Marc Ashworth, Senior Vice President and Chief Information Security Officer at First Bank, is a respected professional with over 30 years of experience in cyber and physical security, fraud, IT/security architecture, application development, and business and departmental strategy. He is also an author and a keynote speaker. He is a board member of the St. Louis Chapter of InfraGard, co-founded the State of Cyber annual security conference, and is a lifetime member of the FBI Citizens Academy. Holding the CISSP, CISM, CRISC, and Security+ certifications, Ashworth currently oversees First Bank’s Information Security Department, Corporate Security, and the Network Services Department.
The cyber landscape is rapidly changing. Records were set for attacks, fraud, phishing, ransomware, and other cyber activity in 2020. Thus far in 2021, many of those levels have been vastly surpassed. Political and economic tensions with Russia and China are causing an increase in malicious cyber activity. Companies are being breached by the thousands, as Kaseya, the recent Microsoft Exchange vulnerabilities, and SolarWinds have demonstrated.
The ransomware ecosystem continues to evolve, making use of known breached systems that are sold to ransomware affiliates and other cyber criminals. Companies’ defenses have been bypassed through supply chain attacks, internet-exposed RDP servers, unpatched systems, and phishing. These criminal actors maintain a presence in the network, spending days or even months learning the victim’s environment and exfiltrating data, all before releasing ransomware. In many cases ransomware is the end result of a breach and not the only issue in the security incident.
Ransomware is all over the news right now. Marketing teams for security vendors and the press are using fear, uncertainty, and doubt (FUD) to push company executives and boards toward a quick solution. A new tool implemented in reaction to that pressure may not mitigate the highest risk in your environment. Security and IT teams are extremely busy and are typically reacting to incidents and fixing problems rather than being proactive and planning security. Not every company has a CISO to provide strategic security direction for the organization.
Rather than jumping on the FUD bandwagon, take a break from the daily chaos and allocate some time to know your environment and develop a strategic plan to reduce your risks. Taking time to know what assets are in your environment and focusing on evaluating the risks of those assets will help you determine the gaps. Allocating some time to analyzing your environment and determining the gaps in security and controls will cause risks to quickly surface.
During this break, analyze your most vulnerable systems, such as those that are directly accessed from the Internet. Make sure they are patched and secure. There should be no external remote access into the network via Windows Remote Desktop or third-party remote access tools. Remote access to the environment should be done with a VPN or SASE solution along with MFA. Consider implementing geo-blocking at your routers for areas where you do not do business. Next, know what systems contain your data and protect them with segmentation, encryption, and identity access. Likewise, secure, test, and validate your backups and keep copies offline.
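The remote access check described above can be run against an export of your perimeter firewall rules. The following is an added example, not part of the original article; the rule format, the VPN address pool, and the use of port 5900 (VNC) to stand in for third-party remote access tools are assumptions, and the rules are constructed sample data. It covers exposure only, not MFA.

```python
import ipaddress

# Constructed sample: inbound allow rules as they might be exported from a
# perimeter firewall (name, source CIDR, destination host, TCP port or range).
SAMPLE_RULES = [
    ("web-https",    "0.0.0.0/0",       "203.0.113.10", "443"),
    ("legacy-rdp",   "0.0.0.0/0",       "203.0.113.20", "3389"),
    ("vendor-range", "198.51.100.0/24", "203.0.113.30", "3000-4000"),
    ("vpn-rdp",      "10.8.0.0/24",     "10.1.5.20",    "3389"),
    ("vnc-support",  "0.0.0.0/0",       "203.0.113.40", "5900"),
]

# Assumption: ports treated as remote-desktop style access. 3389 is RDP;
# 5900 (VNC) stands in for "third-party remote access tools".
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC"}
# Assumption: address pool handed out by the VPN/SASE gateway.
VPN_POOLS = [ipaddress.ip_network("10.8.0.0/24")]


def port_span(spec):
    """Return (low, high) for a single port '3389' or a range '3000-4000'."""
    low, _, high = spec.partition("-")
    return int(low), int(high or low)


def from_vpn(source):
    """True when the whole source network sits inside a VPN pool."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == pool.version and net.subnet_of(pool)
               for pool in VPN_POOLS)


def exposed_remote_access(rules):
    """List (rule, service, source) for remote access reachable without VPN."""
    findings = []
    for name, source, _dest, ports in rules:
        if from_vpn(source):
            continue  # traffic arriving through the VPN is the intended path
        low, high = port_span(ports)
        # A wide port range can expose RDP even if 3389 is never named.
        for port, service in sorted(REMOTE_ACCESS_PORTS.items()):
            if low <= port <= high:
                findings.append((name, service, source))
    return findings


if __name__ == "__main__":
    for name, service, source in exposed_remote_access(SAMPLE_RULES):
        print(f"{name}: {service} allowed from {source} (not via VPN)")
```

Note that the `vendor-range` rule is flagged even though it never mentions 3389: broad port ranges opened for a vendor are a common way RDP ends up reachable from outside.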
Consider application control for your desktops and servers along with a strong AV/EDR solution. Controlling what can be installed and what scripts can run will reduce the risk of malware that could lead to a compromised system. Likewise, disable macros in Office products to prevent malicious scripts from running in documents opened by your users. Finally, provide user awareness training on phishing and social engineering techniques. These are some of the basics that should be done in every environment.
An internal and external penetration test from a trusted security professional can assist with the evaluation. The cost of the test will be a fraction of the cost of dealing with a breach. The results will help determine high-risk systems and vulnerabilities that may provide a quick win on reducing your risk. It will also assist in prioritizing mitigation efforts and required purchases. Having a third-party report may also provide leverage to obtain the necessary budget required to purchase the correct solution.
Establishing regular governance committees with executive membership may assist in establishing security as a priority for the organization. Providing reporting on vulnerabilities, patching and other metrics on a regular basis may help with establishing security as a priority.
Not all companies have a dedicated risk department or security team, so evaluating risks may fall on IT. It is important to periodically dedicate time to evaluating risk in your environment and setting priorities for mitigation. Doing so will not only better protect the organization but may also reduce the time spent on break-fix and incidents by knowing your environment.