It has recently been reported that a House subcommittee approved a $334 million funding increase for CISA, the Cybersecurity and Infrastructure Security Agency. The funding will be allocated across several categories, including cybersecurity, infrastructure security, emergency communications and risk management. I can't think of a better way to spend $334 million.
According to the FedScoop article, AttackIQ finds that security programs generally operate at only about 30% to 50% effectiveness against known adversary tactics, techniques and procedures (TTPs). That is why it is more important than ever to focus on your cybersecurity policies and programs.
We recommend five things leaders in the SLED (state, local and education) space should do now to harden their security posture.
1. Assess your IT environment and communicate your position to your team. To gain full visibility of your IT environment, take inventory of all your systems, assets and data: where they are located, who owns them and what is on them. You must understand your environment completely, because the asset that ends up compromised is often one you did not know you had.
2. Prioritize a hierarchy for your systems and data based on value and risk. Rank assets by their value to the organization, the cost of losing them and the risk they carry. Value and risk are separate dimensions: an asset that is highly valuable to you does not necessarily carry high risk, while a low-value asset that is exposed and unpatched can. Treat high-value, high-risk assets first.
3. Address high-risk vulnerabilities in systems, assets and data first. Where there are vulnerabilities, threats and attacks will follow. Prioritize vulnerabilities by the risk they pose, then close them: eliminate the vulnerability by patching where a fix exists, or mitigate it with a compensating control where it does not.
4. Assess and be selective with privileged accounts. Understand your privileged accounts: who has them and who actually needs them. For example, do all end users have administrative accounts on the laptops and computers they use? Do they need that access to do their jobs? Understanding critical business needs and removing unnecessary privileges is important.
One security measure that can stop an attacker from moving through an environment is multifactor authentication (MFA). MFA is a layered approach to securing applications, data and assets that requires a user to present more than one credential to verify their identity at login. It raises the bar because, in most cases, if one credential (such as a password) is compromised, the attacker will not satisfy the second factor and cannot reach the targeted application, device, network or database. Phishing-resistant factors such as hardware security keys hold up better than SMS codes or push prompts, which attackers can sometimes relay or fatigue users into approving.
Reviewing privileges in your organization's Active Directory (membership of groups such as Domain Admins, and local administrator rights on endpoints) will also surface risks to manage proactively. Combining least privilege with MFA, and identifying where you can restrict access to high-risk, high-value data with additional controls, can keep attackers out of your environment or slow them down enough to catch them before an incident occurs.
5. Have a cyber incident response plan (IRP). You need a plan for how you will respond when a threat becomes a breach and starts causing damage. What will your organization do when you identify an attacker moving laterally inside your IT environment and trying to encrypt files or devices? What steps will you take?
The plan will help you limit the damage after a breach. For example, we recommend developing well-practiced playbooks for specific attack types, including ransomware. These plans should be exercised regularly and updated to keep pace with the evolving threat landscape. CISA publishes playbooks describing operational procedures for planning and conducting cybersecurity vulnerability and incident response activities.
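The first four steps above (inventory, ranking by value and risk, vulnerability remediation, privileged-account review) can be tied together in a small prioritization pass. The script below is an added example, not code from the original article or from any vendor it mentions; every asset name, score, vulnerability ID, account and group name in it is constructed for illustration (the `Workstation-LocalAdmins` group and the `VULN-*` identifiers are placeholders, not real AD defaults or CVEs). In practice the asset list would come from a CMDB or scanner export and the account data from an Active Directory export.

```python
# Added example, not from the original article: walks steps 1-4 over a
# constructed inventory. All names, scores and accounts below are made up.
from dataclasses import dataclass, field


@dataclass
class Vuln:
    vuln_id: str          # placeholder identifier, not a real CVE
    cvss: float           # base score, 0-10
    exploited: bool       # known to be exploited in the wild
    patch_available: bool


@dataclass
class Asset:
    name: str
    value: int            # business value, 1 (low) to 5 (high)
    exposure: int         # reachability, 1 (isolated) to 5 (internet-facing)
    vulns: list[Vuln] = field(default_factory=list)


def likelihood(asset: Asset) -> float:
    """Exposure scaled by the asset's worst known flaw; exploited flaws weigh 1.5x."""
    if not asset.vulns:
        worst = 0.1  # no known flaws is low risk, not zero risk
    else:
        worst = max(v.cvss / 10 * (1.5 if v.exploited else 1.0) for v in asset.vulns)
    return asset.exposure * worst


def risk(asset: Asset) -> float:
    """Step 2: risk = value x likelihood, so high value alone does not mean high risk."""
    return asset.value * likelihood(asset)


def prioritize(assets: list[Asset]) -> list[tuple[str, float]]:
    """Rank assets by risk, highest first (the hierarchy from step 2)."""
    return sorted(((a.name, risk(a)) for a in assets), key=lambda t: t[1], reverse=True)


def remediation_plan(assets: list[Asset], min_cvss: float = 7.0) -> list[tuple[str, str, str]]:
    """Step 3: high-severity flaws on the riskiest assets first; patch when a
    fix exists, otherwise apply a compensating control ("mitigate")."""
    plan = []
    for a in sorted(assets, key=risk, reverse=True):
        for v in sorted(a.vulns, key=lambda v: v.cvss, reverse=True):
            if v.cvss >= min_cvss:
                plan.append((a.name, v.vuln_id, "patch" if v.patch_available else "mitigate"))
    return plan


@dataclass
class Account:
    name: str
    role: str
    groups: list[str]
    mfa_enrolled: bool
    last_logon_days: int


PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # AD built-ins
LOCAL_ADMIN_GROUP = "Workstation-LocalAdmins"   # assumed group name, not an AD default
ROLES_NEEDING_LOCAL_ADMIN = {"desktop support", "systems administrator"}  # assumed policy


def review_privileged(accounts: list[Account], stale_days: int = 90) -> list[tuple[str, str]]:
    """Step 4: flag privileged accounts lacking MFA or unused, and end users
    holding local admin rights their role does not call for."""
    findings = []
    for acct in accounts:
        privileged = bool(set(acct.groups) & PRIVILEGED_GROUPS)
        if privileged and not acct.mfa_enrolled:
            findings.append((acct.name, "privileged account without MFA"))
        if privileged and acct.last_logon_days > stale_days:
            findings.append((acct.name, f"privileged account unused for {acct.last_logon_days} days"))
        if LOCAL_ADMIN_GROUP in acct.groups and acct.role not in ROLES_NEEDING_LOCAL_ADMIN:
            findings.append((acct.name, f"local admin rights not required by role '{acct.role}'"))
    return findings


# Constructed step-1 inventory. The payroll database is the most valuable asset,
# but the exposed portal with an exploited flaw carries the most risk, and the
# forgotten test VM is the "asset you did not know you had".
SAMPLE_ASSETS = [
    Asset("hr-payroll-db", value=5, exposure=2, vulns=[Vuln("VULN-A", 7.5, False, True)]),
    Asset("public-web-portal", value=3, exposure=5, vulns=[Vuln("VULN-B", 9.8, True, True)]),
    Asset("forgotten-test-vm", value=1, exposure=5, vulns=[Vuln("VULN-C", 8.1, True, False)]),
    Asset("print-server", value=2, exposure=1),
]

SAMPLE_ACCOUNTS = [  # constructed AD export
    Account("asmith", "systems administrator", ["Domain Admins"], True, 1),
    Account("svc-backup", "service account", ["Domain Admins"], False, 400),
    Account("jdoe", "HR analyst", [LOCAL_ADMIN_GROUP], True, 2),
    Account("bwong", "desktop support", [LOCAL_ADMIN_GROUP], True, 5),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_ASSETS):
        print(f"{name:20s} risk={score:6.2f}")
    for item in remediation_plan(SAMPLE_ASSETS):
        print("remediate:", item)
    for finding in review_privileged(SAMPLE_ACCOUNTS):
        print("account:", finding)
```

Running it ranks the internet-facing portal above the payroll database even though the database is worth more, puts the forgotten VM third with a "mitigate" action because no patch exists, and flags the stale, MFA-less backup service account in Domain Admins along with an HR analyst holding local admin rights. The weights are deliberately simple; the point is that likelihood (exposure plus exploitability) and value are scored separately and only then combined.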
To wrap up, the first question to ask when deciding what to do with new funding is, "Do I need a shiny new set of blinking lights?" Probably not. Our five suggestions roll up into a few ideas on how to spend effectively: gain visibility, conduct disciplined cyber inventory and hygiene, and be prepared.