Many organizations now wish to demonstrate compliance with Center for Internet Security (CIS) and SOC2 information security recommendations and requirements. Proving this compliance is a big plus to prospective customers and partners in the present business environment. In this blog I will outline this guidance as it applies to Information security training and awareness programs.

Section 14 of the Center for Internet Security Critical Security Controls (CIS CSC) V8 covers security awareness and skills training. Safeguard 14.1 mandates that the organization establish and maintain a security awareness program that educates personnel on how to interact with enterprise assets and data in a secure manner. This training should be provided for all organizational personnel as new hires and at least annually. In addition, the content of the program should be reviewed and updated at least annually.

Safeguard 14.1 also meets portions of SOC2 COSO principles CC1.4 and CC2.1. CC1.4 calls for the organization to demonstrate a commitment to develop competent individuals in alignment with objectives. Specifically, trust service criteria call for the organization to provide continuing education to personnel to ensure that skill sets and technical competencies are maintained. As to CC2.1, this safeguard meets two of the trust service criteria: the organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal controls, and the organization communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program.

Safeguards 14.2 through 14.8 all detail specific areas personnel should be trained in. They include:

• 2: Training personnel to recognize social engineering attacks. This training is particularly important in the present threat environment, since many of the most successful exploits currently begin with and are enabled by some kind of social engineering attack.
• 3: Training personnel on authentication best practices such as MFA, password composition and credential management.
• 4: Training personnel on data handling best practices. This not only includes training on how to properly store, transfer, archive and destroy data, it also includes training personnel on proper workplace security such as clear desk/clear screen, work area security and printer security.
• 5: Training personnel about the causes of unintentional data exposure such as losing or improperly securing portable end user devices or publishing data to unintended audiences.
• 6: Training personnel to recognize and properly report potential security incidents.
• 7: Training personnel on how to identify and report if their equipment is missing security updates.
• 8: Training personnel on the dangers of connecting to and transmitting enterprise data over insecure networks. This includes training home workers in how to securely configure their home network infrastructure.

Safeguard 14.9 concerns providing role-specific security awareness and skills training for personnel with jobs that give them great access to or power over the network such as system administrators, security personnel, help desk personnel and web developers. This safeguard also partly meets trust service criteria in CC2.1. Specifically, communicating responsibilities with personnel responsible for designing, developing, implementing, operating, maintaining or monitoring system controls.

Ensuring that your organization has an information security and awareness training program in place, and that it at least meets the criteria above, will ensure your organization has a good, basic program in place that is compliant, and that can be built upon as new security problems appear and organizational security requirements change.

One of the very hottest topics in information security recently has been supply chain risk. For the purposes of this paper, I will be discussing a particular type of supply chain risk: cyber supply chain risk. Cyber supply chain risk is defined as a lack of visibility into, understanding of, and control over many of the processes and decisions involved in the development and delivery of cyber products and services. The way to address this risk is through the proper implementation of vendor and third-party service provider risk management.

The most comprehensive and current guidance on this subject can be found in the NIST special publication 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (C-SCRM). In this latest update, NIST has implemented their guidance in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity, resulting in a massive body of guidance that is 315 pages long. Employing this guidance relies on users to examine their own systems and organizations minutely, and to custom-tailor the application of controls to fit their particular needs. This guidance is being constantly updated and users are urged to visit the NIST website to obtain the latest guidance for constructing their supply chain security program.

In the family supply chain risk management, 800-161r1 currently contains 13 sections of supplemental guidance for use in implementing a supply chain risk management program. I will outline vendor risk management strategies below, but I urge you to go through 800-161r1 yourself to get the full picture of supply chain risk management.

• Inventory of service providers.
  • Maintain an up-to-date inventory of all service providers, categorizing them based on the level of access to sensitive data and the criticality of the services provided.
  • Assess the financial stability of vendors to ensure long-term viability and performance stability.
• Due Diligence and risk assessment.
  • Perform initial and periodic risk assessments of service providers, documenting their ability to meet security and performance requirements.
  • Manage vendor concentration risk to prevent over-reliance on a single provider for critical services.
• Contract management.
  • All contracts with service providers should include explicit security requirements, data protection clauses, and the right to audit compliance with the contract terms.
  • Contracts should address the responsibilities for both parties in the case of a breach or data protection incident.
• Oversight and monitoring.
  • Regularly monitor service providers to ensure compliance with security requirements and contractual obligations.
  • Establish a process for reviewing service provider controls and performance, including the right to conduct audits or request third-party certifications of compliance.
• Contingency planning.
  • Require service providers to have adequate business continuity and disaster recovery plans that align with the organization’s own resilience strategies.
• Consumer protection and data privacy.
  • Require service providers to have adequate business continuity and disaster recovery plans that align with the organization’s own resilience strategies.
• Compliance with laws and regulations.
  • Service providers must comply with all relevant laws and regulations.
• Third-party relationship management.
  • Define clear roles and responsibilities for managing third-party relationships, including the process for ongoing due diligence and risk assessment.
• Vendor offboarding.
  • Develop secure and documented processes for vendor offboarding, ensuring the safe return or certified destruction of organizational data, and revocation of system access upon termination of services.
• • Performance metrics and continuous improvement processes should be established to measure the effectiveness of the vendor risk management program.

Undertaking these steps will help ensure that your organization is handling supply chain risk management competently.

Every week I see more news about organizations that have fallen prey to ransomware attacks. It just illustrates the fact the ransomware is a lucrative tool for cybercriminals and is therefore going to be plaguing us for the foreseeable future. To be proactive in protecting your organization from this threat, you should ensure that you are following the latest best practices guidance available. So, in this paper I’m going to summarize the best practices recommendations found in the #StopRansomware Guide published by the CISA.

Ensure you have complete knowledge of all of your IT assets, and that you manage them securely.

• You should maintain comprehensive inventories of all hardware, software, firmware, operating systems and data on your systems.
• You should know where all of these IT assets are located at all times, including data.
• You should know the relative value of these assets to your organization and protect them accordingly. This means conducting business impact analyses.
• You should map trust relationships among systems, and you should also map how data flows into and out of these systems. These maps and diagrams should be comprehensive in scope, well protected and stored in multiple locations and forms.

Ensure that the principle of least privilege is strictly applied across your organization. This means that all users should have access to only those IT assets that are necessary to perform their job functions. Those with high-level access to systems such as system administrators should employ very strong access controls and should be highly monitored.

If you use virtual systems, you should ensure that all hypervisors and associated IT infrastructure, including network and storage components, are updated and hardened to the latest best practices recommendations.

Ensure security settings are enabled and applied in cloud environments. Ensure you understand which security responsibilities are yours and which security responsibilities belong to the service provider.

Ensure you have a firm grip on remote access and remote monitoring and management software used on your systems. These mechanisms must be highly monitored and restricted. Ensure secure configuration of these mechanisms is maintained.

Ensure that your network is properly segmented. Separation should be maintained between operational technology and IT. Business units and IT assets should be placed in network segments according to business need.

Ensure that the usage of PowerShell is restricted to specific users on a case-by-case basis by using Group Policy. Typically, only users or administrators who manage a network or Windows OS are permitted to use PowerShell.

Ensure that domain controllers are properly secured to help prevent the spread of ransomware network wide. Ensure that domain controllers receive prompt security maintenance and are include in vulnerability and penetration testing. Harden controllers to only include a minimum of software or agents needed for business purposes.

Ensure that logging from network devices, local hosts and cloud services is verbose, and that these logs are securely stored.

Establish a security baseline of normal network traffic and tune network appliances to detect anomalous behavior.

Ensure that you are conducting security testing, such as vulnerability and penetration studies, of networks and software applications.

Enable tracking prevention to limit the vectors that ad networks and trackers can use to track user information.

Enable website typo protection to limit the possibility of logging onto spoofed websites or other potentially malicious links that could compromise a browser.

Enable browser-based anti-virus for active scanning while browsing as an added layer of defense.

Block website notifications by default to limit a website’s ability to track user data that can be exploited.

Employing all of these best practices recommendations, and monitoring security and government websites for additions and updates to these best practices, will help your organization prevent ransomware attacks, and will also help you deal with them effectively if they occur.

This is a new world since I first began in the information security business. In the early 1980s, information security had little to do with the vulnerability of the computers themselves – this is before personal computers, Windows-type operating systems and the Internet. Mainframes were a tough nut to crack, and the possibility of compromise was pretty much an internal threat. What information security focused on then was signals and physical security. How to keep your information from being lifted from hard wires, documents and radio signals? The answer was cryptographic techniques and security policies actually developed during WWII and the Cold War. These same methods were then, unfortunately, applied to networked computer systems constructed from personal computer technology and operating systems, across a different medium than those used before: the Internet protocols. This is a recipe for information security disaster! Functionality, not security, was the overwhelming focus of these original protocols and operating systems, and applying security methods after the fact was like applying a Band-Aid to a torn artery.

When hacking and later cyber-crime problems first started appearing in the mid-90s, the business world and the general public didn’t take the problem too seriously at all. Having to use passwords and other simple security measures was viewed as a pain in the keester by almost all of us at that time. But little by little, privacy and security breaches started getting more and more serious and damaging; people began to pay more attention to cybercrime and businesses began to become a little more open to increasing their information security budgets. Network perimeter security controls became stronger, and we started paying more attention to internal security controls. But by this time cybercrime was firmly in the hands of professional, financially and politically motivated cybercriminals. This highly motivated group started finding new and novel ways to overcome or circumvent information security controls, applications and services. Every time new and more restrictive security methods were put in place, some new attack method to overcome the latest and greatest soon followed. This, alas, is where we stand today.

The fight continues, and the good guys are making great strides, both in security methods and in public and business willingness to participate in information security. The CIS Critical Security Controls and all the new AI-driven security applications are examples of this willingness. But I have noticed something disturbing happening here of late. The security measures being employed by businesses are getting so good, that people are starting to trust in their effectiveness too much; complacency is rearing its ugly head! And since the very idea of security began thousands of years ago, complacency has proved itself to be a fatal error. No matter what, you can count on security controls to be overcome one way or another. So far, this has never failed to occur in the history of mankind.

It therefore behooves all of us, especially those of us tasked with the privacy and security of information, to be constantly vigilant and even more forward thinking than the attackers that would steel our information and privacy. It must constantly be kept in mind that the attacker always has an advantage over the defender: the defender must get it right every single time, the attacker only must get it right once.

From the time an information security incident is first suspected at your organization until the end of the last “lessons learned” meeting, good communications are absolutely vital. Communications must rapidly and surely reach all interested parties in the proper order, but at the same time, they must be secure, authorized and only available to those with an immediate need to know. If your organization does not have a well thought out and practiced IR communications plan in place, you will not be able to reach these goals. And that could cost your organization both reputational damage and funds.

To build an IR communications plan, you need to consider all the various individuals and groups that are potentially going to play a part in the incident response. For example, all employees need to know how and who to communicate with if they notice a security problem. Help desk, supervisory and IT personnel also need to know how and who to communicate with if a security problem comes to their attention. And especially, IR team members need to know how, when and who to communicate with, not only among themselves and other members of the organization, but also with outside parties such as law enforcement, regulators and the media.

But the “who,” is only one step in the process. The other steps are the “what,” “how” and “when” to communicate parts of the puzzle. These tasks are easy on an individual basis, but quickly become complex. IR team members should meet and discuss these issues and make sure to document their decisions on how to handle them. Fortunately, the team will not have come up with all of this on their own. There is plenty of advice available on the Internet from private and government organizations that is available to all. I also recommend contacting similar organizations and user groups to see what advice they can give you from their own experiences with handling communications during an incident.

Here is some advice on IR communications that has proven beneficial to the organizations that we have worked with in the past:

• Some one person (usually the head of the IR team) should be in charge of communications during an incident response. This individual should be aware of and approve all important communications during the incident response.
• Ensure that there are multiple means of communication available. Phones, email, Slack channels, web-based communications, etc. can all be utilized.
• Ensure that all communications are secure and only available to their intended audience. A lack of proper secrecy during an incident response can be disastrous.
• Create communications templates of all kinds for use during the incident response, such as communications to be released to the media, to employees, to customers, to service providers, to regulators, etc. Having such templates saves a lot of time and effort among personnel whose attention could be better directed elsewhere. It can also help ensure that mistakes are not made on what is being communicated.
• Practice how communications will be handled during incident response exercises such as table tops. These exercises expose many gaps in IR communications techniques that you don’t want to discover during an actual incident.
• Ensure that all individuals and groups that may be involved in an incident response are made aware of how and who to communicate with during an incident. Documented communications policies and procedures should be included in information security training, policy documents, service agreements, contracts, etc.

Currently, when people think of social engineering attacks, they immediately think of email phishing. This is because for years now email phishing has been the preferred attack method employed by attackers to gain access to user computers and hence into private internal computer networks. But we all should remember that email phishing is only one type of social engineering attack method; there are many. Social engineering can also include such vectors as snail-mail spoofing, removeable media spoofing, SMS spoofing, blackmail, intimidation, in-person impersonation …and phone impersonation, which brings us to the subject of this blog: voice cloning.

Years ago, I wrote a blog about the dangers posed by digital recording of images and sound; about the fact that perfect fake digital recordings could be generated at will given the proper amount of computing power and expertise. How could we then fully trust security cameras and voice recordings to reflect reality? The answer was and is we can’t.

Now, thanks to AI technology, we have convincing fake voices being generated in real time! One little sample of a person’s speech and, like a parrot, the computer is immediately able to impersonate the voice. The implications of this technology are staggering to the world of information security management, especially when one considers the next stage in this technology which is to perfectly replicate both the voice and the moving images of a person in real time.

We haven’t been able to trust that users who sign into a network or service are really who they purport to be since networks began, but now we can’t even trust a phone call from somebody whose voice we know very well. This capability has not escaped the notice of cybercriminals. They are already using voice cloning to convince people to reveal private information or to allow them access to private systems with great success.

So how are we supposed to respond to this new threat? First, I would be sure to make personnel aware of the threat. Include voice cloning in your regular information security and awareness training mechanisms. Put up a warning on your security Slack channel and on posters, and include voice impersonation in your phishing training modules. Develop procedures for addressing the dangers of voice cloning and write them into policy. You can also use AI to battle AI. Employ AI-based software that can monitor audio to identify digital noise, signs of repetition or artifacts that are not present in a live voice. The worst thing you can do is ignore this threat and do nothing, so why not be proactive and get ahead of the threat now?

Policies are simply rules that say “this is the way we are going to do things.” If you want your organization to operate in a unified and coherent manner, you must have policies in place and you must ensure that everyone in the organization knows and complies with those policies that pertain to them. This all sounds obvious and simple, but trying to implement such a system quickly becomes complex and confusing.

In the specific case of information security policy, many organizations that have been in existence for years find themselves in the unenviable position of having to formulate a body of information security policies after the fact. This is a daunting task indeed, and needs to be approached in a logical and systematic manner.

The first step in this process is to assemble an inventory of all the information assets and processes that need to be protected. All critical information, software assets, hardware devices, personnel and service providers need to be included in this inventory. A list of critical business functions that employ these assets also needs to be made. Once these tasks are accomplished, policies need to be formed and documented that address the proper use and management of each of these functions and assets. These policies need to meet the goals of the organization and any laws and regulations that apply to them.

The next step in the process is to formulate and document procedures for implementing the policies of the organization. These procedures should be sufficiently detailed to show untrained personnel to how to perform them. Finally, all of these policies and procedures need to be reviewed and adapted regularly to ensure that they remain adequate to meet the goals of the organization.

As must be readily apparent, the final result is going to be a mountain of documentation that, despite its complexity, must be readily accessible and comprehensible to all that are governed by it. This quandary is where most organizations seem to fail. Many bodies of policy and procedure I have encountered have been hard to navigate, disorganized, redundant and sometimes even self-contradictory. This causes confusion and frustration among users and thus renders the hard work put into the process largely ineffective.

To remedy this as much as possible, organizations should take that extra step and expend the manhours and resources necessary to make their written information security program usable. Policies should be organized into logical categories such as access and identity management, vendor management, security incident response, etc. This allows users to narrow the field when they are looking for specific policies. Polices should also be kept in a central repository under the responsibility of specific individuals or groups within the organization. Policies should be backed up in multiple locations and forms for business continuity purposes. Access to specific parts of the repository should be easy for authorized users, yet should be based on need to know to maintain the security of private information and processes. Policies should be very well indexed and should contain tables of content. In addition, authors of policy should always be searching for ways to remove unnecessary redundancy from policies and to make the language in them unambiguous, direct and terse. Finally, every user should receive training in all the organization policies that apply to them, how to find them and how to apply them. Performing all of these tasks will help ensure that your organizational policies are of actual use and are not just ornaments to be dangled in front of regulators and prospective customers.

Despite all our network security efforts, attackers continue to compromise our private data and systems at an alarming rate. What’s worse, they do this using the same chain of steps. They find some way to get access to the internal network, they find a way to navigate around the network, they elevate their privileges and, voila! They can toy with your data and systems to the level of their expertise and rapaciousness.

The thing is, if we can break any one of these steps, we can most often keep the attackers from reaching their goals. And one of the most useful and available tools out there to help organizations disrupt the chain is multi-factor authentication (MFA). MFA can be very effective in preventing initial access to the network, it can also be very effective in preventing elevation of privileges and, therefore, can help prevent attackers navigating around the network. Because of this, we at MicroSolved plead with all of our customers and readers to employ MFA to the fullest possible extent.

Certainly, users should be required to employ MFA when accessing the network remotely. This is necessary to prevent attackers who have accessed users’ credentials from getting that initial foothold on the network. I personally advocate using MFA for any network or AD access.

The Center for Internet Security (CIS) V8 Security Controls also require employing MFA for all externally-exposed enterprise or third-party applications wherever supported. They also state that enforcing MFA for this purpose can be accomplished safely through the use of a directory service or SSO provider.

CIS V8 controls also require the use of MFA for administrative access. This also needs to be accompanied by requiring that all network administration be accomplished using dedicated administrator accounts. Administrators should use separate access accounts for all other network activities. These controls help tremendously in preventing attackers from elevating their privileges by simply gaining access to a normal user account.

In these dangerous times, all organizations should at least employ MFA as described above. When combined with encryption of sensitive data across your network and backups, these controls pose a formidable obstacle for attackers to overcome.

Over the last 15 years or so, we have greatly improved network security. We started by beefing up network perimeter security, and then moved on to improve internal network security and resistance to malware. So why are the number of network infiltrations and data breaches greater and more damaging than ever? I think the main reason is because cyber-attackers are employing alternate techniques such as phishing attacks to gain their primary entry to networks. And unfortunately, susceptibility to phishing attacks is primarily a human problem, not a technological one.

So, what can we do to fight such an insidious threat? We can make sure that we are doing all we can to turn personnel from our number one security risk into our number one security asset. And to do that, we not only need to make everyone in the organization aware of modern attack techniques, we also need to enlist their aid in detecting and reporting suspected cyber-incidents. Why not employ real, human intelligence to the problem rather than artificial intelligence?

The first stage in this process is to ensure that all your personnel receive comprehensive security awareness training and continuous security reminders. Personnel need training to understand how networks are compromised and what common network attacks look like. They also need to know how to react to suspected security attacks, and who and how to report these issues to. In addition, you need to make sure that your help desk, IT and security personnel are open to these questions and reports and do not look on them as a pain. You should also ensure that your personnel receive continuous updates on the latest attacks and techniques being employed by attackers.

To get your personnel to become security assets, it helps to be innovative in your approach to information security and awareness training. Right now, you are probably employing web-based security training modules to make your personnel aware of security issues, and there is nothing wrong with that. However, going through these modules is not usually viewed as a fun time by most personnel, and retention and buy-in is going to suffer. So why not supplement or replace part of this online training with group security training and/or awareness meetings? For example, you could have quarterly security lunches where your personnel not only receive up-to-date security information, but are provided with a good meal in the bargain. People always react well to events where food is involved!

Another technique that could be used to get personnel on your side in this effort is to provide them with incentives for good security performance. You could reward personnel for catching and reporting security events or for coming up with good suggestions for improving security in your organization. These incentives do not have to be costly either. People react just as well to public praise as they do to monetary incentives. There’s nothing like a good pat on the back! Put their pictures up on the bulletin board or on the website. Other incentives could be a special parking place they get to use for a week, or an afternoon off with pay; anything that might make other employees want to do well and get the same rewards.

Once you have put a good security training and awareness program in place, you need to have techniques in place for judging its effectiveness. One way to do this is to test personnel on their retention of the security issues they have been taught. I personally recommend not performing these tests immediately after the training session. I would quiz personnel on the information after a day or two had passed. This will help you determine how much long-term retention you are liable to get. In addition, you could perform security tests on your personnel, such as phishing tests. You could send personnel suspicious emails messages or could text or call them with suspicious requests. You should track how personnel do on these tests as well. This will help you identify persons that are more susceptible to cyber-attacks and give you the opportunity to provide them with extra training or incentives as needed. Whatever you come up with, remember that in this environment security and awareness training are at least as important as any other security measures you are employing to protect your private systems and information.

In my last installment, I outlined guidance for the first three ransomware initial attack vectors detailed in the MS-ISAC #StopRansomware guide. In this paper I will outline the last three initial attacks vectors found in the guide. The fourth vector they deal with is Precursor Malware Infections.

Researchers have found that ransomware infections are usually preceded by reconnaissance malicious code that lays the groundwork for the full ransomware attack to come. In some cases, ransomware deployment is the last step in a network compromise and is dropped to obscure previous post-compromise activities such as business email compromise. These malicious code packages have been dubbed ‘precursor malware.’ For example, malware such as Qakbot, Bumblebee and Emotet have been employed as precursors to ransomware attacks. Identifying and remediating such precursor malware can alert you to the possibility of an imminent ransomware attack, and can help you prevent the full ransomware attack from actually happening. For this attack vector, the guide recommends:

• Ensuring that antivirus and anti-malware software and signatures are automatically updated. In fact, the authoring organizations go one step further and recommend using a centrally managed antivirus solution.
• Using application allowlisting and/or endpoint detection and response (EDR) solutions on all assets to ensure that only authorized software is executable, and all unauthorized software is blocked. Application allowlisting is deeper than traditional application control solutions and works at the file level to screen against unwanted applications. EDR is cybersecurity technology that monitors and responds to threats on endpoints such as mobile phones, laptops and IoT devices that connect to your network. This is recommended for cloud-based resources.
• Implementing IDS systems. These can be used to detect command and control activity and other potentially malicious network activity that occurs prior to ransomware deployment.
• Monitor indicators of activity and block malware file creation with the Windows Sysmon utility. Sysmon has a file block executable option that can used to block the creation of malicious executables, DLL files, and system files that match specific hash values.

The fifth initial attack vectors listed in the #StopRansomware Guide is advanced forms of social engineering. Advanced forms of social engineering attacks include tactics such as search engine optimization (SEO) poisoning, imposter websites (drive-by downloads) and malvertising (malicious advertising). All of these techniques are used to extract information from users or to provide an avenue for attackers to inject malware into the network. To help counter this threat vector, the guide recommends:

• Ensuring that you have a good cybersecurity awareness training program that schools your employees in how to recognize and report advanced social engineering attempts against your network.
• Employing a protective DNS service. A protective DNS service is any security service that analyzes DNS queries to identify and mitigate threats.
• Implementing sandboxed browsers to help thwart malware that can be introduced through web browsing. Sandboxed browsers isolate the host machine from malicious code.

The sixth initial attack vector listed in the #StopRansomware guide is one that is on everyone’s mind since the MOVEit attacks started: third parties and managed service providers. In the modern business world, organizations are employing ever-increasing numbers of third-party software packages and managed service providers to perform all kinds of tasks for them. To be effective, these services need access to internal network information and devices, and become in effect a part of your internal network. This increases the attack surfaces available to ransomware attackers immensely. To help thwart these kinds of attacks, the guide recommends:

• Examining the risk management and cyber hygiene practices employed by managed service providers (MSPs) to ensure they are in line with best practices and your organization’s security requirements. They also recommend that you formalize security requirements in contract language with these providers.
• Ensuring the use of least privilege and separation of duties when setting up access of third parties. They should only be allowed access to those devices and servers that are within their role or responsibilities.
• Creating service control policies (SCPs) for cloud-based resources to prevent users or roles, organization wide, from being able to access specific services or take specific actions within services such as deleting logs or changing configurations outside of their role.

Implementing the recommendations found in the #StopRansomware guide encompasses the best advice available to date for preventing and mitigating ransomware attacks against your organization, and will help you remain competitive in the markets of today.