August 4, 2020
Good morning, everyone!
CISA's 3rd Annual National Cybersecurity Summit will be held as a series of two-hour webinars every Wednesday for four weeks, beginning September 16 and ending October 7. Each week will have a different theme and the presentations will highlight topics relevant to CISA's mission and include keynote speeches and remarks from leadership from across the government and private sector. You can now register for the event here. For more information, visit www.cisa.gov/cybersummit2020.
Managing Risk in the Supply Chain
Managing risk in the supply chain is one of the hottest cyber security topics lately. I read an article this week that made the topic relevant to every business owner in just one sentence:
“Upon notice of the attack on May 20, Freddie Mac stopped working with Opus”
I read that sentence last week in an article reporting that Freddie Mac had told regulators that one of its vendors, Opus Capital Markets Consultants LLC, suffered a cyber attack earlier this year. I think there are two hard lessons in this story:
(1) No matter how much time, effort and money Freddie Mac has invested in securing its own systems, the personal information of its borrowers was compromised in the supply chain. (Opus provides due diligence and quality control services to mortgage lenders, according to its LinkedIn profile.)
(2) Opus lost a large client as a direct result of the data breach, despite the fact they “found no evidence that Freddie Mac’s information has been misused or stolen” – but they also had no evidence to the contrary.
No matter where in the supply chain your organization falls, managing cyber security risk needs to be a part of your strategic planning. If you haven’t given much thought to the cyber security posture of your vendors, now is the time to start. Your customers are starting to think about your cyber security posture. I’ll talk more about this in the coming weeks.
So You Decided to Cloud
I daresay everyone reading this newsletter has at least some data stored in the cloud. Hopefully you have taken precautions to secure it, but what about backups? You may say “oh, the software company makes backups for us” – but what if something goes wrong? Last week I read a Twitter thread “Locked out of your cloud account” that really caught my attention:
“Last Thursday, I was locked out of my cloud MDM [mobile device management], my data was deleted, and MDM agents for every device @trailofbits were silently removed by the vendor, leaving the entire company unmanaged. There was no advance notice and no explanation.”
Yikes! This immediately brought to mind an incident from a few years ago, Hacker puts 'full redundancy' code-hosting firm out of business:
“A code-hosting and project management services provider was forced to shut down operations indefinitely after a hacker broke into its cloud infrastructure and deleted customer data, including most of the company’s backups. The customers of CodeSpaces.com, run by a company based in Wayne, New Jersey, called AbleBots, were informed Wednesday that their data might have been permanently lost following the compromise of the company’s account on Amazon’s Elastic Compute Cloud (EC2).”
Ouch, that hurts. Does it make good business sense to rely entirely on your hosting vendor? Here’s what I tell my clients: “If you store your data in the cloud, have local backups. If you store your data locally, have backups in the cloud.” Cover all your bases. Honestly, you can never have too many backups! Just be certain they are good backups.
What is a Good Backup?
You just read that last sentence and started wondering exactly what is a good backup, eh? Three important points:
(1) Secured. If your local backups are stored on portable devices (thumb drives, external USB drives, etc.), make certain those devices are physically secured. It’s too easy for a rogue visitor (cleaning employee, yes, this has happened!) to pick up a portable device and cart it off. Make sure you know how many backups you have, where they are stored and who has access. Securely destroy old backup devices that are no longer needed.
(2) Encrypted. All your backups should be encrypted, with an encryption key that YOU determine and hold, not some third-party vendor. The encryption key should not be stored with the backup. Encryption protects against the data being read if the backup is lost or stolen.
(3) Verified. I hate to tell you how often we are called by a company asking whether we can retrieve data off a dead hard drive. The rest of the story usually includes no notice that the drive was failing, and also no notice that their automatic backup hadn’t worked in a while. Almost any backup software keeps basic log files that say when the backup began and ended, how many files and how much data was backed up, and whether there were any errors. Simply checking the logs will give you a good idea whether there are issues. Also, it’s a good idea to periodically run a test: create a test file and save it, delete it a few days later (after a backup that looked good in the log file), and then (after another backup that looked good in the log file), try to restore it from backup.
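The log check described in point (3) can be automated so the "backup hasn’t worked in a while" problem is caught the same day. The following is an added example, not code from the newsletter or any backup product; it assumes a simple "timestamp level message" log layout and a constructed sample log with one good run, one run that errored out, and one that started but never finished.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp level message" layout (not any
# particular product's format): a good run, a failed run, and an unfinished run.
SAMPLE_LOG = """\
2020-07-30 02:00:03 INFO backup started
2020-07-30 02:14:51 INFO backup finished files=18342 bytes=52839012 errors=0
2020-07-31 02:00:02 INFO backup started
2020-07-31 02:03:10 ERROR write failed: destination drive not available
2020-08-01 02:00:01 INFO backup started
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (.*)$")
FINISHED_RE = re.compile(r"backup finished files=(\d+) bytes=(\d+) errors=(\d+)")


def check_backup_log(log_text, now, max_age=timedelta(days=1)):
    """Return the last good run, whether it is stale, and anything suspicious."""
    last_success = None
    errors = []            # raw ERROR lines, for the person reading the report
    open_run = None        # a 'started' that has not yet seen its 'finished'
    incomplete_runs = []   # starts with no finish: superseded, cut off, or hung
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, level, msg = m.groups()
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if level == "ERROR":
            errors.append(line)
        if msg == "backup started":
            if open_run is not None:
                incomplete_runs.append(open_run)
            open_run = ts
        fin = FINISHED_RE.search(msg)
        if fin:
            open_run = None
            # A run only counts as good if it copied something and had no errors.
            if int(fin.group(1)) > 0 and int(fin.group(3)) == 0:
                last_success = ts
    if open_run is not None:
        incomplete_runs.append(open_run)
    stale = last_success is None or (now - last_success) > max_age
    return {"last_success": last_success, "stale": stale,
            "errors": errors, "incomplete_runs": incomplete_runs}


def sample_report():
    return check_backup_log(SAMPLE_LOG, now=datetime(2020, 8, 1, 9, 0, 0))
```

Run against the sample as of the morning of August 1, the report shows the last good backup is more than a day old, one error line, and two runs that never reported finishing; that is exactly the situation that normally goes unnoticed until a drive dies.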
Adding “cyber” to your disaster recovery plan
I hope this newsletter has you thinking about your disaster recovery plan! If your current plan only covers hurricanes, tornadoes and fire, you need to add "cyber" to assure business continuity. This is the subject of my August 25 work(fromhome)shop and I’d love to “see” you there!
Talk to you again soon!