My last several columns have focused on the requirement that every business in the Defense Industrial Base implement system security, with the Cybersecurity Maturity Model Certification (CMMC) as the framework for doing so.
The CMMC framework is largely about controlling access: access to the information system and physical access to the information itself. It is also about what happens when access control fails, how the organization responds, and how it recovers. The simple fact is that every system, no matter how much security is applied, is subject to attack and compromise.
In working through the system security plan requirements, it becomes apparent that the controls are not only about protecting the confidentiality of information; they also address the integrity of the information and the availability of the system. Confidentiality is the protection of information from those who do not have access rights. Integrity is the assurance that the information has not been altered. Availability is the ability to reach the system and its data; if the system cannot be reached, or the information on it cannot be accessed, there is a loss of availability. Of these three, it is the loss of availability that hits small businesses most often.
For most businesses, the availability failure will arrive by email; email remains the most common delivery vector for successful compromises. Someone in the organization opens an email attachment that, by any of a number of means, carries malware. The basic thread is that the user downloads or opens the attachment, the malware runs and establishes itself on the computer, and it then works to take control of the system. On a system with no defensive controls, this is not hard to accomplish.
Because this has been going on for years, most users are less and less likely to open email from unknown sources, which in turn has driven up the sophistication of attacks. Nevertheless, small businesses, the ones with few defensive controls, remain common victims of ransomware. Ransomware is an attack on the availability of the system: it encrypts the company's data, and if there is no backup and no way to decrypt it, the data is lost. Paying the ransom often produces no result.
The attacks are becoming increasingly more complex and sophisticated. At this time of year, the holidays, the attack vectors change to capitalize on the season and the times. Around Christmas, there are attacks in the guise of package delivery notifications and attacks based on buying habits. Due to the increase in working from home during the pandemic, there are now specific attacks against remote workers. There are attacks offering COVID-19 vaccines and test kits.
Not only is the system owner often forced to pay for the decryption of their data, such an attack often results in another exploit, which is the victim paying another ransom to prevent the release of confidential information recovered from the system. The result of a successful attack can be an organization paying two ransoms, first to recover the system information, and second to prevent the release of company confidential information. Combating these attacks against system availability and the loss of confidentiality is a combination of tasks.
One of the first steps is following basic cybersecurity and system security best practices; these are outlined in the CMMC framework. These include defense in depth, segmented roles and access rights, and air-gapped backups. An air-gapped backup is most likely the best way to recover from a successful ransomware attack. Second is training: The better trained an organization is in recognizing and avoiding these attacks, the more likely they are to be avoided.
From the attacker's point of view there is a world of opportunity, because most systems are not well protected. Their goal is to exploit systems with the least effort; even for criminal organizations, time and effort are money. Your business goal is to make things hard for the lazy attacker, and simple measures do that. Change the default login names and passwords on every device, and use long passphrases. Use multi-factor authentication to help ensure the identity of users. Encrypt your data so that a stolen copy cannot be read. Back up your data, even if it lives in the cloud, onto a removable drive that is physically disconnected from the system between backups; this reduces the chance that malware spreads to the backup device. Keep the software on your systems current and updated, and make sure that is true of your antivirus software as well.
These are steps you can take without much effort to reduce your exposure.
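A backup only helps if the restored copy is intact, which is easy to check by recording a hash of every file when the backup is made and comparing the restored copy against that record. The following is an added example, not code from the column or from 171Comply; the file names and contents are constructed for the demonstration, and the "tampered restore" simulates what a ransomware-encrypted or partially lost backup looks like. The manifest should be written alongside the offline copy so it is as protected as the backup itself.

```python
"""Backup manifest: record SHA-256 of every file at backup time, then verify a
restored copy before trusting it. Added example; not from the column."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_restore(manifest: Dict[str, str], restored: Path) -> List[str]:
    """Return a list of problems; an empty list means the restore matches the manifest."""
    problems: List[str] = []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"modified: {rel}")
    # Files in the restore that the manifest never recorded are suspicious too
    # (ransomware typically drops renamed or note files next to the originals).
    for rel in build_manifest(restored):
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Build a small constructed data set, then verify a good and a tampered restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "contracts").mkdir(parents=True)
        (src / "contracts" / "sow.txt").write_text("statement of work\n")  # constructed
        (src / "ledger.csv").write_text("date,amount\n2021-12-01,100\n")    # constructed
        manifest = build_manifest(src)  # would be stored with the offline backup

        # Good restore: an identical copy of the backed-up tree.
        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)
        good_problems = verify_restore(manifest, good)

        # Tampered restore: one file overwritten in place, one renamed with a
        # ransomware-style extension. Both are caught before the data is trusted.
        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "ledger.csv").write_bytes(b"\x00\x11garbage")
        (bad / "contracts" / "sow.txt").unlink()
        (bad / "contracts" / "sow.txt.locked").write_bytes(b"\x00\x22garbage")
        bad_problems = verify_restore(manifest, bad)
    return good_problems, bad_problems


if __name__ == "__main__":
    ok, tampered = demo()
    print("good restore problems:", ok)
    print("tampered restore problems:", tampered)
```

Run the verification on the restored tree before reconnecting it to production; a non-empty problem list means the backup cannot be relied on for that file set, and a test restore that comes back clean is the evidence that the air-gapped backup will actually work when it is needed.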
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at mikeo@171comply.com.
This is the sixth column in a series on the CMMC program. Read the other columns here.