Unsophisticated & Sophisticated Attackers: What Do They Want From You?

You do not need a team of experts to do a detailed risk assessment to understand the basic inherent risks of being connected to the Internet. The most common example of an ‘unsophisticated attack’ would be the use of a “botnet,” an automated computer program, that constantly scans the internet for potential vulnerabilities that can exploited. Once a vulnerability has been identified these botnets have the ability to exploit your vulnerability or send it to a criminal hacker for further review. These criminal hackers are interested in exploiting the identified vulnerability with the intent of monetary gain. Until recently, there was
not a great way for the criminal hackers to monetize attacks on the electric grid. However, with the advent of ransomware, that all changed overnight. One of the most common ways to fall victim to a ransomware attack is insecure remote access controls, specifically allowing Remote Desktop Protocol (RDP) access from the Internet.

Corporate Espionage & Nation-State Threats: What Do They Want From You?

The next two threats on the spectrum are often more difficult to predict and prepare for because of the unpredictability and nefariousness of the attacks. As an industry, we typically focused on fortifying our facilities’ outside perimeters (keeping bad things out) but have not paid enough attention to what people and things have access inside our four walls (or firewalls). This traditional perimeter approach to cybersecurity has made facilities susceptible to insider threats or espionage. The industry is now starting to encourage a Zero Trust approach to cybersecurity, which means that organizations are implementing a more granular and active approach to managing users inside the bounds of their facilities.

The final threat on the spectrum is arguably the most feared and publicized: Nation-State Threats (or terrorist attacks). This threat is the most difficult to mitigate and has the most dire implications since the objective of nation state threats is to cause disruption to our nation’s critical infrastructure. However, before an organization can begin protecting against the nation state risk, it must master the fundamentals of cybersecurity hygiene.

Understanding Your Primary Objectives for Implementing Cybersecurity Controls

We understand that cybersecurity is not typically a primary objective or priority for many companies and often can be seen as a “speedbump” that will negatively affect the organization’s productivity and operations. Unfortunately, many cybersecurity and IT professionals can often advise organizations to jump to very technical solutions, which consequently can be very dangerous and risky for a multitude of reasons. First of all, this approach tends to keep cybersecurity at a purely technical (or in the weeds) discussion rather than an evolving area of business risk that the organization needs to collectively manage and mitigate. These quick leaps to technical solutions can also cause organizations to invest in technology and resources that are not helping the organization effectively or efficiently meet their primary business objectives. Our best advice to clients that are currently navigating the dilemma of choosing appropriate solutions without impacting business objectives is to assess and manage their organization’s cybersecurity inherent and residual risk in the same way you would manage other business risks. Once you have identified your organization’s specific risks, you can choose to ‘transfer’ this risk by using insurance coverage to mitigate exposure/liability, choose to ‘mitigate’ your risk by implementing security controls, or choose to roll the dice and accept that risk and do nothing. Unfortunately, there is not a one-size-fits-all solution for cybersecurity which makes the exercise of understanding your organization’s inherent and residual risks extremely vital to any cybersecurity program. This approach along with the mastery of the fundamental critical controls listed below will help ensure that your organization keeps your facilities secure without negatively impacting operations.

Top 20 Fundamental Cybersecurity Controls

1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

GridSME understands that navigating this huge “sea” of solutions can be intimidating any organization. To support our clients and the industry, the GridSME team offers services that range from basic advisory services on choosing the right path for your situation to turn-key managed cybersecurity services. If you would like to learn more about any of our services or schedule a call to talk to one of our experts, you can visit us at www.gridsme.com.