Marianne Bailey has witnessed some of the most extraordinary cyberattacks of our lifetimes and has advised the highest levels of government as they scrambled to stop the bleeding. Her service as Deputy National Manager for National Security Systems (NSS) and Senior Cyber Security Executive at the National Security Agency gave her unique insight into how cyberattacks spread and affect organizations in both the public and private sectors. She is now Cyber Security Practice Leader at Guidehouse.
Here, she talks with Richard Pallardy of InformationWeek about how companies can strengthen their defenses more effectively, especially in light of the cyber war now under way between Russia and Ukraine and Ukraine's allies. She also offers detailed advice on renegotiating agreements with third-party providers to ensure the strongest possible response to an attack.
How has the security landscape changed in light of the Ukraine crisis? Are there aspects of security that companies should be more concerned about at the present time?
There has been low-level cyber warfare for decades. At the NSA and the Department of Defense, I was in positions where I was able to see a lot of it from a classified perspective. Cyber adversaries are very, very different depending on what they're after. There are many things that happen that never come out in the open. Ukraine just made it very visible to a lot more people. It made it very, very clear that if there was going to be some kind of physical conflict like Ukraine, the country trying to dominate would use cyber warfare as just another tool. It shouldn't surprise anyone. But it always seems to be surprising, which really surprises me. Let's say I have the ability to do major damage. I can do it from my own country. It's a pretty low cost of entry and it's going to have a phenomenal impact. Why am I not going to use it? Cyber is now a weapon of war.
Do you think that direct attacks on Ukraine will spread and affect other areas?
I haven't seen that, to be honest with you. But I will tell you, we know from previous cyberattacks that there have been many examples where they were not contained. They go global. Look at what happened with the NotPetya virus. I was in the Pentagon at the time. It was a Friday night, and it was raining cats and dogs. The White House was calling at seven o'clock asking, "What do we do?" We were watching it move around the world. The best thing for the United States was that we had about seven hours' notice. We were able to make sure we had the protections we needed in most cases, and we didn't have much of an impact here. But it did affect many companies in Europe, and the intention was never to do that.
One of the other concerns is cyber vigilantism. There are many cyber vigilantes in Ukraine; organizations are retaliating against Russia and its social networks. I can see why it's very, very tempting to do that. But it is also very dangerous. Are you looking at second- and third-order effects? Let's say they launch something against Russia and they launch it from the UK. So Russia thinks it's the UK, not this other crazy bunch, and so they retaliate. You can start things that don't need to be started, and they can escalate very quickly.
What kind of inventories should companies carry out to shore up their defenses?
All businesses must have a full inventory of their assets. Most companies don't. They must know all the equipment they own. The larger the company, the more difficult it is to track every computer that is yours, every router that is yours, every piece of equipment that touches your network. They need to know that they bought it for a purpose and that it is supposed to be there. We see this all the time: they don't know if it's a piece of equipment they bought or if it's something that someone bad put there.
They should also have a very robust vulnerability patching regime. Every month, they must look for vulnerabilities in their systems and then patch them. They must have very strong multi-factor authentication. It's not just a username and password anymore. We suck as humans at creating passwords that a machine can't crack in a second. I used to give this talk on basic cyber hygiene. I showed them a photo of a dog placing an order on Amazon. The owner walks in, and the dog looks at the owner and says, "What? If he didn't want me to order things, he shouldn't have used my name as a password." Because that's what people do.
They should also have a really strong operations team that is monitoring the security of their network. They must have strong data governance policies and strong data backups. If they don't have strong data governance policies, they don't know where their data is. When they get hit by ransomware, they have a really hard time. They don't have backups. People move to the cloud. They think everything is great. Well, now your data is on a server somewhere else. It doesn't mean it's safe.
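One practical way to do the asset reconciliation described above, added here as an editor's example and not part of the interview: take the inventory the organization believes it owns, take what a scan of the network actually observes, and diff the two. Both datasets below are constructed, and their formats are assumptions standing in for a CMDB export and an ARP, DHCP or NAC export.

```python
"""Reconcile what a network scan observes against the asset inventory.

Added example; the inventory records and the ARP-style scan lines below are
constructed, and the formats are assumptions standing in for a CMDB export
and an ARP/DHCP/NAC export.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str        # as recorded by procurement, in whatever format they used
    hostname: str
    owner: str      # team accountable for the device, i.e. "why it is there"


def normalize_mac(mac: str) -> str:
    """Canonical 'aa:bb:cc:dd:ee:ff' so '00-1A-..' and '001a.2b..' compare equal."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed inventory export: the devices the company bought on purpose.
INVENTORY = [
    Asset("00:1A:2B:3C:4D:01", "fin-ws-01", "finance"),
    Asset("00-1A-2B-3C-4D-02", "fin-ws-02", "finance"),
    Asset("001a.2b3c.4d10", "core-rtr-1", "netops"),
    Asset("00:1A:2B:3C:4D:20", "hr-printer", "hr"),
]

# Constructed scan output, one "<ip> <mac> <interface>" line per neighbour.
ARP_SCAN = """\
10.0.1.11  00:1a:2b:3c:4d:01  eth0
10.0.1.12  00:1a:2b:3c:4d:02  eth0
10.0.1.1   00:1a:2b:3c:4d:10  eth0
10.0.1.77  de:ad:be:ef:00:01  eth0
"""


def parse_scan(text: str) -> dict:
    """Map normalized MAC -> IP for every device the scan saw."""
    observed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue                      # blank or malformed line
        ip, mac = parts[0], parts[1]
        observed[normalize_mac(mac)] = ip
    return observed


def reconcile(inventory, observed):
    """Return (unknown, missing).

    unknown: MAC -> IP for devices on the wire with no inventory record,
             i.e. something nobody admits to having plugged in.
    missing: inventory records for devices the scan did not see, which may
             be powered off, moved, or stolen.
    """
    known = {normalize_mac(a.mac): a for a in inventory}
    unknown = {mac: ip for mac, ip in observed.items() if mac not in known}
    missing = [asset for mac, asset in known.items() if mac not in observed]
    return unknown, missing


if __name__ == "__main__":
    unknown, missing = reconcile(INVENTORY, parse_scan(ARP_SCAN))
    for mac, ip in unknown.items():
        print(f"UNKNOWN  {ip:<12} {mac}  <- no owner, investigate")
    for asset in missing:
        print(f"MISSING  {asset.hostname:<12} {asset.mac}  owner={asset.owner}")
```

The diff is a starting point, not a verdict: a MAC address is trivially spoofed, so a device that appears "known" may still be an impostor, and the unknown list is most useful when the scan is run on a schedule and paired with port-level control such as 802.1X or a NAC that refuses unregistered hardware outright.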
Are there particular frameworks you advise using?
Definitely the frameworks provided by the National Institute of Standards and Technology (NIST). There are other frameworks, but most of them are based on those developed by NIST. So they took this and tweaked it a little bit into something called the Cybersecurity Framework. That is the thing everyone needs to go through, this Cybersecurity Framework. There is NIST 800-53, which details the security controls you should implement, for example.
The Cloud Security Alliance (CSA) has the Cloud Controls Matrix. And then there is version 8 of the Center for Internet Security (CIS) Controls. Most people test their products against them, and there are very specific criteria that they have to meet.
What types of failure points should companies look for in their systems?
One of the things we see quite often in large companies is that they don't really look at the cybersecurity of the companies they are acquiring. They don't realize that they've just opened up their entire network, their entire large company, to vulnerabilities let in by that company through something like its timesheet processing.
Phishing happens, and it is one of the biggest [entry points] for ransomware, because humans click on things they shouldn't. You receive an email that seems quite real: your credit card is expiring, you're late, you have a speeding ticket. People click on it and download malicious software onto their computer. Empowering people to look for things like that is important.
The other thing we see a lot of is end-of-life hardware and software. If you are running old hardware and software, companies like Microsoft have stopped patching it. It will have tons of security vulnerabilities, and there is nothing you can do about it because they are not updating it for you. Get rid of software at the end of its useful life. You'd think it would be easy to do: your phone updates automatically all the time. But many companies really can't afford to change their technology as fast as they need to. They really need to look at their technology. If the vendor no longer patches it, you should get rid of it.
What are some of the best practices to ensure data segregation?
You need a strong data governance process. First of all, you really need to understand what data you have, where it is, and what you use it for. There are a lot of regulations around data nowadays, and more come down every day. Financial services companies face huge fines for failing to protect data, for example.
I recommend something called micro-segmentation. You segment the data so that only the people who need access to it have access. It should be on a need-to-know basis: a granular level of access control. My job may be accounting, and therefore I should only have access to accounting data. If it's a healthcare company and I'm doing accounting, why do I need access to patient records? I don't. You just need to label the data. It's very easy to configure the controls so that I can't access it.
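The need-to-know rule above, turned into code as an added example that is not part of the interview: each record carries data labels, each role grants a set of labels, and access is denied unless the requester holds every label on the record. The records, users and the role-to-label table are constructed; in a real deployment the roles would come from the identity system and the labels from the data classification process.

```python
"""Label-based need-to-know access control, deny by default.

Added example. The role-to-label table, the records and the principals are
constructed; a real system would take roles from the identity provider and
labels from the data classification process.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Record:
    record_id: str
    labels: FrozenSet[str]     # a requester must hold every one of these


@dataclass(frozen=True)
class Principal:
    user: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Hypothetical mapping of job role -> data labels the role may see.
ROLE_LABELS = {
    "accounting": frozenset({"accounting"}),
    "clinician": frozenset({"patient-records"}),
    "billing-auditor": frozenset({"accounting", "patient-records"}),
}


def entitlements(p: Principal) -> FrozenSet[str]:
    """Union of the labels granted by the principal's roles; unknown roles grant nothing."""
    granted = set()
    for role in p.roles:
        granted |= ROLE_LABELS.get(role, frozenset())
    return frozenset(granted)


def authorize(p: Principal, rec: Record, audit: List[str]) -> Decision:
    """Decide, and always write the decision to the audit trail."""
    if not rec.labels:
        # Unlabeled data is denied: need-to-know cannot be enforced on data
        # nobody has classified, so this forces the labeling step.
        decision = Decision(False, f"{rec.record_id} is unlabeled")
    else:
        lacking = rec.labels - entitlements(p)
        if lacking:
            decision = Decision(False, f"{p.user} lacks {sorted(lacking)} for {rec.record_id}")
        else:
            decision = Decision(True, f"{p.user} holds all labels on {rec.record_id}")
    verb = "ALLOW" if decision.allowed else "DENY "
    audit.append(f"{verb} {p.user} {rec.record_id}: {decision.reason}")
    return decision


# Constructed sample: a healthcare company's accounting clerk and billing auditor.
ALICE = Principal("alice", frozenset({"accounting"}))
DANA = Principal("dana", frozenset({"billing-auditor"}))
LEDGER = Record("ledger-2024-q1", frozenset({"accounting"}))
CHART = Record("patient-00042", frozenset({"patient-records"}))
INVOICE_WITH_PHI = Record("invoice-7781", frozenset({"accounting", "patient-records"}))
UNLABELED = Record("export.csv", frozenset())


if __name__ == "__main__":
    log: List[str] = []
    for who in (ALICE, DANA):
        for rec in (LEDGER, CHART, INVOICE_WITH_PHI, UNLABELED):
            authorize(who, rec, log)
    print("\n".join(log))
```

Two design choices carry the weight here. Requiring every label on a record (rather than any one of them) is what stops an accounting clerk from seeing an invoice that also contains patient data, and denying unlabeled records is what turns "label the data" from advice into something the system enforces. The same labels can then drive network micro-segmentation and DLP rules, so the classification is done once and reused.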