Articles by the cybersecurity community


Guest Post - Laura Jiew and Sean McIntyre from AusCERT - I got 99 problems but a vuln ain’t one


Thank you to AusCERT's Laura Jiew and Sean McIntyre for writing a guest post for the Demystify Cyber project. Cybercrime fighting is truly a team sport, and I am thrilled to have this contribution from AusCERT for the blog. The team at AusCERT have always been extremely supportive of me both professionally and with my personal projects and volunteer work, and they are passionate about supporting the community and Nation to stand strong against cybercrime. I recommend their blog for up to date cybersecurity information; you can get to it from this link: https://www.auscert.org.au/resources/blogs/

............

Ninety nine problems but a vuln ain't one

If you’re having cyber problems, I feel bad for your SOC
I got ninety nine problems but a vuln ain't one, hit us!   

Okay, cheesy (revised) lyrics aside, I caught up with my colleague Sean McIntyre - Information Security Analyst at AusCERT - to discuss our shared thoughts on the common misconception that cyber criminals are “hooded / masked baddies” and we outlined some ways in which AusCERT, as a not-for-profit security group can help our members and the general public avoid the common pitfalls of falling victim to a cybercrime and/or incident. 


Sean, it isn’t unusual for our collective cultural community to think of cyber security in terms of tired cliches and common tropes. In your opinion, what can we do to help people understand that a cyber criminal and victim could look like anyone, including you and me. 


I think it’s really important to talk to folks - family, friends, neighbours even - about how cyber crime isn’t discriminatory, that it can happen to anyone. I feel it’s great that the media draws attention to cyber related incidents, it helps bring the topic to the mainframe. People relate to examples like Nine Network or domain.com.au. However, I do think we can do better at the grassroots-level. We should start talking about it with kids in schools etc., avoid making “cyber” a scary topic. I think organisations like eSafety do some good work in this space [1].

You’ve been working at AusCERT for close to 18 months now, in your opinion and observations, what cyber security challenges are the most common in terms of our membership audience? 


Personally, my top 3 observed challenges are as follows:

  1. Staying on top of the countless advisories, vulnerabilities and CVEs that come through daily. Identify all of your infrastructure: systems, operating systems, patch levels, appliances, applications. This may sound elementary, but sometimes the concept of going back to the basics is a great starting point. Actually, Jess Dodson, one of our keynotes and speakers at the AusCERT2021 conference does a great job of this through her personal website, definitely worth checking out! [2]. Members, once you’ve done this audit, make sure you subscribe to the appropriate AusCERT security bulletins through our member portal function.
  2. Identifying Business Email Compromise (BEC) attempts from what can be extremely confusing email headers and what to do from there. BECs are such a common scam - so much so that the ACCC had recently reported that payment redirection scams, also known as business email compromise (BEC) scams, resulted in $128 million of losses in the year 2020 [3]. Members, the AusCERT team is always happy to assist with the analysis of phishing email attempts and headers and will contact and assist affected member organisations where a BEC has occurred. Don’t forget that public agencies such as Scamwatch can also assist [4].
  3. Domain impersonation or squatting and brand protection. This one is a particularly challenging one, as AusCERT would love to help members who find themselves in such cases - however our success in getting websites taken down relies on malicious activity such as phishing or malware delivery being present. In cases where a brand is being impersonated, registrars and website hosts will request that the owner of the trademark contacts them directly. Abuse contacts can generally be found in the ‘whois’ info of a domain. Members can always reach out to our team for assistance and we are happy to walk through the necessary steps with them. 


We sat down and did one of these sessions at the end of last year, when you and I presented a case study on the AusCERT Incident Management service [5]. Can you reiterate the key take-aways for our readers again?


Of course! For those who haven’t had a read of that piece we did together, definitely check it out on the AusCERT website [5].

If you’re an AusCERT member, definitely utilise our 24/7 Incident Hotline or email us at auscert@auscert.org.au for any cyber related incidents.


Where possible, implement the “Essential 8” as outlined by the ACSC [6]. This protocol provides a baseline for cyber security incident mitigation. Implementing these strategies as a minimum makes it much harder for adversaries to compromise systems.

Thanks so much for the chat Sean!


.............................


AusCERT is a Cyber Emergency Response Team (CERT) based in Australia. We help members prevent, detect, respond and mitigate cyber-based attacks. As a not-for-profit security group based at The University of Queensland Australia, we deliver 24/7 service to members alongside a range of comprehensive tools to strengthen their cyber security strategy and posture.


..........................


Resources:
[1] https://www.esafety.gov.au/kids
[2] https://girl-germs.com/?p=2324
[3] https://www.accc.gov.au/media-release/scammers-capitalise-on-pandemic-as-australians-lose-record-851-million-to-scams
[4] https://www.scamwatch.gov.au/types-of-scams
[5] https://www.auscert.org.au/blog/2020-11-06-case-study-incident-management
[6] https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explained
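Sean's second challenge above, reading confusing email headers to recognise a BEC attempt, can be partly automated on the receiving side. The script below is an added example, not AusCERT's code or tooling; the message, names and domains in it are constructed for illustration.

```python
# Added example (not AusCERT's code): first-pass triage of the headers of a
# suspected Business Email Compromise message. It checks what an analyst looks
# at first: does the Reply-To domain differ from the From domain, does the
# envelope sender (Return-Path) match, and did SPF, DKIM and DMARC pass
# according to the receiving server's Authentication-Results header.
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample: a payment-redirection lure whose Reply-To points at a
# look-alike domain ("examp1e" with a digit one). Everything here is made up.
SAMPLE_BEC = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Jane Smith, CFO" <jane.smith@example.com>
Reply-To: "Jane Smith" <jane.smith@examp1e.com>
To: accounts@example.org
Subject: Urgent: updated bank details for invoice 4471

Please process the attached invoice to our new account today.
"""

def _domain(addr_header):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def triage_headers(raw):
    """Return a list of BEC indicators found in the message headers (empty = nothing odd)."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    path_dom = _domain(msg["Return-Path"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")
    if path_dom and path_dom != from_dom:
        findings.append(f"envelope sender domain {path_dom} differs from From domain {from_dom}")
    auth = msg.get("Authentication-Results", "")
    # Each mechanism reports pass/fail/softfail/none; anything but "pass" is worth a look.
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech} result is {result}")
    return findings

if __name__ == "__main__":
    for finding in triage_headers(SAMPLE_BEC):
        print("-", finding)
```

A real mailbox will show several Authentication-Results headers (one per hop) and a forwarded message may legitimately fail SPF, so treat these as triage hints to hand to a human analyst, not a verdict.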

Guest Post - Ross Marston - #Business cyber demystified

Thank you to Ross Marston, founder of Business Intelligence Security, for writing the below article about cybersecurity for businesses. 

.........

I’m lucky enough to get to talk to a lot of different business leaders, and I get it. It’s daunting for many, particularly SME/SMBs. Most businesses are aware that cyber security has the potential to massively damage their business. The evidence is in the news daily. And you think to yourself, “well if they got hit, what hope do we have?”. Well, I’m here to reassure you, and offer you a lot of hope. Below is a path to cyber resilience. It’s not a silver bullet, because they don’t exist. It’s a solid plan. You may need some assistance with some or all of it, but that’s okay. The main step is that you take charge and address this risk in your business.

“I’m here to reassure you, there is a lot of hope…”

Many business leaders simply assume their I.T. department or provider has cyber covered. They don’t! And there are many good reasons why they don’t. Not the least of which is, cyber isn’t an I.T. problem. It’s simply a business risk that the risk managers (business leaders) need to address.
It is within ANY business’ reach to be Cyber resilient. 100% secure is impossible. So, we aim for resilience. Having a Cyber Resilient business is the name of the game.
It’s like saying, “I’m 100% sure I won’t get sick”. Ridiculous! But being resilient to disease is very achievable. Resilience is simply the ability to bounce back readily from adversity or challenge. To be resilient you need to be prepared.

“it is within ANY business’ reach to be Cyber resilient”

Let’s look at our health analogy for a moment.  Many things affect your health, from genetics right through to your immediate environment.  The main thing you can do to positively impact your health is to prepare in advance.  Something like the following…

Think about your most likely health threats. Let’s just look at Flu for example.
If it’s flu season, plenty of hand washing, and avoiding direct contact with sufferers plus a few immune boosting supplements or foods will help.
At all times, boost the immune system by eating healthy, avoid too much booze, and stay fit, plenty of sleep, plenty of positive mental health time, etc.
If you still do get sick, rest up, plenty of fluids, take it easy, don’t spread it.
Get back on track as soon as possible.

Basically, have a plan. If you have no plan, then you are just at the mercy of whatever comes along.

It’s the same for business, no plan is not a good idea.  Your business needs a plan for everything it does.  No business owner starts without a plan, and just lets whatever comes along, happen to them.  They plan, and they measure how their plan is going.
Cyber is the same.  Many factors affect your business’ cyber resilience.  So, you need a plan. It’s simply another business risk you need to plan for. It’s certainly not an IT problem.  It’s a business risk, and it needs to be managed by risk managers.  Business leaders in other words.

Where to Start

So, let’s assume for a moment that you don’t know where to start with becoming Cyber Resilient.  Well fortunately many have been there before you.  One source we are going to leverage now, for our basic plan, is the U.S. National Institute of Standards and Technology.  Or N.I.S.T. as they’re known. They produce all sorts of cool stuff from standard weights (the standard Kilogram for example) through to Cyber Security Frameworks (CSF).

What I like about the NIST CSF is its simplicity and scalability.  It can easily scale from small start-up to international enterprise behemoth, and government.  It consists of 5 simple steps that your business needs to flesh out according to its requirements. It looks like this…

We all know that Action Changes Things, so let’s break that down into action points…

Cyber Security Plan action list

1. Identify what is important to your business. What is most critical?
a. These are your Information Assets.
b. You need to know what’s most important, as there is no point in finding that out once it’s gone. (Reminds me of that Joni Mitchell song, Big Yellow Taxi. “You don’t know what you’ve got ‘til it’s gone.”) Take stock beforehand. That way you know what to protect.
c. You also need to prioritise your assets. Which ones are MOST important and critical? Rate them! (There are standardised ways to do this easily.)


2. Have a plan to protect those critical assets.
a. These are your controls.
b. Depending on the asset, this may be something simple like a policy or something technical like Multi Factor Authentication. Or any combination of other types of controls as well.
c. One thing is for sure, you need layers of protection. Not just one, so you’ll likely use multiple controls.
d. Start at the most critical Assets identified in step 1, and protect them first, then move down the list.


3. Have a way to monitor and Detect to ensure your plan is working.
a. You wouldn’t have a financial plan and not look at your P&L to make sure it’s working. In the same way, you need ways to monitor that your controls are working.
b. You also need to know that things aren’t slipping through the cracks.
c. If you aren’t measuring, you have no idea if it’s working.  If you have no idea if your plans are working, why make plans?
d. Pro Tip: Discovering you’re the victim of Ransomware and your entire business is shut down is NOT monitoring! That’s disaster.


4. If you detect an incident despite your best efforts, how will you respond?
a. No plan is foolproof.  Hence, you need to know what you’re going to do, when you discover your plan isn’t foolproof, and you detect an event that shouldn’t be happening.
b. One thing I can guarantee, after responding to many cyber incidents. In the midst of an incident is NOT the time to be figuring out what to do.  Make a plan first!
c. Know who will be in the response team, what the communications channels are, who needs communicating with, what will be said, who’s making the decisions.  There’s a bunch of things to go in here, and again, there’s many who have trod this path before you.  Don’t re-invent the wheel.


5. Once we’ve responded how will we Recover, to get back to where we were with the least fuss, and be stronger than we were before?
a. We detected an incident and enacted our plan. The incident is now resolved. How do we get back to where we were in the shortest possible time frame?
b. Not only back to where we were, but better.  Stronger! What did we learn about how our plans above can be improved?  Let’s fix the plan.

And there my friends, is a Simple Cyber Resilience plan.

Sure, it needs fleshing out and customising for your business.  But it’s a framework ANY business can work with. You may need help with some or all of it, but you need to be in charge.  And let’s face it, there’s a whole lot of people in the cyber security industry only too happy to assist.

If you do need to demonstrate compliance to a cyber standard, then maybe the ASD ISM, PSPF, DISP, Right Fit for Risk, or ISO/IEC 27001 are more appropriate. Or maybe you need something simple and prescriptive like the ASD Essential 8. It’s a good starting point, but lacks any policy framework, which I think is essential.

But if you just need to start, do the above.  It works. I have implemented it many times and it serves its design purpose, to help make your business more Cyber Resilient.

Stay Safe!
Ross Marston CISSP