Cyber Security: Build a Better Onion

It was Thursday, 3:55 p.m. John Jones just remembered it was his night to make dinner. With just a few minutes to burn before his next meeting, followed by the rush hour slog and his son’s soccer practice, there was not much time to get a plan together. Jones quickly typed the name of his favorite cooking site into his laptop’s browser. Within seconds he found an e-book he could peruse while waiting for his son. He downloaded the cookbook and rushed off to his next meeting.

That night, while the aroma of baked lasagna wafted through Jones’ house, a virus seeped into his company’s network, having hitched a ride in the cookbook file on its way to infecting computers and shutting down critical infrastructure.

While the story is almost entirely fictitious, the scenario is all too real. “We have yet to find a company that had a protocol in place to stop something as trivial as downloading a recipe,” says Scott Montgomery, security practice manager at Grand Rapids-based Open Systems Technologies. “(In this case) the popular antivirus software did not detect (and/or block) the infected file.”

With a seemingly infinite array of targets and pathways into those targets, experts say it is impossible to eliminate all cyber security risks. Instead, companies need to build up their defensive layers, says Phil Bertolini, chief information officer at Oakland County. As with an onion, hackers may be able to peel away some of the layers, but if too much effort is involved, they will often move on to an easier target.

The most critical defensive layer, say experts, is having a staff of well-trained users. In the story above, the company ended up being the easier target, not because the antivirus software did not catch the virus but because the employee downloaded the cookbook.

Scott Montgomery of OST says there may be an incorrect assumption that the average company’s IT department is prepared to handle a security issue.

The trouble with trust
People have a “tendency to trust,” and hackers use that misguided trust to their advantage, says John Hey, chief operating officer of Trivalent Group in Grand Rapids. While people assume that their favorite cooking website would never provide a bad link or an infected file, legitimate websites may not even know they are serving files that carry malicious code.

And then there’s the scenario of a bank asking for a customer’s account number, with some people assuming the request is legitimate. But hackers routinely impersonate trusted businesses to gain access to money or protected information. “Attackers have become aware that it is often easier to exploit users at the browser and email level, rather than compromising servers,” reports Cisco in its 2015 Annual Security Report.

Whether via so-called “phishing” emails, rogue links, or weak passwords, for every user, hackers have multiple access points into a company’s system. And those access points can be exploited many times over across many different online interactions: social networking, purchasing, emailing, web browsing. For every 10 phishing emails, seven may be obviously rogue, but the other three can “trip you up,” says Hey.

Weak passwords create peep holes through which hackers can access bits of data. Consider how much of a person is revealed through their email conversations—who are they talking to and about what. Combine those bits of data with what is already available through social networking sites, the Internet generally, and the data that can be purchased on the dark web, and a hacker could easily impersonate a legitimate company, someone the user knows, or even the user.

The price tag for trust
The costs of a security breach include diminished reputation, customer turnover, recruitment of new customers, regulatory fees, identity insurance for clients, lost business, downtime, and, possibly, the business itself.

In dollars, those costs average out to $6.5 million for an organization that has been breached, reports the Ponemon Institute in its 2015 Cost of Data Breach Study: United States. The study analyzed the costs incurred by 62 U.S. companies who had experienced a security breach in which protected data had been taken. On average, 29,070 records were breached in each organization at an average cost of $217 per record.

For some companies, the thought of millions of dollars and tens of thousands of client records may seem too large to be relatable. Yet, every organization has data or revenue that can be exploited. “Last year, 60 percent of all targeted attacks struck small- and medium-sized organizations,” according to Symantec’s 2015 Internet Security Threat Report. “These organizations often have fewer resources to invest in security, and many are still not adopting basic best practices like blocking executable files and screensaver email attachments. This puts not only the businesses, but also their business partners, at higher risk.”

For a company hit by a cyber attack, downtime is the inevitable result. Even a single day of unscheduled downtime threatens the longevity of a company, says Hey. Several years ago, a local manufacturer was hit with a virus that took out two-thirds of its computers, recalls Hey. To get the company back up and running as quickly as possible, Trivalent had 15 people on site, going from computer to computer to isolate the virus and clean the machines in a process that took two days. Without that level of response, the company could have been down for a week, says Hey. And while the outcome was good (the company is still in business and has actually grown), had the outage been longer, the story could have ended badly.

John Hey, chief operating officer of Trivalent Group, says even a single day’s impact from a security breach can affect the longevity of a company.

Cyber security is a business issue, not an IT issue
Even if a company recognizes that cyber security is a concern, it may be assuming that it is an IT issue. IT certainly has a significant role to play in terms of the technology aspects of cyber security. However, cyber security is an enterprise-wide risk management issue, according to a report from ISACA, formerly known as the Information Systems Audit and Control Association.

In the report, Cybersecurity: What the Board of Directors Needs to Ask, ISACA says setting the tone for the organization is one of the key responsibilities of board members and executives alike.

Even while making cyber security a company-wide priority, there may yet be an assumption that the IT staff is qualified to assess cyber security weaknesses and respond to attacks. Often, neither is true. “Most organizations are just going to have a basic IT staff,” says OST’s Montgomery. “They may be highly educated, highly experienced people, but, again, the function of IT is usually around maintaining an existing environment.”

Beyond the question of skills, allowing existing IT staff to assess a company’s cyber security presents a conflict of interest, Montgomery asserts. Typically, it is the board of directors or executive level that should be requesting the service. “An IT staff really doesn’t feel the need for me to come in and assess their security. That’s like somebody calling their baby ugly. They don’t get a good benefit out of that. There is a vested interest in the executive team knowing what the risk is.”

Professional help
Professional cyber security experts can be expensive. By some estimates, more than one million cyber security professionals are needed to fill the skills gap that exists in the field and those that have the right skills can demand high salaries. Alternatively, consulting groups, like OST and Trivalent, provide assessment and emergency response services related to cyber security and other IT needs.

When considering how much to spend on cyber security, there are different approaches. J. Wolfgang Goerlich, director of security strategy at CBI, suggests that a company budget 0.2 percent of its annual revenue on cyber security. In addition, he recommends one full-time cyber pro for every 1,000 employees. However, Montgomery says his firm, OST, does not make recommendations on staffing. And Cisco’s security report states that a large number of cyber security staff is not necessarily an indicator of a better security posture.

Waiting until after an attack to seek professional help may not be the best approach, for obvious reasons.

“If you don’t know who to call, you can’t just look it up at the last minute,” warns Montgomery who says he is sometimes booked out two to three months at a stretch. At OST, if they are not already conducting regular assessments on an organization, providing 24/7 emergency assistance isn’t always possible. Indeed, it would be difficult to effectively respond to a breach without knowing the pre-existing security conditions of the organization, says Montgomery.

Whether hiring outside help or going it alone, a company that knows its own cyber security posture will be better able to respond to threats. There are many resources available to help companies manage their cyber security concerns, but so much information can be overwhelming, especially when a company lacks in-house expertise.

A “Small Business, Big Threat” assessment, a free service launched by the Small Business Development Center (SBDC) of Michigan last November, includes 31 online questions covering topics like breaches, passwords, mobile security, and physical security, in language that is understandable to a non-technical audience.

Through stories of small business owners, users are provided with examples of how cyber security issues can play out in the real world. The site then generates a score and recommends next steps.

CySAFE for Business is another free assessment, one that was originally developed by Oakland County government for use by public service agencies.

After the assessment had been downloaded by more than 400 public agencies in all 50 states, Oakland County realized that many businesses do not know how to begin assessing their own security and tweaked its government assessment to create one for business.

CySAFE for Business is a far more technical assessment than that of the SBDC, and it takes an entirely different assessment approach. Using three cyber security frameworks (20CC, NIST, and ISO) as its models, it provides 33 key controls. Using a scale of 0 – 5, the user ranks a company’s compliance on each control. Based on the answers, the assessment generates a prioritized list of controls to be addressed. As the company addresses each issue, it can update the chart and see its accomplishments graphed.

J. Wolfgang Goerlich, director of security strategy at CBI, suggests a company set aside 0.2 percent of its annual revenue on cyber security.

Experts agree that for an organization to be secure, its users must be an integral part of the solution. If they are to be the strongest layer of the metaphorical onion, then they cannot be an afterthought. In its security report, Cisco lists five principles for staying secure, three of which focus on human behavior.

Indeed, the second of the five principles warns against making security so complicated that users will either attempt to get around it or be utterly frustrated by it. In short, the security framework must fit the way the company does business. If not, the company will be at greater risk.

Companies are advised to create security policies and parameters that are “transparent and informative” as well as understandable to users. In other words, don’t throw up the proverbial brick wall without explaining why the road is blocked.

Another key: viewing security as a “people problem.”

“Security staff need to train users so they can make good decisions and feel empowered to seek timely assistance when they think something is wrong,” says one of the principles laid out by Cisco.

At Oakland County, the first round of annual cyber security training has just been completed, says Bertolini, referring to a series of short videos, each followed by a quiz. For the second round of training, he and his team will use “gamification,” the concept of applying game mechanics and game design techniques to engage and motivate people to achieve their goals.

In this case, users will earn points as they learn best practices. By changing the vehicle of the training, from videos to games, the material keeps employees engaged.

While quizzing users after training will help determine what has been learned or where the training needs to be improved, Bertolini’s team also goes a step further, “phishing” staff by planting rogue links and files where users might be tempted to click. While he would not divulge the results of those phishing expeditions, he did say that his organization did “better than most.” And, perhaps that is enough confirmation that they have built a better onion…than most.