is key to defeating cyber attacks: arm your executives with awareness of the techniques used by the adversary, and with practical advice on how best to protect themselves from the most-used and effective methods deployed by cyber criminals.

Improving executives' ability to detect social engineering and spear phishing attempts, by adapting their behaviours in the use of email and web browsing, can reduce exposure to the most common forms of attack by up to 70%.

Training that is engaging and interactive ensures adoption of the message and helps cement behavioural changes. 

2) Executive Cyber Threat Monitoring

Understanding the threats facing key board members is key to developing the appropriate defensive strategy.  By consuming threat intelligence services to monitor sources such as hacker forums, doxbins, darknet sites and social media, you can pre-empt any attacks that specifically relate to key individuals, or the board as a whole. 

This information should then be fed into the Situational Threat Awareness sessions, providing additional context and relevance. 

3) Simulated attacks and incident scenario testing

And finally, conducting simulated attacks such as phishing is very commonplace, but how many organisations run cyber incident response scenario workshops with their executives?

Testing the executives' ability to navigate a highly complicated breach, alongside the Incident Response function of an organisation, will help improve awareness of the impact of a cyber breach not only to individuals but also to the business as a whole. 

By combining Situational Threat Awareness, Threat Monitoring and Simulated Incident Scenarios with your executives, you are not only answering the Boardroom (Cyber) SOS but actively arming your execs so that they can better defend themselves when technology fails. 
