cybersecurity

How many times have you heard that the biggest weakness in every IT environment is the humans? This point is relentlessly driven home time and again at cybersecurity conferences. At first glance, it seems IT people are pro computers and anti humans, but the relationship is not that simple. This first article of the Pineapple Security Layer Cake Series discusses the many layers of the security cake that address the risks, threats and vulnerabilities associated with humans and email inboxes.

To start, let’s talk about the cake plate. A plate provides a foundation and showcases the many layers of a cake. In this example, a quick understanding of security fundamentals will help make it easier to serve and understand the many layers of the security cake. When looking at security related to humans and email, risks that come to mind are loss of data (data breach) or loss of access to the computer (ransomware); the threat or attack, is the malicious link or attachment used by the bad actor, but the vulnerability is the human’s actions. The vulnerability is someone clicking on a malicious link or attachment in an email, responding to a phishing email, or using weak passwords. These three factors, risk, threat and vulnerability, are used to identify mitigations techniques.  

In the teaser, I promised to start with the sweet and juicy technology icing, but I am putting down one layer of cake so we have something to put the icing on. The training cake layer…. To proactively mitigate the risks, one approach is to decrease vulnerabilities. One of the vulnerabilities associated with email is the itchy clicking finger. In order to limit this vulnerability, industry standard is to train all users to recognize and be on the lookout for emails that may be malicious and to not click on the links in these emails. This includes emails from your mother-in-law with attachments of cats and beautiful landscapes. The good news is the training is working. To measure the success of the training, fake phishing emails are sent to see if users will click on the links. Not only are the bad guys tricking users, but organizations are actively trying to trick users too. Users are left in fear of clicking any link they are not completely certain is legitimate.  In 2012 people click on nearly a quarter of every malicious attachment and link. Today, people are only clicking on 3% of malicious attachments. This tremendous decrease a shows training is effective. Why is training so important? The Verizon 2019 Data Breach Investigation Report notes that Malware was involved in about one third of breaches, and email tops the deliver method of malware at over 90%

In addition to training, it is important to create an atmosphere where employees feel comfortable to self identify if they think they have been duped. When employees identify situations they feel may put your network at risk, an organization is likely to identify and intruder sooner. The sooner an intruder is identified and contained, the lower the cost of the incident or breach. The 2018 mean time to identify (MTTI) an intruder averaged 197 days. (IBM Ponemon 2018 Data Breach Study)

Cybersecurity teams have accepted the fact that the best we humans can do is not enough. We need to use computers to help mitigate the risks to our computers. “Defense in depth” or “Layers and layers and layers of protection (...cake)”, are the security mottos. This cake would reach the sky if we discussed all of the layers and the article would be terribly long. Let’s move forward knowing we are highlighting some of the important layers to give you an idea of the delicious complexity of the flavors of the pineapple security cake. In addition to the training discussed above, here are additional tools and methods for proactively preventing malware on your network through the email attack vector. 

Like tangy yet creamy icing, Sandboxing is irresistibly tantalizing technology. Sandboxing is at the front lines of battle keeping inboxes safe. Sandboxing saves us from the “accidental” click on a malicious file in our email inbox. When a user clicks on an attachment or link, a virtual environment is set up and the file or attachment is opened in that virtual environment. The way the file acts is evaluated using artificial intelligence. For example, if a file is opened and it begins to request access to restricted areas or request for elevated privileges, these may be indicators of a malicious file. If a file is determined to be malicious, the environment is crumpled up like a sheet of paper and thrown away. It is as if the user never clicked on the link. The user gets a message noting that the file appears to be malicious and it is not going to be opened. A virtual “putting the toothpaste back in the tube” if you will.  If the file does not appear to be malicious, the user is able to open it as normal. The most exciting part of this tool is that it goes beyond looking at the file signature to compare it with known malicious files. It potentially will allow us to prevent new and unknown (Zero day) attacks. The tool itself reacts to malicious programs only after they are on the network. However, because it uses the sandboxing technology and can stop or restrict an attack, it acts as a proactive or preventive measure. In this way sandboxing is not directly limiting the vulnerability like training the users described above, but is mitigating the risk by addressing the threat itself. Sandboxing is not a silver bullet. Like other tools sandboxing has weaknesses. However, those weaknesses don’t prevent it from being a useful risk mitigation tool.  

Filtering is a little less sophisticated than sandboxing, but nevertheless a very effective countermeasure. Filters are like the trusted butter cream icing of technology. Filters can be applied for spam, malware, viruses, urls, IPs, sender addresses, etc.. Filters can also occur in many places. They fit well between many of the layers of the security cake. To give you an idea, these are some ways to implement filters, a stand alone appliance, a firewall, a router or within your email service providers network. Filters compare URLs, IP addresses, sender addresses, file signatures, etc  from incoming emails to a database of known malicious records. If the incoming data matches a record in the database, the email is blocked or quarantined. In addition to file signatures, urls or address filtering, email can be filtered based on code analysis. Filtering is part of the defense against Malware and phishing emails, but it is important to note that it is not used only with email. Filtering is not as exciting as Sandboxing, but it is an important and effective layer in the prevention of malware.  And like sandboxing filtering  is mitigating the risk by addressing the threat itself.

One last bit of icing before we move on to the layers of cake. Anti-Malware - Anti-Virus - EndPoint protection software are a are a must have and worth mentioning here. This software employs signature based detection as well as sandboxing methods to keep endpoints safe from malicious software - the very same ones that come from email attachments or links to unsafe sites. Many EndPoint protection softwares also include a “roll back” feature for ransomware attacks. This feature will allow you to recover your files and computer back to a point in time prior to the attack. Many of these technologies can be purchased separately or together as part of an intrusion protection system.

Now we are getting to the bottom, well, top of the cake, depending on how you look at the stacking of the layers. Well-written policies that are properly enforced add yet another layer of protection to the email security stack. Alone, the above-mentioned technologies will reduce the exposure to the threat of ransomware or a data breach. Fundamentally, however, businesses should also have supporting policies.

Security Awareness Policies are often used to support phishing test and user email training. 

Acceptable Use Policies can limit the use of organizational assets to organizational purposes and may prevent users from opening personal emails. and pictures of cats or beautiful landscapes sent by their mother-in-law. The idea is to limit the number of potentially harmful attachments.

Mobile Device Policies may also include some measures to limit mobile device use which is noted as a top factor in the per capita cost of data breaches.(IBM Ponemon 2018 Data Breach Study)

Network Segregation/Access Control Policies are another example of a proactive policy that broadly applies to the entire network but can significantly reduce the impact of a user downloading malicious files. 

Zero Expectations of Privacy Policies are essential to establish company rights and make users aware of an entities intention to monitor and examine employees’ email and use of organization devices.     

Finally, and perhaps most important, is an Incident Response Policy and Business Continuity Management (BCM) Plan. With regards to a data breach, the average cost is reduced by $18 per record with BCM planning. (IBM Ponemon 2018 Data Breach Study)

Just like training the employees not to click on links in their email inboxes, educating and creating awareness around organizational policies, processes, best practices and guidelines is a key administrative task to keep network safe. Each organization must determine what policies, processes, best practices and guidelines are appropriate for their business and employees. This may be driven by company standards, competition, or industry or governmental regulations. 

Sweet pineapple icing, the layers continue… In addition to the work of securing networks internally, proactively monitoring and ensuring business partners and vendors are taking appropriate security measures is part of securing organizational assets. Third party or vendor involvement ranks the highest, at over $13.00 per record, as an impacting factor to the cost of a data breach. (IBM Ponemon 2018 Data Breach Study) As businesses become more connected and networks migrate to the cloud, organizations are increasingly reliant on third parties and vendors to protect their own networks to ensure network and data safety. Let’s take your email security service provider as an example. WHAT?!?!?! It’s cake inception!!! A cake inside a cake. Your email security service provider has access to all of the business’ emails and their attachments. What information does your email security vendor store? How long do they retain the information? How do they keep their network safe? How a vendor manages security related to email, training, malware or general security can be reviewed; however, business partners may not turn over all of their internal security documentation.  Different industries have different standards, as do different states and countries. The matter is made even more complex by the current trend to update regulations to accomodate the need for data privacy. To touch quickly on this topic, confirm a business partner is taking information and network security seriously by asking them if they have security certification. As an example, businesses can get a certification of compliance with the International Standards Organization (ISO) standard 27001. The standard contains best practices for information security management systems. Here are a few controls that pertain to training and Malware from the 27001 standard: 

A.5 security controls     A.6 implementation of controls

A.7.2.2. training control A.12.2.1 malware control  

A.18 continued security controls     A.15 controls regarding information security in supplier

               and vendor relationships.   

As promised, we have finally reached the regulation doily at the bottom of the cake.

Privacy regulations are frequently drivers of security.  In the U.S. we don’t have overarching federal data privacy protection legislation. We have many smaller federal, sector, and state-specific legislation regarding data security/privacy. I am not going to list each state. However, Massachusetts, New York and California are more progressive with their legislation.  Additionally, here are a few of the sector specific and Federal regulations.

1.  The Gramm Leach Bliley Act (GLBA)

2.  The Fair Credit Reporting Act (FCRA)

3.  The Telephone Consumer Protection Act (TCPA)

4.  The Family Educational Rights and Privacy Act (FERPA)

5.  The Health Information Portability and Accountability Act (HIPPA)

Sample from HIPPA 

§ 164.306 Security standards: General rules. (a) General requirements. Covered entities must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. (4) Ensure compliance with this subpart by its workforce.

These regulations along with business drivers like trade secrets, brand image, and continuity for business applications are essential parts of the risk mitigation equation. These rules/regulations can provide exemption clauses or minimum requirements which help identify areas of focus or tools that minimize exposure or limit loss. Take, for example, number 4 in the HIPPA excerpt above.  Incorporating the step to evaluate the implementation of policy in the regulation is an effort to minimize exposure. Processes and tools are only as good as their implementation. If processes are not followed and tools don’t use appropriate settings, their risk mitigation values decrease. Ensuring compliance with policies and processes is key in all security programs and in this case is required by a regulation. (Yes, I know I didn’t mention GDPR specifically. It too has large implications on implementation of email security tools.)

Summary - The place I start in this upside down cake. 

Each layer of the cake is a delicious treat all on it’s own. Especially in larger environments, the security cake is often eaten one layer at a time because the work to secure information across a network or networks is siloed. It is important to look at the whole cake to see all of the layers working together. Here comes the upside-down part. Start by understanding what “IT” is that needs to be protected. Look to the regulations and business assets to understand what “IT” is.  “The things” that need to be done to protect “IT” can then be identified. Look again to the regulations and work with policy and governance to determine what “the things” are. We can do “the things” and take steps to make sure “the things” are done. Here we look to technology, training and compliance to do “the things” and ensure “the things” are done. In the case of email inboxes, most everyone has an inbox and everyone who has an inbox needs to be aware and take steps to ensure the risks of malware, ransomware or phishing are mitigated. Be that as it may, it is not the case with all tools and regulations. Discussions around tools and processes that are needed or not needed in specific circumstances will be highlighted as they arise throughout the series.

Layer 1: (Identification of Assets & Risks)  We have the regulators and business attorneys to help us understand what we are protecting AKA “IT”, why we need to protect “IT” and minimum steps to protect “IT”. AKA the doily.

Layer 2: (Security & Business Strategy) We have the policy, process and governance teams wisely advising “the things” we need to do to protect “IT”.

Layer 3: (Technology & End Users) We have the people who are doing “the things” and implementing “the things” with training and technology.

Layer 4: (Audit & Accountability) We have the compliance teams working internally and externally to ensure we do “the things”.

The items from this article are by no means a comprehensive list of what is needed to protect against threats in your inbox. This article provides you with a little taste of some of the important layers of the security cake to show how it all works together. With the global average cost of data breaches at $148 per record, (IBM Ponemon 2018 Data Breach Study) Cyber insurance may be a good option to help mitigate the costs of an incident. As cyber insurance companies evaluate your premiums or determine if a business is an appropriate risk, questionnaires will ask which of the above mentioned steps have been taken with regards to securing a network from Malware or threats delivered through email. 

KS Information Services works with businesses to help them ensure they have the right technical and administrative controls in place to align with industry and regulatory standards in ways that make sense for their business. It is easy to think your small business is not a target because so many of the headlines are of mega breaches, but 43% of incidents reported involved small businesses. (Verizon 2019 Data Breach Investigation Report)