June 14th, 2022
Author: Chris Clements, Vice President of Solutions Architecture
It is no secret to anyone in the cybersecurity industry that IT security leaders often have a completely different understanding of risk from that of the organizations they seek to protect.
Practitioners and those working in the industry have heard the earthshakingly large numbers, such as that cybercrime will be worth $10.5 trillion by 2025, according to a report by Cybersecurity Ventures. Security is no longer a sidelined concern for organizations, individuals or nation-states — it is essential.
Every organization is structured differently; where some might have a chief information security officer (CISO) with a direct line of communication to the board and an accessible budget, not all will. Sometimes security will fall under legal, planning or operations, meaning an industry insider with the valuable knowledge to implement a successful defensive security program may be missing.
Therefore, it’s important that cybersecurity practitioners have a ‘cheat sheet’ of available questions to help them to understand the scope of the challenge at an organization. This will place them in the best position to deal with it. This article will walk through some of those questions.
What is the cyber protection strategy if existing security tools are bypassed?
This is a useful way to ask multiple questions at once. Most organizations that suffer a security incident had cybersecurity solutions such as endpoint detection and response (EDR) and antivirus platforms in place and were breached anyway. The question also probes which other solutions the organization currently deploys, giving a fairly holistic view of its security posture.
The ‘password gotcha’ questions
Passwords are still widely used, widely abused and still widely failing to protect the organizations that rely on them. However, not all password use is created equal. Depending on an organization’s policy, the cybersecurity practitioner may be in a stronger (or weaker) position to ensure that passwords don’t become a security risk. For example:
- Does the password policy enforce a minimum length of more than 8 characters?
- Does it require mixed characters to be used for complexity?
- Does it require changing every 90 days?
- Does it allow easy-to-guess passwords like “Spring2022!”?
- How many users have “Spring2022!”, “Company2022!”, or similar as their password right now?
These questions make it easier to understand the environment and begin the process of helping the client. The ‘Spring2022!’ example shows them that simply changing their passwords every 90 days while allowing easy-to-guess passwords could still leave them vulnerable. This starts the process of improving security posture before the team is even finished with its initial assessment.
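The checklist above, as an added example that is not from the article: a small Python policy checker showing that a length-plus-complexity rule accepts “Spring2022!” while rejecting a long passphrase, next to a hardened rule (a length floor plus a blocklist of season and company-name stems), and an audit that answers the “how many users have it right now” question against stored hashes rather than plaintext. The stem list, the sample directory and the use of unsalted SHA-256 as a stand-in for a real directory’s hash format are all assumptions made for the example.

```python
import hashlib
import re

# Stems an attacker guesses first. Assumption: in practice this list is built from
# the organization's own name, products, local teams and the current season.
STEMS = ["spring", "summer", "autumn", "fall", "winter", "company", "password", "welcome"]
GUESSABLE_RE = re.compile(r"^(" + "|".join(STEMS) + r")[^A-Za-z]*$", re.IGNORECASE)


def meets_complexity(password: str, min_length: int = 9) -> bool:
    """Legacy rule from the checklist: over 8 characters and three of four character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= min_length and sum(classes) >= 3


def is_guessable(password: str) -> bool:
    """True for 'stem + digits/symbols' constructions such as Spring2022! or Company2022!."""
    return GUESSABLE_RE.match(password) is not None


def evaluate(password: str, hardened_min_length: int = 12) -> dict:
    """Compare the legacy complexity policy with a hardened one: a length floor plus the blocklist."""
    return {
        "legacy_accepts": meets_complexity(password),
        "hardened_accepts": len(password) >= hardened_min_length and not is_guessable(password),
    }


def candidate_guesses(years=(2021, 2022, 2023), suffixes=("", "!", "#", "1")) -> list:
    """The first guesses an attacker tries: Stem + year + optional symbol."""
    return [f"{stem.capitalize()}{year}{suffix}" for stem in STEMS for year in years for suffix in suffixes]


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def audit_directory(user_hashes: dict) -> dict:
    """Answer 'how many users have Spring2022! right now?' without seeing plaintext:
    hash the guess list and compare against stored hashes. Assumption: unsalted SHA-256
    stands in for the directory's real hash format in this example."""
    lookup = {sha256_hex(guess): guess for guess in candidate_guesses()}
    return {user: lookup[h] for user, h in user_hashes.items() if h in lookup}


# Constructed sample directory for the example; not real accounts or hashes.
SAMPLE_DIRECTORY = {
    "alice": sha256_hex("Spring2022!"),
    "bob": sha256_hex("Company2022!"),
    "carol": sha256_hex("correct-horse-battery-staple"),
    "dave": sha256_hex("Winter2023#"),
}

if __name__ == "__main__":
    for pw in ("Spring2022!", "correct-horse-battery-staple"):
        print(pw, evaluate(pw))
    print("accounts using a guessable password:", audit_directory(SAMPLE_DIRECTORY))
```

The interesting result is the inversion: the legacy rule passes “Spring2022!” (four character classes, eleven characters) and fails the long passphrase because it has only two classes, while the hardened rule does the opposite. The audit finds three of the four constructed accounts on the guess list, which is the number a practitioner would bring to the client.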
The technical end of the spectrum
To return to a point outlined earlier, it’s important to understand not only the state of the network, but the organization’s cybersecurity competency. One way to ensure that the necessary knowledge is in place is to begin the relationship on a more technical footing. This will help to measure the security awareness of the organization at large, as well as the personnel who will help tailor the necessary first moves. Some of these questions could include:
- The most dangerous things that can be done on a computer are email and web browsing. Do IT administrators have separate, unprivileged accounts for everyday use, or do they perform these dangerous actions with their highly privileged accounts, exposing the organization to significant risk if they click the wrong thing?
- Many large-scale data breaches occur simply because a cloud environment was left open to the entire internet through error or inexperience. Where is the cloud data, and who has access to it?
- Has a penetration test successfully compromised the network? If so, who detected it first? Was the penetration testing team the first to report it?
- Attackers can pivot from initial access to compromising other systems in minutes. What is the team’s average response time to security alerts?
- Are there audit processes in place to detect if an IT admin is reading their email?
- There is likely an alert or account-lockout policy for detecting a brute-force attack against a single account, but is it possible to detect an attacker trying the password “Spring2022!” once across a hundred different accounts?
- Is it possible to detect an attacker performing a brute-force attack against a local system account with administrator privileges?
- Is there a local administrator account with the same password reused on multiple systems?
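For the spraying question above, an added example that is not part of the article: two detection rules in Python run over constructed authentication log lines (the log format and the addresses are made up for the example; no product’s real log format is implied). The per-account lockout rule catches six failures against one account but never fires on one failure each against twelve accounts from the same source; the second rule keys on distinct accounts per source and catches exactly that.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for the example (assumption): timestamp, source, user, result.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse(line: str) -> dict:
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def per_account_lockout(events, threshold=5, window=timedelta(minutes=30)) -> set:
    """The rule most organizations already have: N failures for one account inside a window."""
    failures = defaultdict(list)  # user -> timestamps of recent failures
    alerts = set()
    for e in events:
        if e["result"] != "FAIL":
            continue
        times = failures[e["user"]]
        times.append(e["ts"])
        while times and e["ts"] - times[0] > window:  # slide the window forward
            times.pop(0)
        if len(times) >= threshold:
            alerts.add(e["user"])
    return alerts


def spray_detection(events, min_accounts=10, window=timedelta(minutes=30)) -> set:
    """The rule the question asks for: one source failing against many distinct accounts
    while staying far below the per-account lockout threshold."""
    history = defaultdict(list)  # src -> [(timestamp, user)]
    alerts = set()
    for e in events:
        if e["result"] != "FAIL":
            continue
        seen = history[e["src"]]
        seen.append((e["ts"], e["user"]))
        while seen and e["ts"] - seen[0][0] > window:
            seen.pop(0)
        if len({user for _, user in seen}) >= min_accounts:
            alerts.add(e["src"])
    return alerts


def analyse(lines) -> dict:
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    return {"lockouts": per_account_lockout(events), "sprays": spray_detection(events)}


def constructed_log() -> list:
    """Sample lines built for the example (constructed, not captured from a real system)."""
    base = datetime(2022, 6, 14, 9, 0, 0)
    lines = []
    # Spray: one password, twelve accounts, a single attempt each, from one source.
    for i in range(12):
        t = base + timedelta(seconds=15 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=203.0.113.5 user=user{i:02d} result=FAIL")
    # Classic brute force: six attempts against one account from another source.
    for i in range(6):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=203.0.113.9 user=admin result=FAIL")
    # Normal traffic: a typo followed by a successful login.
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} src=198.51.100.7 user=alice result=FAIL")
    lines.append(f"{base + timedelta(seconds=20):%Y-%m-%dT%H:%M:%SZ} src=198.51.100.7 user=alice result=OK")
    return lines


if __name__ == "__main__":
    print(analyse(constructed_log()))
```

The lockout rule reports only `admin`; every sprayed account has a single failure and stays invisible to it. The spray rule reports only the source `203.0.113.5`. Because it keys on the source, a spray spread across many sources needs a complementary count of distinct accounts with exactly one failure per window, regardless of source. Note also that the next question, a brute force against a local administrator account, is authenticated on the host itself, so those failures only reach a rule like this if host logs are forwarded centrally.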
A failure to answer these questions appropriately might mean an organization has its work cut out for it. Cybersecurity is now an existential threat. Even if only baby steps can be taken toward an appropriate security posture, those steps still need to be taken.
First published at Security Magazine