The subject of the last several articles has been the requirement for all businesses in the Defense Industrial Base to implement system security, using the framework for system security, the Cybersecurity Maturity Model Certification (CMMC). The CMMC framework is dedicated to controlling access, that is, access to the information management system and access to physical information. The framework also covers what happens when there is a loss of access control: the plan addresses response and how the organization recovers. The simple fact is that all systems, no matter the amount of security, are subject to attack and compromise. When addressing the system security plan requirements, it becomes apparent that the controls are not only focused on protecting the confidentiality of information; they also address the integrity of the information and the availability of the system. In terms of these goals, confidentiality is the protection of information from those who do not have access rights; integrity is the assurance that the information has not been changed. Availability is access to the system; if the system is inaccessible, or if the information on the system cannot be accessed, then there is a loss of availability. Of these three, it is the loss of availability that impacts small businesses most often.
The availability failure for a business of any size will most likely come via an email. In fact, most successful compromises are delivered by email. That is accomplished by someone in the organization accessing malware that is, through any number of means, bundled within the email attachment. The basic pattern is that the user downloads or opens an email attachment, the malware is deployed and then hosted on the computer. It then seeks to control the system; on most systems without defensive controls, this is not hard to accomplish. Since this process has been going on for years, most users are less and less likely to open an email from unknown sources. This has in turn resulted in an increase in the sophistication of attacks. Nevertheless, small businesses, the ones with few defensive controls, are most often the victims of Ransomware attacks. These are attacks against the availability of the system, as a Ransomware attack will encrypt the company data; once the data is encrypted with no ability to decrypt it, the data is lost. Often the ransom is paid without a result.
Increasingly, the attacks are becoming more complex and sophisticated. At this time of year, the holidays, the attack vectors change to capitalize on the season and the times. With the Christmas holiday approaching, there are attacks in the guise of package delivery notifications, and there are attacks based on buying habits. Due to the pandemic and the increase in staff working from home, there are now specific attacks against remote workers. There are attacks offering Covid-19 vaccines and test kits. The successful result in most of these attacks is a Ransomware attack, where the system owner is forced to pay for the decryption of their data. This attack has then given rise to a second exploit: the victim pays another ransom to prevent the release of confidential information taken from the system. The result of a successful attack can be an organization paying two ransoms, first to recover the system information, and second to prevent the release of company confidential information. Combating these attacks against system availability and the loss of confidentiality requires a combination of tasks.
One of the first steps is following basic cybersecurity and system security best practices; these are outlined in the CMMC framework. They include defense-in-depth, segmented roles and access rights, and air-gapped backups. Consider that an air-gapped backup is most likely the best way to recover from a successful Ransomware attack. Second is training: the better trained an organization is in recognizing and avoiding these attacks, the more likely they are to be avoided.
From the hacker's point of view, there is a world of opportunity, as most systems are not very well protected. Their goal is to exploit systems with the least amount of effort; even for criminal organizations, time and effort are money. Your business goal is to make things hard for the lazy hacker. That means doing simple things: change the default logins and passwords on all devices, and use long passphrases. Use multifactor authentication to help ensure the identity of users, and encrypt your data so that it cannot be exploited. Back up your data, even if it is stored in the Cloud, onto a removable drive, one that is physically disconnected from the system; this reduces the chance that malware migrates to the backup device. Ensure the software on your systems is current and updated, and ensure this is true for your antivirus software. Many of these tasks are set-up functions: you set them once and much of the work is complete; encryption and changing passwords are examples. These are steps you can take without too much effort to reduce your system vulnerabilities.