Let Me Count The Ways

Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans ~ Ashton Engineer Emeritus

How do I love thee? Let me count the ways.

I love thee to the depth and breadth and height

My soul can reach, when feeling out of sight

For the ends of being and ideal grace.

Elizabeth Barrett Browning – 1806-1861

This poem came to mind when I was thinking about how many threats a business can face these days. For now we won’t include things like a pandemic (at least not directly) and just concentrate on things related to security. If you were to count up the ways that your business could be harmed from a security issue, how many could you come up with? If you can’t get past 20, you are more likely to be hurt by what you don’t know, because the list is very long. Here are 20 off the top of my head.

 

Phishing; Vishing; Smishing; Spear phishing; Whaling
Malware; Ransomware; Data exfiltration; 0-day attacks; Weak passwords
No/few policies; No response plan; Poor backups; Insider threats; BYOD
Supply chain attacks; Password reuse; Family use of business assets; Data breaches of other companies; Password reuse
Poor patching; “Security is expensive”; “We are too small to be a target”; IoT devices – poor/no security; No MFA

 

Let’s update that poem with some modern-day doggerel:

How can I phish thee? Let me count the ways.

“I need you to buy some gift cards”

“Invoice attached”

“Your email account is over quota”

“Your email failed to reach the intended recipient”

“Please send your payments for the Jones project to this new account number”

“You have been chosen for inclusion in the 2021 CEO register”

How can I vish you? Let me count the ways.

“Your Amazon account has been charged $399. To dispute this call …”

“Your Windows license has expired. Your computer will stop working unless…”

“You are being audited by the IRS. To get more details call…”

You Control (Much Of) Your Own Destiny

I know, it doesn’t rhyme. The point is that the attack surface for any business is huge, regardless of business size. Ransomware and data exfiltration get most of the headlines today, but an incident almost always starts with someone being phished. How much damage can be done depends largely on how prepared we are.

Let’s take driving as an example. You can be a very careful driver. You have even taken a defensive driving course. You maintain your car properly. You never drive under the influence, and you have not had an accident in the 20 years you have been driving. One day while you’re driving, the (unknown to you) manufacturer’s defect in the lower trailing arm of your car fails. This causes an accident destroying your car. You, as a careful driver, had your seat belt fastened and thus escape injury. The airbags deployed properly, also preventing serious injury.

Let’s translate that to your business. You have a firewall, anti-virus software, a patch schedule, a spam filter, and a fairly well-trained IT staff. Unknown to you, your firewall has a vulnerability that is being exploited. The bad guys get on your network (trailing arm fails), and now what? What do you have in place to mitigate the crash? Backups? This cartoon is from several years ago but has taken on much more significance in the face of the ransomware scourge.

Very few people run a network without taking backups. How often do they get tested? At a previous job, I was called to headquarters to do a restore of some files from a backup. The tapes were changed every night and the ‘assumption’ was that there was a year’s worth of backups available. No one had checked/tested the backups. All the tapes were blank. The backup job had been failing every day.

Data Backups Should Be Tested and Easily Recoverable

These days the bad guys take advantage of poor backup policies by encrypting or destroying any backups they find. Unfortunately, some businesses find out that even if the backups haven’t been destroyed, they are corrupt for some reason. This would be akin to the seatbelt and airbags failing in a crash. The safety equipment was there, but ineffectual. Many companies pay the ransom because they cannot restore from backups and thus have no choice. This is preventable. Offsite storage of backups can be done effectively. A reaction plan is a necessity. If you don’t have a plan in place, if you are not testing your backups, if you are not storing them offsite, seek professional help. The last thing you want to do is find out you have good backups that will take 6 months to restore over the wire. A tested DR plan can be a life saver.
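A restore test along the lines described above, as an added example that is not part of the original column: it reads every byte of a backup archive back and compares each file against a SHA-256 manifest recorded when the backup was taken. The tar.gz format, the manifest, the 26-hour freshness limit and the names verify_backup and make_sample are assumptions made for illustration.

```python
import hashlib, io, os, tarfile, tempfile, time, zlib

def _digest(stream):
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_backup(archive, manifest, max_age_hours=26):
    """Restore-test one backup archive; return a list of problems (empty = pass).
    manifest maps member path -> SHA-256 recorded when the backup was taken."""
    if not os.path.isfile(archive) or os.path.getsize(archive) == 0:
        return ["archive missing or empty"]          # the blank-tape case
    problems = []
    age_h = (time.time() - os.path.getmtime(archive)) / 3600
    if age_h > max_age_hours:                        # the job quietly stopped running
        problems.append(f"newest archive is {age_h:.0f}h old")
    restored = {}
    try:
        with tarfile.open(archive) as tar:           # decompress and read every file
            for member in tar:
                if member.isfile():
                    restored[member.name] = _digest(tar.extractfile(member))
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        return problems + [f"archive unreadable: {exc}"]
    for path, digest in manifest.items():
        if path not in restored:
            problems.append(f"missing from backup: {path}")
        elif restored[path] != digest:
            problems.append(f"content mismatch: {path}")
    return problems

def make_sample(folder, files):
    """Build a constructed sample backup and its manifest (demo data only)."""
    archive = os.path.join(folder, "nightly.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    return archive, manifest

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        archive, manifest = make_sample(tmp, {"ledger.csv": b"id,amount\n1,100\n"})
        print("good backup:", verify_backup(archive, manifest))
        open(archive, "wb").close()                  # simulate the blank tape
        print("blank backup:", verify_backup(archive, manifest))
```

Run on a schedule against the newest archive, with any non-empty result raised as an alert, a check like this surfaces a failing backup job the next morning rather than on the day a restore is needed.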

Don’t put yourself in a position where you have to “Let me count the ways we failed.”