#DearCIO, “WannaCry” Because of Ransomware?: Stay Calm

Feature by Mr. J. Tate, Chief Intelligence Officer, bits&digits.

Peerlyst.com, published June 2017.

#DearCIO, before you buy Cyber Security Insurance and Ransomware Immunity Protection, you should really read this. Don’t cry, because your “GoldenEye” didn’t protect you from ransomware.

Stay Calm, this is what Security Theater is about.

This may have been one of the most widespread attacks known to exist. (At least that we are aware of.) But, these few tidbits should help you move forward past the chaos. Every headline in the news is talking about the issue, the effect, while perpetuating a state of fear.

Usually when this happens, not unlike other catastrophic events, the “psychology of the masses” tends to run toward “Next Generation” solutions. The fictitious “Buy my Risk Aversion” days are not new and are not by any means going to end anytime soon. Hopefully, you read this in its entirety to understand why rushing into your board room with a solution containing, or including the purchase of, a Ransomware Immunity Technology along with cashing down on Cyber Security Insurance is possibly the worst advice for your organization.

1. Read the #facts. The NYTimes reported, “…more than 12,500 machines running older versions of Microsoft Windows.” This statement illuminates the importance of one thing: #PatchManagement. I’m sure at the weekly board meetings, you have the opportunity to express many points like: why the satellite office in XYZ hasn’t received the PC refresh, or why none of the Windows PCs there have been able to be updated due to a lack of a #WSUS server at the location, in tandem with a poor communication link from the HQ. This is the real Coup De Grace of your organization. #NoFear. Express and illuminate in the most articulate way possible that “Legacy” Systems in your organization are only the beginning of a bigger problem.

The below photo was captured today at 12:46PM EST from a custom Shodan query showing machines specifically susceptible to the SAME EXACT WannaCry and GoldenEye code. #PeopleDontListen

2. Every one of the Fortune 250 Companies hit by this attack falls under a Regulatory Compliance mandate calling for #Vulnerability & Patch Management in one way or another. (GLBA, HIPAA, SOX, FINRA, FFIEC, FTC, FERPA, COPPA, SEC, etc…) Some call for Patch Management. Some use the term Change Management. Some of them use ambiguous terms that really only an IT or IT Law professional would be able to decipher.

Trust me, I have read them all, from the NIST to FFIEC all the way down to GLBA. Unfortunately, the people who typically actually READ the Regulatory Compliance Statutes for an organization are the Compliance Officers or are under the Legal Counsel organization silo. I say “Unfortunate” because it’s very rare in my experience that the regulations are effectively interpreted, not to mention properly distilled into an effective and enforceable Information Security Organization Policy.

The Securities and Exchange Commission recently had a review of its own FISMA (Federal Information Security Management Act) compliance with some very astonishing results. The #SEC’s adherence to FISMA applies to all organizations that fall under the SEC, like Registered Investment Advisors. #Hint
What is more unfortunate is the risk you expose your organization to by not following these mandates. It’s more systemic than you can imagine (see #3 Cyber Security Insurance HAHA) #TakeNote

1. GLBA:

To meet GLBA compliance, financial institutions are required to perform scans of their entire network for vulnerabilities and to perform patch management…

2. FFIEC:

“Management should establish procedures to stay abreast of patches, to test them in a segregated environment, and to install them when appropriate.”

3. HIPAA: The below statement from Director of Health and Human Services says it all.

Director Jocelyn Samuels stated, “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis … this includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

3. Cyber Security Insurance – In the last few months, just about every client and every attendee at one of my presentations brings up Cyber Security Insurance as if to qualify a solution to NOT applying the due diligence to maintain an Information Security Policy covering Patch and Vulnerability Management. (Feel free to show me a policy proving me wrong.) I have yet to see a policy that does not have verbiage like the following:

Actual Cyber Security Insurance Policy

Do you see the wonderful wordplay in Section D?

“Failure to ensure that the computer system is reasonably protected by security practices and systems maintenance procedures that are equal to or superior to those disclosed in the proposal[.]”

Read your “Covered Cause of Loss” clauses with a fine-toothed comb before considering your organization’s Cyber Risk “Covered” by buying Cyber Security Insurance. First and foremost, if you are not achieving the minimum security requirements mandated by Federal and State law, the vast majority of Cyber Security Insurance policies will not cover your “Lack of Due Diligence.”

These are the facts and the reality of the situation. Attempting to escape, hide, ignore, or be frugal in your Cyber Security protection plan is easily one of the biggest mistakes you can make. Furthermore, the solution to protecting your organization is not as costly as you may think.

There is a famous book that says something to the effect of:

“Lean Not on your own understanding.”

When you are in doubt, ask. Bring in the help you need. Though it’s understood the sea of Cyber Security charlatans is very vast, #truth never comes in ambiguous and expensive terms. It’s the simple things that break the back of any organization in the cyber protection arena.

So what now…..

Some organizations are small enough to deploy simple and cost effective measures to not only comply but achieve an above average compliance and information security posture. But they don’t.  Some out of ignorance, some because they have been bitten by the IT Hustle bug before and just do not want to throw money in a hole again. It’s a problem; I agree.

Solutions:

1. Establish an Information Security Policy. Hint: Search (X = Regulatory Compliance Mandate + Information Security Policy). For example, if you are an Insurance Provider you may fall under GLBA. Google “GLBA Information Security Requirements,” and something like this may just pop up.

GLBA Information Security Program | Policy Library

GLBA mandates that the Institute appoint an Information Security Program Coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to covered data and information, oversee service providers and contracts, and evaluate and adjust the Information Security Program periodically.


This is what we call a beginning. Below is an example of an Information Security Policy for Georgia Tech. Why recreate the wheel? Review it, have your advisors and legal counsel make the custom changes needed to tailor it to your environment, and… You have Begun.

2. Simply keep your machines up to date. If you’re a small outfit, simply ensure you and your office mate have automatic updates turned on. (Windows, OSX, Ubuntu. It doesn’t matter.)

3. Invest in AntiVirus, no need to skimp on this. There are too many out there for me to provide a list, but understand, the solution should be as robust as possible.

4. Invest in VPN Technology. We make our own to stay completely off “grid.” But there are simple and relatively low cost solutions for small outfits, like NordVPN or IPVanish. These will allow you to install the application on up to 5 devices and are platform agnostic: OSX, Windows, iOS, Linux, etc.

5. As you shop for consultants, actually SHOP! Don’t just choose an IT or IT Security solution provider because their ad keeps popping up on your LinkedIn screen. Actually shop. Ask peers and check them out fully before blowing your wallet on subpar solutions. When you do sign that contract, make sure the “Statement of Work” is articulated such that you both understand what is expected.

6. Lock Your ISH!!!!! Besides the 99 problems that come along with not placing a password on your machine, it’s simply too easy to apply a password to your machine, your phone, your office to just lock it up.

7. Backups and Ghosting (Imaging). Depending on the size of your organization, a backup and ghosting solution should be on your agenda. Ghost solutions, like Norton Ghost, may not be for you based on your IT budget. But I can assure you it’s one of the best solutions to stay ahead of the risks of a machine outage. One machine gets “ransomed,” so what? Deploy another image and restore from backup.

You can even deploy a free “Ghosting Solution” of your own, but I will not go into those details here. Seek and Ye Shall Find, right?
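Steps 2 and 6 above (keep machines updated, lock them) and the #WSUS point under #1 are the controls that actually decide whether a worm like this lands, and they are cheap to verify. The script below is an added, read-only endpoint audit written for this post, not code from the author or from any product named here. It reports the newest installed update and its age, whether the machine is pointed at a WSUS server or has automatic updates switched off by policy, and whether an inactivity lock is in place. The 30-day threshold and the `-MaxPatchAgeDays` parameter are assumptions for illustration; the registry paths are the standard Windows Update and screen-lock policy locations. Run it from an elevated PowerShell on the machine you want to check.

```powershell
# Added example (not from the original post): read-only audit of patch
# status, update source and screen lock on a Windows endpoint.
# -MaxPatchAgeDays is an assumed threshold, not a value from the post.

[CmdletBinding()]
param(
    [int]$MaxPatchAgeDays = 30   # assumption: flag hosts with no update in 30 days
)

$findings = @()

# --- Patch status ---------------------------------------------------------
# Get-HotFix lists installed updates; InstalledOn can be empty for some
# packages, so drop those before picking the newest date.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if (-not $lastPatch) {
    $findings += "No installed updates reported by Get-HotFix"
} else {
    $age = (Get-Date) - $lastPatch.InstalledOn
    if ($age.TotalDays -gt $MaxPatchAgeDays) {
        $findings += ("Newest update {0} installed {1:N0} days ago (limit {2})" -f
            $lastPatch.HotFixID, $age.TotalDays, $MaxPatchAgeDays)
    }
}

# --- Update source / automatic updates -----------------------------------
# Policy keys written by WSUS Group Policy. UseWUServer=1 means the client
# pulls from the server named in WUServer instead of public Windows Update;
# NoAutoUpdate=1 disables automatic updating entirely.
$wuPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy   = Join-Path $wuPolicy 'AU'
$wsusServer = (Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue).WUServer
$useWsus    = (Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue).UseWUServer
$noAuto     = (Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue).NoAutoUpdate

if ($useWsus -eq 1 -and -not $wsusServer) {
    $findings += "UseWUServer=1 but no WUServer configured: updates will stall"
}
if ($noAuto -eq 1) {
    $findings += "NoAutoUpdate=1: automatic updates are disabled by policy"
}

# --- Screen lock ---------------------------------------------------------
# Either a machine-wide inactivity limit (Policies\System) or, for the
# current user, an active password-protected screen saver counts as a lock.
$sys  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$machineLock = [bool]$sys.InactivityTimeoutSecs
$userLock    = ($desk.ScreenSaveActive -eq '1' -and $desk.ScreenSaverIsSecure -eq '1')

if (-not $machineLock -and -not $userLock) {
    $findings += "No inactivity lock: set InactivityTimeoutSecs or a password-protected screen saver"
}

# --- Report --------------------------------------------------------------
[PSCustomObject]@{
    ComputerName  = $env:COMPUTERNAME
    LastPatch     = if ($lastPatch) { $lastPatch.HotFixID } else { $null }
    LastPatchDate = if ($lastPatch) { $lastPatch.InstalledOn } else { $null }
    WsusServer    = $wsusServer
    UsesWsus      = ($useWsus -eq 1)
    AutoUpdateOff = ($noAuto -eq 1)
    ScreenLock    = ($machineLock -or $userLock)
    Findings      = $findings
} | Format-List
```

An empty `Findings` list is the goal. A non-empty one is the concrete, non-ambiguous evidence to take into the board meeting described under #1: a satellite office whose hosts show a months-old `LastPatchDate` and a `WsusServer` of nothing is a patch management gap, not a reason to shop for immunity products. Because the script only reads registry values and the hotfix list, it can be pushed out through whatever remote management you already have and collected centrally.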

#WhatFear?

J.Tate Signing out.  I have actual work to do. 🙂 Hope this helps, and if you have any questions feel free to hit me here or where ever you can find me.
