Practice makes perfect. Where have we heard that before? This simple concept is followed in academia, the arts, sports, and I’m sure there are many other facets of life that could be listed which would benefit from more practice.
Where would cyber security rank if a random group of people were asked to “list activities that benefit from practice”?
The chance that “cyber security” might not even be listed should be an eye-opener for some managers and executives. Regular audits of an entity’s cyber security posture are vital as these audits assess the entity’s regulatory compliance, cyber awareness, threat defense, data loss prevention, breach response and business continuity – among other areas.
Ideally, audits should be conducted against a copy of the entity’s actual environment. Particular care and attention should be given to how audits are conducted to minimize or prevent any negative effects to the production environment.
How would your entity perform on a surprise audit? In what areas would your entity shine? In what areas would your entity fall short?
The idea here is that failing during a surprise audit is not failing. It is an opportunity to study the cause of the failure and to develop a solution. The result of any audit should be lessons learned, recommendations for improvement, putting those recommendations into place and follow-up audits or tests to ensure the identified issues were resolved.
Consider the following scenario and imagine how your entity might rank:
Your company receives a well-crafted phishing email containing malware. The email is from a vendor named “O’Hare’s Printshop” (which is fictitious for this scenario). The problems with the email are:
- The email contains what appears to be a link to an invoice, but in reality the link executes malware
- “O’Hare’s Printshop” is not a vendor engaged by your company
- The email header contains no DomainKeys Identified Mail (DKIM) information
- The sender IP address does not match the registered IP range for “O’Hare’s Printshop”
- The sender IP address is for a region that the business has no legitimate communication with
- The sender IP address is from a region well known for launching cyberattacks and scams
- The cyber risk for that region is acknowledged and documented by cyber threat intelligence groups
- The malware is designed to:
  - Simply propagate with persistence
  - Cause a system restart
  - Cause a full-screen message to display on the Windows environment, not allowing the user to exit or log in
This particular malware is readily identifiable by current signatures by all major antivirus products including all major email filtering/scanning products.
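The indicators listed for the scenario are exactly the kind of checks a mail gateway or SOC triage script can apply before a user ever sees the message. The following is an added example, not code from the article or from RGL Forensics: it parses a constructed message that mirrors the scenario (unknown vendor, no DKIM header, sender IP outside the impersonated company's registered range and from a region the business never deals with, an "invoice" link that points at an executable) and returns the indicators it finds. The vendor list, IP ranges (documentation-only TEST-NET addresses), region mapping and both sample messages are constructed for the example; the DKIM check only tests for the header's presence, whereas a real gateway would verify the signature against DNS.

```python
"""Header and link triage for the phishing scenario above (added example).
All reference data and sample messages are constructed; nothing here is real
vendor, address or RGL Forensics data."""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional

# Constructed: vendors the business actually does business with.
APPROVED_VENDORS = {"acme supplies"}

# Constructed: publicly registered sending ranges of organisations we know of,
# whether or not they are our vendors (so impersonation can be spotted).
REGISTERED_RANGES = {
    "acme supplies": ["203.0.113.0/24"],
    "o'hare's printshop": ["203.0.113.0/24"],
}

# Constructed: coarse region label per network prefix, and the regions the
# business has no legitimate traffic with.
REGION_BY_PREFIX = {"203.0.113.0/24": "home-region", "198.51.100.0/24": "region-x"}
BLOCKED_REGIONS = {"region-x"}

# Constructed message mirroring the article's scenario.
SAMPLE_EMAIL = """\
Received: from mail.example.net (unknown [198.51.100.77]) by mx.example.com
From: "O'Hare's Printshop" <billing@ohares-printshop.example>
To: accounts@example.com
Subject: Invoice #4471 attached
Content-Type: text/html

<p>Please review your <a href="http://198.51.100.77/invoice_4471.exe">invoice</a>.</p>
"""

# Constructed legitimate message for comparison (DKIM present, known vendor,
# sender inside its registered range, link to a document rather than a binary).
CLEAN_EMAIL = """\
Received: from mail.acme.example (mail.acme.example [203.0.113.10]) by mx.example.com
DKIM-Signature: v=1; a=rsa-sha256; d=acme.example; s=sel; bh=abc; b=xyz
From: "Acme Supplies" <ar@acme.example>
To: accounts@example.com
Subject: Invoice #9001
Content-Type: text/html

<p>Your <a href="https://portal.acme.example/invoices/9001.pdf">invoice</a> is ready.</p>
"""

EXECUTABLE_SUFFIX = re.compile(r"\.(exe|scr|js|bat|cmd)$", re.IGNORECASE)


def sender_ip(msg: Message) -> Optional[str]:
    """Client IP from the topmost Received header, or None if absent."""
    for hop in msg.get_all("Received") or []:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
        if m:
            return m.group(1)
    return None


def region_for(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for prefix, region in REGION_BY_PREFIX.items():
        if addr in ipaddress.ip_network(prefix):
            return region
    return "unknown"


def vendor_name(msg: Message) -> str:
    """Display name from the From header, lower-cased for lookups."""
    return msg.get("From", "").split("<")[0].strip().strip('"').lower()


def triage(raw: str) -> List[str]:
    """Return the indicators found in the message; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    findings: List[str] = []
    vendor = vendor_name(msg)
    ip = sender_ip(msg)

    if vendor not in APPROVED_VENDORS:
        findings.append(f"sender {vendor!r} is not an engaged vendor")
    if msg.get("DKIM-Signature") is None:   # presence only; real gateways verify it
        findings.append("no DKIM-Signature header")
    if ip is None:
        findings.append("no sender IP found in Received headers")
    else:
        ranges = REGISTERED_RANGES.get(vendor, [])
        if ranges and not any(ipaddress.ip_address(ip) in ipaddress.ip_network(r) for r in ranges):
            findings.append(f"sender IP {ip} is outside the registered range for {vendor!r}")
        region = region_for(ip)
        if region in BLOCKED_REGIONS:
            findings.append(f"sender IP {ip} is from blocked region {region}")

    # Visible link text says "invoice" while the target is an executable.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for href, text in re.findall(r'href="([^"]+)"[^>]*>([^<]*)<', body):
        if "invoice" in text.lower() and EXECUTABLE_SUFFIX.search(href):
            findings.append(f"'invoice' link points to an executable: {href}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("FLAG:", finding)
    print("clean message findings:", triage(CLEAN_EMAIL))
```

Each check is independent, so the output is a list of indicators rather than a single verdict; that lets the reviewer see which of the scenario's signals fired and which reference data (vendor list, registered ranges, region policy) the decision rested on, which is the material a post-exercise lessons-learned review needs.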
How would your entity – with its current cyber security posture – fare if this scenario were attempted? The hope is that your entity would emerge triumphant at the end of the exercise with nothing to worry about.
In today’s hostile cyber climate, businesses should be proactive with their cyber security posture. However, that is not always the case. A well-crafted phishing email is all it takes to severely damage a business. The damaging effects of such an email reach beyond the business’s bottom line to the lives of employees, clients and other businesses that engage with the affected business.
In RGL Forensics’ experience, practicing the art of cyber security may not ever make the cyber security posture perfect, but the lessons learned and improvements made could leave the business in a much more resilient cyber security posture.
Practice, learn, improve, repeat.