Back to basics
By Kenrick Bagnall
In an era of disruption, it’s time to focus on the fundamentals
One of the key factors when performing a cybersecurity vulnerability risk assessment is understanding what your environment looks like under normal conditions, both from a personal and corporate security perspective.
The basic premise is that with a clear picture of what normal operations look like, abnormal occurrences become clearer and can be recognized and acted on quickly. This can be challenging at the best of times — even more so when you consider the complex environments that have evolved because of COVID-19.
Organizations have changed their business models, resource allocations, budgets and physical footprints, with so many staff now in full work-from-home mode. With change being the only constant, getting a true view of what normal looks like is virtually impossible. Faced with this challenge, one of the best strategies both individuals and organizations can follow is to simply get back to basics. Focusing on the basics of cybersecurity and weaving them into the very fabric of day-to-day operations can go a long way to improve your security posture and lower your susceptibility to current and emerging cyber threats.
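The baseline idea described above, as an added example that is not part of the original column: learn what normal sign-in activity looks like from a period of known-good logs, then flag later events that fall outside it (a sign-in from a country never seen for that user, a sign-in well outside the user's usual hours, or a success that follows a burst of failures). The log format, user names and countries are constructed for illustration; a real deployment would read the same fields from the VPN or identity provider's logs.

```python
"""Baseline-and-deviation check over constructed sign-in log lines.

Added example, not from the original column. The log format, user names
and source countries below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed "known-good" period: "<timestamp> <user> <source_country> <result>"
BASELINE_LOGS = [
    "2020-09-01T08:05:00 alice CA success",
    "2020-09-01T08:12:00 bob CA success",
    "2020-09-01T09:30:00 alice CA success",
    "2020-09-02T07:55:00 bob CA success",
    "2020-09-02T08:40:00 carol CA success",
    "2020-09-03T08:10:00 alice CA success",
    "2020-09-03T17:45:00 carol CA success",
]

# Constructed lines from a later day to check against the baseline
NEW_LOGS = [
    "2020-09-04T08:03:00 alice CA success",
    "2020-09-04T03:20:00 bob RU success",     # unusual hour and unseen country
    "2020-09-04T08:30:00 carol CA failure",
    "2020-09-04T08:31:00 carol CA failure",
    "2020-09-04T08:32:00 carol CA failure",
    "2020-09-04T08:33:00 carol CA failure",
    "2020-09-04T08:34:00 carol CA failure",
    "2020-09-04T08:35:00 carol CA success",   # success right after a failure burst
]


def parse(line):
    """Split one constructed log line into (timestamp, user, country, result)."""
    ts, user, country, result = line.split()
    return datetime.fromisoformat(ts), user, country, result


def build_baseline(lines):
    """Learn, per user, the hours of day and countries seen during normal operations."""
    hours = defaultdict(set)
    countries = defaultdict(set)
    for line in lines:
        ts, user, country, result = parse(line)
        if result == "success":          # only successful sign-ins define "normal"
            hours[user].add(ts.hour)
            countries[user].add(country)
    return {"hours": hours, "countries": countries}


def find_deviations(baseline, lines, max_failures=3):
    """Return (user, reason) tuples for events that fall outside the baseline."""
    findings = []
    failures = defaultdict(int)          # consecutive failures per user
    for line in lines:
        ts, user, country, result = parse(line)
        if result == "failure":
            failures[user] += 1
            continue
        if failures[user] >= max_failures:
            findings.append((user, f"success after {failures[user]} failures"))
        failures[user] = 0
        if country not in baseline["countries"][user]:
            findings.append((user, f"login from unseen country {country}"))
        # Allow one hour of slack either side of the hours seen in the baseline
        seen_hours = baseline["hours"][user]
        if not any(abs(ts.hour - h) <= 1 for h in seen_hours):
            findings.append((user, f"login at unusual hour {ts.hour:02d}:00"))
    return findings


if __name__ == "__main__":
    for user, reason in find_deviations(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(f"{user}: {reason}")
```

The baseline is only as good as the period it was learned from, which is the column's point: if that period already contains the disruption, the detector learns the disruption as normal. Re-learn the baseline after a known change (such as a move to remote work) rather than carrying the old one forward.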
There are a few very good standards out there that can be used as a guideline for developing your own custom cybersecurity best practice. The NIST Framework and ISO 27001 are two of the most common, depending on your industry and requirements for certifications. Some standards are more complex than others and, in some cases, depending on the size and scope of your organization, may take considerable resources to research and properly implement.
Let’s look at three important pillars of cybercrime risk assessment and examine some back to basics ideas within each one.
System susceptibility: There are two points to consider here. The first is the value of your digital assets to a potential attacker, and the second is the vulnerability of the systems that are both housing and protecting those assets.
The general school of thought is that the shorter the path between your digital assets and monetization, the more susceptible those assets may be. There is not much that can be done to change your data, but you can reduce your susceptibility by ensuring that all systems are up to date and fully patched at all times.
Vendors will provide software and firmware updates for two reasons: to provide increased functionality and/or to provide improved security. More frequently it is for the latter. So apply updates regularly and develop a system to properly test them if needed before moving them to a production environment. I should mention here that data encryption is always a good practice when it comes to the protection of sensitive information and the reduction of system susceptibility. Just be very careful, because encrypted data can only be recovered with the right key, or through brute force depending on the type of encryption. It may be a good idea to utilize the services of your internal audit department to be the trusted keeper of these keys.
Remote workers should have data partitions on laptop storage encrypted to reduce susceptibility if those devices are ever lost or stolen. System susceptibility can also apply to hardware from a change control perspective. There is little point in upgrading hardware without properly decommissioning the old device(s).
Leaving legacy hardware connected to your network can potentially leave a back door to your network that you just don’t want to leave open. Be sure to double-check that any steps you take to reduce your system susceptibility also keep you compliant with any regulatory statutes that may govern how you must run your business.
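One way to catch the "legacy device still connected" problem described above, as an added example that is not part of the original column: reconcile what is actually answering on the network against the asset inventory, and flag devices recorded as decommissioned that are still online, devices on the wire that the inventory does not know about, and active assets that are not seen at all. The inventory, the neighbour-table lines and the MAC addresses are constructed for illustration; the line format mimics `ip neigh` output.

```python
"""Reconcile devices seen on the network against the asset inventory.

Added example, not from the original column. The inventory entries, MAC
addresses and neighbour-table lines are all constructed for illustration.
"""
import re

# Constructed asset inventory: MAC address -> (hostname, lifecycle status)
INVENTORY = {
    "00:11:22:33:44:01": ("fileserver-01", "active"),
    "00:11:22:33:44:02": ("fileserver-old", "decommissioned"),
    "00:11:22:33:44:03": ("printer-2f", "active"),
}

# Constructed lines in the style of `ip neigh` output; one uses dashed MAC notation
NEIGHBOUR_LINES = [
    "10.0.1.10 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE",
    "10.0.1.11 dev eth0 lladdr 00-11-22-33-44-02 STALE",
    "10.0.1.50 dev eth0 lladdr 00:11:22:33:44:99 REACHABLE",
]

MAC_RE = re.compile(r"\b([0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}\.){3}\d{1,3}\b")


def normalize_mac(mac):
    """Lower-case and use colons so dashed and colon notations compare equal."""
    return mac.lower().replace("-", ":")


def observed_devices(lines):
    """Map normalized MAC -> IP for every neighbour entry that can be parsed."""
    seen = {}
    for line in lines:
        mac = MAC_RE.search(line)
        ip = IP_RE.search(line)
        if mac and ip:
            seen[normalize_mac(mac.group(0))] = ip.group(0)
    return seen


def reconcile(inventory, lines):
    """Compare observed devices with the inventory and group the discrepancies."""
    findings = {"decommissioned_still_online": [], "unknown": [], "active_missing": []}
    seen = observed_devices(lines)
    for mac, ip in seen.items():
        if mac not in inventory:
            findings["unknown"].append((mac, ip))
        elif inventory[mac][1] == "decommissioned":
            findings["decommissioned_still_online"].append((inventory[mac][0], ip))
    # An active asset that never appears is a weaker signal (it may simply be
    # powered off), but it is worth a follow-up because the inventory is wrong.
    for mac, (name, status) in inventory.items():
        if status == "active" and mac not in seen:
            findings["active_missing"].append(name)
    return findings


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, NEIGHBOUR_LINES).items():
        print(category, items)
```

Run it against a real neighbour table or DHCP lease export and the "decommissioned_still_online" list is exactly the back door the column warns about: hardware that was replaced on paper but never unplugged.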
Threat accessibility: As a former computer network designer, implementer and analyst, I’ve always been intrigued by this pillar. This is where the worlds of information security and physical security meet head on. There’s a reason why “defence in depth” is always a good practice. Pouring all of your resources into five-star information security while your physical infrastructure is ignored is pointless. Doing this right goes beyond locks on your wiring closet doors with controlled access to keys.
From a cybercrime perspective, in the face of a breach, the crime scene can extend to your parking lot with its physical card access control and video surveillance systems.
Just because a data breach is digital in nature does not mean that the police won’t need the video.
Threat capability: This is perhaps the most challenging pillar because it’s the one you have the least control over. Threat capability speaks to the capability of the cyber adversary, the level of their skill set, and the tools, techniques and resources they may have access to. The level of capability varies from the so-called “script kiddies” up to organized nation state adversaries. When it comes to levelling the playing field of threat capability, knowledge can be your strongest asset.
Continuing education around cybersecurity is very important. Knowing what the latest malware threats are and how to defend against them can go a long way towards helping to maintain the integrity of, and accessibility to, your data. Ransomware remains a serious cyber threat. Learning about the latest variants and how they can impact your data will help you develop designs and best practices for creating reliable and recoverable backups. Good backups remain one of the best ways to help facilitate a quick recovery from ransomware.
Train your staff on phishing scam avoidance. Human beings remain the weakest link in the chain of cybersecurity — it only takes one click or even just opening the wrong email and, in a nanosecond, it’s over.
A great source of current and reliable information is the Canadian Centre for Cyber Security at cyber.gc.ca. Take some time to visit this site for some of the latest intelligence and alerts around cyber threats.
Also, always remember that cybercrime is a crime. As a victim of criminality, you should report the incident to law enforcement to allow for a proper investigation. Contacting law enforcement in the event of a breach represents the only punitive measure in combating cybercrime. Contact your local law enforcement office to have the initial report taken. Cyber investigation resources are available across Canada at the municipal, provincial and federal levels, so get to know your first point of contact and include that information in your back to basics plan.
Kenrick Bagnall is a Detective Constable with the Toronto Police Service Computer Cybercrime Unit (C3). Twitter: @KenrickBagnall.