With a HIVE-alert mind, we can focus on the important security areas, ask the right questions, and discover ways to reduce our risk footprint and protect against lurking threats. Read on...
With the increasing news of real data breach and leakage incidents, we have to start thinking about how to stay ahead of, or at least close to, the cybercriminals in this rat race. We are now lagging behind and showing fatigue in catching up. During one of my sharing sessions with users, they asked me one question: to stay ahead of the bad guys, how can one even know when we are the weakest link, when we do not know where and when they are going to strike in the first place? This inspired me to write this article.
State of vulnerability
We need to first understand better what we mean when we say we are the weakest link. Next, we can see how to break that paradigm, face the challenges and overcome them, both as individuals and as a collective community.
- Humans are careless, and cybercriminals are opportunistic and love it.
- The Internet connects to almost any IT device.
- A computer that goes online faces continuous cyber attacks.
- Attacks are getting more sophisticated and stealthy.
- They reach anyone and any device, no matter where you are online.
What I suggest is to adopt a HIVE alert model. Break it into manageable pieces. Focus as an individual and plan for change.
- Take care of the Hygiene factors. Have a clear understanding of the cyber regime affecting you.
- Know of the existence of different Individuals (threat actors). Each has a unique agenda that may affect you.
- Stay Vigilant against potential threats that would otherwise lead you to incur unnecessary damage and cost.
- Know the Environment. There are many risk factors that affect your work productivity.
The figure summarises the HIVE approach, which is elaborated in the subsequent sections.
(1) Take care of HYGIENE factors
To identify the key Hygiene issues and requirements, and to protect the environment that we are constantly connected to.
- Policy compliance - What management policies and processes are in place to direct the team's and the company's overall approach to cybersecurity? Do you know that a Governance team exists in the company? They oversee the policies and standards, and advise on the security testing requirements that you are probably involved in, as a way to verify that the controls over IT assets remain effective and adequate.
- IT Asset Protection - What is the classification of the asset? Is there an inventory kept centrally, checked and reviewed regularly? Do assets come with a usage policy that you sign off on when an asset is issued to you? Check when the next asset audit is - there should be one. Be prepared: track all your assets and do not misplace them or lend them to others. Talk to the IT team who oversee the inventory; look out for their request portal and email contact.
- Information confidentiality - What sensitive information do you hold, create, use and exchange with others? Do you know where it is stored - centrally or locally? Has a proper risk assessment been conducted to assess the impact if the data is tampered with because of a compromised machine? This ties in with the classification level and must be commensurate with the right level of protection. Talk to the security team about the risk management aspects.
- Personnel Security - What is the line of responsibility and accountability to named individuals for the security of sensitive information and key operational services? Who is granted access to the sensitive information, are they security cleared, and have they acknowledged the policy and the preservation-of-secrecy requirements? Did you notice the banner on your computer before you logged in? That is the company's statement warning you about mishandling information and misusing assets - read and understand it.
- Access Control - What is the minimal access to sensitive information or operational services necessary for your role or job? Access should be removed when individuals leave their job, and company intellectual property should not be unnecessarily revealed to others. Regular reviews are needed to ensure that only appropriate access is maintained. The HR and IT teams are the folks to talk to.
- Vendor Management - Do you understand and manage the security issues that arise from dependencies on external suppliers or their supply chain? Are there standard contractual obligations that 3rd-party service providers must meet? Make sure baseline guidance in such a contract template is developed, and work from a list of partners or accredited suppliers whose background has been examined. Watch out for the subcontractors, as they are the weakest link of the supply chain.
(2) Know the INDIVIDUAL well
To better know the various threat actors lurking in the dark, who target victims for a monetary reward derived from their identity, information and machines.
- Use the threat RISK TABLET to map and identify them. It helps you to understand their profiles and the common techniques and tactics they use - that helps if you do get "contacted" by them.
(3) Stay VIGILANT on Threats
To increase awareness of the top and emerging cyber threats so that you can respond better if you face them live. Below are the top threats that you should pay more attention to.
DETECT & RESPOND
Phishing Attempt - Commonly in the form of an email that entices one to visit a compromised website or execute an attachment, so that malware can use your machine as a beachhead to bring in more malware.
- Beware also of fake phone callers, SMS scams, and spoofed social media accounts sending out fake information.
In response, always STOP and THINK before you ACT. Do not click on suspicious links (hover over them first), open unknown attachments, or reveal your personal data if in doubt.
Ransomware - Read more in this article. The gist is that this is a nasty piece of malware that stops you from using your machine until you pay a ransom. There are more terrible things it can do to you, so read on.
In response, do NOT pay the ransom, as this supports the cybercriminals by letting them get away "crime-free". Report the incident and seek help. In such cases, be thankful for the hard work and diligence that pays off in having kept your backup data (separate from your machine) and kept it up to date.
Insider Abuse - It is not just the contractors. Do not neglect the internal staff who, out of frustration or blinded by greed, may make a wrong move - compromising the integrity of the company IT system and siphoning off sensitive information to sell to a competitor or another threat actor.
- There needs to be a central monitoring team. Clear definitions of symptoms help to surface anomalous activity. Collect the logs and audit trails. Digital services are attractive targets, so make sure transaction exchanges are monitored.
In response, segregate roles and grant restricted access based on assigned roles. This should be led by the IT Operations and security teams, as they are likely to have a central system, an access matrix and other capabilities running to record the activity of vendors.
- Adopt a risk-measured approach to clearly separate duties.
- Define permissions specific to the resource accessed - follow the least-privilege principle and a need-to-know basis.
- Whistleblow through a trusted channel. Support insider-threat programmes where they exist.
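The Access Control point under Hygiene and the Insider Abuse response above describe the same control in words: an access matrix that grants only what a role needs, removes access when people leave, separates duties, and feeds a central log in which anomalous attempts can be surfaced. The following is an added example written for this article, not the author's own tooling; the roles, users, resources and log entries are constructed for illustration.

```python
# Added example (not from the article): an access matrix applying least privilege,
# need-to-know and segregation of duties, de-provisioning of leavers, and a central
# audit log over which anomalous attempts are surfaced. All data is constructed.
from collections import Counter
# Role -> resource -> permitted actions. Clerks write and approvers approve payroll;
# no single role holds both, so duties are separated.
ACCESS_MATRIX = {
    "payroll_clerk": {"payroll_db": {"read", "write"}},
    "payroll_approver": {"payroll_db": {"read", "approve"}},
    "helpdesk": {"ticket_system": {"read", "write"}},
}

def sod_violations(matrix):
    """Segregation-of-duties check: flag any role that can both write and approve."""
    return [(role, res) for role, perms in matrix.items()
            for res, acts in perms.items() if {"write", "approve"} <= acts]

class AccessControl:
    def __init__(self):
        self.roles = {}      # user -> role; None once the user has left
        self.audit_log = []  # central log of every access decision
    def join(self, user, role):
        self.roles[user] = role
    def leave(self, user):
        """Access is removed when an individual leaves; the log keeps their history."""
        self.roles[user] = None
    def check(self, user, resource, action):
        """Least privilege: allow only actions the user's role needs on that resource."""
        role = self.roles.get(user)
        allowed = action in ACCESS_MATRIX.get(role, {}).get(resource, set())
        self.audit_log.append({"user": user, "role": role, "resource": resource,
                               "action": action, "allowed": allowed})
        return allowed

def anomalous_users(audit_log, threshold=2):
    """Symptom: repeated denied attempts by one user, worth surfacing to monitoring."""
    denied = Counter(e["user"] for e in audit_log if not e["allowed"])
    return sorted(u for u, n in denied.items() if n >= threshold)

def demo():
    ac = AccessControl()
    for user, role in [("alice", "payroll_clerk"), ("bob", "payroll_approver"),
                       ("carol", "helpdesk")]:
        ac.join(user, role)
    results = [ac.check("alice", "payroll_db", "write"),    # allowed: within role
               ac.check("alice", "payroll_db", "approve"),  # denied: not her duty
               ac.check("carol", "payroll_db", "read"),     # denied: no need to know
               ac.check("carol", "payroll_db", "write")]    # denied again
    ac.leave("bob")
    results.append(ac.check("bob", "payroll_db", "approve"))  # denied: de-provisioned
    return results, anomalous_users(ac.audit_log)
```

Running `demo()` shows only the in-role write succeeding, while the repeated denials from the helpdesk account are the kind of symptom the central monitoring team would define and watch for.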
(4) Know the ENVIRONMENT
To strike a win-win balance in keeping up with the fast-paced cyber world, tapping into multiple online digital services and staying always connected through mobile devices, we also need to exercise the hygiene factors and let them become part of you.
- Manage devices that have access to sensitive information so that they comply with the policy requirement to be configured in a hardened (locked-down) state.
- Run only necessary software, and use the accounts assigned to you for doing your work and even for Internet surfing. Do not use personal accounts or email for official work, and vice versa.
- Always keep your software and operating systems up to date and patched regularly to the latest working versions - the latest is not always the right fit for everyone, so make sure each patch undergoes thorough QC testing before it is used in production.
- Encrypt all data by the various means available - at rest, in transit and in use. Do not expect physical protection alone to safeguard the information, as we (and our devices) are, or can be, connected in some way.
- Do not neglect the peripherals; make sure they are encrypted too. These include mobile devices and portable storage media. Be ready to wipe a mobile device remotely if it is declared lost, even though it is encrypted.
Importantly, if there are anomalous signs or a suspicion that you are being hacked, report the event or incident immediately. Know the incident response contacts well. Be ready to facilitate them if they come onsite for investigation. Do not get stressed over a mistake, if any; they are here to help you, so share as much information as you can to help close the case.
On a larger scale, the incident response and management plan should be tested regularly to ensure that all parties, including selected stakeholders, understand their roles and responsibilities under the plan. Post-incident findings and lessons learned are very useful pointers, so do not neglect them or shelve the report. Use them to further improve the existing plan, test the controls and verify the processes to prevent recurrence of similar incidents.
We are constantly inundated with a flood of information. Noise distracts us. We will also make mistakes, and our oversights cause unnecessary inconvenience to the organization. Putting on the HIVE mindset serves to kick-start the identification of the key areas, keeping one constantly on the watch and looking out for risk areas.
Going back to the initial question at the start, I can only say that we will never be able to know everything or be a jack of all trades. But so long as we pay attention and are diligent in upholding a high level of hygiene, we are in fact reducing our exposure to the threats.
We can and should continue to build and contribute to developing a safer and more secure digital ecosystem.