The first step in establishing an effective cybersecurity strategy is to understand the ever-evolving threat landscape. While there are certainly a fair share of "basement hackers" looking to penetrate corporate systems and wreak havoc, the vast majority of threat actors are criminal organizations looking for opportunities to exploit corporate data and systems for a profit.
I have over 20 years of experience in hardening corporate systems against cybersecurity attacks and defending against active threats. Cybersecurity should be part of every employee's daily responsibility as a company's employees are the first line of defense against cybersecurity threats. While I have not served as an official Chief Information Security Officer (CISO), I have served in this role for many years as cybersecurity responsibility typically fell on the Infrastructure, Technical Operations and Technical Services teams that I led. Even when I was part of an organization that had a CISO, I worked hand-in-glove with them to ensure the business was secure. In a typical relationship with a CISO, they would be responsible for policy and reporting to the company's Board of Directors, while I took the lead on securing systems, investigating alerts and leading Incident Management during actual attacks.
Today, nearly every system has built-in security controls. System hardening requires a thorough review and understanding of these controls to ensure they are optimized for security. Another important aspect of system hardening is ensuring all systems (hardware, operating systems, applications, etc.) are regularly patched and updated so that the latest security fixes are applied. Most systems have documented best practices for system hardening, which should be followed closely.
While Business Continuity and Disaster Recovery (BCDR) strategy isn't specific to Cybersecurity, Cybersecurity threats should be a significant part of any BCDR strategy and plan. In fact, Cybersecurity attacks are one of the most common reasons for BCDR plans to be activated by organizations today. As with Cybersecurity strategy and planning, I have extensive experience developing, documenting and executing BCDR strategy and plans for multiple organizations.
Testing
Often, a problem with cybersecurity defense is you don't know what you don't know. This is where audits prove crucial. In a typical Cybersecurity audit, such as a Penetration Test, a third-party provider is contracted to conduct an audit of the organization's systems. In the example of a Penetration Test, this audit may be run internally, with network access to systems, or externally, attempting to penetrate via various entry points. Both approaches are invaluable, and both should be run regularly.
Mitigation
Upon completion of a test or audit, a report is submitted to IT leadership. This report includes any findings of vulnerabilities and/or risks and typically includes impact rankings. My team and I then take those reports, adjust the rankings based on our knowledge of the systems and business impacts, and develop mitigation project plans to address any detected vulnerabilities or risks.
Service Organization Control 2, commonly known as SOC 2, is a security framework developed by the American Institute of Certified Public Accountants (AICPA). It specifies how organizations should manage and protect customer data stored in the cloud. At IMA Financial Group, I led the Infrastructure Team through a SOC 2 audit, mitigated any exception findings and secured the company's SOC 2 certification.
SOC 2 focuses on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy.
Achieving SOC 2 compliance demonstrates a commitment to protecting customer data and can build trust with clients and partners.
As an IT leader for one of my employers, which I cannot name for confidentiality reasons, I led the Incident Management Response team when a major ransomware attack hit the company.
Rapid Response
Prior to the incident, I had been working with my IT Support team to develop a Rapid Response program. In this program, certain security alerts were sent directly to the Help Desk system, where a ticket was automatically opened with the priority set to High and immediately assigned to a technician for initial investigation and outreach to the end user, if applicable. In the case of this attack, an important alert was sent to the Rapid Response program, where a technician reviewed the ticket, contacted the impacted user, and immediately identified that something significant was happening, so the technician alerted me directly, which was the prescribed course of action.
Incident Management
As the On Call Incident Manager at the time, this incident was immediately escalated to me. After reviewing the incident notes and details with the technician, I thought the circumstances were suspicious as well and immediately designated it as a Suspected Cybersecurity Incident. I alerted the Cybersecurity Response Team (Infrastructure Team, CISO, IT Support Director) and opened up a Teams meeting for all to join. After reviewing the details with the team, every member had their assignment and jumped into action.
Outcome
Without going too deep into the details, the attack was identified as a sophisticated ransomware attack. Due to the Rapid Response and Incident Management programs I created prior to the attack, the attack was shut down quickly. While the attackers had managed to breach an end user workstation and use that workstation to access some old file servers, no critical systems or data were compromised. While many systems were initially taken offline to provide an extra level of protection, they were restored as soon as we understood the nature and scope of the threat. Overall, the impact to the business was minimal and no ransom was paid. In a Postmortem of the incident, we identified some vulnerabilities that had not been surfaced by any prior audits and worked quickly to mitigate them.
No matter how much work IT does to prevent cybersecurity attacks, the weak link in the chain is still the employee with hands on a keyboard. In the end, consistent and frequent employee education is key. This can be accomplished through regular required training and phishing simulations. However, being coached by someone in IT is only part of the solution. I have found, through the years, that there seem to be repeat offenders when it comes to interacting with phishing attacks and failing phishing simulations. Corporate leadership needs to recognize the significant cybersecurity threats their businesses face and do their part to support IT in its efforts to keep the business safe.