Three takeaways for a Small Business from the Microsoft Exchange hack

I have heard this so many times: “My company is too small to be the target of an advanced attack”. Unfortunately, this is not true, and the recent cyber-attacks on Microsoft Exchange servers clearly show it. Compared to the recent SolarWinds Orion security breach, which directly affected mostly large organizations, the Exchange vulnerabilities were used to attack in excess of 30,000 organizations in the US alone, mostly small businesses and local government offices.

Here are the three lessons that a small business should learn from this incident:

  1. Every organization (and person) is a potential victim of advanced cyber-threats. This highly automated attack, which used four zero-day vulnerabilities, shows that virtually no organization (large or small) is safe. Whether as a pivot point toward larger targets or simply by chance, it is only a matter of time until a sophisticated attack “knocks” on the door.
  2. Cloud services are a safer choice, especially for small organizations. This is due to at least two reasons. First, many software providers (Microsoft included) have a “cloud-first” policy. That means the cloud solutions get new features, enhancements, and even bug fixes first. For example, in this case, Microsoft Exchange Online was not affected by the attack. Additionally, the large cloud infrastructures benefit from the most advanced security options on the market and are staffed with the “crème de la crème” of cybersecurity personnel. Does this make them bullet-proof? No, but the likelihood of a breach is smaller. Second, small organizations are typically slow in applying security patches even when these become available. Many of the Microsoft Exchange servers affected by the zero-day vulnerabilities exploited in this attack will remain unpatched for months, leaving them exposed to further attacks.
  3. Cybersecurity is getting professionalized. Highly professionalized. Advanced attacks are becoming increasingly common and are affecting a large number of organizations around the world. Basic cybersecurity skills are no match for the security challenges of today’s world. Small organizations typically cannot afford to spend resources on skilled cybersecurity professionals (not to mention that we are currently facing a significant shortage of cyber defense talent). Alongside the use of cloud services instead of on-premises infrastructure, an SMB should also consider relying on Managed Security Services and Managed Detection and Response Services to keep its IT infrastructure running and secure.

These three points should be considered for increasing the cyber-resiliency of the organization. But they do NOT replace the actions required to check whether your infrastructure was affected by the attack. For more context on the breach and the recommended remediation steps, check this Microsoft blog post.

A Practical Approach to Cyber Resilience – Part 1 of a 3 Part Series

In a previous blog, I looked at the key differences between cybersecurity and cyber-resilience, and why cyber-resilience is a better approach for organizations to follow in 2021 because it is holistic.

IT cyber-resilience is a complex objective requiring a solid understanding and a structured approach. NIST Special Publication 800-160, Developing Cyber Resilient Systems, is one of the most comprehensive resources available for those embarking on this journey. Although a bit difficult to navigate, the publication is valuable because it provides the why, the what, and indications of how to approach the topic of cyber resilience.

Over the course of several blogs, I will extract several key learnings, with practical value for any organization looking to improve their resiliency to attacks.

NIST defines cyber-resilience as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” The systems and environments that are cyber-resilient can withstand cyber-attacks, faults, and failures and can continue to operate even in a degraded or debilitated state. Also, of great importance, they can continue delivering mission-essential functions while ensuring that safety and information security are preserved during an incident.

To bring further clarity on the topic, four key cyber resilience characteristics (or guiding principles) are defined within the framework:

  • Focus on the mission or key business functions
  • Focus on the effects of Advanced Persistent Threats (APTs)
  • Assume an adversary will compromise or breach the system or organization
  • Assume an adversary will maintain a presence in the system or organization

Why are these principles important? They have a special practical significance, as they help to correctly frame any approach to cyber-resilience. Here is what these characteristics state:

  1. Focus on the mission or key business functions – Cyber resiliency initiatives must focus on the capabilities supporting organizational missions or key business functions. Critical business elements should continue operating despite an attacker’s presence in systems and infrastructure that threatens mission-critical systems and system components.
  2. Focus on the effects of APTs – Cyber resiliency has in scope all threats related to systems, but the focus must be on the effects of APTs. Why APTs? Because of their persistence and long-term effects on the organization. The longer an attacker’s dwell time, the higher the likelihood of accessing sensitive data or influencing the behavior of systems in ways that directly or indirectly damage the organization.
  3. Assume an adversary will compromise or breach the system or organization – The framework states that a sophisticated adversary cannot always be kept out of a system or be quickly detected and removed, regardless of the quality of the system design and the functional effectiveness of the security components. This assumption acknowledges that modern systems are large and complex, and adversaries will always be able to find and exploit weaknesses in the systems, environments, or supply chains.
  4. Assume an adversary will maintain a presence in the system or organization – Lastly, any discussion on cyber resiliency must assume that the adversary’s presence may be a long-term issue because of the stealthy nature of APTs. An extreme example is the attack on a major hotel chain’s reservation system that started in 2014 and maintained persistence for four years before being detected.

In other words, any cyber-resilience initiative should be focused on advanced attacks that target critical business functions, with special consideration for the attacker’s stealthy actions and persistence in the environment. These are key premises that any organization looking to improve its cyber resilience should always consider.

In the next part of this series, I will explore the 5-step Cyber Resiliency Analysis Process and provide a practical and effective way to address cyber resiliency.

To learn more on the importance of cyber resilience for organizations and how to improve the ability to withstand advanced threats, check out the on-demand webinar: How to increase the cyber-resilience of your business.

Initially posted on Bitdefender Business Insights:

Cybersecurity or Cyber-resilience: Which one should be the prime objective for 2021?

Given the increased dependency on digital technologies for daily operations, it’s not a surprise that organizations are concerned about cyber threats and the risks these pose to their operations. But what is the best approach to this problem? Should an organization focus on cybersecurity or on cyber-resilience? Which of the two can be considered a prime objective for 2021?

Cybersecurity is the more established term of the two and refers to the people, technologies and processes that serve as the line of defense against threats. Cybersecurity is centered on the idea that attacks can be prevented. It creates the expectation that the organization will be able to avoid being hit by attackers and will not suffer cyber-breaches. Although preventing breaches from happening is something everyone wants, 100% protection effectiveness is not achievable. Recent years have proved again and again that cyber threats are getting increasingly sophisticated and that organizations, as well as individuals, are affected directly or indirectly.

In contrast to the core idea of preventing breaches, cyber-resilience is centered on the principle that some attacks will get through and organizations must prepare themselves to deal quickly and effectively with the consequences. Cyber-resilience represents the organization’s ability to avoid, prepare for, respond to, and recover from a cyber attack. Being ready to respond to security incidents enables organizations to mitigate the consequences of cyber breaches and quickly resume the normal state of business operations. This makes cyber-resilience an integral part of business continuity planning.

What are the steps an organization should take to improve cyber-resiliency? The comprehensive path is through a cybersecurity program that addresses four key phases: preparation, detection, response, and recovery from an attack. When implemented thoroughly, this four-phase framework enhances the organization’s capacity to sustain operations through a cyber-attack while minimizing both disruption and reputational harm. A very good resource for organizations on the way to cyber-resilience is the NIST Special Publication 800-160.

In conclusion, what is the best way forward? Are cybersecurity and cyber-resilience fully distinct approaches? Not completely. Both cybersecurity and cyber-resilience strive to limit the effects of cyber threats on businesses. They share some of the same tools, processes and procedures. Both are good objectives for organizations to focus on, but cyber-resilience offers a holistic and more realistic approach. That makes it a more suitable (and achievable) objective for organizations to follow in 2021 and beyond.

Accelerating Safely on the Digital Highway

I wrote this post a couple of months back, but it’s highly relevant for 2021 and it’s worth bringing up again. You will also find below a reference to an interesting on-demand webinar hosted by InfoSecurity Magazine.

Despite today’s harsh medical crisis, we are living in great times of innovation. For years, digital transformation has been stuck more or less at buzzword level, but the last 2 months marked a sharp change, with many businesses being forced into a new “digital only” norm. Now more than ever, digital transformation proves its value in an unprecedented and unforeseeable way: the higher the degree of digitization, the better an organization adapts to the current reality.

The ability to enable employees to continue their work while at home, the automation of processes, and access to digital markets are key capabilities that have improved the resilience of businesses and governments during the last months. These forced behavioral changes will have long-lasting (positive) effects. One of the most spectacular is the acceleration of all digitalization initiatives in the years to come.

But a word of warning. While it offers many advantages for organizations, digital transformation also creates significant security vulnerabilities. The more an organization relies on digital, the less capable it is of continuing to operate effectively with its IT systems down or compromised. Inevitably, things can and will go wrong at some point, whether by mistake, by intention, or simply due to an unforeseen and unfortunate event.

What is cyber-resilience and why is it important?

Cyber-resilience is the ability to continue delivering the intended outcomes (digital services) despite adverse cyber-events. However, mastering cyber-resilience has some strings attached to it, bringing various challenges that must be considered and overcome. Needless to say, navigating the modern-day cyber-threat landscape is paramount and vital for ensuring business continuity.

While larger organizations are typically better prepared, cyber-resilience proves to be a more difficult challenge for mid-sized organizations due to fewer capabilities and resources. So, how can a mid-sized organization increase its cyber-resilience without sky-rocketing costs?

In a special joint webinar with InfoSecurity Magazine, we will explore how organizations can increase their cyber-resilience throughout their digital transformation. The session will focus on outlining the pillars of a security architecture that provides the ability to detect cyber-incidents early and respond effectively to emerging threats.

Key takeaways:

– How detection and response contribute to cyber-resilience
– How to tackle the challenges of implementing a detection and response solution in a mid-sized organization
– How to simplify the security architecture with an extended detection and response strategy

Initially posted on Bitdefender Business Insights: