Thursday, March 3, 2022 - “Cyber security is really a team sport,” said Gregory Lemmon, Infrastructure and Cloud Solutions Architect, at the BVI Finance Breakfast Forum.
The forum was held on February 24 and was session three of the ISSA BVI and BVI Finance cyber security series, where a founding member of the Information Systems Security Association (ISSA) BVI teamed up with fellow ISSA member and Financial Services Business Executive Jennifer Potter to co-host.
During the presentation, Mr. Lemmon explained that the team approach is integral in combating cyber-attacks, which can cause data leakage, breaches or customer data exposure, and which can further result in regulatory investigation and fines, along with loss of customer confidence and business.
Ms. Potter iterated, “Cyber risk is not an IT role or discipline. Information is as valuable as currency to an organization, and it ought to be treated that way.”
The duo then gave an overview of cyber-attacks, specifically outlining the Lockheed Martin cyber kill chain model, which is a seven-phase attack methodology. These phases include Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.
With each phase discussed, the cyber experts presented board and executive concerns, along with recommended actions in line with the webinar’s theme, to “drive improvements in corporate defense and operations”.
It was explained that the model is not linear, and that successful attacks vary in duration from several years to a few minutes. An important note was that at any phase in the model, threat actors go back to the Reconnaissance phase, where they continue to gather data using non-intrusive methods.
Ms. Potter gave an example of reconnaissance where a threat actor may make an observation of an employee wearing his or her branded company key card out in public. She explained that the branding tells a threat actor what company the employee has access to, and in turn, may identify that employee as a potential target.
Other examples of reconnaissance include harvesting email addresses; browsing a company’s website; reviewing social media profiles; downloading and reviewing articles shared by an employee and the organization; along with looking at job postings, especially IT positions that often list the technologies in use at the organization.
Downloads, Mr. Lemmon explained, can indicate not only the original location of a file, but also the computer on which the file is saved. With naming conventions, threat actors “may also be able to infer the names of other computers in use at your company”.
Ms. Potter said that companies should be mindful that CEOs and board-level executives tend to be the most targeted at the reconnaissance phase, and that “companies should ensure that the protection for their email inboxes is at the highest level”.
The team went on to carefully describe other phases of the cyber kill chain. Weaponization, they explained, involves creating the malware specific to the organization. While delivery involves the tool used to send the weaponized bundle to the victim (via email, USB or other methods), exploitation happens when the malware has been delivered and successfully triggered on the target system.
At the installation phase, a threat actor has installed malware on the asset and has the freedom to move through the network and can destroy data or equipment, read emails and other sensitive information, and trigger ransomware code.
What can be done?
Ms. Potter said that businesses must operate as though a cyber-attack is imminent, stating, “You have to operate on the assumption that you’re going to be breached, and your hope is that that breach will be insignificant. What you can do is minimize the impact that the breach will have on the sustainability of your organization and its ability to survive that breach.”
She advised: “You have to set a risk appetite. Determine what part of the business is super important, [and make this the area to] allocate the majority of your resources.”
More specifically, the ISSA members’ presentation outlined various recommendations, including policy creation, vulnerability assessments, threat emulation exercises, and regular security awareness training of team members. Another recommendation is that a company pre-draft incident response messages for high-impact scenarios so that it can inform stakeholders in a reasonable timeframe. Mr. Lemmon condensed these into an acronym he referred to as the three P’s: to prevent, to protect and to prepare.