Happy Friday
This week's 2-day event hosted by University of Hawaii and Cyber Hawaii could not have come at a better time. Some BIG hacks have been hitting the news lately including theBus, CDK, and a Maui Health Center ransomwared by Russian hackers.
If you didn't have a chance to attend, no worries! I took good notes. Here are some of my top takeaways based on the presentations from Homeland Security, FBI, Secret Service and CISA.
Prevention is the name of the game
Once a bad actor is inside your network, your email, your cloud environment, your website it's waaay hard to prevent them from establishing additional footholds, taking your data and selling it on the Darkweb, impersonating your company to clients to demand money, or just encrypting everything you have and demanding a ransom for access to it (like they did to CDK).
Top tips for prevention:
1) Segment your networks. There are bulkheads in a ship for a reason - if water breaches the hull, they divides the ship's interior into watertight compartments to keep it from sinking.
So that you don't Titanic your business, do the same with your IT infrastructure. Critical servers and infrastructure in one network, separate from production, sales, finance, phones, printers and other smart internet connected devices like projectors, smart boards or security cameras. Putting them on separate subnets is not enough - they should be vlan'd and use explicit rules to police traffic between them. Yes, this takes some planning but it's not terribly expensive and can save you from having a really bad day.
2) Proper cyber hygiene. Having good cyber hygiene is like brushing your teeth - it's a recurring activity, not "one and done." That means installing, updating and monitoring the security software such as an EDR (fancy antivirus), SIEM/SOC solution (live security monitoring) on workstations, laptops, servers and yes, mobile devices.
And of course, the big potato - patch management. Patching is SO important. Manufacturers fix critical vulnerabilities and release them often. But your systems will remain vulnerable unless there's a systematic and structured way of installing and staying on top of updates. CISA has a great resource called the Known Exploited Vulnerabilities Catalog or, KEV for short that updates daily with exploits that have actually been found in the wild. Recommend checking it out here.
3) Education. Informing and educating the public is one of the FBI's top priorities as it makes a huge dent cybercrime. CISA has some free cybersecurity training and exercises for DIY IT departments. But again, when it comes to education and cyber hygiene, it should be a structured and ongoing process. An annual lunch'n learn with staff will not help improve your company's security posture. If you need help tailoring an employee security awareness training program for your organization, feel free to reach out. We can help.
The bad guys are smart, organized and share information. To stay ahead of them, we should too!
If there are any good resources out there you've found that can help keep the community safe, feel free to send them over. We might feature them in an upcoming newsletter!
Stay safe out there.
-A
PS. In case you missed last week's news segment on theBus hack, here's the link.
New Friday Funnies
Q: What did the fish say when he bumped into a wall?
A: "Dam."