Category Archives: Bryce Austin

What to Do When an Employee Becomes a Cybercriminal

By Bryce Austin

The FBI caught David Yen Lee at his home before he could depart for the airport where his flight was waiting. The hard drives the FBI sought were in his possession. On those drives were the trade secrets of a very well-known USA-based paint company, and David had purchased a one-way ticket to Shanghai, China where he intended to illegally hand over those trade secrets to Nippon Paint. He served over a year in prison for his crime.

Today’s cybercriminals come at your company from many angles. Their motivations are often more practical than many law-abiding citizens would expect:

  • They want money, and you have information they can monetize.
  • They can use data to manipulate business or personal situations in their favor.
  • If your company dominates an industry or owns critical trade secrets, others wish to take that power away from you and use it for their own advantage. Cybercrime is one way to accomplish that goal.

Motives such as these change the way cybercriminals operate. They are organized, they share information with each other, and they are often well funded, all of which makes them more dangerous. In the example above, David Yen Lee was an internal cybercriminal: one of the company’s own employees.

This is a difficult topic. While it’s true that internal employees are responsible for a large number of cybersecurity breaches, it’s also true that most of these are unintentional. They are the result of good people doing something they shouldn’t, either out of ignorance or because a cybercriminal tricked them into doing it (the social-engineering behavior Frank Abagnale displays in the movie Catch Me if You Can). Statistics on the exact percentage of “insider” breaches that are deliberate rather than inadvertent vary widely, but the consensus is that the large majority of insider incidents are not malicious. Whichever statistic you believe, everyone agrees that many insider incidents would have been prevented if the insider had understood how his or her behavior allowed a breach to occur. It’s easy to see why a good cybersecurity awareness training program is so important to the success of your company.

With that being said, there is a real risk of an employee with malicious intent breaching your sensitive data, whether to pass details to a competitor, to profit from your data, or, as a disgruntled employee, to take revenge on your company. If your company falls victim to a malicious insider, finding out what happened is even more difficult, because such employees often hold high-level system privileges that allow them to erase their tracks.

If your company is one of the unlucky ones where an insider deliberately caused a security breach, then you are automatically in the highest-risk category of those susceptible to cybercrime. The keys to mitigating this risk are simple:

Educate Your Employees

  • Establish a strong mandatory and frequent cybersecurity awareness training program for your employees that clearly lays out the policy for cybersecurity and the consequences of violating the policy.
  • Don’t allow employees to take home devices that contain sensitive files due to the risk of the device being stolen or sensitive data being transmitted over insecure networks at their home or other locations.
  • Instruct your employees to never share their passwords.

Know your People

  • Perform background checks on your employees to assist in identifying those that may take deliberate actions that would harm your company.
  • Know which people have access to the most sensitive data.

Guard your most sensitive data

  • Limit your employees’ ability to obtain access (intentional or unintentional) to sensitive information via a least-privileged approach to your data.
  • Identify your most sensitive and valuable data. Then assign that data the highest safeguarding and most persistent monitoring.
  • Remove “local administrator privileges” from your users on their company-provided laptops or desktops. A “local administrator” is someone who can do anything he or she chooses to with a computer, such as install programs, delete files, change sensitive security settings, and so on.
  • Turn on “egress filtering” on your network and limit the use of USB “thumb drives.” Both make it harder for anyone to copy sensitive data and move it outside your organization.

Ensure that you have forensics available to you

  • Tracking down an internal cybercriminal requires logging of network and system activity, especially any access to sensitive information.
  • Those logs need to be stored where the fewest possible employees can reach them, and where the administrators whose actions they record cannot alter or delete them; an insider with high-level privileges will otherwise erase his or her tracks.
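The two bullets above describe what to log; what follows is an added example, not part of the original article, of the kind of review those logs make possible. It runs a few constructed access-log lines (not real data) through three checks a practitioner would want in an insider case: reads outside a user’s least-privilege scope, reads outside working hours, and bulk reads of many sensitive files in a short window. The log format, the ALLOWED scope map, the thresholds and the user names are all assumptions made for the example.

```python
"""Review sensitive-file access logs for insider warning signs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data. Format: "<ISO timestamp> <user> <action> <path>"
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice READ /secure/formulas/coating-a.pdf
2024-03-04T09:14:30 alice READ /secure/formulas/coating-b.pdf
2024-03-04T10:02:11 bob READ /secure/hr/salaries.xlsx
2024-03-04T10:05:40 bob READ /secure/formulas/coating-a.pdf
2024-03-04T23:41:05 dave READ /secure/formulas/coating-a.pdf
2024-03-04T23:41:09 dave READ /secure/formulas/coating-b.pdf
2024-03-04T23:41:12 dave READ /secure/formulas/coating-c.pdf
2024-03-04T23:41:15 dave READ /secure/formulas/coating-d.pdf
2024-03-04T23:41:18 dave READ /secure/formulas/coating-e.pdf
2024-03-04T23:41:21 dave READ /secure/formulas/coating-f.pdf
"""

# Hypothetical least-privilege map: the sensitive trees each user has a business need to read.
ALLOWED = {
    "alice": ("/secure/formulas/",),
    "bob": ("/secure/hr/",),
    "dave": ("/secure/formulas/",),
}

BULK_THRESHOLD = 5                   # this many distinct sensitive files ...
BULK_WINDOW = timedelta(minutes=10)  # ... read within this window counts as bulk (assumed)
WORK_HOURS = (7, 19)                 # local working hours, 07:00-19:00 (assumed)


def parse_log(text):
    """Parse log lines into (timestamp, user, action, path) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split()
        events.append((datetime.fromisoformat(ts), user, action, path))
    return sorted(events)


def in_scope(user, path, allowed):
    """True if the path lies under one of the trees this user is permitted to read."""
    return any(path.startswith(prefix) for prefix in allowed.get(user, ()))


def detect(events, allowed=ALLOWED, threshold=BULK_THRESHOLD,
           window=BULK_WINDOW, work_hours=WORK_HOURS):
    """Return (user, rule, detail) findings for out-of-scope, off-hours and bulk access."""
    findings = []
    per_user = defaultdict(list)   # user -> [(timestamp, path)], in time order
    off_hours = defaultdict(int)   # user -> number of accesses outside work hours
    for ts, user, action, path in events:
        if not in_scope(user, path, allowed):
            findings.append((user, "OUT_OF_SCOPE", path))
        if not work_hours[0] <= ts.hour < work_hours[1]:
            off_hours[user] += 1
        per_user[user].append((ts, path))
    for user, count in off_hours.items():
        findings.append((user, "OFF_HOURS",
                         f"{count} access(es) outside {work_hours[0]:02d}:00-{work_hours[1]:02d}:00"))
    for user, accesses in per_user.items():
        # Sliding window: count distinct files read within `window` of each access.
        for i, (start, _) in enumerate(accesses):
            distinct = {p for t, p in accesses[i:] if t - start <= window}
            if len(distinct) >= threshold:
                findings.append((user, "BULK_ACCESS",
                                 f"{len(distinct)} distinct sensitive files within {window}"))
                break  # one bulk finding per user is enough for a review queue
    return findings


if __name__ == "__main__":
    for user, rule, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{user:<6} {rule:<13} {detail}")
```

On the constructed log, alice produces nothing, bob is flagged once for reading a formula file outside his HR scope, and dave is flagged twice: six reads at 23:41 are both off-hours and bulk. Note that the check only works if the scope map reflects real business need; a map that grants everyone everything turns the OUT_OF_SCOPE rule off.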

In short, your employees are your most valuable asset, but can also be your greatest liability. They need to be trained on best practices to keep your data safe, and they also need to understand that you have forensic systems in place that will likely catch them if they attempt to access data they should not. A “trust but verify” approach regarding employee access to your critical intellectual property is an important part of your company’s cybersecurity program.

Bryce Austin is the CEO of TCE Strategy, an internationally-recognized speaker on emerging technology and cybersecurity issues, and author of Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives. With over ten years of experience as a Chief Information Officer and Chief Information Security Officer, Bryce actively advises companies across a wide variety of industries on effective methods to mitigate cyber threats. For more information on Bryce Austin, please visit www.BryceAustin.com.

 

What is My Playbook if I Have a Cybersecurity Incident?

By Bryce Austin

“I have been investigating a large number of failed logins on your server. Due to the volume of failed attempts, it does appear that the attempts are coming from an outside source. My company recommends that you reach out to a Security Firm to have your network investigated for a possible breach.”

He couldn’t believe what he was reading. A local cybersecurity professional was forwarded the email above from his new client’s outsourced computer management company. The owner of the business was concerned, and for good reason. They had only brought him onboard as their part-time cybersecurity advisor the month before, and the vendor that manages their network had kicked this ball squarely into his court. He had to figure out what to do—fast.

The priorities were simple:

  • Alert his client’s executive team about the situation.
  • Determine if this is or is not a real hacking attempt.
  • If it is a real hacking attempt, determine how it is occurring.
  • Assess if the hack was successful in any way. Was any damage done? Was any data accessed?
  • If the hack was unsuccessful, terminate the hacker’s access immediately.
  • If the hack was successful, start making calls to his client’s CEO, their cybersecurity insurance carrier, a third-party company that specializes in breach remediation, and his client’s attorney.
  • Follow-up with root-cause analysis and recommend preventive measures.

It took over ten hours to determine the extent of the issue. Cybercriminals had breached a single server, and a malicious program was running on that server. It was trying various dictionary words as passwords against common “administrator” level accounts. He breathed a tiny sigh of relief to see that it had only started several hours earlier and appeared to be moving ahead at full steam, which meant that the bad guys had most likely not yet been successful at cracking an administrator-level password.

The cybercriminals gained access into that server via a combination of a phishing email and a bad firewall configuration. Thankfully, forensics found no evidence of further intrusion.
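The investigation above had to answer two questions from raw login records: is this a real attack, and did any guess succeed? As an added example (not code from the article, the client or its vendor), the Python below runs those checks over a few constructed authentication-log lines (not real data; the addresses are documentation-range IPs). It flags a dictionary attack against one account, a password spray across many accounts from one source, and, the finding that matters most in the story, a successful login that follows a burst of failures from the same source. The log format, thresholds and window are assumptions.

```python
"""Spot brute-force, password-spray and fail-then-success patterns in an auth log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data. Format: "<ISO timestamp> <FAIL|OK> user=<account> src=<ip>"
SAMPLE_AUTH_LOG = """\
2024-03-04T02:10:01 FAIL user=administrator src=203.0.113.7
2024-03-04T02:10:02 FAIL user=administrator src=203.0.113.7
2024-03-04T02:10:03 FAIL user=administrator src=203.0.113.7
2024-03-04T02:10:04 FAIL user=administrator src=203.0.113.7
2024-03-04T02:10:05 FAIL user=administrator src=203.0.113.7
2024-03-04T02:10:06 FAIL user=administrator src=203.0.113.7
2024-03-04T02:11:00 FAIL user=admin src=198.51.100.9
2024-03-04T02:11:01 FAIL user=root src=198.51.100.9
2024-03-04T02:11:02 FAIL user=sysadmin src=198.51.100.9
2024-03-04T02:11:03 FAIL user=backup src=198.51.100.9
2024-03-04T02:11:04 FAIL user=svc_sql src=198.51.100.9
2024-03-04T02:11:05 OK user=svc_sql src=198.51.100.9
2024-03-04T08:00:10 FAIL user=alice src=10.0.0.23
2024-03-04T08:00:25 OK user=alice src=10.0.0.23
"""


def parse_auth_log(text):
    """Parse lines into (timestamp, result, user, src) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append((datetime.fromisoformat(ts), result, fields["user"], fields["src"]))
    return sorted(events)


def detect_credential_attacks(events, window=timedelta(minutes=5),
                              brute_threshold=5, spray_threshold=5, success_after=3):
    """Return (src, rule, detail) findings. Thresholds are assumed values for the example."""
    findings = []
    flagged = set()                    # (src, rule[, user]) already reported once
    recent_fails = defaultdict(list)   # src -> [(timestamp, user)] inside the sliding window
    for ts, result, user, src in events:
        # Expire failures that have fallen out of the window for this source.
        recent = [(t, u) for t, u in recent_fails[src] if ts - t <= window]
        recent_fails[src] = recent
        if result == "FAIL":
            recent.append((ts, user))
            same_user = sum(1 for _, u in recent if u == user)
            if same_user >= brute_threshold and (src, "BRUTE_FORCE", user) not in flagged:
                flagged.add((src, "BRUTE_FORCE", user))
                findings.append((src, "BRUTE_FORCE",
                                 f"{same_user} failures for '{user}' within {window}"))
            targets = {u for _, u in recent}
            if len(targets) >= spray_threshold and (src, "PASSWORD_SPRAY") not in flagged:
                flagged.add((src, "PASSWORD_SPRAY"))
                findings.append((src, "PASSWORD_SPRAY",
                                 f"failures against {len(targets)} accounts within {window}"))
        elif len(recent) >= success_after:
            # A success right after a burst of failures is the "did they get in?" signal.
            findings.append((src, "FAIL_THEN_SUCCESS",
                             f"'{user}' logged in after {len(recent)} recent failures"))
    return findings


if __name__ == "__main__":
    for src, rule, detail in detect_credential_attacks(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{src:<14} {rule:<18} {detail}")
```

The alice lines (one typo, then a normal login) produce nothing. In the client’s real case only the BRUTE_FORCE pattern would have appeared, because the attack was still running with no success; a FAIL_THEN_SUCCESS hit on an administrator account is what turns “probably not successful” into “assume compromise and start the calls.”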

His blood pressure began to return to a more reasonable level.

The example above is real, and while it represents the best possible outcome of a cybersecurity incident, it was used here to make a number of points. This client didn’t have a playbook on what to do when a cybersecurity incident is suspected, so they had to make it up as they went. Doing so took extra time and might have led them to miss obvious steps.

  • The company did not have documents outlining how to bring operations back online if the hack had been successful, nor did they have procedures to follow if it was determined that any sensitive data had been stolen.
  • Their IT services vendor wasn’t well trained in how to get to the bottom of the technical issues quickly, which lengthened the incident by hours.
  • The client didn’t have a list of whom to call if a cybersecurity incident was suspected, which made the phone number to their cybersecurity advisor the only number they thought to use. What if he was unavailable when this took place?

In a nutshell, they didn’t have their act together, and it showed.

After an incident occurs, your company will be judged on the following criteria:

  • Before the incident, did your company take all actions to prevent the incident that one would expect of a prudent organization?
  • Did your company respond to the incident using procedures that one would expect of a prudent organization?
  • Are there any ways that the media could portray your actions around steps 1 and 2 to make your company appear culpable or incompetent? If there are, expect that they will; it attracts more readers to their publication.

A robust playbook that includes the CEO, Chief Legal Counsel, and all other senior leaders will do immeasurable good in your ability to respond to an incident.

An incident response playbook needs several key elements to be effective. It must:

  • Identify who in your organization has the authority to declare a cybersecurity incident. Who can initiate the playbook?
  • Spell out how much money that person can authorize to be spent to have an incident investigated or remediated.
  • Have a list of the types of scenarios that it is designed to cover. Examples include the loss of sensitive data, a ransomware attack, the loss of a critical system, law enforcement contacting your organization about a warrant or subpoena, and the loss of the use of one or more of your sites, whether because of a natural disaster or for other reasons (such as a crime taking place in the building and the police barring your employees from entering the premises).
  • Have a call tree that includes which people or groups to call when an incident takes place.
  • Define the people or groups responsible for making the decision on when to bring in law enforcement.
  • List the people authorized to speak to the media about a cybersecurity incident, and what those who are not authorized to speak to the media should say if they are approached by a reporter.
  • List all of your critical systems, the location of the data in those critical systems, and the location of the backups of the data for those systems.
  • Outline your general incident-response process. While every scenario is different, this process normally follows these steps: preparation, detection/analysis, containment, eradication, recovery, incident closure/root-cause analysis, and preventative measures.
  • Be reviewed on a frequent basis. These plans get stale quickly, and need to be reviewed whenever a significant change in your organization takes place.

If the above points are reviewed as a group, an interesting trend emerges. Most of them are non-technical; the majority are operational and financial in nature. Overlooking that is a critical misstep in many incident response plans. If your technology team owns your incident response plan, it is making business and financial decisions that should be made by the CEO, COO, CFO and legal counsel.

Above all, your incident response plan needs to be tested. Unless you have rehearsed an incident response procedure, you’re only able to guess if it will work. This is too important to be left to guesses.

The takeaway messages from this article are easy to list:

  • Your company needs an incident response playbook.
  • The incident response playbook should be owned by a non-technical member of your executive team.
  • Your company needs to periodically test your incident response capabilities.
  • Your company needs to update the playbook from lessons learned as a result of tests, whenever significant changes occur to the operational or technical aspects of the company, or when merger/acquisition activity occurs.

Questions to explore this topic further with your company’s leaders:

  • How do we test our incident response playbook?
  • How often do we test it?
  • What did we learn from our last test?


What Do My Employees Need To Know About Cybersecurity?

By Bryce Austin

If you are not educating your employees on cybersecurity best practices, you are missing the biggest opportunity for improvement in your entire cybersecurity profile. Your employees have business-need access to a lot of important data, and their ability to protect that data, or to inadvertently let it walk out the door of your organization, is strong.

Lack of education has been at the heart of a number of major security breaches. You have probably heard about the new HR employee who got an email from the president of the organization asking for the W-2 information on every employee, and sent it exactly as instructed. The employee did not recognize that the email came from a hacker impersonating the CEO, and a major security breach took place.

Entire criminal business models are built on exploiting that kind of misplaced trust. Let’s pretend that I am going to build a site with the world’s best collection of cute pet pictures. I’ll give you the first ten for free (and those ten are the most adorable pictures you have ever seen), but to see more, you need to set up a username and password. The access is still free, though.

No big deal, right? Wrong. In this scenario, I own this website and I am a criminal, and my business model is to try to use the username and password you just entered at every major banking website, on all major email providers, on your company’s VPN portal, and anywhere else that I think you might have used the same username and password. I will then extract any valuable information I can from those sites, sell the information for a profit, possibly ransom your own data from you to make even more money, and then move on to the next victim.

Need some numbers to illustrate why educating your employees about cybersecurity practices is important?

  • Per IDG’s 2016 Global State of Information Survey, 48 percent of data security breaches are caused by acts of malicious intent. Human error or system failure account for the rest.
  • According to the Ponemon Institute, 60 percent of employees use the exact same password for everything they access. Meanwhile, 63 percent of confirmed data breaches leverage a weak, default or stolen password.

So where can your company start? Start with a training program. Your employees need to be educated on cybersecurity best practices. One issue that any cybersecurity awareness training program must address is passwords:

Implement real password policies:

There’s no easy way to say this, so I’m just going to say it: Passwords stink. They are no fun to create, no fun to remember, and no fun to type in. That being said, passwords are still the most common authentication method today. It is imperative to implement a password policy requiring passwords that can’t easily be guessed, and end-user training to go along with it. Microsoft’s Active Directory “Password must meet complexity requirements” setting is a start, but on its own it still accepts guesses like “P@ssw0rd1”; a minimum length and a check against known-breached passwords do more than character-class rules, and end-user training is also mandatory.

Many users use the same passwords for every online system they need a password for. This is a problem. If one site gets hacked, cybercriminals will try your credentials at all common websites, and possibly at your business’s VPN. It is imperative that your cybersecurity awareness training program encourage your team members to use different passwords for different sites, and especially for any system that your company uses.
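As an added example (not from the article), here is what the “real password policy” called for above looks like in code, beyond the Active Directory complexity switch. The breach blocklist is a constructed handful of entries standing in for the hundreds of millions a real deployment would load; the username, company name and 12-character minimum are assumptions. The point it makes: “P@ssw0rd1” satisfies the classic three-of-four character-class rule and still fails, while a long passphrase passes the checks that matter.

```python
"""Password policy checks that go beyond a complexity switch (added example)."""
import re

MIN_LENGTH = 12  # assumed policy minimum

# Constructed stand-in for a breach-derived blocklist; real lists have hundreds of millions of entries.
BREACHED = {"password", "welcome", "letmein", "qwerty", "summer", "123456", "iloveyou"}

# Substitutions attackers try first; undoing them lets "P@ssw0rd" be caught as "password".
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "5": "s"})
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def meets_ad_complexity(pw):
    """The character-class part of Windows' 'Password must meet complexity requirements':
    at least three of upper, lower, digit, non-alphanumeric."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, pw)) >= 3


def normalize(pw):
    """Lower-case, drop a trailing digit/symbol suffix ("2024!"), then undo leet substitutions."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET)


def has_sequence(low, n=3):
    """True if any n-character run is consecutive ('abc', '123') or a keyboard-row walk ('qwe')."""
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        ascending = chunk.isalnum() and all(
            ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(n - 1))
        if ascending or any(chunk in row for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw, username, company, breached=BREACHED, min_length=MIN_LENGTH):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    low = pw.lower()
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if low in breached or normalize(pw) in breached:
        problems.append("appears in a breach list")
    if username and username.lower() in low:
        problems.append("contains the username")
    if company and company.lower() in low:
        problems.append("contains the company name")
    if re.search(r"(.)\1{3,}", pw):
        problems.append("contains a run of 4+ repeated characters")
    if has_sequence(low):
        problems.append("contains a common sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Welcome123!!", "Acme#Winter2024",
                      "correct horse battery staple"):
        print(f"{candidate!r}: AD-complex={meets_ad_complexity(candidate)} "
              f"problems={check_password(candidate, 'jsmith', 'Acme')}")
```

Run against the four sample candidates, the first three are rejected (too short and breached; breached and sequential; contains the company name) even though each passes the Active Directory rule, while the passphrase passes every check here and fails only the Active Directory rule. That mismatch is why the complexity setting is a start and not a policy.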

Most companies have some sort of safety guidelines that their employees must follow or be aware of, and cybersecurity should be no different. There are a number of companies that specialize in this type of training, and they may or may not be a good fit for your company culture. Picking the right type of training is critical; having a good cultural fit is more important than the actual content. Be sure to do proper due diligence to ensure that the training content offered by the company or companies you are considering is a good fit for the culture of your company.

The important message here is that you already know you must train your employees on certain things in order to have them perform their job functions. Cybersecurity is one of those things. If you are uncertain as to how to structure a cybersecurity training program, find an advisor that can help you.

Questions to explore this topic further with your company’s leaders:

  • When was the last time you were trained on cybersecurity? What did you take away from it?
  • Do your team members who have access to sensitive data get additional training above and beyond those who do not?


How Valuable a Target is My Company to Cybercriminals?

By Bryce Austin

Cybersecurity breaches are frequent, frustrating and becoming more massive with each new headline. The worst data breach in healthcare history was the Anthem breach of February 2015. More than 78.8 million records were stolen by a foreign government that does not have strong diplomatic relations with the USA. Those records included the names, birth dates, Social Security numbers, and home addresses of everyone who had ever done business with Anthem, or even applied for a policy. The more recent Equifax breach has dwarfed that number, with 145.5 million people impacted.

Some companies know they are in the crosshairs of the best cybercriminals in the world.

  • Do you have a database of HIPAA data that would be valuable on the black market?
  • Do you process over one million credit card transactions per year?
  • Are you in the payroll or money-transfer business?
  • Are you developing a technology that foreign governments would be interested in?
  • Are you in a business that a hacktivist group or Nation State may find ethically questionable?

If you can answer yes to any of the above questions, congratulations, you are in the highest-risk group. Most companies are not in the highest-risk category. The remaining companies fall into three large groups, including those that have:

  • A significant regulatory environment to operate within (healthcare, banking, insurance, etc.).
  • Data that others could monetize (trade secrets, credit card numbers, Personally Identifiable Information (PII), data on publicly traded companies that has not yet been made public, etc.).
  • Data that is important and necessary for the company to operate.

Before the proliferation of ransomware, the third category would not have been included. Many in the cybersecurity field used to lambast salespeople selling cybersecurity tools that said, “Everyone is a target.” The problem is that cyber criminals have figured out an important new angle to their business model: companies that don’t have information that is valuable on the black market still have information that’s valuable to the company itself. The bad guys are finding a way into a company, encrypting as much data as possible, and then extorting money from you to get your own data back.

In today’s world, everyone is a target. From hospitals that need their Enterprise Resource Planning (ERP) system to treat patients, to accounting firms needing tax engine software to process their clients’ tax returns, every company wants to prevent business disruptions. Ransomware attacks are designed to disrupt your company’s ability to do business until you pay up.

That raises a common question: “How can I assess my actual cybersecurity risk?” The truth is that you can’t, at least not precisely. This is similar to assessing your risk of contracting a certain disease or of having a tornado damage your home. These things happen infrequently, and as such, it’s impossible to say that a given company will experience a cybersecurity incident of X dollars in total damage every Y years. A better plan of attack is the following:

  1. Accept that your company is a target of cybercriminals that would hope to profit from your success, either by stealing your valuable information, or by encrypting your valuable information and ransoming it back to you.
  2. Assess your relative risk. The areas to take into account include company size, your industry, the number of countries you do business in (especially those known to support government-sponsored hacking), and the strength of your cybersecurity defenses.
  3. Assess your own risk tolerance, assess the potential damage to your company that a hacker could inflict, and assess what cybersecurity countermeasures you currently have employed. If you employ strong countermeasures, your risk will be far lower than many of your competitors, even if putting an actual number on it is challenging.

One of the best ways to quantify your cybersecurity risk is to get quotes for cybersecurity insurance. For example, if your building’s fire insurance policy costs 10,000 dollars per year for 1 million dollars in coverage, then the insurance company has priced it as if a total-loss claim on that policy will occur less than once every 100 years; any more often and they would lose money selling you the policy. In fact, they are probably guessing that you will have a large fire once every 500 years so that they make a good profit on the policy. If it costs 250,000 dollars for the same coverage, your risk of having a fire is much higher than that. The cost of a cybersecurity insurance policy will help you determine the relative risk of a cyber incident in comparison to another type of business incident, such as a building issue (fire/flood), an operational issue (the loss of a key executive in your company), or a liability issue of some sort.

It’s imperative to realize that regardless of size, reach, and financial level, your company is a target for cybercrime. All that really matters is if a criminal feels there is a good return to be had on their investment of time and money. If your defenses are poor, then their effort level is low. If you have strong defenses, then the return must be high for the adversary to expend significant effort to breach your systems. Many attacks are non-specific. They search for a particular vulnerability across many companies and report back success. If you are found to be vulnerable, you will probably be attacked. Criminals will try to monetize their efforts in many ways. Your data is valuable to you, and they can monetize this via ransomware.

Thankfully, ransomware and the cyber criminals who use it can be stopped. They are looking for easy targets. All companies are susceptible, but with the right cybersecurity defenses, such as multi-factor authentication, a strong antivirus package, and a solid data backup routine, cybercriminals will deem your company too much effort to hack. This is your opportunity to make cybersecurity a competitive advantage for your company!
