CEOs everywhere are suddenly in the hot seat over the increasing instability of the nation’s critical infrastructure—from cyberattacks on hospitals and meatpacking plants to water supply systems and gas pipelines. Ransomware attacks, which now strike every eight minutes in the U.S., are crippling police departments, NBA basketball, and ferries to Martha’s Vineyard.
With the cyber crisis in mind, the Senate Committee on Homeland Security and Governmental Affairs recently called Colonial Pipeline CEO Joseph Blount to explain the massive security breach that shut down the nation’s largest fuel line. Colonial has admitted the breach was the result of a single compromised password used on a virtual private network (VPN) that lacked multifactor authentication.
“As we do our work to investigate what happened at Colonial Pipeline, we must not make the mistake of taking a siloed approach to addressing cybersecurity vulnerabilities in critical infrastructure,” said Rep. Bennie G. Thompson (D-Miss.), who heads the House Committee on Homeland Security, which took up its own investigation in June.
To help executives navigate these perilous times, the editors of Endpoint have taken a deep breath and assembled the top advice from our experts over the past year of covering the security landscape. In this article, we summarize the most useful advice for the current moment.
Take passwords and multifactor authentication seriously
It’s important to create a strong password using a unique, easy-to-remember phrase of eight to 12 characters, and to stick to it rather than forcing employees to make small tweaks to a weaker password.
After that, the best strategy is to employ multifactor authentication (MFA) using a smartphone or authentication app. A core element of effective cyber hygiene, MFA requires a user to verify his or her identity using more than one method, say, a password and voice recognition, or a password and a possession like a phone, which can receive a notification from an app when the user attempts to log in to a computer network.
“The reality is that passwords are still here,” says Kelvin Coleman, executive director of the National Cyber Security Alliance (NCSA). “What I tell consumers and businesses is they have to create robust passwords, enable MFA, and run the security updates and patches. You don’t have to be a technical wizard to do this.”
Step away from the VPN
Virtual private networks create more complexity rather than less. Employees complain they spend too much time logging in to a corporate network and suffering through slower internet speeds once they connect. Help-desk employees have to field calls from these frustrated employees as they keep VPNs maintained and configured correctly. And when companies increased VPN capacity tenfold during the pandemic, the deluge of simultaneous users degraded performance even more. Add to this the fact that VPNs can be terribly insecure: Once cybercriminals gain direct access to a company’s network, they can access everything on that network, including sensitive company information.
Anton Chuvakin, head of security solution strategy at Google Cloud, doesn’t like VPNs. “They break,” he says. “They break a lot. And at the worst times.” Instead, Chuvakin recommends cloud-based “zero-trust” systems that treat every device that tries to log on as a potential threat. Users must prove their identity in multiple ways each time they log in to any of the systems, applications, and websites of an enterprise.
Block lateral movement
With the SolarWinds supply chain hack, cybercriminals used malware to steal and forge digital credentials that enabled them to hopscotch from endpoint to endpoint as they gained access to an estimated 18,000 entities that had downloaded the infected security software. The cost to fix this massive breach was an estimated
The key to stopping such attacks is to make so-called “lateral movement” as difficult as possible for an attacker. That means practicing good endpoint hygiene. Effective practices start with solid management of assets, configurations, and patches. Companies must also carefully manage identities, knowing at all times who has the credentials to access applications and systems on their network and giving users the lowest level of access to resources they absolutely need to do their jobs.
Fight tool sprawl
“Tool sprawl” involves the unfettered proliferation of authorized and unauthorized applications across a company. Piling tool upon tool can open a potentially devastating backdoor for hackers. Many unsanctioned tools get haphazardly installed without IT’s knowing. They remain forgotten, unpatched, and vulnerable—until a hacker finds and uses them to breach a company’s network.
Bradley Schaufenbuel, chief information security officer at Paychex, a provider of payroll services for small businesses, says tool sprawl has become a major concern for security teams. His team finds new vulnerabilities from rogue software every day. “Unless the tools are sanctioned and inventoried, security teams are often unaware of their existence,” says Schaufenbuel. “And a security team cannot secure what it does not know exists.” He recommends giving users an amnesty period to register tools so they can be continually hardened and updated, and if that doesn’t work, aggressively blocking or removing unsanctioned tools from company systems.
Practice incident response
Enterprises must shift from playing defense to going on the offensive to actively prepare for a successful attack and limit the damage. Security teams must know exactly what they will do when a security breach happens—and regularly practice their response. They should constantly be on the lookout for signs that hackers or malicious software have compromised their systems. That requires intrusion and anomaly detection systems that quickly spot unusual activity, as well as the automation of indicators of compromise (IoC) to reduce the potential for human error. An endpoint detection and response platform can quickly pull together all the information that security teams need.
From there, executives must prioritize the response. The savviest will have already identified their mission-critical business processes and the technology that keeps them running. That helps teams decide which incidents deserve a high-level response.
Sadly these days, incidents often do.