Preventing & Mitigating Ransomware Attacks Part One

In this paper, I will outline best practices for preventing and mitigating ransomware attacks as detailed in the #StopRansomware Guide published by the Multi-State Information Sharing & Analysis Center. In this guide, measures for preventing and mitigating ransomware attacks are grouped according to six initial attack vectors employed by cyber-criminals to worm their way into your network. The first of these attack vectors that the guide addresses is Internet-facing vulnerabilities and misconfigurations. Most organizations should be used to addressing vulnerability and configuration management by now. What is changing is the degree to which organizations need to rigorously discover and address vulnerabilities and misconfigurations in a timely manner. For this attack vector, the guide recommends:

  • Conducting regular vulnerability scanning to identify vulnerabilities on your networks. This is especially true of external, Internet-facing networks (in fact, we recommend employing continuous vulnerability scanning for these). We also strongly recommend that internal and wireless networks should also receive vulnerability scanning. In addition, we recommend penetration testing of your networks to help identify cascading failures and other subtle security flaws that simple vulnerability testing cannot identify.
  • Ensuring that all entities on your networks (operating systems, software/firmware applications and hardware devices) are regularly patched and updated to the latest versions. The guide also recommends prioritizing patching of internet-facing servers that operate software for processing internet data. Organizations should especially use CISA’s Known Exploited Vulnerabilities (KEV) Catalog, available on CISA’s website, to ensure they are addressing the vulnerabilities that are actually being exploited. In addition, the guide recommends that organizations that have trouble keeping up with this process should consider migrating systems to reputable “managed” cloud providers to reduce, not eliminate, system maintenance roles for identity and email systems.
  • Ensuring that all devices (on-premises, cloud services, mobile and personal) are properly configured and that security features are enabled. The guide recommends reducing or eliminating manual deployments and codifying cloud resource configuration through infrastructure as code (IaC). IaC templates should receive security testing prior to deployment. It further recommends routinely checking for configuration drift to identify resources that were changed or introduced outside of template deployment.
  • Limiting the use of RDP and other remote desktop services, and if they must be used, applying best-practice security measures to help ensure they are not misused. The guide also recommends regularly updating VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. MFA should be used for VPN and all remote access.
  • Disabling SMB protocols 1 and 2 and upgrading to version 3 after mitigating existing dependencies (on the part of existing systems or applications) that may break when disabled.
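The patching bullet above combines two priorities: fix what is on the KEV catalogue first, and fix internet-facing hosts before internal ones. The following is an added example (not code from the #StopRansomware Guide or from MSI) that turns those two rules into a patch-ordering routine. The scan findings, hostnames and CVE identifiers (CVE-1900-*) are constructed placeholders, not real catalogue data, and the `cveID` / `vulnerabilities` field names are an assumption about the shape of the catalogue’s JSON feed; a real run would load the downloaded catalogue and your scanner’s export instead.

```python
"""Order scan findings for patching: KEV-listed first, internet-facing first.

Added example, not from the #StopRansomware Guide or MSI. All findings and
CVE ids below are constructed placeholders (CVE-1900-*), not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    internet_facing: bool


# Constructed sample: what a vulnerability scanner might report for three hosts.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-1900-0001", True),
    Finding("web-01", "CVE-1900-0002", True),
    Finding("db-01", "CVE-1900-0001", False),
    Finding("db-01", "CVE-1900-0003", False),
    Finding("vpn-01", "CVE-1900-0004", True),
]

# Constructed sample shaped like the KEV JSON feed (field names are an assumption).
SAMPLE_KEV_JSON = {
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001"},
        {"cveID": "CVE-1900-0004"},
    ]
}


def load_kev_ids(kev_json):
    """Return the set of CVE ids listed in a KEV-feed-shaped dict."""
    return {entry["cveID"] for entry in kev_json.get("vulnerabilities", [])}


def priority(finding, kev_ids):
    """Lower tier = patch sooner.

    0: known exploited and internet-facing
    1: known exploited, internal only
    2: not known exploited, but internet-facing
    3: everything else
    """
    in_kev = finding.cve in kev_ids
    if in_kev and finding.internet_facing:
        return 0
    if in_kev:
        return 1
    if finding.internet_facing:
        return 2
    return 3


def patch_plan(findings, kev_ids):
    """Group (host, cve) pairs by tier, each tier sorted by host then CVE."""
    plan = {0: [], 1: [], 2: [], 3: []}
    for f in sorted(findings, key=lambda f: (priority(f, kev_ids), f.host, f.cve)):
        plan[priority(f, kev_ids)].append((f.host, f.cve))
    return plan


if __name__ == "__main__":
    for tier, items in patch_plan(SAMPLE_FINDINGS, load_kev_ids(SAMPLE_KEV_JSON)).items():
        print(f"tier {tier}: {items}")
```

Tier 0 is the set the guide says to fix first; tiers 2 and 3 are where the regular patch cycle applies. The `internet_facing` flag should come from your own asset inventory rather than from the scanner, since scanners frequently cannot tell an exposed host from an internal one.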

The second initial attack vector listed in the #StopRansomware Guide is compromised credentials. To prevent and mitigate successful attacks from this vector, the guide recommends:

  • Implementing phishing-resistant MFA for all services, particularly for email, VPNs, and accounts that access critical systems. They further recommend employing password-less MFA that replaces passwords with two or more verification factors such as fingerprints or facial recognition.
  • Considering subscribing to credential monitoring services that monitor the dark web for compromised credentials.
  • Implementing identity and access management (IAM) systems.
  • Implementing zero trust access control measures.
  • Changing all default admin user names and passwords.
  • Not using root access accounts for day-to-day operations, and rather creating users, groups and roles to carry out tasks.
  • Ensuring that passwords of at least 15 characters are used. We further recommend using passphrases that are longer and harder to break, but that are easier to remember.
  • Enforcing account lockout policies, and monitoring login attempts for brute force password cracking and password spraying.
  • Storing passwords in a secured database and using strong hashing algorithms.
  • Implementing the Local Administrator Password Solution (LAPS) wherever possible.
  • Protecting against Local Security Authority Subsystem Service (LSASS) credential dumping by implementing attack surface reduction (ASR) rules for LSASS and Credential Guard for Windows 10 and Server 2016.
  • Educating all employees on proper password security in your annual security training.
  • Using Windows PowerShell Remoting, Remote Credential Guard, or RDP with Restricted Admin mode as feasible when establishing a remote connection to avoid direct exposure of credentials.
  • Ensuring that administrators use separate access accounts for administrative duties and simple network access.
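The lockout and monitoring bullet above names two patterns that look different in the logs: a brute-force attack hammers one account from one source and trips the lockout threshold, while password spraying stays under that threshold per account and instead spreads a few guesses across many accounts. The following is an added example (not code from the #StopRansomware Guide or from MSI) that separates the two over a batch of failed-login lines. The log lines are constructed samples in a simple sshd-like format, and the source addresses are taken from the RFC 5737 documentation ranges.

```python
"""Separate brute-force from password-spraying patterns in failed logins.

Added example; not code from the #StopRansomware Guide or from MSI.
SAMPLE_LOG is constructed data: one source hammering "alice", one source
trying six accounts once each, and one user who simply mistyped twice.
"""
import re
from collections import Counter, defaultdict

# Constructed format: "<timestamp> <host> sshd: Failed password for [invalid user] <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

SAMPLE_LOG = """
2024-05-01T10:00:01Z bastion sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:03Z bastion sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:05Z bastion sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:07Z bastion sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:09Z bastion sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:11Z bastion sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:01:00Z bastion sshd: Failed password for alice from 198.51.100.9
2024-05-01T10:01:02Z bastion sshd: Failed password for bob from 198.51.100.9
2024-05-01T10:01:04Z bastion sshd: Failed password for carol from 198.51.100.9
2024-05-01T10:01:06Z bastion sshd: Failed password for dave from 198.51.100.9
2024-05-01T10:01:08Z bastion sshd: Failed password for erin from 198.51.100.9
2024-05-01T10:01:10Z bastion sshd: Failed password for invalid user admin from 198.51.100.9
2024-05-01T10:02:00Z bastion sshd: Failed password for bob from 192.0.2.5
2024-05-01T10:02:30Z bastion sshd: Failed password for bob from 192.0.2.5
""".strip().splitlines()


def parse_failures(lines):
    """Yield (source_ip, account) for each failed-login line; unmatched lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("user")


def detect(lines, lockout_threshold=5, spray_min_accounts=5):
    """Flag (src, user) pairs at or above the lockout threshold as brute force,
    and sources that touch many accounts while staying below it as spraying."""
    failures = Counter(parse_failures(lines))  # (src, user) -> failed attempts
    accounts_by_src = defaultdict(set)
    for src, user in failures:
        accounts_by_src[src].add(user)

    brute_force = sorted(pair for pair, n in failures.items() if n >= lockout_threshold)
    password_spray = sorted(
        src
        for src, users in accounts_by_src.items()
        if len(users) >= spray_min_accounts
        and max(failures[(src, u)] for u in users) < lockout_threshold
    )
    return {"brute_force": brute_force, "password_spray": password_spray}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The important design point is that the spraying check keys on the number of distinct accounts per source, not on attempts per account; a lockout policy alone never sees that pattern because no single account crosses the threshold. Set `lockout_threshold` to the same value as your account lockout policy so the two detections line up with what the directory actually enforces.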

The third initial attack vector listed in the guide is phishing. As all of us know by this point, phishing attacks are one of the most common and successful attack methods employed by cyber-criminals. To prevent and mitigate ransomware attacks using this vector, they recommend:

  • Including guidance on how to identify and report suspicious activity or incidents in regular user security awareness training.
  • Implementing flagging of external emails in email clients.
  • Implementing filters at the email gateway to filter out emails with known malicious indicators.
  • Enabling common attachment filters to restrict file types that commonly contain malware and should not be sent by email.
  • Implementing domain-based message authentication, reporting and conformance (DMARC) policy and verification.
  • Ensuring macro scripts are disabled for Microsoft Office files transmitted via email.
  • Disabling Windows Script Host (WSH).
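The DMARC bullet above says to implement the policy, but a published record only blocks spoofed mail if its tags actually enforce: a record with p=none, a partial pct, or sp=none on subdomains still delivers forged mail. The following is an added example (not code from the #StopRansomware Guide or from MSI) that parses a DMARC TXT record and reports those gaps. The record strings are constructed samples for the reserved domain example.com; a live check would first fetch the TXT record at _dmarc.<your domain>, which this offline example does not do.

```python
"""Check whether a DMARC TXT record enforces a policy or merely monitors.

Added example; not code from the #StopRansomware Guide or from MSI.
Records below are constructed samples for example.com.
"""
VALID_POLICIES = {"none", "quarantine", "reject"}
ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return policy, effective pct, an enforcing flag and a list of findings."""
    result = {"policy": None, "pct": None, "enforcing": False, "findings": []}
    findings = result["findings"]

    # RFC 7489 requires the version tag first; anything else is not a DMARC record.
    if record.split(";", 1)[0].strip().lower().replace(" ", "") != "v=dmarc1":
        findings.append("record does not start with v=DMARC1")
        return result

    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("missing or invalid p= tag")
        policy = None
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        findings.append("pct= is not an integer")
        pct = 0
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")

    sub_policy = tags.get("sp", policy or "").lower()  # sp defaults to p
    if policy in ENFORCING and sub_policy == "none":
        findings.append("sp=none leaves subdomains unprotected")

    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not collected")

    result.update(
        policy=policy,
        pct=pct,
        enforcing=policy in ENFORCING and pct == 100 and sub_policy != "none",
    )
    return result


if __name__ == "__main__":
    for rec in (
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    ):
        print(rec, "->", evaluate_dmarc(rec))
```

The usual rollout is to publish p=none with an rua address first, review the aggregate reports until every legitimate sender passes SPF or DKIM alignment, then move to p=quarantine and finally p=reject; this check is meant to confirm you reached the last step rather than stalling at the first.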

These are only the first three of the six initial attack vectors included in the guide. In my next paper I will outline the last three vectors, which include precursor malware infections, advanced forms of social engineering, and one of the most fearsome attack vectors currently plaguing us all: third parties and managed service providers.

Ensure Your Organization is Prepared for Ransomware Attacks

In this paper I will outline the steps recommended in the recently updated MS-ISAC #StopRansomware Guide for preparing your organization for preventing ransomware attacks. Being well prepared for ransomware attacks is not only common sense for the organization, it may deter cyber criminals from even attempting their attacks. Cyber criminals universally look for and attack those organizations that have the weakest information security programs.

In general, the first step in preparing for ransomware attacks is ensuring that you have a well-rounded and effective information security program in place. Specific to ransomware, you should ensure that your incident response plan has specific policies and processes in place that address ransomware attacks. It is also important to ensure that your incident response plan includes communication plans and templates. The incident response team should reach a consensus on what level of detail about the incident is appropriate to share with staff, regulators, law enforcement and the public, and how this information should flow. After conducting numerous incident response table-top exercises with organizations of all types, we at MSI have found that if the response team does not have communications planned in detail in advance, their incident response will be chaotic. Other plan preparation guidance found in the #StopRansomware Guide includes:

  • Ensuring that your data breach notification procedures adhere to applicable state laws. If you are unsure about your state notification laws, see: https://www.ncsl.org/technology-and-communication/security-breach-notification-laws
  • If your organization has electronic health information on the network, you may also need to notify the FTC (see: https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule) or HHS (see: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html). In addition to the above guidance, I would recommend that your organization should include any other regulatory or law enforcement agency that should be notified in your written incident response plans.
  • For any personally identifiable information that may be breached, you should be prepared to notify the individuals or businesses impacted about the type of information exposed, recommended remediation actions and relevant contact information.
  • You should ensure the incident response plan, including communications plans, are reviewed and approved by the CEO in writing, and that these plans are reviewed and understood across the chain of command. Your organization should also regularly review the latest ransomware incident response guidance available online to help ensure that you remain current.
  • Ensure that hard copies of the incident response plan are maintained, and that an offline version is also available.

Operational preparation guidance found in the #StopRansomware Guide includes:

  • Ensure that you maintain and test multiple encrypted backups of critical information, including offline backups.
  • Ensure that you maintain and regularly update “golden images” of critical systems. This should include image templates that have a preconfigured operating system and associated software applications that can be quickly deployed to rebuild a system such as a virtual machine or server.
  • Use infrastructure as code (IaC) to deploy and update cloud resources and keep backups of template files offline to quickly redeploy resources. IaC code should be version controlled and changes to the templates should be audited.
  • Store applicable source code or executables with offline backups.
  • Retain backup hardware to rebuild systems if rebuilding the primary system is not preferred.
  • Your organization should also consider using a multi-cloud solution to avoid vendor lock-in for cloud-to-cloud backups in case all accounts under the same vendor are impacted.

As a final preparatory step, your organization should implement a zero trust architecture for your network (see https://www.cisa.gov/zero-trust-maturity-model). Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least-privilege, per-request access decisions in information systems and services in the face of a network viewed as compromised. The goal is to prevent unauthorized access to data and services and make access control enforcement as granular as possible.

Implementing these processes and controls on your network will bring you up to date with current best practices for preparing your organization for dealing with ransomware attacks. In my next blog, I will outline the measures found in the #StopRansomware Guide for preventing and mitigating ransomware incidents.

CISA MS-ISAC Ransomware Guide Updated for 2023

Ransomware is the leading information security threat that has emerged in recent years, and it’s only getting worse! In the first six months of this year, 1,393 organizations have issued data breach notifications. If this keeps up, and there’s no reason to think it won’t, 2023 will beat the record set in 2021 of 1,862 data breaches reported. Ransomware is a big part of this sad total.

Back in 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released their first Ransomware Guide to try to help organizations respond effectively to this threat. In the last three years, however, ransomware has evolved greatly. Because of this, they have released an updated ransomware guide now titled #StopRansomware Guide. This guide was developed through the U.S. Joint Ransomware Task Force (JRTF), which is co-chaired by CISA and the FBI. The new title was instituted to incorporate the #StopRansomware effort into the title. (#StopRansomware is a one-stop hub for ransomware resources for individuals, businesses and other organizations. The new #StopRansomware.gov website is a collaborative effort across the federal government and is the first joint website created to help private and public organizations mitigate their ransomware risk. It contains all the latest ransomware information and advisories produced by federal authorities.)

The #StopRansomware Guide has two parts: part 1 concerns ransomware and data extortion prevention best practices, and part 2 is a ransomware and data extortion response checklist. The two parts represent current best practices and recommendations based on operational insight from CISA, MS-ISAC, the National Security Agency (NSA), and the FBI (these are known as the authoring organizations). The changes made from the old guide to this current version include:

  • Added FBI and NSA as co-authors based on their contributions and operational insight.
  • Incorporated the #StopRansomware effort into the title.
  • Added recommendations for preventing common initial infection vectors, including compromised credentials and advanced forms of social engineering.
  • Updated recommendations to address cloud backups and zero trust architecture (ZTA).
  • Expanded the ransomware response checklist with threat hunting tips for detection and analysis.
  • Mapped recommendations to CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).

In my next series of blogs, I will go into detail about the latest best practices recommendations for ransomware prevention and response that are contained in the new #StopRansomware Guide. To get started, here are the initial steps that the guide recommends that all organizations undertake to prepare and protect their facilities, personnel, and customers from cyber and physical security threats and other hazards:

  • Join a sector-based information sharing and analysis center (ISAC), where eligible, such as:
    • MS-ISAC for U.S. State, Local, Tribal, & Territorial (SLTT) Government Entities – learn.cisecurity.org/ms-isac-registration. MS-ISAC membership is open to representatives from all 50 states, the District of Columbia, U.S. Territories, local and tribal governments, public K-12 education entities, public institutions of higher education, authorities, and any other non-federal public entity in the United States.
    • Elections Infrastructure Information Sharing & Analysis Center (EI-ISAC) for U.S. Elections Organizations – learn.cisecurity.org/ei-isac-registration. (See the National Council of ISACs for more information).
  • Contact CISA at CISA.JCDC@cisa.dhs.gov to collaborate on information sharing, best practices, assessments, exercises, and more.
  • Contact your local FBI field office for a list of points of contact (POCs) in the event of a cyber incident.

Remember, ransomware groups such as CLOP are ruthless, talented and waiting to pounce on any organization, government or private sector, that they are able to compromise. Get started today on educating your personnel and preparing to resist and respond to ransomware attacks.

Maintaining a Well Developed Infosec Program? Piece of cake!

When you mention building a good information security program to most business employees, especially developing and maintaining written information security policies, you’ll see most of them cringe and get that far away look in their eyes. I can understand that completely! Developing and implementing a modern infosec program is a long and often difficult process. You have to go through assessments to ascertain the level of your current infosec program, you have to determine what level of infosec program you need to finally attain and you have to plan exactly how you are going to achieve your information security goals. For most even smallish to medium-size organizations, this can take three years or more. It can make you tired just thinking about it!

However, the unexpected good news about the whole thing is that, once the program is in place, it’s a piece of cake to maintain it! All that is needed is regular reviews and updates of the program particulars to ensure they remain current and effective. On top of that, having a good infosec program in place and well maintained can help you keep your current customers and entice new customers to utilize your services. This is especially true in the modern business environment which is plagued with oodles of very competent cyber-criminals and adversarial nation states who employ everything from malware and zero days to clever attack strategies and mechanisms such as social engineering techniques to steal your money and ruin your business reputation. Let’s face it, if your organization provides or uses business services in the age of supply chain attacks, you truly need to be able to demonstrate information security competency just to keep your head above water.

So how do you begin the process of developing your infosec program? There are so many steps in the process that it is natural to feel overwhelmed by the scope of the whole thing. Luckily, there is a fine mechanism out there to help you get off to a good start in implementing your program: the Center for Internet Security (CIS) Critical Security Controls assessment. In this assessment, you first consult with the assessor to discuss the particular business and the information security goals you need to achieve to provide strong security. In the next stage of the process, the assessor meets with pertinent staff (usually by teleconference) to ascertain what CIS security controls you currently have in place and what level of maturity they are at. This usually is done in two or three meetings. The assessor then analyzes the results of the assessment and provides your organization with roadmaps for closing the control gaps found during the assessment and meeting the control goals of the organization. This roadmap is typically split into several phases. With a typical three-year overall timeframe for achieving aspirational goals, these phases will include immediate goals (3-6 months), short-term goals (6-12 months), intermediate goals (13-24 months) and long-term goals (25-36 months). These roadmaps are quite detailed. They list the recommended controls to be implemented during each time period. They also list the estimated technical complexity, political complexity and financial cost of implementing each control, each rated as high, medium or low. Other implementation guidance is also listed for each control as necessary. As you can see, with this process and these roadmaps in place, your organization will have a good start on implementing the program and will quickly lose that feeling of being overwhelmed.

Processes and Benefits of Conducting a CIS Controls Assessment

In my last paper I went over the reasons why conducting a Center for Internet Security (CIS) controls assessment is a good way to build a roadmap for establishing a solid information security program at your organization. This week I’m going to discuss how a CIS controls assessment is conducted, the control categories that make up the current CIS Critical Security Controls (version 8) and the results that you can expect to get from the assessment.

The first step in conducting a CIS controls assessment is determining which CIS implementation group (IG1, IG2 or IG3) your organization should aspire to achieve. For simple organizations that do not have a complex network, and that do not hold sensitive private or regulated data, IG1 may be appropriate. However, for most commercial businesses, implementation groups IG2 and IG3 are recommended. These higher levels of controls offer higher safeguards for private/regulated data and help the organization resist focused cyber-attacks such as ransomware. At this time, the organization also determines the amount of time they wish to allow for reaching their aspirational security goals. This can vary from one organization to the next, but a typical time frame for full implementation is three years.

The next step in the process involves interviewing knowledgeable persons in the organization in order to compare the CIS V8 controls to your current information security measures. The interviewer will question your personnel about each security control and rate your organization’s compliance as:

  • Steady-state operational: these are controls that are already being used by the organization and that are included in written policies and procedures. To assure that these controls are in place, the assessor will ask for proofs such as screen shots or records.
  • Ad-hoc: these are controls that the organization does employ at least somewhat, but that are not documented or applied systematically.
  • Non-existent: these, obviously, are controls that the organization does not employ at all.
  • Non-applicable: these are controls that are recommended by the standard, but do not apply to the technology stack or processes that are in use in the organization.

This interview process will probably take 2 or more sessions to complete as there are currently 18 control categories in version 8 of the controls. These include:

  1. Inventory and control of enterprise assets
  2. Inventory and control of software assets
  3. Data protection
  4. Secure configuration of enterprise assets and software
  5. Account management
  6. Access control management
  7. Continuous vulnerability management
  8. Audit log management
  9. Email and web browser protections
  10. Malware defenses
  11. Data recovery
  12. Network infrastructure management
  13. Network monitoring and defense
  14. Security awareness and skills training
  15. Service provider management
  16. Application software security
  17. Incident response management
  18. Penetration testing

In the next step of the process, the assessors will perform written gap analyses of both the baseline security controls (IG1) and the aspirational security controls (IG2 & IG3). These gap analyses will detail percentages of controls that are compliant, ad-hoc, non-existent and NA, and detail the levels of risk that these gaps pose to the organization.

Finally, the assessors will document a detailed roadmap for closing the gaps found during the assessment and meeting the control goals of the organization. This roadmap is typically split into several phases. With a three-year overall timeframe for achieving aspirational goals, these phases will include immediate goals (3-6 months), short-term goals (6-12 months), intermediate goals (13-24 months) and long-term goals (25-36 months).

These roadmaps are quite detailed. They list the recommended controls to be implemented during each time period. They also list the estimated technical complexity, political complexity and financial cost of implementing each control rated as high, medium or low. Other implementation guidance is also listed for each control as necessary.

As can be seen from this overview, conducting a CIS security controls assessment will provide your organization with a clear understanding of where you are now, where you need to be in the future and what you need to do to reach your security goals. This will bring an end to much of the confusion and frustration entailed in implementing an information security program. It will also give your organization the comfort of knowing that you are working with cutting edge information security controls that give you the most bang for your buck!

Need an Information Security Program? A CIS Controls Assessment is a Good Way to Start!

No matter what size business or organization you have, in today’s world, the ever-increasing cyber-menace we face affects all of us. To keep our heads above water, all concerns need to have at least a basic documented and monitored information security program in place. For small and medium concerns, how to accomplish this necessary task without breaking the bank can be a truly frustrating and confusing task to undertake.

For one thing, your concern has different information security needs depending on what type of organization you have. Is your network simple or complex? Do you hold or process regulated data such as personal private information, personal health information or financial information? Could compromise of your organization provide a portal for cyber-attackers to gain access to other organizations?

Another point of confusion is provided by the disparate security service organizations, security devices and security applications that are available. How do you know which of these you may need, and how do you pick between the varying offerings? What is the learning curve involved, and will you need extra personnel to handle the increased load? These are all questions that can be very difficult to get a handle on let alone answer decisively.

To help cut the confusion and avoid unnecessary frustration, it seems to me what is needed is a clear path to follow to your security goal. That means finding out where you are now, constructing a roadmap of what needs accomplishing and building a timeline for reaching each step in the process. This is where a Center for Internet Security (CIS) Critical Security Controls assessment comes into play.

The CIS was formed in 2000 with the goal of “making the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.” To accomplish this goal, they publish a list of the most effective security controls available, which are arrived at through a consensus decision-making process of the cybersecurity community. These controls are constantly under scrutiny and are updated regularly. Currently, the CIS Security Controls are in version 8. In this version there are 18 safeguard categories, each with a varying number of individual information security controls to be implemented. These controls are further divided into three implementation groups (IG1, IG2 and IG3).

IG1 controls are those that provide “the basic cyber security hygiene that all organizations, regardless of size, complexity, and regulatory requirements should meet to resist basic attacks and breaches.”

IG2 controls are those at “the maturity level which is designed for distributed organizations with multiple sites, networks, and complex data structures but without regulatory concerns and a significant amount of sensitive data to protect…”

IG3 controls are at “the highest level of maturity, designed for complex environments with access to significant amounts of sensitive data who need to resist focused, well-resourced attacks.”

There are two basic factors that make this type of information security controls paradigm most suitable for roadmapping the security needs of disparate organizations. The first factor is the effectiveness of the controls, especially when employed as a group. These are the controls that do the job and give your organization the most bang for your buck. The second factor is the granularity of the controls. The three implementation groups allow your concern to plan and implement your information security program in easy bites over a reasonable period of time.

In addition, knowing what you need to accomplish over a period of time allows your organization to choose how you want to implement your program with the end game in sight. This allows you to choose security service providers, devices and applications wisely, avoiding unnecessary duplication and waste of resources. The fewer of these types of security assets you have, the easier they are to update and protect. This is in addition to the money savings you will incur.

In my next blog, I will describe what a CIS controls assessment entails and the different control categories that are included.

Vendor Risk Assessment for Small and Medium Concerns

In my last paper I discussed the high level of risk that third-party service providers and vendors pose to organizations. If vendors have a connection to your internal network, or are trusted implicitly by organizational staff, they are a potential risk to private information and services at your business. Because of this danger, it is becoming increasingly important to conduct vendor risk assessments. In addition, vendor risk assessments will produce information valuable to increasing the accuracy of the organization’s business impact analysis. For small to medium size businesses, the goal is producing a useful vendor risk assessment without expending inordinate amounts of time and resources. I will outline below the basic methodology for conducting such a risk assessment.

The first step is formulating questionnaires for both internal employees and for the services providers being assessed. For the internal questionnaires, it is best to question application/vendor owners and subject matter experts. It is also valuable to have the input of IT and security personnel. Some of the information you may want to gain from this effort includes:

  • What data and systems does the vendor have access to? How critical to the business are these systems and data? Is the data regulated or sensitive (e.g. PPI, PHI)?
  • How does the vendor access these assets (e.g. via VPN, 2FA, simple user name/password)? Is access automatic or must it be enabled before access is granted? Is vendor access logged and monitored? Is there a shared access account used to communicate with the vendor, or is access individual to the employee?
  • How critical is the availability of this vendor to business processes? Is the vendor really necessary? (Are there other vendors used by the organization that provide similar services to other lines of business, and is it possible to replace a number of vendors with just one?)
  • Has a review of vendor contracts and agreements been performed to see if they meet the organization’s security policy and functional requirements?
  • Are there periodic reviews of the vendor performed to check on their status in the industry (i.e. financial status, reputation)?

For the external questionnaires, the goal is to gain information about and from the vendor. This information can be gleaned from publicly available sources, user groups, the Better Business Bureau, or you can contact the vendor itself. Some of the information you may wish to collect includes:

  • Does the vendor have a SOC 2, PCI DSS, ISO certification in place, or is there other evidence of a risk management program in place?
  • Does the vendor support multi-factor authentication mechanisms such as hard tokens, Okta, etc.?
  • Is the vendor financially sound?
  • Does the vendor have a good reputation in the industry and among users of the vendor service or application?
  • Does the vendor have a documented information security program in place that is compliant with the organization security program? Does the vendor perform logging and monitoring of their systems? Do they have an incident response program in place? Etc.
  • Does the vendor have a history of security compromises or data breaches?

Once you have the information about the vendors you need, you can apply the regular risk assessment paradigm to them; what threats may menace the vendor, what impacts would the business suffer if the vendor were compromised, how likely is compromise of the vendor? From this you assign the vendor a risk rating, usually stated as high, medium or low.

After the risk ratings have been assigned to all of the organization’s vendors, the risk treatment process can be undertaken. For example:

  • Should additional security controls be put in place around the vendor?
  • Should a replacement be found for the vendor?
  • Is there a way to avoid the risk posed by the vendor to the organization?
  • Does the benefit derived from using the vendor outweigh the risk posed to the organization by the vendor?
  • Can agreements with the vendor be renegotiated in order to meet the organization’s security and functionality needs?

Although this process is relatively simple, the organization can derive great benefit from undertaking it. In the present business climate, information security cannot be taken too seriously.

Don’t Trust Third Party Apps and Services to Provide Perfect Security

We all are a little overwhelmed by the complexity and difficulty of securing our private information against attackers such as cybercriminals and nefarious nation states. It seems that attacks come at us from all sides on a regular basis. One way we cope with this is to outsource our cybersecurity needs to third-party organizations that have staff who perform such services as network monitoring or security patching for a number of client organizations. Another way is to employ third-party security applications that provide such services as email security and data loss protection. We trade our money for their time and expertise.

And there is nothing wrong with that in a lot of ways. The people that form and work for these organizations are able to concentrate their efforts on specific aspects of information security, and often have a great depth of understanding of their particular subjects. Using them or their applications certainly will save you time and can also save you money. However, it is ironic that the very act of allowing such organizations and applications to connect to your networks is a great risk to your private information and systems in and of itself. So, in a way, by trying to simplify your risk management problems, you are actually increasing the attack surface available to cybercriminals, thereby making your cybersecurity problems even more complex and unwieldy.

A big problem is that, despite our best efforts, risk can never be totally eradicated; risk can only be lessened. This is the result of Order and Chaos and the very nature of reality. So even when a cyber-service provider is conscientious and diligent in their security efforts, they can still be compromised. And when they are, there is a good chance that their clients will be compromised as well. Unfortunately, no matter who was responsible for the compromise, you or your organization have the ultimate responsibility for the security of your own information or assets. This creates a no-win situation; you lose, your customers lose, and the service provider loses.

A current example of this is the LastPass hack that occurred sometime in August according to the company. Although details are sketchy, the latest information shows that the breach was massive and exposed encrypted password vaults as well as other user data. The company announced that hackers were able to copy a backup of customer vault data from the encrypted storage container. This means that these hackers have had months to try to guess the master passwords for these vaults. With time, cracking these passwords becomes more and more likely. This creates a huge hassle for clients who now have to change all their passwords and ensure that two-factor authentication is enabled wherever possible. It also has created a huge reputational hit for LastPass. Many information security professionals are even recommending that their clients dump LastPass.

So, what can we do to protect ourselves from the dangers of service provider compromise? The answer is that there is no perfect solution. The best thing we can do is be constantly aware of the situation and put no trust in our hope that the service providers we employ will not be compromised. We need to examine each service provider we use and ask ourselves if we really need the app or service. If we can get by without it, then dump that provider. The fewer service providers we have, the smaller the attack surface we present to the outside world. We also need to do risk assessment of our current and prospective service providers to see how competent and stable they are, and to determine the impact we would experience if compromise did occur. In addition, we need to develop incident response procedures to help us minimize negative impacts that we can foresee, and practice our responses so that we are quick and competent if the incident occurs. Forewarned is forearmed!

Data Protection Becoming More Important All the Time

Data is the mountain of unorganized fact that inhabits our computer systems and networks. It is analogous to unrefined ore in mining: we mine ore and then process it until we end up with useful metals. Similarly, we mine our computer networks for raw data and process it until we end up with useful information.

It is amazing what information we can glean from seemingly innocent and unrelated facts! People can combine bits of data and deduce who we are, where we live, how we shop, how many kids we have and a plethora of other information that we don’t really want to be common knowledge. This is true not only on the personal level, but on the business and government levels as well. Hence the rise of laws like GDPR, the California Consumer Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act and the Colorado Privacy Act. We can expect more privacy and data protection laws from more states and countries in the future. To address these problems, it is very important for organizations to develop and maintain a data management policy and the processes necessary to carry it out.

Among the most important of these processes is data inventorying. A data inventory (or data map) should fully describe each data asset and should include such information as the data’s name, contents, ownership, classification (sensitivity level), retention factors, origin, and other considerations that are important to the organization. Setting up such an inventory may be a daunting task, but once in place, it will greatly simplify complying with regulatory requirements and other data management tasks. Along with data inventorying, it is recommended that data flows be tracked. Knowing what data you have and where and how it flows across the network is vital to protecting it.

Another important consideration in data protection is ensuring access to specific data is limited to only those individuals with a legitimate need for that access. This is where access control lists come into play. Access control lists should be strictly maintained and reviewed regularly. It is important to adjust these lists immediately when individuals change jobs within the organization, quit or are terminated. It is also highly desirable to employ strong access controls such as MFA to ensure that the person who is accessing protected data is indeed the person they claim to be.
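The access review described above, as an added example that is not from the paper or the #StopRansomware Guide it summarizes: a small Go program that reconciles an access control list against the HR roster and the data inventory from the previous paragraph, flagging grants held by people who have left, grants for assets nobody inventoried, and grants to departments with no need-to-know for that classification. The roster, inventory and ACL entries are constructed sample data; the `NeedToKnow` field and the reason strings are assumptions for the demo, not terms from the guide.

```go
package main

import "fmt"

// Employee is one row of the HR roster. Constructed sample data; a real review
// would pull this from the HR system of record.
type Employee struct {
	Department string
	Active     bool // false once the person has quit or been terminated
}

// Asset is one entry of the data inventory (the asset name is the map key):
// its classification and the departments with a legitimate need to access it.
type Asset struct {
	Classification string
	NeedToKnow     []string
}

// ACLEntry is one grant: Principal may access Asset.
type ACLEntry struct {
	Principal string
	Asset     string
}

// Finding is a grant that the review says should be revoked or re-justified.
type Finding struct {
	Principal, Asset, Reason string
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// ReviewACL checks every grant against the roster and the inventory. Grants to
// leavers, to unknown principals, to unknown assets, or across departments with
// no need-to-know are reported in ACL order.
func ReviewACL(roster map[string]Employee, inventory map[string]Asset, acl []ACLEntry) []Finding {
	var findings []Finding
	for _, g := range acl {
		emp, onRoster := roster[g.Principal]
		asset, inInventory := inventory[g.Asset]
		reason := ""
		switch {
		case !inInventory:
			reason = "asset not in data inventory"
		case !onRoster:
			reason = "principal not on HR roster"
		case !emp.Active:
			reason = "principal has left the organization"
		case !contains(asset.NeedToKnow, emp.Department):
			reason = fmt.Sprintf("department %q has no need-to-know for %s data",
				emp.Department, asset.Classification)
		}
		if reason != "" {
			findings = append(findings, Finding{g.Principal, g.Asset, reason})
		}
	}
	return findings
}

// sampleData returns a constructed roster, inventory and ACL for the demo.
func sampleData() (map[string]Employee, map[string]Asset, []ACLEntry) {
	roster := map[string]Employee{
		"alice": {"Finance", true},
		"bob":   {"Finance", false}, // terminated last week
		"carol": {"Marketing", true},
		"dave":  {"Finance", true}, // moved from Marketing to Finance
	}
	inventory := map[string]Asset{
		"payroll-db":   {"Restricted", []string{"Finance", "HR"}},
		"customer-crm": {"Confidential", []string{"Sales", "Marketing"}},
	}
	acl := []ACLEntry{
		{"alice", "payroll-db"},   // legitimate
		{"bob", "payroll-db"},     // leaver: revoke
		{"carol", "payroll-db"},   // Marketing has no need for payroll data
		{"dave", "customer-crm"},  // stale grant from dave's old role
		{"erin", "customer-crm"},  // account never put on the roster
		{"alice", "legacy-share"}, // asset nobody inventoried
	}
	return roster, inventory, acl
}

func main() {
	for _, f := range ReviewACL(sampleData()) {
		fmt.Printf("%-6s %-13s %s\n", f.Principal, f.Asset, f.Reason)
	}
}
```

Running it on the sample data yields five findings out of six grants; only alice’s access to the payroll database survives. The ordering of the checks matters: an asset missing from the inventory is reported before anything else, because no need-to-know decision can be made about data that has not been classified.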

Another way to protect data is through the use of encryption. Encryption is highly effective in protecting data if it is implemented correctly. Data should be encrypted when at rest and when it is being transmitted across networks. This is especially important in keeping ransomware attacks from becoming devastating. Even if attackers gain access to private data on your system, encryption means they cannot actually read it without the keys. This limits their attack to availability only, and eliminates compromise of confidentiality, which can save the organization from regulatory and legal penalties. Strong encryption algorithms should be employed, along with a usable and secure key management system. Encryption keys should be among the most highly protected data assets you have, and ideally should be air-gapped from the rest of the network.

Data backups should be made regularly depending on business requirements of the organization. Backups should be stored in more than one location and should be protected as diligently as information on your production network. Backups of sensitive data should be encrypted and tested on a regular basis.

In addition, access to, modification of, and disposal of sensitive data should be logged and monitored. This should include access to encryption keys and to the security logs themselves. Protecting and managing data is not easy, but it will provide your organization with a bounty of advantages that could help your reputation and save you time and money in the long run.

About the Cyber Incident Reporting for Critical Infrastructure Act of 2022

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was adopted in March of 2022 and is an outgrowth of the National Infrastructure Protection Plan (NIPP) that has been around since 2013. What this means to organizations that are covered critical infrastructure entities is that they will be required to report cyber incidents and ransomware attacks to the Cybersecurity and Infrastructure Security Agency (CISA) in a very short time frame. Specifically, these organizations must:

  • Report any “covered cyber incident” to CISA within 72 hours of determining that the incident has occurred
  • Report the making of a ransomware payment to CISA within 24 hours
  • Provide CISA with supplemental information when substantial or new information regarding the incident becomes available to the entity

A question that immediately occurs to one upon reading these requirements is, what is a “covered cyber incident” under CIRCIA? A covered cyber incident under this law must meet one or more of the following criteria. A covered cyber incident causes or creates:

  • “Substantial loss of confidentiality, integrity, or availability” in information systems or “serious impact on the safety and resiliency” of operations
  • “Disruption of business or industrial operations,” including service denials, ransomware attacks, or exploitation of “zero-day vulnerabilities”
  • “Unauthorized access or disruption of business or industrial operations” from the loss of services facilitated through or caused by a third-party data hosting provider or supplier

What business sectors are considered critical infrastructure in the U.S.? Critical infrastructure includes the following 16 sectors:

  1. The Chemical sector
  2. The Commercial Facilities sector
  3. The Communications sector
  4. The Critical Manufacturing sector
  5. The Dams sector
  6. The Defense Industrial Base sector
  7. The Emergency Services sector
  8. The Energy sector
  9. The Financial Services sector
  10. The Food and Agriculture sector
  11. The Government Facilities sector
  12. The Healthcare and Public Health sector
  13. The Information Technology sector
  14. The Nuclear Reactors, Materials and Waste sector
  15. The Transportation Systems sector
  16. The Water and Wastewater Systems sector

So, how are you to know if your organization is included under this new law? That is being determined now by CISA. To define a covered entity under the law, they are considering three factors:

  1. The consequences that a particular cyber incident might have on national or economic security, public health and safety
  2. The likelihood that the entity could be targeted for attack
  3. The extent to which an incident is likely to disrupt the reliable operation of critical infrastructure

These criteria cover not only critical infrastructure organizations, but also organizations that support the security and resiliency of critical infrastructure.

Luckily, organizations in this sector will have some time to get ready for these new requirements. The deadline for the publication of the Notice of Proposed Rulemaking is not until March 15, 2024, and the deadline for issuance of the Final Rule is slated for September 15, 2025. My advice is to take advantage of this time and prepare!