Lock the Doors! Understanding and Securing Your Systems - WST

Government agencies continue to warn of potential cyberattacks targeting US entities related to the ongoing conflict in Ukraine. Just this week, President Biden and the Cybersecurity & Infrastructure Security Agency (CISA) warned (https://www.cisa.gov/news-events/news/statement-cisa-director-easterly-potential-russian-cyberattacks-against-united) of increasing indications that Russia is considering conducting cyberattacks against US targets. While the timing and likelihood of these threats is always subject to change, one thing is certain; if you have not already taken a good hard look at your own cybersecurity, then there is no time like the present.

The first step of taking a good overall look at your cyber-defenses, is to understand what you have to defend. Modern networks rarely have a clear perimeter. Sensitive data can be anywhere from internal servers, to mobile laptops, or hosted by cloud vendors. It is vital to identify where your information lives. Once this is done, you can go about evaluating how it is protected.

After inventorying where your “crown jewels” are stored, the next step is to look at how it is accessed. Identify VPNs, remote access gateways, cloud portals, and other ways your users (and anyone else) may use to access the information. This collection of access methods becomes your new “perimeter”, marking where the outside world can access your data.

Finally, look carefully at what is needed to remotely access sensitive info. EVERY way used to access non-public information should be protected by as strong an authentication method as possible (this means Multi-Factor Authentication (MFA). If you have sensitive info anywhere not protected by MFA, this should be rectified as soon as humanly possible.

Some additional things to consider:

• Email should always be included in your data inventory as a critical item. Email almost always contains sensitive information, and is tied into other systems for password recovery, etc. As such, it is a prime target.
• When it comes to MFA, not all methods are created equal. SMS or email codes should not be considered secure enough for sensitive information. Use hard or soft token-based codes or push notifications via an authenticator app.
• Push notifications can be problematic. We have seen many instances where users blindly accepted a push notification to allow an attacker to log on. Make sure you train users to report unsolicited push notifications.
• Microsoft 365 in combination with the Microsoft Authenticator app, can now use an enhanced notification process, which helps mitigate the risk of a user accepting a logon they did not initiate. See https://techcommunity.microsoft.com/t5/microsoft-entra-blog/new-microsoft-authenticator-security-features-are-now-available/ba-p/2464386 for more info.
• Anywhere you have data that cannot be properly protected by strong authentication (I.e., MFA) you should strongly consider discontinuing the use of that service, or at a minimum, carefully monitor access to identify potential abuse. Restricting access via source IP may be another option, depending on the use case.

Editor’s Note:
10-D will be attending the ABA Risk Management Virtual Conference March 29-31. Please join us for one of our Table Talks during the Open Marketplace sessions!

• Selecting the Right Testing Methodology – What kind of risks are you trying to identify?
  Tuesday, March 29 at 11:15AM EST.
• Top IT Audit Findings
  Wednesday, March 30th at 1:45PM EST.
• Model Risk Management
  Thursday, March 31st, at 11:00AM EST

Authored by: Jeremy Johnson OSCP, CISSP