Expect the Unexpected

Written By Jonathan Kilpatrick

While I was sitting in the CIO seat, I would be asked regularly about the latest cyber-attack.  “Does thinking about the WannaCry virus keep you awake at night?” or “How do you sleep knowing the SolarWinds hack was successful?”  My response was always the same.  I sleep fine thinking about those events.  What keeps me awake is thinking about an event that I haven't heard about -- yet. 

Every CISO or CIO has had that thought – What is on my systems that I don’t know about yet?  SolarWinds is a perfect example.  The breach was in the public arena and firmly integrated into systems around the world for up to 9 months before it was detected.  Nine months before a patch was disseminated.  What keeps me awake at night?  The breach that I don’t know about yet. 

Cyber-attacks come in every shape and size.  Some are destructive, some gather information, some have no impact on operations, but every attack is a threat.  Preparing for the threat is essential to operating during and after a successful malicious attack. 

Regardless of the nature of the attack, good cyber hygiene is critical to detecting, responding and recovering from any attack.  Simple measures like: 

  • Implementing Multifactor Authentication 

  • Staying current on patches and updates 

  • Train staff to recognize phishing attempts 

  • Verify admin accounts are not shared 

  • Verify account passwords are changed periodically 

  • Audit admin accounts for usage 

These measures will protect organizations from a large percentage of cyber-attacks.  However, further steps are necessary to recover in the event of a successful attack.  These measures are more difficult to implement but far more important if your organization is the target of a successful attack.  Every organization should have a disaster plan that addresses cyber-attacks.  How will your organization respond if an, as of yet unknown, vulnerability is exploited?  A Disaster recovery plan should be in place to drive your response and recovery.  A Continuity of Operations Plan (COOP) should be in place to relocate for continued operations if necessary.  Staff should be well rehearsed in responding to a cyber-attack because you have practiced and exercised your response plan. 

To uncover and attempt to find any exploitation of unknown vulnerabilities, every member of your staff should be on the lookout for anomalous activity.  To borrow a phrase – If you see something say something.  Look for activity such as: 

  • Unwarranted network traffic 

  • Unexpected data leaving your network 

  • Unusual email traffic (example: a person sending a high volume of emails at night) 

Proactively, organizations can achieve a better threat assessment by hunting for intrusions.  

  • Creating a “honey pot” server on the network that no one has access to and monitors for any activity to gain entry to the server.    

  • Monitor log data for any activity that is outside normal ranges 

Unknown vulnerabilities are exploited every day.  The vulnerability that you are not aware of, might be known to any number of hackers.  The threat of exploitation of zero-day vulnerabilities is what kept me awake at night.  What allowed me to sleep is knowing that the proper plans and procedures were in place in the event we needed them.   

Jonathan Kilpatrick
Next

Cyber in a Hurricane