Todd Larson is the Chief Information Officer at Sentinel Benefits and Financial Group. What are the IT vulnerabilities that keep him up at night?
Larson shared his biggest cybersecurity concerns at an Oct. 22 workshop session at the 2017 ASPPA Annual Conference: intentional hacking of files; unintentional release of files; and email phishing to steal information.
Larson outlined how a typical phishing scheme is executed. To begin with, he noted, “commercial software contains weaknesses and imperfections. Hackers discover them and find ways to exploit them, and share information about those vulnerabilities.” He gave an example of an actual phishing incident:
- Phishing and “zero day” attack. A handful of users are targeted by two phishing attacks; one user opens the “payload” file.
- Backdoor. The user’s machine is accessed remotely by a tool called “Poison Ivy.”
- Lateral movement. The attacker elevates access to key user, service and admin accounts and specific systems.
- Data gathering. Data is acquired from target servers and staged for exfiltration.
- Exfiltration. Data is exfiltrated via encrypted files over ftp to external, compromised machines at a hosting provider.
The 9-Step Approach
Essentially, cybersecurity is a defensive concept – Larson refers to it as “a lifestyle choice.” He outlined a nine-step approach.
1. User Education and Awareness. Produce user security policies covering acceptable and secure use of the organization’s systems. Establish a staff training program. Maintain user awareness of cyber risks.
2. Home and Mobile Working. Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline build to all devices. Protect data both in transit and at rest.
3. Secure Configuration. Apply security patches and ensure that secure configuration of all systems is maintained. Create a system inventory and define a baseline build for all devices.
4. Removable Media Controls. Create a policy to control all access to removable media, such as thumb drives. Limit media types and usage. Scan all media for malware before importing to the corporate system.
5. Managing User Privileges. Establish account management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs.
6. Incident Management. Establish an incident management response and disaster recovery capability. Produce and test incident management plans. Provide specialist training to the incident management team. Report criminal incidents to law enforcement.
7. Monitoring. Establish a monitoring strategy and produce supporting policies. Continously monitor all systems and networks. Analyze logs for unusual activity that could indicate an attack.
8. Malware Protection. Produce relevant policy and establish anti-malware defenses that are applicable and relevant to business areas. Scan for malware across the organization.
9. Network Security. Protect your networks against external and internal attacks. Manage the network perimeter. Filter out unauthorized access and malicious content. Monitor and test security controls.
The Basic Elements
Larson listed the basic tests, IT/operational policies and procedures that cybersecurity auditors look for:
- Situational transaction testing and measuring
- Authentication testing
- Automated penetration testing
- Physical security and clean-desk testing
- Reviewing the “spread-marts” of data, i.e., those orphaned files and spreadsheets created long ago and now neglected
Larson recommended procuring widely available tools designed to monitor these important basics.