Cybersecurity Spelled Out

CIS Critical Security Controls® For Your Network

If even the thought of cybersecurity gives you a headache, then this is for you. The Critical Security Controls have become a global standard of what to do to develop a secure network environment. In this seminar we’ll introduce the Critical Security Controls and learn how these can work for you.

Introduction

Well, good morning, everyone, and welcome to our monthly webinar on practical cybersecurity.

As always, if you’ve got any questions, please feel free to type them into the Q&A chat box and we’ll be happy to address those at the end of our webinar.

But this morning we have just a really interesting webinar as we’re going to talk about what we’ve titled “Cybersecurity Spelled Out”. Now, if you’re like me, you read everything there is about cybersecurity and you find out that it sounds really complicated. And you wonder just what do I do? Where do I begin trying to make my business more cybersecure?

Well, the good thing is that the Center for Internet Security® has a document entitled The Critical Security Controls® that we’re going to review briefly this morning. And the purpose of this document is to help folks like you and me know exactly where we’re supposed to begin, so we can understand what we need to do to think about making our businesses more cyber secure. And in today’s world, it’s more important than ever to think about making our businesses cyber secure.

Recent Ransomware Data

For example, I was looking at some of the recent data yesterday with regards to risk for a small to medium business and one set of metrics indicates that a small to medium business has, during any given year, about a 20% chance of being targeted by ransomware. Some of the data seems to indicate it’s more like 25%, perhaps a little bit higher than that. And if you’re in certain industries that are frequently targeted, like healthcare, then these numbers, about the chance of being targeted by ransomware, simply go up.

So the point is, no matter what kind of a business you have, the chance of being targeted by ransomware is definitely there, and it’s definitely a risk that we have to face. But to top that off, even though 20% have a chance of being targeted by ransomware, that same study indicated that 10% to 15% of SMBs fall victim to ransomware infections yearly.

Now, that’s not 10% to 15% of the 20%. That’s 10% to 15% of the total. So that indicates that if you are the target of a ransomware attack, you’ve got something better than a 50% chance of falling victim to ransomware during any given year. And if you’ve ever faced that, or if you’ve ever been in an organization that has, you know that that is a really scary thing, because a business that falls victim to ransomware can find that all of its resources are lost, that it can’t use its networks…all sorts of things happen.

In fact, data seems to show in a report from 2022 by CyberCatch that approximately 75% of SMBs could not survive a ransomware attack longer than a week due to data loss and downtime. And the unfortunate news is that the bad guys know this, and so the longer this drags on, the more they realize you will become more urgent in your dealings with them to try to get this resolved.

Ransomware Is Not A Victimless Crime

And if you’ve seen any of the ransomware attacks that have hit different healthcare industries over the recent years, you know that ransomware is not a victimless crime. We had a friend who was in a hospital in the region here recently when a ransomware attack hit that hospital network, and it definitely affected the quality of care. The nurses and everybody did the best they could, but they didn’t have access to the computer systems, couldn’t use their EMR, couldn’t do all sorts of things to get records back, and lab results and all that. So it definitely affected the quality of care.

So if you’re a business of whatever size, and ransomware is indeed a risk, along with all the other cyber risks that you face, how can you go about protecting your business so that you provide that firewall, if you will, that bulwark, to keep from getting hit by ransomware?

That’s where Critical Security Controls® come in.

The Critical Security Controls®

The Critical Security Controls® are a framework provided by CISecurity.org or Center for Internet Security. And over the years as these controls have been out there and as different people have used them, they become more and more accepted across the community. As we stop and look at what the Critical Security Controls® have become, we find that they are, indeed, a set of simplified best practices that, as they have been revised over the years, have become more up to date, have been developed so that they cover more areas, and have developed into that framework that gives you something to begin with, so you know where to start establishing cybersecurity for your organization.

As we look at the Critical Security Controls®, they’re not just something that one person developed. Rather, they are a consensus document, the result of input from many different security practitioners all around the world. And because they get the input from many different security practitioners, they have the benefit of many minds behind them to help calculate and figure out what can be done.

Interestingly enough, the Critical Security Controls® map to many different frameworks, so if you, for example, are under PCI, or you’ve got HIPAA, or you’re under some kind of other frameworks that are there, the Critical Security Controls® can map to those. It’s not like we use this or this. Rather, if we use the Critical Security Controls®, we find it fulfills the requirements of so many other standards that are out there.

Reasonable Cybersecurity Standard

But perhaps one of the most important things is that the Critical Security Controls® help you meet the cyber insurance requirements, so that you know that you’ve got insurance that will go ahead and cover you. But in addition to helping meet cyber insurance requirements, it helps you meet the reasonable cybersecurity standard.

Now, what is this?

Well, many times in litigation or in other state laws or some federal laws, rather than specifying what needs to be done, there’s something called reasonable cybersecurity that’s used as a standard, and you can use that standard.

What does that mean?

We’re not going to look at it today, but CISecurity has created a document on what reasonable cybersecurity means. And that’s the result of a review of laws and litigation case studies from all the states, as well as the federal level. And the point they’ve come up with is that implementing the Critical Security Controls® helps you meet that reasonable cybersecurity standard.

So if you get into a place where you’re being brought to litigation because of some kind of security breach, the Critical Security Controls® will help you meet that standard and show that you have been meeting reasonable cybersecurity standards.

Summarizing the Critical Security Controls®

So I guess we might summarize what the Critical Security Controls® are by simply saying it this way: Critical Security Controls® have been shown to work. They are a great standard. They are understandable. They are something that we can all wrap our heads around to know what’s taking place. And so as we look at the Critical Security Controls® and look at cybersecurity standards, we can implement these and know that we’ve got some good stuff here to work with.

What Are the Critical Security Controls®?

So, as I stopped and talked about the Critical Security Controls®, what exactly are these Critical Security Controls®? There’s actually a total of 18 of these Controls®. We’re just going to hit the high points of each of the 18 right now. And then as we hit the high points we’ll come back towards the end and talk about how to go about implementing.

But each of these high points of these 18 Controls® has a number of sub Controls® underneath it. And these sub Controls® then help define how broadly you are implementing the main idea or the main level of control.

Control® #1

The 1st Control® is that we have an inventory and control of enterprise assets. Basically, it asks the question, “Do you know what is on your network and is everything that you find on your network what you expect to have there?” There’s a number of sub Controls® under that, and we’ll talk about how those are implemented later on when we get to implementation groups. But the first thing is do you know what you have now?

This is a bigger deal than we think of. Many times we think about stuff that is on our network and limit it to laptops or servers or things like this, but this includes everything from firewalls and switches down to light bulbs, or building control systems, or camera systems, or Internet controlled thermostats, or SCADA devices. Anything that’s on the network would fall under this Control®.
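The question Control® #1 asks, “is everything on the network what you expect to have there?”, can be answered mechanically once you have two lists: the inventory you believe in and what discovery actually saw. The script below is an added example (not from the webinar or from CIS); the inventory, the discovered MAC/IP pairs and the device names are all constructed, and it assumes discovery output can be reduced to MAC and IP pairs. It reconciles the two lists and reports unknown, missing and moved devices, treating a lobby camera and a rooftop thermostat exactly like a server or a laptop.

```python
"""Inventory reconciliation for Control #1: is everything on the network something
we expect to be there? Added example; all inventory and discovery data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str        # canonical form: lower-case, colon separated
    ip: str
    hostname: str
    kind: str       # laptop, server, switch, camera, thermostat, ...
    owner: str      # who is responsible for the device


def normalise_mac(mac: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff' and
    return the canonical 'aa:bb:cc:dd:ee:ff' form so different sources compare."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed: the authoritative inventory (what we expect on the network). Cameras
# and thermostats are tracked alongside servers and laptops.
EXPECTED = [
    Asset("00:11:22:33:44:01", "10.0.1.10", "fs01", "server", "IT"),
    Asset("00:11:22:33:44:02", "10.0.1.1", "core-sw1", "switch", "IT"),
    Asset("00:11:22:33:44:03", "10.0.2.21", "lt-jdoe", "laptop", "J. Doe"),
    Asset("00:11:22:33:44:04", "10.0.3.50", "cam-lobby", "camera", "Facilities"),
    Asset("00:11:22:33:44:05", "10.0.3.60", "hvac-roof", "thermostat", "Facilities"),
]

# Constructed: what discovery (DHCP leases, switch MAC tables, a scan) saw this week,
# in the mixed MAC formats that different tools emit.
DISCOVERED = [
    ("00-11-22-33-44-01", "10.0.1.10"),
    ("0011.2233.4402", "10.0.1.1"),
    ("00:11:22:33:44:03", "10.0.2.21"),
    ("00:11:22:33:44:04", "10.0.3.51"),   # the lobby camera, but not at its recorded IP
    ("de:ad:be:ef:00:01", "10.0.2.99"),   # nobody in the inventory claims this one
]


def reconcile(expected, discovered):
    """Compare inventory with discovery.

    Returns a dict with three sorted lists of MACs:
      unknown  - seen on the network but not in the inventory (investigate)
      missing  - in the inventory but not seen (retired, unplugged, or discovery gap)
      moved    - in the inventory but seen at a different IP than recorded
    """
    by_mac = {a.mac: a for a in expected}
    seen = {normalise_mac(mac): ip for mac, ip in discovered}
    return {
        "unknown": sorted(m for m in seen if m not in by_mac),
        "missing": sorted(m for m in by_mac if m not in seen),
        "moved": sorted(m for m, ip in seen.items()
                        if m in by_mac and by_mac[m].ip != ip),
    }


def describe(expected, result):
    """Turn the reconciliation result into lines a person can act on."""
    by_mac = {a.mac: a for a in expected}
    lines = []
    for mac in result["unknown"]:
        lines.append(f"UNKNOWN  {mac}: not in inventory; find out what it is and whose it is")
    for mac in result["missing"]:
        a = by_mac[mac]
        lines.append(f"MISSING  {mac}: {a.hostname} ({a.kind}, owner {a.owner}) not seen")
    for mac in result["moved"]:
        a = by_mac[mac]
        lines.append(f"MOVED    {mac}: {a.hostname} recorded at {a.ip}, seen at another address")
    return lines


if __name__ == "__main__":
    for line in describe(EXPECTED, reconcile(EXPECTED, DISCOVERED)):
        print(line)
```

The value is in running this on a schedule and treating every UNKNOWN line as a ticket: a device nobody can account for is either an inventory gap or something that should not be there, and both are findings under this Control®.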

Control® #2

The 2nd Control® deals with the inventory and control of software. Once we know the kind of stuff that we have running, as far as hardware, then do we know what our software stuff is? And this is good–this is important because it helps us catch things that are on our network that maybe shouldn’t be, or that maybe have slid past and are old stuff–lets us find out what’s there.

Control® #3

Then we get into the idea of data protection. How are we handling the data that we have within our control? Do we have encryption? Do we have it segregated? Do we have backups behind it? Are we using some kind of DLP type of mechanism to help control it? So 3rd Control® deals with data protection for our network.

Control® #4

4th Control® comes down and deals with secure configuration of our assets and our software. So many times what we find is the temptation is to go buy whatever it is that meets the business need, which it does, and then we turn around and put this item into play within our organization, but we forget that it has to be securely configured. Secure configuration deals with our assets, our software, all sorts of things around it.

Control® #5

5th Control® deals with the subject of account management. Do we know who has accounts into our network? Who has actual access into it, and do we know that these people that have access are accounts that should have access? When people quit or when people are moved to a different work area, do we change their accounts or disable their accounts accordingly? What do we do about that?

What we find is that far too many times there are often old accounts hanging around. Many times they’ve been there for years. And it’s not at all unusual to find these old accounts for someone who no longer works for the company are still active and still can be used. That’s a problem right there.
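The old-account problem described here is found by comparing the directory against what HR says, plus a last-logon cutoff. The following is an added example (not the webinar’s or CIS’s code): the account export, the HR roster and the names are constructed, and it assumes a directory export can be reduced to name, enabled flag, service-account flag and last logon date. It flags enabled accounts whose owner is no longer on the roster, that have never been used, or that have gone quiet.

```python
"""Account review for Control #5: find enabled accounts that probably should not be.
Added example; the directory export and HR roster are constructed."""
from datetime import date, timedelta

# Constructed: one row per account, as you might export from a directory.
# last_logon None means the account has never been used.
ACCOUNTS = [
    {"name": "jdoe",        "enabled": True,  "service": False, "last_logon": date(2024, 5, 30)},
    {"name": "asmith",      "enabled": True,  "service": False, "last_logon": date(2023, 11, 2)},
    {"name": "svc-backup",  "enabled": True,  "service": True,  "last_logon": date(2024, 6, 1)},
    {"name": "contractor7", "enabled": True,  "service": False, "last_logon": None},
    {"name": "bjones",      "enabled": False, "service": False, "last_logon": date(2022, 1, 15)},
]

# Constructed: the people HR says currently work here. asmith has left.
HR_ROSTER = {"jdoe", "contractor7"}

# Constructed: the date the review is run.
TODAY = date(2024, 6, 10)


def review_accounts(accounts, roster, today, stale_after_days=90):
    """Return [(name, [reasons])] for every enabled account that needs attention.

    An account is flagged if it belongs to nobody on the current roster (a departed
    user whose account was never disabled), has never logged on, or has not logged
    on within stale_after_days. Service accounts are exempt from the roster check
    but not from the activity checks. Disabled accounts are skipped.
    """
    cutoff = today - timedelta(days=stale_after_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons = []
        if not acct["service"] and acct["name"] not in roster:
            reasons.append("owner not on current HR roster")
        if acct["last_logon"] is None:
            reasons.append("never logged on")
        elif acct["last_logon"] < cutoff:
            reasons.append(f"no logon since {acct['last_logon'].isoformat()}")
        if reasons:
            findings.append((acct["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in review_accounts(ACCOUNTS, HR_ROSTER, TODAY):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the constructed data, asmith is reported twice over (departed and stale) and contractor7 as never used; the disabled bjones account is not a finding because disabling it is exactly what the Control® asks for. Tightening `stale_after_days` is how you decide how quiet an account may go before someone has to justify it.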

Control® #6

The 6th Control® that we get into is access control management. This is going to be related to the one up above. We’ve seen places where in order to make things easy, everybody was basically given uncontrolled access to everything. So, it didn’t matter what level you were in the company or whether you needed access to it, everyone was given access to everything, and there’s absolutely no doubt that makes it easy. But it also makes it scary because if everyone has access to everything, that means the lowest level person in your organization, if their account is compromised, suddenly that puts your whole enterprise at risk, because your whole system can be accessed by this person, this one individual.

Those are the first 6 Controls®. Moving on to the next Controls® that are involved.

Control® #7

The 7th Control® deals with continuous vulnerability management. Now every one of us would love it if we didn’t have to put patches on our system, but we do. It’s a fact of life. Software has issues. Software has vulnerabilities. And so as long as there are vulnerabilities within our network we have to develop some kind of vulnerability management program in order to see what’s going on and see that everything is working.

Control® #8

Likewise, for Control® #8, we need to have audit log management. For example, someone logs in over an open Wi-Fi connection. You’re not aware of it. Where is that going to be recorded? That’s going to be recorded in your logs. And so managing your logs for access and control, and being sure people have only the access that they need, is an important item, and for a number of regulatory frameworks is actually a necessary item to go ahead and do.
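The “someone logs in and you’re not aware of it” case only becomes visible if the logs are both kept and looked at. This added example (not from the webinar or CIS) reads constructed sshd lines in the usual syslog layout, assumes you can name the address ranges logins are expected to come from, and reports successful logins from anywhere else together with the failed attempts that preceded them from the same source.

```python
"""Audit log review for Control #8: who logged in, from where, and was it expected?
Added example; the log lines and trusted networks are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed: the address ranges interactive logins are expected to come from
# (wired office LAN and corporate Wi-Fi). Anything else deserves a look.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "10.0.2.0/24")]

# Constructed: sshd lines in syslog format, including a short password-guessing run
# followed by a successful login from the same unexpected address.
LOG_LINES = [
    "Jun 10 08:01:12 fs01 sshd[1201]: Accepted publickey for jdoe from 10.0.2.21 port 50122 ssh2",
    "Jun 10 08:03:44 fs01 sshd[1207]: Failed password for root from 192.168.77.5 port 40001 ssh2",
    "Jun 10 08:03:46 fs01 sshd[1207]: Failed password for invalid user admin from 192.168.77.5 port 40002 ssh2",
    "Jun 10 08:03:49 fs01 sshd[1209]: Accepted password for asmith from 192.168.77.5 port 40003 ssh2",
    "Jun 10 08:10:00 fs01 sshd[1220]: Accepted publickey for asmith from 10.0.1.50 port 50200 ssh2",
    "Jun 10 08:11:00 fs01 CRON[1230]: pam_unix(cron:session): session opened for user root",
]

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port"
)


def parse_login(line):
    """Return {'outcome', 'user', 'ip'} for an sshd login line, or None for other lines."""
    m = LOGIN_RE.search(line)
    return m.groupdict() if m else None


def is_trusted(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def review(lines, networks=TRUSTED_NETWORKS):
    """Summarise login activity in the given lines.

    Returns a dict:
      untrusted_logins - successful logins from outside the trusted networks, as (user, ip)
      failed_by_source - Counter of failed attempts per source IP
      logins_by_user   - Counter of successful logins per user
    """
    untrusted, failed, by_user = [], Counter(), Counter()
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue                      # not a login event (cron, etc.)
        if ev["outcome"] == "Failed":
            failed[ev["ip"]] += 1
        else:
            by_user[ev["user"]] += 1
            if not is_trusted(ev["ip"], networks):
                untrusted.append((ev["user"], ev["ip"]))
    return {"untrusted_logins": untrusted, "failed_by_source": failed, "logins_by_user": by_user}


if __name__ == "__main__":
    r = review(LOG_LINES)
    for user, ip in r["untrusted_logins"]:
        print(f"login for {user} from untrusted address {ip} "
              f"({r['failed_by_source'][ip]} failed attempts from it beforehand)")
```

On the constructed lines the review surfaces one login for asmith from 192.168.77.5, an address outside both trusted ranges, preceded by two failures from the same place. That pairing (failures, then success, from somewhere unexpected) is the kind of thing the logs record whether or not anyone reads them, which is why log management, not just log collection, is the Control®.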

Control® #9

Besides audit log management, #9 deals with e-mail and browser protections. At this stage, e-mail is the most common way in which people get into your network. And so by having e-mail protections as well as browser protections, you’re helping to manage the most common way that people get into your network and destroy your stuff.

If you want to talk about that more, I’d love to talk to you about it, but that’s probably one of the absolute most important things for you to learn and understand from this whole thing.

Control® #10

Then, as we talk about e-mail and web browser protections, we can talk about, Control® #10, malware defenses. What we’re talking about here is what kind of protections you have on your endpoints. Endpoints can be a lot of things. We think of laptops and desktop computers as your primary endpoints, but we’ve also got all of our servers that are there, whether they’re physical or virtual. And then we’ve got to think about cell phones as well as tablets, and then if we have any kind of other devices like thermostats or light bulbs or network building systems or camera systems–those all count too.

So, the question is, how are we going to protect against malware and these kinds of things? And guys, don’t forget all of these things do need to be defended. The largest botnets that have been recorded up to this point have come from infected IP cameras that people have scattered up around buildings. And so they do need to be defended.

Control® #11

The next Control®, as we move past malware defenses moves down to the idea of data recovery. If your network is struck by ransomware, if your network is hit by some kind of a malware crew that exfiltrates everything and then leaves a note, if your network is hit by data loss because a server failed, any of these things can happen. Are you able to recover your data? And not only are you able to recover your data, but are you able to protect your data while your backups are there?

A lot of the malware, for example, one of the first things it does is goes to delete all your backups so that you’re not able to do recovery. Or if you’ve got backups, we’ve seen many times people think they have backups, they go to recover and discover that the backups they thought they had are not usable for recovery. So protection #11 out of our 18 protections deals with data protection and data recovery.
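The “we thought we had backups” failure is caught by doing a test restore and checking it against a manifest written at backup time, not by looking at the size of the backup job. The script below is an added example (not the webinar’s or CIS’s code); the files, the backup and the partially failed restore are all constructed inside a temporary directory, and it assumes the manifest is stored somewhere the backup itself cannot overwrite. It hashes every file at backup time and then reports which restored files are intact, corrupted or missing.

```python
"""Backup restore verification for Control #11: is the backup actually usable?
Added example; the files and the simulated restore are constructed in a temp dir."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record the relative path and SHA-256 of every file under root. Do this at
    backup time and keep the manifest apart from the backup itself."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest, restored):
    """Check a test restore against the manifest. Returns sorted lists of relative
    paths that are intact, corrupted (present but different content) and missing."""
    restored = Path(restored)
    intact, corrupted, missing = [], [], []
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            corrupted.append(rel)
        else:
            intact.append(rel)
    return {"intact": sorted(intact), "corrupted": sorted(corrupted), "missing": sorted(missing)}


def demo():
    """Constructed scenario: three files are backed up; the test restore brings one
    back intact, one silently truncated and one not at all."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        files = {
            "docs/plan.txt": b"quarterly plan\n" * 100,
            "db/dump.sql": b"INSERT INTO customers VALUES (1, 'Acme');\n" * 500,
            "docs/notes.txt": b"meeting notes\n",
        }
        for rel, data in files.items():
            p = source / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = build_manifest(source)          # written at backup time

        # Simulated restore: plan.txt intact, dump.sql truncated, notes.txt lost.
        (restored / "docs").mkdir(parents=True)
        (restored / "db").mkdir(parents=True)
        (restored / "docs/plan.txt").write_bytes(files["docs/plan.txt"])
        (restored / "db/dump.sql").write_bytes(files["db/dump.sql"][:1000])
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = demo()
    for status in ("intact", "corrupted", "missing"):
        for rel in result[status]:
            print(f"{status.upper():9} {rel}")
```

A restore that comes back with anything in `corrupted` or `missing` is not a usable backup, and that is what you want to learn on a scheduled test rather than on the morning after ransomware. Keeping the manifest off the backup media also means an attacker who deletes or alters the backups cannot quietly adjust the record you check them against.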

Control® #12

Protection #12 deals with our network infrastructure management. Do we know what makes up our network? And do we have provisions so that not just anybody can go plug in anything they want and spin up their own Wi-Fi, their own whatever it is. Do we have any kinds of Controls® on our management?

The last set of 6 Controls® for the CIS Critical Security Controls® deals with a number of things with regards to security and network monitoring.

Control® #13

Item #13, network monitoring and defense. We talk about endpoints and that’s important, but on the broader level of the network, what are we doing to protect it? That’s going to be an important thing to do.

Control® #14

People often forget also, #14, that your first line of defense against any kind of malware is your users. Do they know what to click on and what not to click on? Do they know to look for things that don’t act the way they expected, and then to go ahead and report that to you? What do they know? And so security awareness and security skills training is one of the most basic things, and probably your cyber insurance asks that you do this, among other things.

Control® #15

Item #15 deals with service provider management. We all want to think that we can trust our vendors, but unfortunately a number of attacks have come out through vendors that were themselves compromised and therefore used to turn around and compromise your network.

We go into places and we see where a vendor is given 24/7 uncontrolled access into the customer’s network. And while that makes it easy for the vendor to go ahead and fix things, that makes it easy for the vendor to go ahead and take care of whatever their issues are. Yet in reality, that kind of 24/7 access to their network causes real problems and presents real risk to them.

Control® #16

Item number 16 deals with application software security. Okay. This gets a little complicated.

This comes back to the idea that everybody in the world, myself included, loves free, right? We all do. And so the temptation is, because there is so much free stuff out there, to think that we will just use all of this free stuff and we’ll be in great shape.

When we talk about using free stuff, we’re not just talking about us going out and downloading something and putting in whatever free program we find. But there’s also what’s called libraries, which are basically packages of software that many of your commercial products will include. So if you’re a bad guy and you want to compromise a whole bunch of stuff, one of the ways that people do that is to get into one of these free packages, compromise the way that that free package is built, and as it gets copied into all this other vendor stuff–bingo–you suddenly have got access to hundreds, if not thousands of networks that all downloaded your stuff.

And when I say free stuff, that may be stuff that is free and the vendor doesn’t pay for it, but the vendor may even charge you for it. Or it may also be stuff that the vendors developed, but the vendors’ own stuff is compromised. Whatever the situation is, watching out for and guarding your applications is important.

Problem is, if you’re like me, many of us don’t have any way to understand what is in our application software to know if there is a problem. And so that’s where things like our endpoint security become really important. If you want to talk about this, we can talk later about it. But there are ways to go ahead and manage that.

Control® #17

#17 is incident response management. So this gets a little bit tricky here.

Let’s suppose that your network is compromised and all of your stuff is stolen and while we think we don’t have anything, more than likely you do have stuff that is valuable and puts your network under some kind of jurisdiction. If all that stuff is stolen and you have to recover your network, or you have to recover your data, or you have to recover from ransomware, that’s called incident response.

That’s how you do it and how you manage it. And how you do it depends on the legal requirements you may have in your business, what your cyber insurance requires, and maybe any kind of industry specific requirements for your situation.

So incident response management is item #17.

Control® #18

The last of the 18 Critical Security Controls® deals with a subject called penetration testing. Now, there are all sorts of levels of penetration testing, and you can get stuff called a penetration test that is basically really expensive stuff that runs tens of thousands and even hundreds of thousands of dollars. The level of penetration tests that you do basically depends upon what requirements your industry may have, but it also depends on what you’re looking for, to tell you the truth.

So for example, I know of a situation where there was a business compromised by ransomware, not too long ago. And a penetration test would have caught this particular avenue, for this particular business’s situation. So penetration tests, basically, are looking for and asking the question, “What can someone on the outside do to get into my stuff?” And while on the surface we hope they don’t find anything, yet in reality they’re one of the most cost-effective ways we have for finding this stuff that we may not even be aware is going on.

Okay.

What’s Next?

So we’ve given a high-level view of the 18 Critical Security Controls®. The question comes down to: if I want to come and implement these 18 security Controls®, where do I go and what do I do? Well, you recall in the earlier slides we talked about where to go find the Critical Security Controls®, and they’re free for you to download.

So if you’ve got the Critical Security Controls®, you’ll find that each of the Critical Security Controls® has subpoints and these subpoints are categorized by the basic, the medium, and the high level. These are called Implementation Groups 1, 2 and 3.

Begin With The Basics

So if you’re just beginning with the Critical Security Controls®, first recommendation is that you begin with the basic stuff–Implementation Group 1. And that basic stuff is gonna go a long ways to bring you up into a cybersecure state just because of that. Implementation Group 1 is where I go ahead and start. And as I continue working through this, I would go look for the quick win.

It is really common as we look at networks to find networks where there is something that can be done immediately that gives a pretty big bang for the buck. I would look at those things that give a pretty good bang for the buck and what I can do to go ahead and begin with that stuff.

Don’t Do Everything At Once

One issue we find is that when people download something like the Controls®, they then will turn around and try to do everything at once. Don’t try to do that. There’s a lot of time in the day and there’s plenty of time to bring this on, but don’t try to do too much at once. You’re more interested in getting things implemented consistently and well, than in trying to do everything in a sloppy manner and do it all at once.

Track Regular Progress

Then as you’re implementing your Critical Security Controls®, you can track regular progress so that you know how far through Implementation Group 1 we’re getting. Whether or not we’ve got something added in today that we didn’t have a month ago. And so you can track the progress and use that to report up to your management, or whomever, as you come through with this.

Get Outside Assistance

And then the last thing I would encourage you to do is to get outside assistance if needed. Sometimes that assistance can come in the form of online forums, as there is a world of stuff written out there and a lot of stuff can be done that way. Sometimes the assistance will come in the form of someone like us or other people from our team who can help you understand what is meant and what needs to be done. Whatever it is, don’t be afraid to ask for help and to get help, because the goal is to use the Critical Security Controls® and to become more adept and more secure with your particular enterprise.

Questions?

Now I know we have covered a lot all the way around. If you’ve got questions, let me encourage you to go ahead and type those into the Q&A as we’ll be happy to answer those.

YouTube Viewers

If you’re listening to this on YouTube later, you’ll see our e-mail. Feel free to go ahead and drop an e-mail to one of the contacts that you find there. Likewise, if you’re watching us on YouTube, feel free to get a copy of the handout at the URL that is listed there.

Live Attendees

If you’re on the webinar live, you’ll be getting a link to the live replay and a copy of that handout will come out later.

Still Have A Question?

Well, I don’t see any questions this morning from it, so that’s great, but if you think about this, if questions come up, feel free to give us a shout. Any of our team would be happy to help you as you begin your journey through the Critical Security Controls® and as you begin your work to make your network more secure.

All right. Thanks.

We’ll look forward to hearing from you.



Steve Strom, Owner of Custom Internet Services LLC

About the Presenter

Steve is the Owner and CTO for Custom Internet Services. He has over 20 years of experience in Information Technology and taught IT for 13 years at the college level. He holds several IT certifications from Microsoft and CompTIA and has served as a reviewer or technical editor for several Microsoft certification course books. His cybersecurity experience includes holding several Global Information Assurance Certifications (GSEC, GCIA, GCIH, GCFA, GWEB, GICSP) as well as the NSTISSI 4011 sponsored by the Committee on National Security Systems.
