How to DO MORE Webinar: Understanding Cyber Security
Host: Niko Stoenescu
Welcome, everybody, to the second installment of the How to Do More webinar series. We’re glad that you’re able to join us today, and for today’s webinar, we’ll be discussing some simple and effective cybersecurity practices that you can implement at your facilities to help reduce your risk of a cyber attack.
Thank you, everybody, for being here. My name is Niko Stoenescu. I’m a Product Marketing Manager here at Storable, and I am your host, as you know, for the How to Do More webinar series. And as a reminder, the How to Do More webinar series will focus on practical ways that you can respond to the market forces that my colleague Matt is discussing in his Do More webinar series. This series will be oriented around concrete things that you can do to increase your revenue, reduce cost, and mitigate risk.
And, of course, in today’s session, we’ll be discussing how to mitigate the risk of a cyber attack at your facility. And we’ll cover some simple and effective security practices that apply to any operation, and these will be great first steps for you in creating a cybersecurity plan, specific to the needs of your individual operation.
So joining me today to discuss the Cyber Security Best Practices is Storable’s Information Security Director, Mark Baldwin. Mark, thank you for joining me.
(Mark) Hey, good morning, or afternoon, depending on your location. And thanks for inviting me to be part of the webinar, Niko. Cybersecurity is a really important topic for all businesses these days, and I’m happy to have the opportunity to discuss it here.
(Niko) Yeah, absolutely it is, and I thought it would be a great topic for us to discuss in this webinar. So I know a lot of people who have joined, are excited to hear about this. Before we get started, though, would you mind just telling us a little, a little bit about your professional history?
(Mark) Yeah, absolutely. So I started my career in information technology back in the mid-1990’s. Early in my career, I was involved in responding to several security incidents in which an attacker was able to break into the internal networks of the organizations where I was employed. And in one case, the attacker actually called me at my desk, pretending to be an employee at another location, in an effort to obtain information. This was my first direct experience with what’s now known as social engineering.
As a result of those experiences though, I became fascinated with cybersecurity and wanted to understand the techniques used by the hacker so that I could build appropriate defenses to stop them. At that time, there really wasn’t a separate discipline for information security, it was just considered part of IT. So, I decided to focus my career on cybersecurity, and make that my area of specialty. Since that time, I’ve worked in many organizations, large and small, building out and managing security programs in order to keep the bad guys out and reduce risks for the organization.
I currently hold a number of cybersecurity certifications, including Certified Information Systems Security Professional, Certified Cloud Security Professional, and Certified Information System Security Manager.
(Niko) All right, so, I’d say that you’re probably pretty qualified to be speaking on the subject matter today, right? That was actually probably a good call for you, back in the day. Pretty forward-thinking to realize the need for cybersecurity back then, and how it would only grow, you know, as time went on and technology continued to develop, right?
(Mark) Yeah, absolutely. Absolutely.
(Niko) Just so we’re all on the same page here, then, why don’t we kick things off by you telling us what exactly is cybersecurity?
(Mark) Yeah, so, cybersecurity sounds like it could be a difficult concept to comprehend, but at its core, it’s really all about risk management. There’s no such thing as being 100% secure or completely eliminating risk. Instead, the goal of cybersecurity is to mitigate risk to an acceptable level and to make your systems, your networks, and your users a difficult target, such that attackers will look for an easier target elsewhere.
The vast majority of cyber attacks these days are automated, and the most likely targets are those organizations that haven’t implemented basic cybersecurity hygiene measures. And this is why it’s actually extremely important to implement basic cybersecurity controls in your environment.
(Niko) So, you’re saying that even implementing some basic cybersecurity measures can make you a less appealing target for a cyber attack?
(Mark) Yeah, that’s exactly right, and that’s what I plan to go over in our conversation today. I’m going to talk about a list of basic cybersecurity practices that apply to any organization, regardless of the size, and if those are implemented properly, these cybersecurity practices will greatly reduce the risk of your organization becoming a victim of a cyber attack. However, it’s important to keep in mind that, depending on your business and your budget, you may need to do, or choose to do more, especially if your organization is subject to any state, federal, or industry compliance requirements.
(Niko) Okay, so that makes sense. So then, what you have for us today will help operators form a really strong foundation for cyber security practices at their operation. And then from there, they can choose to expand on those practices if they’re obligated to do so legally or if they want to have a more robust security outfit.
(Mark) Yeah, right, that’s exactly right. And then at the end of the discussion today, we’ll share some resources that will help operators implement these security controls in their organizations, shore up their cyber defenses, and take their cyber security practices to the next level.
(Niko) Okay, great, well then, let’s jump right into the content today.
(Mark) Alright. So, there are four primary areas that we’ll be discussing today that small- and medium-sized businesses should focus on, in order to give their organizations the best chance of being protected from a cyber attack. And those four areas include endpoint security, email and web security, user security, and network security.
So let’s start with endpoints. Securing your endpoints such as laptops, desktops, and mobile devices is critical, as many of today’s threats look to take advantage of weaknesses at these endpoints. Increasingly, in today’s world where people expect to and need to work from anywhere, staff often work from remote locations. And as a result, the devices used to connect to corporate networks and applications are often not protected by company-managed firewalls or other network security devices. So frequently we no longer have a strong perimeter to protect our endpoints. So the endpoints themselves really need to be resistant to attacks. There are several controls that are important to have in place to protect your endpoints.
The first of those is advanced endpoint protection software. So traditional signature-based antivirus software is no longer good enough. There are thousands of new malware variants being created every day by the bad guys to evade antivirus software. And those solutions that rely only on signatures to detect malware are always behind the curve. They can only detect what they know about. So this is why it’s important to utilize next-generation endpoint software, with advanced capabilities based on machine learning and artificial intelligence. These next-gen endpoint protection solutions don’t rely simply on antivirus signatures to detect malware. They actually utilize real-time analysis of user and system behavior to analyze the executables, which helps them to detect malicious software, including zero-day threats, and they also take immediate action to block, contain, and roll back those threats. Some examples of endpoint protection solutions that you might want to look into include Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, FireEye, and Carbon Black.
So the next thing I want to talk about here is encryption on your endpoints. Enabling full disk encryption on your endpoints will help ensure that, if a device is lost or stolen, the data stored on that device cannot be accessed by anyone other than the owner of the system. And this is particularly important for laptops, tablets, and phones, which are frequently used by staff who work remotely. Most current versions of Android and Apple phones have disk encryption enabled by default, but you can verify this in the device’s settings. Laptops typically need to have full disk encryption enabled by the administrator of the system. Now fortunately, both Windows and macOS provide disk encryption capability, with BitLocker for Windows and FileVault for macOS.
The next thing I would like to talk about is patching. Make sure that your endpoints receive regular security updates for the operating system and other software installed on the system. The easiest way to achieve this is to configure the devices to automatically install security patches for both the operating system and third-party software. Now, Windows and macOS can both be configured to install operating system patches automatically by default. And many third-party software products will do this as well, but not all of them do. So it’s important to make sure that security patches are installed regularly for all software. And there are also many configuration management tools available that can help you keep your endpoints up to date on security patches.
Next is limited admin access. So when using a computer system for general purposes, make sure that the account does not have administrator privileges. The reason this is important is because in many cases, malware can only operate with the same privileges as the user logged into the system. So using a nonadministrative account will therefore help limit what actions the malware can take, and the amount of damage that it can cause. And in many cases, it may help protect against infection in the first place. So if something needs to be done on an endpoint that requires administrator rights, log in with a different administrative user account to perform those tasks, and then log out when you’re finished, and then log back in with a regular account. Daily use should be performed using accounts that do not have administrator rights.
And then lastly, for endpoints, make sure you have a good hardware and software inventory. It’s important to maintain an accurate inventory of all your endpoints, and the software that’s installed on them. Now, this can be done manually in a spreadsheet, for example, for smaller organizations, that’s really not practical in larger environments. Fortunately, there are many asset management tools out there that will automatically detect the hardware devices in your environment. And it will provide the details of the software that’s installed on them. This is an important control because you really can’t secure systems unless you know what you have deployed out in the field.
So the next of the four primary areas I’m going to discuss is email and web security. So email and web security are two of the primary attack vectors utilized by attackers today. In fact, 90% of cyber attacks either begin with or involve email in some fashion. So it’s really important to make sure your email system detects and blocks malicious emails before they make it into the user’s inbox. Similarly, employ software to block access to malicious websites. There are a couple of important controls to reduce the risk of using email and surfing the web. The first is choosing a reputable vendor for email, such as Microsoft or Google. They both do a really good job of detecting and blocking malicious emails, such as phishing, and they invest heavily to stay ahead of those attacks. They also provide the ability to implement additional security controls, like allow lists and blocklists. And if you host your own mail server, like Exchange, be sure to use a third-party email security service from a vendor like Mimecast, SpamTitan, or Cisco to block those threats.
And then for web protection, you’re going to want to make sure that you implement software that will prevent users from accessing malicious websites. This can happen innocently as your users are just accessing the web as part of their normal daily activities. Many of the endpoint protection tools that we discussed earlier have this capability, but there are also network-based solutions that will block access to known malicious websites. These tools will allow you to set up content filtering rules to block access to websites based on their content, if you want, such as blocking access to gambling or dating sites. Some example vendors in this space include Cisco Umbrella, Zscaler, WebTitan, and Forcepoint.
All right, the third area we’re going to talk about is user security. Now, most attacks today focus on the end-user. And the reason being is that it’s just much easier for an attacker to trick a user into clicking on a malicious link, or perhaps divulging their password through a phishing email, for example, than it is to try and circumvent the network and software security controls that companies have in place. Some controls that focus on the end-user that you can employ include: first, security awareness training.
All of your users should be provided with security awareness training that focuses on the latest cybersecurity threats. This is extremely important so that users will be able to recognize and defend against these attacks, like phishing and other social engineering techniques. There are many good online security training platforms available. A few of the better ones that I’m aware of include SANS, KnowBe4, and Proofpoint.
Second is passwords. So passwords are typically the first line of defense against unauthorized access to your systems. As such, it’s important to make sure that you have a strong password policy in place that will make it difficult for attackers to guess or otherwise obtain these credentials. So in general, try to follow these best practices for passwords.
First, do not use shared accounts and passwords. All users should have their own dedicated user account with a unique password. Second, the longer the password, the better. Use a minimum password length of 12 characters, if at all possible. Then encourage your users to use a passphrase, which is made up of several unrelated words, such as "fishing tennis bikes". Passphrases like that tend to be easier for the user to remember, but they’re actually much harder for an attacker to crack or to guess. Then, use software to prevent users from choosing a password that’s easily guessable, or that may already have been compromised and is actually out there on the dark web.
And, finally, using a password manager will help users to employ strong, unique passwords across all the applications that they use. A password manager saves your passwords in a secure manner, and then it requires the user to only remember their master password to access those passwords. And the password manager will automatically fill in the passwords on websites that they visit. Two well-known examples of password managers are LastPass and Dashlane.
And then, finally, is multi-factor authentication, otherwise known as MFA. MFA requires the user to input two factors for authentication, such as something you know, for example, your password, and also something that you have, for example, a code that’s sent to you on your phone.
Reusable passwords should be supplemented with MFA wherever possible. MFA raises the bar significantly for attackers, and it prevents the most common and basic types of attacks where the attacker obtains a user’s credentials and then uses them for unauthorized access to the system.
Now, the final area that we’re going to talk about, and where you should focus your security efforts, is network security. Since most attacks occur across the network, it’s important to ensure that your network traffic is properly managed, and this includes both wired and wireless networks. A couple of important security controls here include firewalls.
So your firewalls should be installed at all your sites and then configured to deny traffic by default, then only add the rules to allow traffic that is required for your business purposes. And this applies to both your network firewalls and the host-based firewalls installed on your endpoints. Also, be sure to limit inbound and outbound traffic. Many people forget about restricting outbound traffic, but doing so can help prevent hackers’ command and control traffic if a system on your network does become compromised.
And then don’t forget about WiFi. Most devices that connect to the Internet today do so across wireless networks, and that needs to be secured as well. So be sure to enable WiFi encryption using either WPA2 or WPA3, and do not expose the management interface of your WiFi controller to the internet. And as with your endpoints, make sure that you keep your WiFi network devices up to date with the latest software.
And lastly, for network security, is remote access. So given so many people work remotely these days, it’s often necessary to provide your users with the ability to access internal corporate applications or other resources while they’re working outside of the office. And hackers can take advantage of remote access technologies if they’re not properly secured.
So it’s always important to require the use of a VPN for staff who are going to access internal resources. This will ensure that traffic is encrypted. And also, be sure to use MFA with your VPN authentication. And finally, keep your remote access systems up to date with the latest vendor patches as well.
So, let’s talk a little bit about incident response, because, unfortunately, no matter how many controls we’ve put in place to prevent an attack, we must still be prepared for the possibility that a successful attack will occur. There’s an old saying in our business that says it’s not a matter of if, it’s just a matter of when. So it’s important to develop a security incident response plan, so that, in the event your organization does ever suffer a security incident, you’ll have a plan in place to guide your response activities. And this is similar to having an emergency evacuation plan in the event of a fire at your office. Everyone needs to understand what their roles and their responsibilities are, so there’s no guessing as to what to do in the event of a cyber attack. And NIST Special Publication 800-61 provides a step-by-step process for building an effective incident response plan.
So let’s talk a little bit about the resources that I mentioned earlier. There are a lot of resources out there to help you implement your cybersecurity controls, and this slide shows you a number of free cybersecurity resources that are geared toward helping small businesses with their security practices and their controls. The first one here is the GCA Cybersecurity Toolkit for Small Business. This is a great resource that helps small businesses implement practical and effective cybersecurity controls.
And second is the Center for Internet Security Critical Security Controls, frequently just referred to as the CIS CSC. This is a list of 20 controls that, if implemented, will greatly increase the security posture of your organization. Now, the first four of these 20 controls are often referred to as the critical four, and we actually have already discussed those earlier when we were talking about endpoint security. So I encourage you to review those 20 controls in the CIS CSC.
Next is the NIST Small Business Cybersecurity Corner. It’s a great resource, again, published by the National Institutes of Science and Technology, which is funded by the US Government.
Then there’s also the NIST Cyber Security framework. This is one of the leading cyber security frameworks used by both public and private sector organizations for building their Cyber Security Information Security Program.
And then we have the FTC Cyber Security Guide for Small Businesses. This guide was developed by the FTC to help SMBs with a list of basic cyber security practices.
And then, lastly, is the FRSecure Incident Management Template. This is a great little template that will help assist you in the creation of an incident response plan for your organization. And, again, that is also freely available.
(Niko) Okay Mark, thank you so much for taking the time to speak with us today about these practical ways that operators can enhance their cyber security practices. I’m going to summarize what we learned today, but before I do that, I’m just going to let you know I’m leaving this slide up here for you to take a quick screenshot. Or if you just want to write down one or two of these URLs here. We will be sharing these resources out with you when we send the follow-up email that contains the link to the recorded webinar, so you will have access to all of these later in a much easier-to-access format. But I wanted to leave this here for you now, just in case you wanted to look into some of this research over the weekend before we get those resources out to you. So, take a quick screenshot, if you’d like. I’ll give you another couple of seconds to do that, and we’ll move on.
Alright, so in summary, what we covered today: we talked about the definition of cyber security, and how it simply means risk management. We discussed that, even though there’s no way to be 100% secure, there are things that you can do to make yourself a less appealing target of a cyber attack. We also learned about the four primary areas of cyber security that you should focus on if you want to give your operation the best chance of being protected against a cyber attack. Those areas were endpoint security, which is securing your endpoints, such as laptops, desktops, and mobile devices. All of that is critical, as many of today’s threats look to take advantage of weaknesses at the endpoints.
We talked about email and web security. Email and web browsing, as you remember, are two of the primary attack vectors utilized by attackers today. It’s also really important to make sure that your email system detects and blocks malicious emails before they make it to the inbox. And you can also employ software to block access to malicious websites to protect you in that way as well.
The third is user security. As you recall, most attackers today focus on the end-user. And the reason being is that it’s easier for an attacker to have a user click on a malicious link, or divulge a password than it is to try and circumvent network and software security controls.
And then finally, network security. Most attacks occur across the network. So it’s important to ensure that network traffic is properly managed, and this includes both wired and wireless networks.
We also spoke about the importance of having an incident response plan in place in the event of a cyber attack to ensure a quick and effective response.
And finally, Mark shared some resources that you can use to enhance your cyber security practices even further.
So Mark, again, thank you for joining us today, for sharing your experience, and for giving us all some practical advice here on how we can protect our operations.
(Mark) Yeah, great. It was great to be here. I really appreciate the opportunity to be a part of the webinar.
(Niko) So we do have a couple of minutes now for questions. See if we have any questions.
Yeah, it looks like the first one is: Will there be a replay of this webinar? Yes, this is recorded and it will go up on our blog. And so you’ll be able to go to www.storable.com/resource_type/blog/. We’ll send out a follow-up email for anybody that registered that has the specific information for how to access this.
It looks like another question about accessing the recorded session. Yeah, that will be up on our blog. And there will be a follow-up email for everybody that registered, whether or not you were able to attend the live session here; we’ll send that information out to you later.
Alright, it looks like, as we were talking, a couple more came in. So, we have a question here: Did you know that you were speaking to a social engineer when you received that phone call, from your story earlier, Mark?
(Mark) So, when I first got the call, this was a large multinational corporation that had offices all over the world, and the company was actually based out of France; I was in the US. And this person had a French accent and was claiming to be in one of our French offices, and at first, no, I didn’t. But it was unusual, first of all, for me to get a call from anybody from an office in France. So right away, I was, you know, suspicious. But then after talking with him for a couple of minutes, I started asking him questions like, well, who do you work for and what’s your association with them, and so forth. It became pretty clear fairly quickly that he was, you know, not who he said he was. And then eventually he admitted it. I said, well, how do I know you’re not the hacker that we’re actually dealing with? And he said, well, actually, I am, and admitted it, and he sat there and we had a conversation about it, and he told me about how he was reading everybody’s email, how much fun he was having. So, yes, it was quite an interesting incident.
(Niko) Yeah, that’s wild.
Alright, we have time for one more quick one. It says: Since we use Gmail, should we even worry about malicious emails? I mean, Google, I’m sure, would do this job for us. Is that right?
(Mark) Well, certainly, there is no technology that is 100% effective, but Google does a very good job of detecting phishing attacks, for example. But it’s still really important to train your users so that, you know, if a phishing email does get through, they’ll know how to respond to that. And there are ways within Gmail to report those to Google, so that they can learn that that was a phishing email, for example. And they will actually take advantage of that and remove those from other people’s mailboxes if they haven’t been interacted with. So, yeah, you definitely still need to be aware. I wouldn’t say just don’t worry about it, but having a vendor like Google, using them for email, definitely helps you out a lot.
(Niko) Great. All right, we do have just a handful more questions. We’re not going to have time to get to them, but I will send all of these over to Mark and he will be able to get you guys an answer. And I’ll get that to you ASAP.
So before I let you all go, I just wanted to remind you, don’t forget to join Matt Beal on October 8th, for the next installment of our Do More webinar series.
So, Matt will be facilitating the first of many operator roundtable discussions. In this case, it will be about how they responded to the supply crunch back in 2015, and what lessons they’ll be applying to prepare for the upcoming supply crunch that we anticipate is just around the corner. So, we’re excited for you to join us to hear the best practices from a people, process, and technology perspective, so stay tuned for the registration email for that.
That concludes today’s webinar, so if you have any questions that come up throughout the week, please don’t hesitate to reach us at [email protected].
For those of you that joined late, or would like to rewatch today’s presentation, again, as a reminder, the recording will be live on our blog on Monday. And we will send out a follow-up email to let you know that that’s there. So, for all of you out there, stay healthy and safe, and we will see you in three weeks for our next webinar. Thanks for attending, and have a great day!