In recent months, cybersecurity issues have come to public attention through disclosures of high-profile security breaches, ransomware in particular.
While these attacks are not new, there have been two major changes. Increasingly, criminal syndicates, some with direct or tacit government support, are attacking core economic infrastructure rather than restricting their targets to financial or administrative systems. And they no longer just encrypt data or lock devices: increasingly they also steal the data and hold it to ransom under threat of release.
The US company Colonial Pipeline had to shut down, which led to gasoline hoarding. Despite paying the $5 million ransom to DarkSide, operations were severely curtailed for a week, costing the company millions more in lost revenue, not to mention reputational damage. While the FBI announced in June that it had recovered most of the ransom paid, the reputational damage to Colonial Pipeline has been sizeable.
The German chemical distribution group Brenntag also paid a Russian criminal syndicate a ransom of $4.4 million.
Shortly thereafter, the syndicate announced that its servers had been seized by Russian authorities, a move that was seen as evidence that the patience of Western governments had finally run out and that Russia had been forced to respond.
That was some consolation to the Irish health system, which was recently attacked by another criminal syndicate.
Australia did not escape. Media giant Nine had its operations disrupted in May by a ransomware attack in which no ransom was demanded. And most recently, JBS Australia, the local arm of the global meat-processing giant, was also in the crosshairs.
And while ransomware is currently making the front pages of the business press, it is of course just one form of cyberattack that companies are exposed to if they fail to manage digital identities or to implement Zero Trust principles to limit the damage once intruders penetrate the corporate perimeter.
For Australia’s business leaders, cybersecurity has become a top priority.
Thomas Fikentscher, Regional Director ANZ, CyberArk: “There are now so many incidents in this area and it is getting worse and worse. And if you look at our adversaries, they range from government-sponsored malicious actors to very organized criminal syndicates.”
He also points to the role of hacktivists with an ideological drive to disrupt certain organizations.
And those who want to cause harm have effectively built commercial infrastructure. “There is currently a market for cyber security as a service where DIY malware and ransomware can be easily obtained as a service.”
So how can companies assess their exposure and responsiveness, and what actions should they take?
Many organizations turn to the US National Institute of Standards and Technology (NIST) for guidance on developing a cybersecurity posture. The NIST framework consists of five functions: Identify, Protect, Detect, Respond and Recover. Each function is broken down into the categories of activity an organization must carry out under it.
It is a tiered system with four tiers that roughly correspond to how well an organization's practices align with the goals of the framework. However, NIST emphasizes that the tiers are not intended to be a measure of maturity. Rather, they indicate how closely a company's goals align with the goals of the framework.
Closer to home, the Australian Prudential Regulation Authority (APRA) publishes its own guidelines, which are mandatory for organizations in and around the financial services industry. Even if you're not a bank or insurance company, the poetically named Cross-Industry Prudential Standard 234 (also known as CPS 234) provides a useful checklist to follow.
CPS 234 requires that organizations within the remit of APRA:
- Clearly define the information security roles and responsibilities of the board of directors, senior management, governing bodies and individuals;
- Maintain an information security capability commensurate with the size and severity of the threats to its information assets, and one that enables the continued sound operation of the company;
- Implement controls to protect its information assets commensurate with the criticality and sensitivity of those assets, and systematically test and assure the effectiveness of those controls; and
- Notify APRA of material information security incidents.
For non-APRA organizations looking for detailed guidance on building a cybersecurity posture, the Australian Signals Directorate's Australian Cyber Security Centre provides its Essential Eight Maturity Model as a framework.
The model is designed to help businesses minimize incidents caused by various cyber threats. The ASD recommends that organizations aim to achieve maturity level 3 (i.e., they are fully aligned with the intent of the strategy) for any mitigation strategy.
Level 3 alignment with each of the Essential Eight means:
- Application control – implemented on all workstations and servers to limit execution of executable files, software libraries, scripts, and installers to an approved set. The latest recommended block rules from Microsoft are implemented to prevent application control bypasses.
- Patch applications – Security vulnerabilities in applications and drivers classified as extreme risk are patched, updated, or mitigated within 48 hours of the vulnerabilities being identified by vendors, independent third parties, system managers, or users. An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, successfully applied, and remain in place. Unsupported applications are updated or replaced with vendor-supported versions.
- Configure Microsoft Office macro settings – Macros are only allowed to run in documents from trusted locations where write access is restricted to the people whose job it is to review and approve macros. Macros in documents from the Internet are blocked. Macro security settings cannot be changed by users.
- User application hardening – Web browsers are configured to block or disable support for Flash content, web advertising, and Java from the Internet. Microsoft Office is configured to disable support for Flash content and to prevent the activation of Object Linking and Embedding (OLE) packages.
- Restrict administrator rights – privileged access to systems, applications and data repositories is validated the first time it is requested and revalidated annually or more frequently. It should be limited to what the staff needs to carry out their tasks. Technical security controls are used to prevent privileged users from reading e-mail, surfing the Internet and accessing files via online services.
- Patch operating systems – Security vulnerabilities in operating systems and firmware classified as extreme risk are patched, updated, or mitigated within 48 hours of the vulnerabilities being identified by vendors, independent third parties, system managers, or users. An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, successfully applied, and remain in place. Unsupported operating systems on workstations, servers and ICT devices are updated or replaced with vendor-supported versions.
- Multi-factor authentication – Used to authenticate all users of remote access solutions, all privileged users, and all other positions of trust. It is also used to authenticate all users when they access critical data repositories. Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor (U2F) security keys, physical one-time password tokens, biometrics, or smart cards.
- Daily backups – Important information, software and configuration settings are backed up at least daily. Backups are stored offline, or online in a form that cannot be overwritten or deleted, and are retained for three months or more. Full restoration from backups is tested at least once during initial implementation and every time there is a fundamental change to the IT infrastructure. Partial restoration from backups is tested quarterly or more frequently.
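The Level 3 criteria above are specific enough to check mechanically. The following added example (written for this article, not code from the ASD or from CyberArk) evaluates constructed inventory records against three of them: the 48-hour window for extreme-risk patches (applications and operating systems alike), the daily/immutable/three-month backup requirements, and the quarterly partial-restore test. The record layout and timestamps are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from any real environment). Patch records carry
# the time a vulnerability was identified and the time the automated mechanism
# confirmed the fix was in place (None = still outstanding).
PATCH_RECORDS = [
    {"asset": "web-app-01", "kind": "application", "risk": "extreme",
     "identified": "2021-06-01T09:00", "applied": "2021-06-02T17:30"},
    {"asset": "fileserver-02", "kind": "os", "risk": "extreme",
     "identified": "2021-06-01T09:00", "applied": "2021-06-04T08:00"},
    {"asset": "hr-portal", "kind": "application", "risk": "high",
     "identified": "2021-05-20T10:00", "applied": None},
]
# Constructed backup status for one data repository.
BACKUP_STATUS = {
    "last_backup": "2021-06-10T02:00",
    "immutable": True,  # offline, or online but non-rewritable/non-erasable
    "retention_days": 90,
    "last_partial_restore_test": "2021-03-01T00:00",
}
PATCH_SLA = timedelta(hours=48)  # Level 3: extreme-risk fixes within 48 hours

def _ts(s):
    # Parse an ISO-8601 timestamp string; None passes through unchanged.
    return datetime.fromisoformat(s) if s else None

def overdue_extreme_patches(records, now_iso):
    """Assets whose extreme-risk fix missed the 48-hour window.
    Fixes still outstanding are judged against the current time."""
    now = _ts(now_iso)
    overdue = []
    for r in records:
        if r["risk"] != "extreme":
            continue
        deadline = _ts(r["identified"]) + PATCH_SLA
        effective = _ts(r["applied"]) or now
        if effective > deadline:
            overdue.append(r["asset"])
    return overdue

def backup_findings(status, now_iso):
    """Level 3 backup criteria from the list above that the repository fails."""
    now = _ts(now_iso)
    findings = []
    if now - _ts(status["last_backup"]) > timedelta(days=1):
        findings.append("backup older than one day")
    if not status["immutable"]:
        findings.append("online backup is rewritable/erasable")
    if status["retention_days"] < 90:
        findings.append("retention shorter than three months")
    if now - _ts(status["last_partial_restore_test"]) > timedelta(days=91):
        findings.append("partial restore not tested this quarter")
    return findings
```

With the constructed data, `fileserver-02` is flagged because its fix landed 71 hours after identification, and the repository fails only the quarterly partial-restore test.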
According to Fikentscher, risk managers and boards of directors should consult their chief information security officers and CIOs on progress against this model, with a particular focus on identity management. Identity is like the gatekeeper on the outer wall of your organization's fortress: it controls who can enter and what they do inside.
Maintaining complete visibility of identities is both critical and complex. Every entity that you allow to use your systems, whether a user or a device such as a printer, needs an identity with certain permissions. An identity that is compromised, or that has been given more privileges than it should have, becomes a target for attack.
CyberArk's Privileged Access Security Solution provides comprehensive protection, accountability and intelligence for all accounts, from the least privileged to the most privileged.
“This enables your cybersecurity executives to address eight of the top risk mitigation strategies, including five of the Essential Eight identified by the ASD. We also provide lifecycle management, secure privileged access to critical systems, and automate the controls required for privileged access management to better protect the business.
“Managing, tracking, and auditing identities is critical for businesses to ward off internal and external threats and prevent the loss of sensitive information.”
To learn more about how CyberArk can help you strengthen your cybersecurity posture, download the Essential Eight guidance from the Australian Signals Directorate.