TASSCC 2021: Battling Cybersecurity Threats
23 Aug
The Texas Association of State Systems for Computing and Communications (TASSCC) hosted its first hybrid conference, “Riding the Tides of Change,” this year.
The event, which took place August 9-10 at the Moody Gardens Hotel, covered a lot on the topic of cybersecurity. As the world transitioned to virtual work in 2020, cyber threats skyrocketed. Now, in 2021, organizations are dealing with the same threats – and will continue to as long as our virtual infrastructure keeps growing.
So, TASSCC 2021 speakers took the stage to share all about cybersecurity threats – how to prevent them and how to respond when they hit. Here’s what they had to say:
IT INFRASTRUCTURE WITH BUILT-IN SECURITY FOR GOVERNMENT AND EDUCATION
Tom Boehmer | Regional Director – SLED, Nutanix
Jay Ellis | Information Security Analyst, Prairie View A&M University
Tom and Jay joined TASSCC 2021 to discuss lessons learned from Prairie View A&M University’s recent cybersecurity incident. Since it’s an ongoing case, Jay couldn’t share all the cyberattack details, but he could share some key points of what happened and how the university responded.
Last year, hackers took advantage of a vulnerability in the university’s system and gained access to its directory. According to Jay, it’s common for credentials to be sold on the Black Web once they’re compromised. So, a former student’s credentials were purchased, and the hacker was able to access the virtual desktop infrastructure (VDI).
Due to this cybersecurity breach, the system remained down for about a week. And as a result, students had to give up their spring break to make up that time.
The incident really affected everyone in the university (from students, to faculty, to staff), making cybersecurity a top priority.
Tom stressed that it’s everyone’s responsibility to combat cybersecurity threats, and that’s reflected in the actions taken after the attack.
Jay said the university quickly rolled out multifactor authentication, meaning users now have to verify their identity with a username, a password, and a PIN sent via text.
They also implemented microsegmentation, which gives the university the ability to isolate systems. In this most recent attack, more than a thousand were affected. But next time, they can instantly isolate the attacked system and minimize impact.
They have also increased training on anything and everything cybersecurity-related, Jay said. It’s essential that end users are equipped with the knowledge of how to recognize and respond to cybersecurity threats.
To close the session, Tom and Jay shared their best practices, which they organized into three buckets:
– Require multifactor authentication
– Segment networks, applications, and users by risk classification
– Use microsegmentation to prevent malware spread
– Patch all systems
– Use WORM based object storage for snapshots and backups
– Use network inspection tools to identify spurious network activity
– Deploy Security Information and Event Management (SIEM) tools
– Leverage anomaly detection tools for usage and storage
– Create snapshot and replication plans to match recovery objectives
– Replicate to one or more locations
– Follow the 3-2-1 backup rule (three copies, two media types, one offsite)
– Test, test, test – so that you’re confident in the recoverability of your environment
HUMAN HACKING: CYBERPSYCHOLOGY
Erik Huffman | CEO & Founder, Handshake Leadership
91% of cyberattacks start with people – not technology, making humans the weakest link in every digital network. Erik, the founding researcher in cyberpsychology, took the stage to explain the problem and share what can be done to address it.
According to his research, cybercriminals exhibit the same characteristics as any other type of criminal: low self-control, higher risk-taking, impulsiveness, shortsightedness, insensitivity to others, and a preference for immediate or easy gratification.
Technology just happens to provide these criminals with advantages for social engineering and persuasion because it:
– Is more persistent than humans
– Offers anonymity
– Manages large amounts of data
– Targets millions in seconds
– Can use many modalities to influence
– Can go where humans can’t
And in 2020, these advantages were magnified when the world moved from being technology-reliant to technology-dependent.
So, what’s the psychology behind this problem? Erik shared a few key contributors:
– When you read a name (in an email from your spouse, friend, co-worker, etc.), the limbic part of your brain is going to react. You’re going to feel something. And when you authenticate the messenger before you authenticate the message, you’re already in a bad spot. You’re already likely to open that email and click on a link.
– When you don’t recognize a name (in an email from an unknown sender), the default voice that you’ll read it in is your own – and your own voice is often the most trusted.
– When it comes to cyberattacks, victims are often only presented with just enough information to make a wrong decision.
– Cybercriminals often rely on emotional persuasion, which encourages you to stop thinking and start acting.
Erik himself admits to falling for cyberattacks. He’s opened and clicked on emails that claim to offer speaking or documentary opportunities. However, he’s an Achiever (Enneagram 3), so “job offers” appeal to him.
A big part of his research is on personality types, and what types of “attack vectors” they’re most susceptible to:
– 1 Perfectionist – Spear phishing
– 2 The Helper – Holds doors open
– 3 The Achiever – Job offers
– 4 Individualist – Spear phishing
– 5 Thinker – Social validation
– 6 Guardian – Spoofing
– 7 Optimist – Pictures with language, link with a picture
– 8 Challenger – Social validation
– 9 Mediator – Threat language, ransomware
To reduce human error moving forward, Erik recommends knowing your users. In addition to the personality types, know the generational differences. His research found that younger people are more likely to share passwords than older people.
In addition, he said letting users know that they are the difference between cybersecurity and cyberattacks is key. Cybersecurity is a decision-based science. So, once users know they have control, they can become more self-aware in their decisions.
ZERO TRUST ARCHITECTURE: WHAT IS IT, AND HOW CAN IT HELP YOUR ORGANIZATION
PJ Joubert | Public Sector Regional Sales Manager, Zscaler
Frost Walker | CEO & Founder, ATX Cybersecurity Strategies
Bob Smock | Cybersecurity Professional, KWR Acuity Strategies
Using Gartner’s definition, the group describes Zero Trust Network Access (ZTNA) as products and services that create a context-based, logical-access boundary that encompasses a user and an application (or set of applications).
With ZTNA, the trust level is explicitly and dynamically calculated based on context (policies and credentials) to determine what a user can or can’t access. Unlike a traditional VPN, users only gain access to specific apps – not an organization’s entire network. This leads to better security and lower risk by reducing the attack surface.
According to the group, benefits include:
– A more resilient environment with improved flexibility and better protection
– A reduced attack surface area
– Flexible and responsive connection for collaboration with digital business ecosystems, remote workers/partners
– Enables access independent of user’s location or device
– Normalizes user experience where access distinctions are removed
– Provides access to only the specific application, not the underlying network
PJ said Zscaler has been doing Zero Trust since way before it became a buzzword, and they recently rolled out ZTNA for the state of Oklahoma. At the moment, there are only two states that have incorporated Zero Trust from an enterprise, state-wide standpoint.
Rather than just give users ZTNA access to apps, he recommends also applying Zero Trust principles throughout the organization, which can include:
– Applications, which can be achieved through workload segmentation
– Devices, which can mean posture checking
– Data/Content, which can be accomplished through data classification and data loss prevention
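The per-application, context-based decision described in this session, as an added illustration rather than Zscaler’s or any vendor’s implementation: every policy, group name, application and device-posture signal below is constructed for the example. It contrasts the ZTNA decision (each app evaluated against user group, MFA state and device posture, deny by default) with a password-only VPN that exposes whole subnets once the credential checks out.

```python
"""Context-based access decisions in the ZTNA style described above.

Added illustration, not Zscaler's or any vendor's code: every policy,
group name, application and device signal here is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Signals a broker would evaluate on every request (constructed fields)."""
    user: str
    groups: frozenset
    mfa_verified: bool       # second factor completed this session
    device_managed: bool     # posture: enrolled in device management
    device_patched: bool     # posture: OS/agent at the required patch level


@dataclass(frozen=True)
class AppPolicy:
    """Per-application policy: trust is decided per app, not per network."""
    app: str
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True
    require_patched: bool = False


# Hypothetical policy set for a campus; nothing here describes a real deployment.
POLICIES = (
    AppPolicy("lms", frozenset({"students", "faculty"}), require_managed_device=False),
    AppPolicy("hr-portal", frozenset({"staff"})),
    AppPolicy("vdi", frozenset({"students", "faculty", "staff"}), require_patched=True),
    AppPolicy("sis-admin", frozenset({"registrar"}), require_patched=True),
)


def decide(ctx: Context, policy: AppPolicy) -> tuple:
    """Return (allowed, reason). Every condition must hold; deny is the default."""
    if not ctx.groups & policy.allowed_groups:
        return False, "user not in an allowed group"
    if policy.require_mfa and not ctx.mfa_verified:
        return False, "MFA not completed"
    if policy.require_managed_device and not ctx.device_managed:
        return False, "device not managed"
    if policy.require_patched and not ctx.device_patched:
        return False, "device posture: patch level too low"
    return True, "context satisfies policy"


def accessible_apps(ctx: Context, policies=POLICIES) -> dict:
    """Map each app to its decision; only allowed apps become reachable at all."""
    result = {}
    for policy in policies:
        ok, why = decide(ctx, policy)
        result[policy.app] = "allow" if ok else f"deny ({why})"
    return result


def legacy_vpn_access(valid_password: bool) -> list:
    """The contrast: a password-only VPN exposes whole subnets (constructed
    ranges) as soon as the credential checks out."""
    return ["10.0.0.0/8", "172.16.0.0/12"] if valid_password else []


if __name__ == "__main__":
    staff = Context("alice", frozenset({"staff"}), True, True, True)
    # Same valid password, but presented from an unmanaged device with no MFA,
    # which is what a purchased credential typically looks like to the broker.
    stolen = Context("alice", frozenset({"staff"}), False, False, False)
    for label, ctx in (("staff", staff), ("stolen credential", stolen)):
        print(label, accessible_apps(ctx))
    print("legacy vpn with the same stolen password:", legacy_vpn_access(True))
```

The design point is that the stolen-credential case yields no application at all, because each policy is evaluated against the full context, whereas the VPN grants the subnets on the password alone; adding a posture signal (patch level, management enrollment) to a policy narrows a single app without touching the rest.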
MODERNIZING SECURITY WITH AUTOMATION
Dimitri McKay | Principal Security Specialist, Splunk
64% of security tickets generated per day are not worked. The average security analyst can only handle between 18 and 24 cases in eight hours, while most companies have tens, hundreds, or thousands of cases coming in every day.
Dimitri opens up the session with these statistics and offers a solution: Automation.
In his opinion, the best security programs are built on automation. And while many organizations already use it in some areas (like ingesting data and alerting on issues), it’s not being leveraged to its full potential. Most organizations have not yet automated tasks like:
– Closing known false positives
– Capturing quality data to make investigations shorter
– Block and tackle (for example, automating a security response to stop an issue from getting worse)
– Tracking and measuring analytics (such as average case time, number of cases closed, etc.)
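The four automation tasks just listed, worked through in one small triage playbook. This is an added example, not Splunk’s SOAR product or code: the alerts, the allowlist of known false positives, the internal network ranges, the crown-jewel asset list and the containment actions are all constructed for the illustration.

```python
"""A minimal SOAR-style triage playbook over constructed alerts.

Added example, not Splunk's code: alerts, allowlists, networks and asset
names are made up. It auto-closes known noise, enriches what remains,
queues containment for high-severity hits on critical assets, and
reports the tracking metrics the talk says most teams do not yet measure.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Alert:
    id: str
    rule: str
    src_ip: str
    host: str
    severity: str                  # "low" | "medium" | "high"
    opened: datetime
    status: str = "open"
    closed: Optional[datetime] = None
    notes: list = field(default_factory=list)
    actions: list = field(default_factory=list)


# Known false positives: detection rule -> source networks allowed to trip it,
# e.g. the authorised vulnerability scanner firing port-scan alerts (constructed).
KNOWN_FALSE_POSITIVES = {"port-scan": [ip_network("10.10.5.0/24")]}

# Constructed internal ranges used for enrichment, and assets whose compromise
# justifies automatic containment.
INTERNAL_NETS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))
CROWN_JEWELS = {"dc01", "backup01"}


def is_known_false_positive(alert: Alert) -> bool:
    nets = KNOWN_FALSE_POSITIVES.get(alert.rule, [])
    return any(ip_address(alert.src_ip) in net for net in nets)


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def triage(alert: Alert, now: datetime) -> Alert:
    """Close known noise, enrich the rest, and queue containment for the worst."""
    if is_known_false_positive(alert):
        alert.status = "closed-auto"
        alert.closed = now
        alert.notes.append("matched known false-positive allowlist")
        return alert
    # Enrichment: capture the context an analyst would otherwise look up by hand.
    alert.notes.append(f"src_ip {alert.src_ip} is "
                       f"{'internal' if is_internal(alert.src_ip) else 'external'}")
    alert.notes.append(f"host {alert.host} "
                       f"{'is' if alert.host in CROWN_JEWELS else 'is not'} a crown-jewel asset")
    # Block and tackle: high severity on a critical asset is contained immediately;
    # the actions list is the queue a downstream integration would execute.
    if alert.severity == "high" and alert.host in CROWN_JEWELS:
        alert.actions.append(f"isolate-host:{alert.host}")
        alert.actions.append(f"block-src:{alert.src_ip}")
    alert.status = "escalated"
    return alert


def metrics(alerts: list) -> dict:
    """Average case time, cases closed, and how much the automation handled."""
    closed = [a for a in alerts if a.closed is not None]
    avg = (sum((a.closed - a.opened).total_seconds() for a in closed) / len(closed)
           if closed else 0.0)
    return {
        "total": len(alerts),
        "auto_closed": sum(a.status == "closed-auto" for a in alerts),
        "escalated": sum(a.status == "escalated" for a in alerts),
        "contained": sum(bool(a.actions) for a in alerts),
        "avg_close_seconds": avg,
    }


def run_sample():
    """Constructed alert feed: scanner noise, a real external scan, a credential
    attack on a domain controller, and a beacon from an ordinary laptop."""
    t0 = datetime(2021, 8, 9, 9, 0)
    alerts = [
        Alert("A1", "port-scan", "10.10.5.7", "web01", "low", t0),
        Alert("A2", "port-scan", "203.0.113.9", "web01", "medium", t0 + timedelta(minutes=1)),
        Alert("A3", "credential-stuffing", "198.51.100.23", "dc01", "high", t0 + timedelta(minutes=2)),
        Alert("A4", "malware-beacon", "10.20.1.4", "laptop-17", "high", t0 + timedelta(minutes=3)),
    ]
    now = t0 + timedelta(minutes=5)
    alerts = [triage(a, now) for a in alerts]
    return alerts, metrics(alerts)


if __name__ == "__main__":
    triaged, m = run_sample()
    for a in triaged:
        print(a.id, a.status, a.actions, a.notes)
    print(m)
```

Start narrow, as the talk advises: the allowlist closes only one rule for one scanner subnet, and containment fires only for the combination of high severity and a crown-jewel host, so a mistaken rule cannot isolate the fleet. The metrics function is what lets you show the efficiency gain rather than assert it.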
Dimitri then introduces the concept of SOAR (Security Orchestration, Automation, and Response) and demonstrates how it can improve the security OODA (Observe, Orient, Decide, Act) loop. He said government agencies and nonprofits that have incorporated SOAR see:
– A 45% increase in efficiency
– A 49% increase in problem diagnosis accuracy
– Less than 12 months of return-on-investment time
– 76% commercial versus 24% in-house automated tasks
To close, he advises the audience on next steps:
– Start with use cases
– Evaluate your options (TIP: Look for a tool that’s flexible and scalable)
– Choose a solution
– Implement (TIP: Start with minimal use cases, then work your way up to more automated tasks)
GET READY TO THINK LIKE AN ATTACKER
Sherrod DeGrippo | Sr. Director of Threat Research and Detection, Proofpoint
Sherrod presents the audience with an exercise to help them delve into a threat actor’s brain, helping participants understand:
– What are threat actors thinking?
– Why are they doing this?
– Why did they choose me?
In the exercise, she helps them create an attack email, noting that email is the number one threat vector. She narrows it down even more, explaining that business and government email accounts are threat actors’ focus. People use their work email far more than their personal email, so work email has become the target, leaving organizations vulnerable.
Threat actors are typically financially motivated or state aligned. Most of them, according to Sherrod, are located in Russia, China, Iran, or North Korea. In these cultures, it’s seen as a legitimate profession. As long as attacks are sent outside of the country, the act goes unprosecuted. Attackers are actually seen as a type of software developer – even going into an office every day to get the job done.
She also shares that the most common attacks come in the form of a URL (the most popular) or an attachment. Attackers then use social engineering, which is defined as influencing someone to take an action because they’re in a heightened emotional state like excitement or fear.
The most common social engineering lures are:
– You need to complete compliance (or safety) training ASAP. Click this link to access it.
– Download this security attachment to your laptop.
– Click this link to unblur content.
– You have been recommended for this job opening. Click the link to apply.
– Your hotel booking is ready. Click the link to check in.
A popular lure this past year is COVID-19 tracking. Individuals get an email claiming to alert them to colleagues in the office who have tested positive. It encourages them to click a link or open an attachment to view the list, and in doing so they unintentionally let the threat actor into the network.