Since a large percentage of cyber breaches result from users/people falling victim to an attack, how do we justify the significant technical expenditures?
In simplistic terms, there are three control types that we spend money on—preventive, detective and corrective. Since a control can fail via logical (cyber), physical or personnel breakdown, we need to measure the likelihood of each and then spend money to reduce their potential impact. It's important to layer your controls and not rely on just one. So if we're worried about people falling victim to an attack, we need to train those people to recognize potential attacks, then supplement training with technical controls that stop the incident and detective controls that identify when an issue occurs.
Regarding users being the weakest link, how realistic is a lateral movement to increase privileges when it comes to a domain account with no additional groups other than the users group?
There are two attack patterns to be concerned with.
The first pattern is using another account. Perhaps an attacker has gained network (virtual private network or VPN) access using a standard user account and then switches to another account (maybe a service account with privileged entitlements) that did not have VPN access. Both accounts may have been purchased on the dark web. The service account could also have had a weak password. System administrators often struggle to maintain service accounts because they do not know their purpose.
The second pattern is leveraging a known weakness called pass-the-hash. With this pattern, a user can execute commands by leveraging a trail of hashed credentials left on Windows devices previously logged into by powerful accounts.
Do laws already exist in the U.S. which define repercussions for those using artificial intelligence (AI) to represent themselves as someone else for criminal activities?
No, there is nothing yet. The main challenge for taking legal action against criminal cyber activities is attribution. Identifying who conducted the attack and prosecuting individuals is difficult. In addition, cybercriminals usually attack from different countries, making it harder for the U.S. to prosecute.
Have you seen organizations that often use a hybrid approach of combining the cloud and the classical server-client hardware configuration? This question is very general, but we have some highly sensitive data, and employees are very wary about storing it in the cloud, even though it might be more secure than in-house storage.
Yes, energy and government organizations usually have a hybrid approach to the cloud—the same for some health care organizations. Architecture and a zero-trust model are recommended in these situations.
Does RSM give board-level presentations on cyber security? We generally have outside cyber professionals present, but I think information from a board perspective would be valuable.
RSM’s cybersecurity team often participates in board-level presentations and discussions related to cybersecurity, whether broad presentations on threats and trends within your industry or focused on your specific cybersecurity program. As the role of the board of directors continues to change and more regulatory changes emerge from governing bodies like the Securities and Exchange Commission (SEC), the need for board members to be more educated on cybersecurity and to understand the organization’s cybersecurity program will continue to grow in importance. RSM has also published thought leadership pieces on the role of the board in cybersecurity as well as presented on this topic with the National Association of Corporate Directors.
We are in the process of evaluating hiring a chief information security officer (CISO) or using an outsourced model. Do you have what we should look for in a provider if we decide to outsource this position (a virtual CISO or vCISO)?
The first thing I would look at is the experience of the vCISO team. Does the vCISO operate independently (one or two CISOs) or as a larger team? You can get so much more value from a vCISO team than just one individual. Also, does that vCISO or team have industry-specific experience? That’s a huge value add.
Second, is the vCISO team implementing cyber metrics and KPIs? Michael Dell has a famous quote, “Anything that can be measured can be improved.” So the vCISO team should come up with a set of metrics they want to implement to maintain a strong cyber program year over year—and continuously measure against those metrics.
Another thing you want from a vCISO team is involvement with your team from a growth and career perspective. Ideally, they should mentor and collaborate with your existing team to keep them involved, engaged and learning. The last thing you want to happen is for your internal team not to be engaged and leave.
I heard you guys talk about monitoring your environment, and we have been doing this for a number of years now. But at what point do you reevaluate your provider to ensure you are getting the best product/services for the price?
The answer is straightforward – always.
Frankly, if you’re wondering when to evaluate your provider, that time is already upon you. You base your relationships with outsourcing providers on trust—trust that they are executing in alignment with agreed-upon expectations and providing the value your organization needs to receive out of the relationship. Given these contracts span multiple years, your outsourced provider should be a trusted advisor and viewed as a member of your core security team. Ask yourself, “Am I getting the outcomes I expected out of this relationship?” and “Does my provider understand what we do as an organization?” If the answer is no to either question, it’s definitely time to revisit the relationship.
Also, don’t let switching costs deter you from exiting a bad relationship. That small cost pales compared to the impact of a compromise or breach of your security programs and damage to your organization’s overall reputation and goodwill. If you’re interested in evaluating your current provider, let us know. A member of RSM Defense, the team running our fully managed XDR platform, would welcome the opportunity to help you align expectations with expected outcomes.
Will you talk about the percentage of root-cause attacks, such as social engineering, lack of patching, zero-day vulnerabilities, etc.?
In addition to the RSM US Middle Market Business Index Cybersecurity Special Report, we also publish a specific report on attack vectors that we use throughout the year in our internal and external penetration tests. The attack vectors report has specific percentages of successful attacks. In addition, if you are interested in the cost of a breach and the most common attacks, please see the NetDiligence Cyber Claims Study, which we sponsor.
What is the best approach to integrating a company-level cybersecurity risk process with overall enterprise risk management?
There are several options and approaches for integrating cybersecurity risk processes with overall enterprise risk management (ERM), including the ISO 27000 series and NIST 800-30. RSM has experience using these frameworks and others to align ERM with cybersecurity risks in multiple industries. We use this alignment to create a holistic strategy that allows technology groups to show alignment with business priorities. In addition, resilience frameworks applied to the organization seem to be more effective lately in aligning ERM to cybersecurity risks. The simplest way to immediately align with business priorities would be by using your organization’s business impact analysis to align your cybersecurity program to business-documented priorities. We do this alignment as part of an organizational business continuity plan.