Cyber defense for business: mapping pain areas and securing them
September 7, 2022
Sometimes cyberattacks just seem to happen, even when you have some cybersecurity measures in place and your employees know good cybersecurity hygiene.
The Defensive Strategist at Nord Security, Adrianus Warmenhoven, points out that having systems in place often is not enough. They may protect your company at an 80% or 90% rate, but good hackers will target your weak points. Therefore, in this interview, he explains how organizations can identify their vulnerabilities and what the best ways are to secure those pain areas.
Tech person by nature
First, could you tell us a bit about your role here at Nord Security?
At Nord Security, I am a Defensive Strategist, meaning I advise on areas that need a strategic focus on the protection of customers.
Could you give us a brief overview of your career path?
I started my journey with the internet and cybersecurity in the middle of the 1980s. And since then, I've had many adventures along the way. I’ve helped in the pioneering years of the internet, where cybersecurity kind of crept into my daily responsibilities, and soon after, hacking became another area of interest for me.
Earlier in my career, I worked with the aviation industry, electric companies on high voltage equipment, satellites, and more.
The growing cyber threat to companies
2021 was a record-breaking year with a 50% increase in corporate cyberattacks. What do you think are the major reasons behind it?
The pandemic in the first place. People had less mental 'back-up' from colleagues while working from home.
In general, the past years felt for me like a watershed moment for criminals in how to conduct cyberattacks with a return on investment: cybercrime got professional.
What are the most common types of cyberattacks that companies are exposed to, and what disruptions can they cause?
In general, companies are most likely to experience either ransomware or (D)DoS attacks. Ransomware because it pays the criminal well, and denial-of-service attacks because people want to be actionable instead of just doing more talking.
However, those cyberattacks that cause no direct disruptions are actually the ones you should worry about. By this, I mean information stealing. It can range from intellectual property to bid books, from vendor assessments to information on where you buy your hardware. That last one is important for supply-chain poisoning.
How do cybercriminals identify which companies or employees will be their next targets? Where and how are they looking for pain points they could exploit?
Well, when a vulnerability comes out that is remotely exploitable, then search engines like Shodan or BinaryEdge can be used to identify potential victims quickly. A good example of such a case is the Kaseya or SolarWinds debacle.
As for ransomware, an organization's digital footprint is one of the ways attackers can target their victims and plan their attacks. For instance, monitoring a company's LinkedIn page can give an insight into the churn and the rate at which people get hired/leave the company. If a company has a high churn rate, there will be many inexperienced and/or disgruntled people. That is the perfect phishing spot or moment to try a CEO fraud.
Sites like Glassdoor are also good for gathering this kind of information. Another valuable source of information can also be announcements of new partnerships or acquisitions.
Identifying pain points and securing them
How can companies best identify their pain points? How should they look for them?
One of the most effective ways is to get someone from the outside looking in. And by that, I mean someone who will be searching not for the solutions to the problems but for vulnerabilities and unprotected areas that your company has.
The truth is that we all rather run through our “happy paths” to do our work and are just glad we can avoid the day-to-day pitfalls of what we are doing. But for the sake of security, we really should take the pain and enumerate as much as possible what could go wrong and why. For that, an outsider can usually help. Just don't get me wrong. I don't mean "hire a pentester and be done with it." The pentester will probably find something, but not all the things that make "you being at risk."
A really good starting point could be to leverage your audits if you have certifications. An auditor is quite meticulous (if you have a good one), and an audit process is pretty transparent to all involved because all shortcomings are discussed during this procedure.
After an audit and the subsequent resolution of any issues found, various specialists can be used to target specific areas. That could be a pentester, pickpocket, or lockpicker (depending on your business type). Finally, if your company discusses a lot of sensitive information, then you might want to set up a spying operation on yourself.
Also, set up a permanent bug bounty program so that well-willing people can report to you if they find anything out of the ordinary.
But above all, start with a "cleaning out the crud" session.
What measures or actions should businesses take to protect themselves from potential cyber threats?
Organize and systemize everything you have.
For your tech, have a form of CMDB (configuration management database) with ownership (for risk acceptance). For your personnel, have proper onboarding/offboarding procedures. And make transfers like offboarding->onboarding so you can avoid accrued rights. Make sure you spot unhappy employees and unhappy customers - document this (but keep their privacy decent). Even if you are a small business, know your battlefield.
Do regular updates and patches.
For instance, have every odd-week Tuesday be your patch day. Always reserve that time. If nothing is to be patched, use that time to review vendors and check if anything approaches end-of-life and such.
Use encryption everywhere.
A VPN will help make your infrastructure less visible to attackers and protect you during client meetings, lunch discussions, or work-from-anywhere.
Use an antivirus.
Even if it is unused 99.9%, you will be happy for that one single time it blocks ransomware.
Use offline rotating backups for your most important data.
A couple of SSDs should be able to hold a backup of most of your documents and probably even export your database. At the very least, keep a copy of all the contact information of your customers and employees with an offline backup.
Use a password manager.
Secure that password manager with a passphrase (a sentence, maybe from a book you liked, a song, or a poem). The reason for using a password manager is simple: SSO is not available everywhere, and using OAuth gives away a lot of information to your identity provider. And some websites simply need a separate account/log-in.
Have regular security meetups with employees to check what is new, what is wrong, and what to do about it.
Keep in mind that there is always something to protect. Make a policy that explicitly states that if there is no budget for securing something, it is automatically a risk accepted by the board.
What should organizations focus on when mapping their cyber battlefield and building up their cyber defenses?
Knowledge.
Know what you have, what connects to what and why (do you really need plugins in Slack or Jira, or are they "just" quality of life improvements), who has access to what and why (and, very important - from when to when). What software runs on what, and does it really need to be accessible from the outside world?
Really, take the pain and map out what you have now and then adjust your processes so that this knowledge is updated all the time. Do a two-yearly check if everything is as it is documented.
Don’t fall into the "productivity fallacy" trap - all arguments there are comparable to removing the safety measures of your car so that you can drive faster. It might seem the right thing when you blast across the highway doing 200, but the crash when you did not turn out to be Max Verstappen will be much more devastating. This goes for cybersecurity all the same: you might feel like the proper business king when you outdo your competition in time-to-market, but when it goes wrong, it is not just you. It is your clients' lives as well that get mangled in the "incident."
On processes and audit trails.
The audit trails are an essential part of the knowledge because they document what is changing in our current state of knowledge.
Processes make things predictable and reliable. A process does not have to be an oppressive set of micromanagement instructions but can be as simple as "for each system in our CMDB, do a security check and document it." In fact, the most crucial part of a process is not the steps within it but the interfaces with other processes, input, and output. Whenever there is a handover, it pays to check the CIA triad (Confidentiality, Integrity, Availability) and what the handover means to each of these.
Also, to dispel a myth: you can have an open culture and still be very good at keeping things a secret. It should be normalized that you can tell your co-workers, "I cannot tell because of confidentiality," because it simply means those co-workers are not instrumental in that specific case. If they were, access would be granted when needed.
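The knowledge inventory described in the "Knowledge" answer (an owner per asset for risk acceptance, access recorded from when to when and why, outside reachability, plugins) and the "for each system in our CMDB, do a security check and document it" process, as an added Python example that is not part of the interview or of any Nord Security tooling; the CMDB, the access register and all names in it are constructed for illustration.

```python
"""Review a small CMDB and access register against the interview's checklist.

Each asset gets a documented check (an audit-trail entry), and the review
reports missing ownership, outside exposure, unexplained plugins, and access
that is open-ended, expired but still granted (accrued rights) or unexplained.
"""
from datetime import date

# Constructed sample data; asset and people names are hypothetical.
CMDB = [
    {"asset": "jira", "owner": "alice", "internet_facing": True, "plugins": ["timesheet"]},
    {"asset": "hr-db", "owner": None, "internet_facing": False, "plugins": []},
    {"asset": "wiki", "owner": "bob", "internet_facing": False, "plugins": []},
]
ACCESS = [
    {"who": "carol", "asset": "jira", "why": "project management", "from": "2022-01-10", "to": "2022-12-31"},
    # dave moved teams but his payroll access was never removed: an accrued right
    {"who": "dave", "asset": "hr-db", "why": "payroll", "from": "2021-03-01", "to": "2022-06-30"},
    # erin has no end date and no documented reason
    {"who": "erin", "asset": "wiki", "why": "", "from": "2022-05-01", "to": None},
]


def review(cmdb, access, today_iso):
    """Return (findings, audit_trail) for the given inventory as of today_iso."""
    today = date.fromisoformat(today_iso)
    findings, trail = [], []
    for a in cmdb:
        if a["owner"] is None:
            findings.append(f"{a['asset']}: no owner, so nobody has accepted its risk")
        if a["internet_facing"]:
            findings.append(f"{a['asset']}: reachable from the outside; confirm it must be")
        for plugin in a["plugins"]:
            findings.append(f"{a['asset']}: plugin '{plugin}' present; needed or just quality of life?")
        # The audit trail records that this system was checked, by whom it is owned, and when.
        trail.append({"asset": a["asset"], "owner": a["owner"], "checked_on": today_iso})
    for g in access:
        end = date.fromisoformat(g["to"]) if g["to"] else None
        if end is None:
            findings.append(f"{g['who']} on {g['asset']}: open-ended access, no 'to when'")
        elif end < today:
            findings.append(f"{g['who']} on {g['asset']}: expired {g['to']} but still granted (accrued rights)")
        if not g["why"]:
            findings.append(f"{g['who']} on {g['asset']}: no documented reason for access")
    return findings, trail


if __name__ == "__main__":
    found, audit = review(CMDB, ACCESS, "2022-09-07")
    print("\n".join(found))
    print(audit)
```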