Several months ago, MSI was called in for an incident response. The business was under a denial of service (DoS) attack: no internet connectivity, no phone service. They were under attack.
It had started several days earlier, when an employee clicked on a phishing email that asked them to log on to a bank site. It was a very targeted spear-phishing attack. The employee noticed some unusual activity on their computer at the time, but only reported it in hindsight, after the full-blown attack had begun several days later, and not when they first encountered it. On the day of the attack, when the attacker or attackers began to escalate their activity on and through the employee's compromised workstation, the employee had trouble reaching the web site, the same one they had been phished through several days before. The employee contacted the bank site's technical support. While they were on the line with the real tech support, the employee received a call from the attacker impersonating the bank's tech support. The attacker eventually became rude and evasive, and several minutes later a full-blown denial of service attack was launched against the office IP. Bandwidth was exhausted; the office could neither reach nor be reached from the internet.
There were several concerning issues from the experience. The primary concern was to get the office back up and running. However, it was not possible to trace much of the attacker's activity, or the source of the attack, because of the lack of logs: firewall logs and server logs. There were some firewall logs, but they were not set up for permanent storage. The firewall's logs were cleared and reset on every reboot, and there had been several reboots during the day in attempts to troubleshoot and fix the denial of service. Logs that live only in the firewall's memory are not logs for incident-response purposes; they have to be forwarded off the device to a log server with persistent storage before they are needed.
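As an added example (not part of MSI's report or of the original post), here is the kind of minimal off-box collector that would have preserved those firewall logs: it receives RFC 3164 syslog over UDP, parses each line, appends it to a JSON-lines file with an fsync so the record survives a reboot of either box, and answers the first question a responder asks during a DoS, namely which sources are hitting the office hardest. The firewall name fw1, the addresses and the netfilter-style DROP lines below are constructed for illustration. A production deployment would use rsyslog, syslog-ng or a SIEM rather than this script, but the point is the same: the logs must leave the device.

```python
"""Minimal persistent syslog collector for firewall logs.

Added example, not from the original post or from MSI. It assumes the
firewall can forward its log stream as RFC 3164 syslog over UDP, which most
firewalls can; the sample lines and addresses below are constructed.
"""
import json
import os
import re
import socket
import tempfile
from collections import Counter

# RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# key=value pairs as emitted by netfilter-style firewall logs (SRC=, DST=, DPT=...)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines: what the firewall would have forwarded during the DoS.
SAMPLE_LINES = [
    "<14>Mar  4 09:12:01 fw1 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP DPT=443",
    "<14>Mar  4 09:12:01 fw1 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP DPT=443",
    "<14>Mar  4 09:12:02 fw1 kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.10 PROTO=UDP DPT=53",
    "<14>Mar  4 09:12:02 fw1 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP DPT=80",
    "<13>Mar  4 09:12:05 fw1 sshd: accepted password for admin from 203.0.113.40",
]


def parse_syslog(line):
    """Split a syslog line into facility/severity, timestamp, host and message.
    Returns None for malformed lines instead of raising, so one bad packet
    cannot stop the collector."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    rec = {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("msg"),
        # SRC=/DST=/DPT= style fields, pulled out so they are queryable later
        "fields": dict(KV_RE.findall(m.group("msg"))),
    }
    return rec


def persist(rec, path):
    """Append one record as a JSON line and fsync it to disk."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(rec) + "\n")
        fh.flush()
        os.fsync(fh.fileno())


def load(path):
    """Read back every persisted record."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(l) for l in fh if l.strip()]


def ingest_lines(lines, path):
    """Parse and persist a batch of lines; returns the number stored."""
    stored = 0
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None:
            persist(rec, path)
            stored += 1
    return stored


def top_sources(records, n=3):
    """Dropped packets per source address: the question that could not be
    answered in the incident above because the logs were gone."""
    c = Counter(r["fields"]["SRC"] for r in records
                if "SRC" in r["fields"] and r["message"].startswith("kernel: DROP"))
    return c.most_common(n)


def new_log_path():
    """Fresh log file in a temporary directory (for the demo run)."""
    return os.path.join(tempfile.mkdtemp(), "firewall.jsonl")


def run_collector(path, bind=("0.0.0.0", 514)):
    """Blocking UDP syslog listener (port 514 needs root or CAP_NET_BIND_SERVICE)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, _ = sock.recvfrom(8192)
        rec = parse_syslog(data.decode("utf-8", "replace").rstrip("\n"))
        if rec is not None:
            persist(rec, path)


if __name__ == "__main__":
    path = new_log_path()
    print(ingest_lines(SAMPLE_LINES, path), "records stored in", path)
    print(top_sources(load(path)))
```

Run it as-is to see the sample lines parsed and ranked; to use it for real, point the firewall's syslog forwarding at the collector host and call run_collector(new_log_path()) on a machine with persistent storage. The fsync per record is deliberate: during a DoS the collector host may itself be rebooted, and a buffered write is exactly the kind of log that disappears.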
The other concern was that, for the size of the victim business, there was no full-time IT staff. There were up to 150 employees and workstations in the office, and no single employee whose full-time responsibility was network and computer services. There was a capable office manager, helped by an outsourced, temporary, on-demand network services person: a probably very skilled and knowledgeable friend who had another full-time job. The employee had no one in the office to turn to immediately when they encountered something suspicious or had problems with their computer or network access.
After the incident, a full report was delivered with a recommendation for full-time IT staff in the office. Maintenance, updates, upgrades and monitoring of an Active Directory domain, with its associated hardware and software, for an office of that size requires more than a few hours of attention each week. (The victim business was still running a Windows Server 2003 domain controller; Microsoft ended extended support for Server 2003 in July 2015.)
Surveys and research consistently report that security is a priority for most organizations. However, the proof is in the pudding. Prioritizing security within a business includes having an adequate number of staff whose primary responsibility is the company's network and devices. More and more companies are outsourcing their IT staff. Although the technical or grunt work may be outsourced (the author has strong opinions against much of that practice), organizations often forget about policies.
Outsourced IT work is often on demand: the printer is not working, the network is slow or intermittent, a workstation is behaving abnormally, a new user needs to be created or access controls changed, software needs to be installed on workstations, and so on. Most of the time they are there (on site or connected in remotely) only when called.
However, an organization's security policies should include regular updates of firmware and software, and that can mean every few days at most. Attacks are constant and ongoing. Businesses and users are inundated and overwhelmed with attacks, new and old. Thousands of new malware samples are discovered and reported each day; as a result, updates and fixes are released and need to be applied.
A company's security maintenance schedule should include monitoring of network use, management of firewall rules, monitoring of user activity, compliance and audit, backups and log retention, etc.
Phishing is the most common initial method of attack leading to a compromise. Spam and email filters need to be actively monitored and tuned for effectiveness. Users should be reminded regularly through training to stay vigilant, and taught the latest phishing techniques so they can recognize phishing emails.
Even if the IT work is outsourced, the organization needs someone to make the decisions and implement the policies. If an organization is not large enough for a Chief Information Security Officer, then outsourcing to a security expert for guidance on security issues should be an option. Virtual CISO services are increasingly prevalent. An outsourced vCISO can offer time and insight to the organization on an ongoing part-time basis, and such services can be performed remotely.
Regardless of whether there is full-time IT staff or a part-time network person to perform the network services that are needed, or a CISO, full-time or virtual, to set and implement security policies, an organization needs to have its network and devices maintained on a regular basis, updates applied on a regular basis, backups performed and validated, and security policies drafted, implemented and monitored. All of the above is the very least. Making security a priority is not just responding to a survey saying that it is.