Taking on Cyber Defense in Information Security
Dominic Spucches
Southern New Hampshire University
CYB 250: Cyber Defense
James Beneke
June 16th, 2022
There are many emerging trends to become familiar with in information security, among them trends in personnel and human factors, data protection, and system protection. Because of these trends, our future as security analysts depends on staying up to date and aware of the constantly changing landscape and evolution of information technology. By staying mindful of these changes, we can adopt and refine ideas from the constant evolution of information technology in our own environments. Such trends include stronger protection for personnel through multi-factor authentication (MFA), the use of offsite locations for backups, and state-of-the-art IDS/IPS technology that uses artificial intelligence to protect our systems.
In the crucible of information security there is one factor that will always be present: the personnel and human factor within an organization. Because the human factor is prevalent in any organization, it is imperative that we address the security concerns that coincide with this threat. Those concerns can be addressed with security awareness training and other means, such as adverse action for negligence of government law and organizational policy. An emerging trend that addresses the personnel and human factor within an organization is multi-factor authentication, or MFA. MFA has been an emerging product since the 1990s; AT&T, often credited as the original developer, filed its patent application in 1995 (Espacenet, 2019). There have also been scattered arguments, dating to 1998, that Kim Dotcom invented the original multi-factor authentication design (Arthur, 2017).
Whichever of the two invented MFA, it revolutionized account security. MFA adds an extra layer of security on top of the usual login of a username and a password (too often the name of your pet and its birthday). Adding this second factor requires an interactive exchange between your device and the application you are connecting to. The most common forms are a one-time code delivered by text message or a code generated by an application such as Google Authenticator. To use this method, the application you are accessing must support MFA; if it does, you can opt in. An authenticator app typically has you scan a QR code shown by the application, which enrolls a shared secret that links your account to the authenticator. When you later log in, whether to your bank account or to social media, the web application asks for a six-digit numeric code that your authenticator displays. The code changes every 30 seconds: rather than being random, it is computed from the shared secret and the current 30-second time window, so the server can compute the same value and check it. Because this authentication is so effective, Microsoft's Director of Identity Security, Alex Weinert, stated that "your password doesn't matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA" (Gatlan, 2019). That remaining 0.1% was put to the test during the nation-state campaign associated with SolarWinds, in which the attackers managed to bypass a victim's MFA. Keep that in perspective: an attacker who can defeat properly deployed MFA is a well-resourced adversary, not a script kiddie down the road. A practitioner should still note that text-message and authenticator codes can be relayed by a real-time phishing site, which is why hardware-backed, phishing-resistant factors are preferred for high-value accounts.
As data breaches and the need for information security increased, so did the adoption of MFA within organizations. This is a response to the favorite target of threat actors: the average employee. According to Verizon's Data Breach Investigations Report (DBIR), 82% of breaches involve a human element (Verizon, 2022). For a key stakeholder within an organization, implementing security policies that require MFA for end users is imperative to the organization's success. A 2019 article reported that approximately 57% of businesses worldwide had implemented MFA, a 12-point gain over 2018 according to LastPass, based on data from 47,000 organizations (Gatlan, 2019). As technology continues to evolve, the human factor will always be a point of exploitation. This knowledge supports implementing MFA for end users whether they are accessing an application or an operational asset such as a server or a backup device.
Implementing MFA on backup devices has become more common because of the growth of ransomware attacks and their reputation. Data protection has in essence become an additional layer of defense against ransomware because of how crippling such an attack is. Ransomware can render an entire network infrastructure inaccessible, encrypting all the data it can reach, even shadow copies (Yeap, 2021). Not only does ransomware encrypt your data, it can also leave data corrupted even after the ransom is paid. For this reason, and for data security in general, a good rule of thumb for protection against ransomware is to ensure that data-at-rest is backed up in several locations, at least one of which the ransomware cannot reach, so that your data is protected.
Data-at-rest is data that has reached its destination and is not being accessed or used; it is typically data on a file share, server, endpoint, backup, or any other operational asset that stores data (Lutkevich, 2021). It is critical that we as security analysts and professionals ensure that data-at-rest is protected, especially given the risk of a ransomware attack. A simple and relatively common solution is a Disaster Recovery Plan (DRP). A DRP sets out how data will be backed up and how it will be recovered if an incident arises. Whether the data is intellectual property or personally identifiable information, it is important to ensure it is recoverable. Intellectual property is any data deemed an asset whose loss or disclosure could impact the reputation and business of an organization. Confidential data more broadly also includes information whose disclosure could threaten national security. Personally identifiable information, or PII, includes given names and surnames, Social Security numbers, street addresses, and dates of birth.
Ensuring that an organization has a well-tested Disaster Recovery Plan is essential to its success. For an organization to back up its data appropriately requires a backup policy that follows the 3-2-1 rule (Rouse, 2022): keep three copies of your data, on two different types of media, with one copy at an offsite location. Following the 3-2-1 rule protects your environment from multiple threats, including natural disasters, insider threats, and ransomware. Floods, tornadoes, and fires can destroy organizational assets and leave operational data inaccessible; if a copy is stored in the cloud or at a location in a different city or state, the data can be recovered and operations can continue. Backups also protect against insider threats of the non-malicious kind. With human error being the leading cause of almost 90% of data breaches, it is clear why accidental insider loss must be considered (Oles, 2021). One such insider is the payroll clerk who accidentally deletes last month's payroll. This is easily recovered with modern backup solutions such as Veeam, which can restore files almost instantaneously; even full virtual machines can be recovered and operational within minutes.
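An added example, not from this paper or from any backup vendor, that turns the 3-2-1 rule into a check a practitioner can run against a backup inventory. The inventory schema, dataset names and sample entries are constructed for this example. The extra requirement that at least one copy be immutable or offline is this example's addition, prompted by the point above that ransomware encrypts every copy it can reach, shadow copies included.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// BackupCopy is one stored copy of a dataset. The field names are this example's
// own, not any backup product's schema.
type BackupCopy struct {
	Dataset   string // logical data set, e.g. "payroll-db"
	Media     string // storage medium: "disk", "tape", "object-storage", ...
	Site      string // where the copy physically lives
	Offsite   bool   // held away from the production site
	Immutable bool   // WORM/locked retention, or physically offline (tape in a vault)
}

// Check321 evaluates the copies of ONE dataset against the 3-2-1 rule (three copies,
// two media types, one offsite) plus the ransomware-motivated requirement that at
// least one copy be immutable or offline. It returns a list of failures; an empty
// list means the dataset complies.
func Check321(copies []BackupCopy) []string {
	var findings []string
	media := map[string]bool{}
	offsite, immutable := 0, 0
	for _, c := range copies {
		media[strings.ToLower(c.Media)] = true
		if c.Offsite {
			offsite++
		}
		if c.Immutable {
			immutable++
		}
	}
	if len(copies) < 3 {
		findings = append(findings, fmt.Sprintf("only %d copies (rule needs 3)", len(copies)))
	}
	if len(media) < 2 {
		findings = append(findings, fmt.Sprintf("only %d media type(s) (rule needs 2)", len(media)))
	}
	if offsite == 0 {
		findings = append(findings, "no offsite copy (rule needs 1)")
	}
	if immutable == 0 {
		findings = append(findings, "no immutable or offline copy: ransomware that reaches the network can encrypt every copy")
	}
	return findings
}

// CheckInventory groups an inventory by dataset and reports findings for every
// dataset that is expected to be protected, including those with no copies at all.
func CheckInventory(inv []BackupCopy, expected []string) map[string][]string {
	byDataset := map[string][]BackupCopy{}
	for _, c := range inv {
		byDataset[c.Dataset] = append(byDataset[c.Dataset], c)
	}
	report := map[string][]string{}
	for _, ds := range expected {
		report[ds] = Check321(byDataset[ds])
	}
	return report
}

func main() {
	// Constructed inventory for illustration.
	inventory := []BackupCopy{
		{"payroll-db", "disk", "hq-san", false, false},
		{"payroll-db", "tape", "offsite-vault", true, true},
		{"payroll-db", "object-storage", "cloud-region-b", true, true},
		{"file-share", "disk", "hq-san", false, false},
		{"file-share", "disk", "hq-nas", false, false},
	}
	expected := []string{"payroll-db", "file-share", "crm-db"}
	report := CheckInventory(inventory, expected)
	names := make([]string, 0, len(report))
	for ds := range report {
		names = append(names, ds)
	}
	sort.Strings(names)
	for _, ds := range names {
		if len(report[ds]) == 0 {
			fmt.Printf("%-12s OK\n", ds)
			continue
		}
		fmt.Printf("%-12s FAIL: %s\n", ds, strings.Join(report[ds], "; "))
	}
}
```

In the constructed inventory, payroll-db passes, file-share fails every test (two copies, one medium, nothing offsite or immutable), and crm-db is reported as having no backups at all, which is the case an inventory-driven check catches and a per-job check never sees.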
A Disaster Recovery Plan ensures that an organization's data is protected and provides two essential benefits: reducing downtime for the organization and its operational assets, and reducing the cost and man-hours required for data recovery. Downtime can cost from $10,000 per hour up to $5 million per hour according to Datto, so a suitable DRP can save a great deal (Oles, 2021). Considering how costly it is not to implement a foundational DRP can be eye-opening to any stakeholder, especially a CEO or CFO. Data loss impacts revenue not only by leaving applications unavailable without instant recovery; it can also damage the reputation of an organization.
A Disaster Recovery Plan includes recovery options for data-at-rest, but it should also specify the cryptography used to ensure the confidentiality of data stored in the corresponding backups. For example, if the organization accepts payment card transactions, it must adhere to the PCI-DSS compliance standard (Digital Guardian, 2021), which includes protecting cardholder data with a modern algorithm such as the Advanced Encryption Standard (AES) (Banaszak, 2020). PCI-DSS is used here only as an example for payment card data; encryption is another layer of defense for any organization. Operational assets running Windows, which includes servers as well as employee workstations, should have BitLocker enabled as a best practice. BitLocker is a full-volume encryption feature that also uses the AES algorithm (Microsoft, 2022). To close the discussion of the Disaster Recovery Plan, it is important to justify the backup solution you choose. That means ensuring the solution encrypts data-at-rest and data-in-transit. Veeam, for instance, provides an option to enable backup file encryption and uses AES-256 for its backups (Banaszak, 2020). Whatever the product, store the encryption keys or passwords separately from the backups themselves; an encrypted backup whose key was lost together with the primary site cannot be restored.
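As an added example, and not the implementation used by Veeam or BitLocker (whose on-disk formats are their own), here is how a backup file can be sealed at rest with AES-256 using Go's standard library. The GCM mode is chosen so that a corrupted or tampered backup fails to decrypt instead of silently restoring garbage. The key here is random and lives only in memory; in practice it would come from a key management system or a password-based derivation, and it must be stored apart from the backups. The file name, payload and blob layout are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// NewBackupKey returns a fresh 256-bit key from the OS CSPRNG. Store it in a KMS or
// password vault, never alongside the backups it protects.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptBackup seals plaintext with AES-256-GCM.
// Blob layout: 12-byte random nonce || ciphertext || 16-byte authentication tag.
// backupName is bound as additional authenticated data: it is not encrypted, but a
// blob cannot later be passed off under a different file name.
// Caveat: random 96-bit nonces are safe for on the order of 2^32 encryptions per key;
// rotate the key well before that.
func EncryptBackup(key, plaintext, backupName []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce so the output is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, backupName), nil
}

// DecryptBackup opens a blob produced by EncryptBackup. Any modification of the
// nonce, ciphertext, tag or backupName makes Open fail, which is the integrity
// check a restore should rely on.
func DecryptBackup(key, blob, backupName []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("backup blob too short to contain nonce and tag")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, backupName)
}

// newGCM builds the AEAD and enforces the AES-256 key length.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("AES-256 needs a %d-byte key, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	name := []byte("payroll-2022-06.bak")               // constructed file name
	data := []byte("constructed sample backup payload") // constructed payload
	blob, err := EncryptBackup(key, data, name)
	if err != nil {
		panic(err)
	}
	restored, err := DecryptBackup(key, blob, name)
	fmt.Println("restore ok:", err == nil && bytes.Equal(restored, data))

	// Simulate on-disk corruption or tampering: flip one bit of the ciphertext.
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptBackup(key, blob, name)
	fmt.Println("tampered backup rejected:", err != nil)
}
```

A restore that uses the wrong key, the wrong file name, or a blob with a single flipped bit is refused outright; that failure is the signal to fall back to another of the 3-2-1 copies rather than to trust the data.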
Although a proper DRP is imperative to an organization's success in reducing downtime and providing a recoverable solution for data loss, it is most important that the organization implements a line of defense for system protection. This could include a variety of solutions such as a firewall, antivirus, an IDS/IPS, a DMZ, or an automated patching solution. An automated patching solution directly benefits the endpoints, servers, and other technologies in any environment's infrastructure.
Deploying an automated patching solution is an integral part of an organization's network infrastructure. Whether you are a security analyst or a help desk technician, you know how important it is to keep a workstation or server up to date. Outdated machines can introduce configuration drift that causes network interruptions with other applications, or they can pose an additional threat that creates more risk for the organization. Outdated machines on a network are a real risk to any organization, big or small; you might as well try running from a wolf while out of shape. It is imperative that every machine on the network has every available security update applied unless it is necessary to revert to a previous version.
An outdated patch management policy without automation can result in poor system functionality, network interruptions, configuration issues, or problems working with modern third-party applications. Additionally, improper patch management leaves the door open for a malicious attacker to exploit vulnerabilities that impact the confidentiality, integrity, and availability of data on the infrastructure. A zero-day vulnerability is one found in the wild before a patch exists (Bogna, 2022); patching cannot stop a true zero-day, but it does prevent the far more common case of an attacker exploiting a flaw that was disclosed and fixed months earlier, and it shortens the window once a fix ships. Beyond the impact on availability, poor patch management invites malicious activity by adversaries that costs organizations millions: the average cost of a data breach in 2021 was $4.24 million (IBM, 2021). That is a steep number that can be reduced considerably by automating your patch management. Although automation may cause occasional availability issues, it is imperative to an organization's success and helps protect confidentiality, integrity, and availability.
Most great things come with a downside, and patch management does have an impact on availability. Whether it is the remote employee working 300 miles from the hub location or downtime from a critical update that requires a long reboot, there is an impact. Even so, an automated patch management solution reduces downtime and workload overall and increases security for a client or your organization. Consider how important patching is to security: the WannaCry ransomware took advantage of unpatched machines and infected 200,000 computers across 150 countries (Kaspersky, 2022). By one estimate, 57% of data breaches are attributed to poor patch management, among other unfortunate statistics. Automated patch management is the answer, especially for organizations with fewer resources than their counterparts.
Automated patch management increases uptime by keeping software and applications current, increases protection from cyber-attacks, delivers feature improvements, and helps maintain compliance with government regulations (Rapid7, 2022). Incorporating automated patch management also helps maintain compliance for any PCI-DSS in-scope devices or systems holding HIPAA-protected information. An automated patch management program creates a more secure environment, reduces the window in which a newly disclosed vulnerability can be exploited, and improves customer service. Happy customers come from reliable availability of the technology they use, and automated patch management helps deliver that.
References
Arthur, C. (2017, February 21). Does Kim Dotcom have original "two-factor" login patent? The Guardian. https://www.theguardian.com/technology/2013/may/23/kim-dotcom-authentication-patents
Banaszak, F. (2020, November 4). 5 key encryption lessons from the field. Veeam Software Official Blog. https://www.veeam.com/blog/5-key-encryption-field-lessons.html
Bogna, J. (2022, March 24). What Are Zero-Day Exploits and Attacks? PCMag. https://www.pcmag.com/how-to/what-are-zero-day-exploits-and-attacks
CISA. (2022). Stop Ransomware. https://www.cisa.gov/stopransomware
CYDEF. (2021, December 28). The Human Factor: The Hidden Problem of Cybersecurity. https://cydef.ca/blog/the-human-factor-the-hidden-problem-of-cybersecurity/
Digital Guardian. (2021, August 12). What is PCI Compliance? https://digitalguardian.com/blog/what-pci-compliance
Espacenet. (2019). Bibliographic data: EP0745961A2. https://worldwide.espacenet.com/publicationDetails/biblio?FT=D&date=19961204&DB=worldwide.espacenet.com&locale=en_EP&CC=EP&NR=0745961A2&KC=A2&ND=4
Espacenet. (2019). Original document: US5708422A. https://worldwide.espacenet.com/publicationDetails/originalDocument?FT=D&date=19980113&DB=worldwide.espacenet.com&locale=en_EP&CC=US&NR=5708422A&KC=A&ND=4
Gatlan, S. (2019, October 8). 57% of Businesses Use Multi-Factor Auth (MFA), Says LastPass. BleepingComputer. https://www.bleepingcomputer.com/news/security/57-percent-of-businesses-use-multi-factor-auth-mfa-says-lastpass/
Hansen, L. (2022, March 28). Patch Management Trends for 2022. Enterprise Networking Planet. https://www.enterprisenetworkingplanet.com/security/patch-management-trends/
IBM. (2021). Cost of a Data Breach Report 2021. https://www.ibm.com/security/data-breach
IT Support Guys. (2019). The Importance of Patch Management. https://itsupportguys.com/it-blog/importance-of-patch-management-to-avoid-business-vulnerabilities/
Jayasinghe, K. (2021, July 13). The importance of minimizing downtime with Disaster Recovery Plan and why you should engage a Managed Service Provider. LinkedIn. https://www.linkedin.com/pulse/importance-minimizing-downtime-disaster-recovery-plan-jayasinghe/
Kaspersky. (2022, March 9). What is WannaCry ransomware? https://usa.kaspersky.com/resource-center/threats/ransomware-wannacry
Lutkevich, B. (2021, October 29). Data at rest. TechTarget SearchStorage. https://www.techtarget.com/searchstorage/definition/data-at-rest
Microsoft. (2022). BitLocker Security FAQ (Windows 10) – Windows security. Microsoft Docs. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-security-faq
Modi, S. (2021, September 13). How Likely Is Your Employee To Cause A Data Breach? Forbes. https://www.forbes.com/sites/forbestechcouncil/2021/09/13/how-likely-is-your-employee-to-cause-a-data-breach/
Oles, A. (2021, April 11). The Real Costs of Data Loss. Backupify. https://www.backupify.com/blog/the-real-costs-of-data-loss
Rapid7. (2022). What is Patch Management? Benefits & Best Practices. https://www.rapid7.com/fundamentals/patch-management/
Rouse, G. (2022, May 5). Backup Strategy: What is the 3-2-1 backup rule? Datto. https://www.datto.com/blog/backup-strategy-what-is-the-3-2-1-backup-rule
Unified Patents. (2019). Analytics Portal: EP-0745961-B1. https://portal.unifiedpatents.com/patents/patent/EP-0745961-B1
Verizon. (2022). 2022 Data Breach Investigations Report. Verizon Business. https://www.verizon.com/business/resources/reports/dbir/
Yeap, Y. P. (2021, March 2). Backup Is Feeble Protection Against Ransomware. Forbes. https://www.forbes.com/sites/forbestechcouncil/2021/03/03/backup-is-feeble-protection-against-ransomware/