“What can I do?” Over the last few days, we’ve all asked ourselves some version of this question and searched for ways to make ourselves, our families, businesses and allies a little safer.
We’ve heard that question from our partners and customers, too: as an organization that’s been helping protect some of the world’s most security-sensitive organizations for decades, we understand the urgency of this moment and using it to have conversations, make investments and take action.
Because each of us can help make a safer internet today and over the long-term. We should all feel empowered to protect our digital infrastructure and identities. More than empowered—we should all feel responsible for doing so.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is sharing resources that individuals, organizations and corporate leaders can all take to protect themselves. We’ve also put together the following five recommendations to build cyber resilience now and in the future:
- Prepare today for tomorrow’s long-lasting effects
- Focus on the fundamentals: implement multi-factor authentication
- Build toward zero trust with least privilege, contextual authentication and exception-based security
- Prioritize the cybersecurity skills gap
- Be wary of ‘Help Ukraine’ scams
Additional steps on each of these points follow below.
Each of those five steps represents core cybersecurity fundamentals that predate today’s crisis and will endure beyond it.
That’s important for leadership to remember: while there are no “specific or credible cyber threats to the U.S.” at this time, per CISA, and no “current specific threats to UK organizations,” per the National Cyber Security Centre, today’s geopolitical crisis could result in tomorrow’s cybersecurity challenges.
“There’s a risk that whatever cybertools Russia uses in Ukraine don’t stay in Ukraine,” U.S. House Intelligence Chairman Adam Schiff said, pointing to the new FoxBlade ‘wiper’ malware that erases computer data.
Broadly, when malware directed at “a certain target gets released in the wild” it can “take on a life of its own. So we could be the victim of Russian malware that has gone beyond its intended target,” Shiff said.
Senator Mark Warren, who leads the Senate Intelligence Committee, noted that sanctions could lead to “either direct cyberattacks against NATO countries” or “ransomware attacks at a massive level.”
One of the highest-value changes both individuals and organizations can do is to implement multi-factor authentication (MFA) on all accounts.
CISA explains that adding a second layer of authentication—including “a confirmation text message or email, a code from an authentication app, a fingerprint or Face ID, or best yet, a FIDO key”—makes it 99% less likely for an individual to be hacked.
Organizations need MFA as well: CISA advises that businesses should confirm that “all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.”
This step is becoming more critical with every IOT and IIOT device that comes online, as these smart devices represent likely ransomware targets. Last year, the Russian ransomware syndicate DarkSide breached Colonial Pipeline’s network by using a VPN account that was no longer in use and not protected by MFA.
January’s national security memorandum built on last summer’s Executive Order 14208 and directed federal agencies to begin developing zero trust architecture.
‘Zero trust’ is about as frothy a buzzword as there is in cybersecurity. The important part is the key maxim: never trust, always verify. That means that security teams should find and eliminate any implicit trust or privilege in all users, accounts, apps and devices. Nothing and nobody should get a free pass: your security system should authenticate every access request that comes its way.
But don’t let perfect be the enemy of the good: zero trust is a long-term aspiration, not an immediate end state. Any step that organizations can take to find and minimize trust is valuable.
Instituting least privilege—providing the minimum set of entitlements that a user needs in order to do their job—is an excellent way for organizations to reduce their attack surface and take an important step toward zero trust.
After you’ve taken that first step, continue your zero trust journey: context or risk-based authentication can help your security system make smarter, smarter, faster and better-informed security decisions. If a given user logs in every day at 9 AM Pacific from the same Apple device and requests the same set of applications, then my security system should be able to treat access requests within those parameters with a high degree of confidence.
Another high-value move that organizations can make is to set strong identity governance policies and develop exception-based security. If User X has 150 entitlements, and if 120 of those entitlements are shared with every other user within an organization, then my security team should focus on the 30 credentials that are unique to that specific user.
Today’s cybersecurity issues have been brewing for years. In fact, they’re not strictly technology problems—they’re people problems as well. We’ve seen a cybersecurity skills shortage for the last five years, and last May there were more than 460,000 open cybersecurity positions in the U.S. alone.
As an industry, we haven’t done ourselves any favors: we’ve been far too exclusive when hiring and training when we should have been inclusive. We’ve buried what we do in layers of jargon and acronyms that deter candidates and obscure the importance of what we do.
We need to make cybersecurity accessible and important for everyone. That means giving kids basic cybersecurity skills in kindergarten, then laddering in cybersecurity as a viable (and important) career choice as they move up through school.
Cybercriminals will exploit any crisis. We saw it when the pandemic began and we’re seeing it now, with scammers using the invasion as a pretext to ask for cryptocurrency ‘donations’ to help Ukraine.
Social engineering feints like this will always result from major disruptions—I expect we’ll see similar tactics, phishing and spear-phishing result from the invasion. Cybersecurity leaders should tell their teams to be on the watch and remind their users not to click on any links that look too good to be true.
NPR and Charity Navigator have listed several legitimate charities helping Ukraine.
Join our free webinar on Wednesday, March 16 at 2 PM ET to learn more.