To explain what I am talking about I will go back through the mists of time to when ransomware was a new and relatively unknown thing. The typical course of ransomware was to show up in a zip file with execute-on-unpack set up. From there it would begin making rapid changes to local file systems and any connected network drives. It could cripple an organization in a matter of minutes. We had the same two choices then as we do now: pay the ransom (with no guarantee of getting data back), or restore from a backup. Both take time, and both mean the victim is losing money in the process.
During this time I was consulting for a company as the network and security manager when we were hit by not one, but three rounds of ransomware in the same day. The company was going through a complete security upgrade and everything from anti-malware to simple ACLs was being checked and redone. The problem was that most of this was still in the validation phase, and while new software and hardware had been purchased, they were not in place or configured yet (this is an important detail). When the ransomware attack hit, we quickly identified the offending email as one with the subject line “Xerox scan station document waiting”. The attachment had a double extension (.docx.zip) to help obfuscate its true nature.
Fortunately for my continued employment and for the organization, one of the first things I did after being hired was to update and change the way backups were performed and stored. This meant the ransomware could not encrypt those files, and we could kick off a restore and replace all the encrypted files. There would be some data loss, but it would be limited and not total. As the restore was taking place, the same email recipient attempted to open the same file again, and this would happen two more times until the Exchange query to identify and remove the file completed. We were able to finish the restore, but it took much longer than expected.
I presented the after-action report to the CEO and CFO. In it there were some clear lessons learned. The first was the risk zip files represented to the organization; the second was the need to speed up the replacement of the existing anti-malware and anti-spam software/hardware; the third was that training was needed so that end users knew what to look for and did not try to open risky attachments. The executive leadership agreed on all counts. We immediately put in policies to block zip files, and bought and installed anti-spam and anti-malware solutions with record speed. The training… well, that did not go so well. No one wanted to attend training, and when we tried online training no one utilized that option either.
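The two attachment tricks mentioned above, a document extension stacked in front of the real one (.docx.zip) and an archive used as a wrapper, are easy to check for at the mail gateway. The following is an added example written for this page, not the author's code or any product's rule set; the extension lists, function names and the constructed sample zip are all assumptions chosen for illustration. It flags the double-extension pattern on the attachment name, then opens a zip and applies the same check to each member, and it also notes encrypted members, which a scanner cannot inspect. A `block_all_archives` switch models the blanket zip ban the author describes.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Assumed extension sets for illustration; a real gateway policy would be tuned to the organization.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "msi", "dll", "lnk"}
ARCHIVE_EXTS = {"zip"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "rtf"}


@dataclass
class Verdict:
    blocked: bool
    reasons: list = field(default_factory=list)


def extensions(name: str) -> list:
    """All dotted suffixes of a file name, lower-cased: 'Scan.DOCX.zip' -> ['docx', 'zip']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base.split(".")[1:]


def check_filename(name: str) -> list:
    """Flag executable extensions and the document-extension-in-front-of-payload trick."""
    exts = extensions(name)
    reasons = []
    if not exts:
        return reasons
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and final in EXECUTABLE_EXTS | ARCHIVE_EXTS:
        reasons.append(f"document extension .{exts[-2]} masking .{final}")
    return reasons


def check_attachment(name: str, data: bytes, block_all_archives: bool = False) -> Verdict:
    """Apply the filename checks, then look inside a zip for the same patterns."""
    reasons = check_filename(name)
    exts = extensions(name)
    if exts and exts[-1] in ARCHIVE_EXTS:
        if block_all_archives:
            reasons.append("archives are blocked by policy")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                        reasons.append(f"archive member {info.filename}: encrypted, cannot inspect")
                    for r in check_filename(info.filename):
                        reasons.append(f"archive member {info.filename}: {r}")
        except zipfile.BadZipFile:
            reasons.append("archive is not a valid zip")
    return Verdict(blocked=bool(reasons), reasons=reasons)


def build_sample_zip() -> bytes:
    """Constructed sample: a zip carrying a disguised executable plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scan_0001.docx.exe", b"MZ" + b"\x00" * 16)  # fake header, not a real program
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    verdict = check_attachment("Xerox_scan_document.docx.zip", build_sample_zip())
    print("blocked" if verdict.blocked else "allowed")
    for reason in verdict.reasons:
        print(" -", reason)
```

Two caveats a practitioner should keep in mind: the check trusts file names only, so a payload renamed to .docx is not caught by it (content-type sniffing is a separate control), and an encrypted or password-protected archive is flagged rather than scanned because its contents cannot be inspected.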
The result was that our campaign to educate the user population about the reasons behind the changes failed. Although there was executive buy-in, we failed to get middle and lower management buy-in, and that led to end users not understanding the need for our new restrictions and complaining to their managers about the risk mitigation steps. This oh-so-fun time culminated in a manager using it as an excuse for not meeting revenue goals. I was called before the CEO and CFO again and given a stern talking-to about it. I was also told to relax the restrictions and allow zip files in the environment. The day after this happened, the company was hit by another round of ransomware.
As you might imagine, the next call to me was “why did this happen again?”. Using the lessons learned from the first and second waves, I explained it to them. This time an email went out from the CEO to the entire company explaining the new changes, it was in the weekly and monthly newsletter, and the coursework to understand the risk and ways to avoid it was made mandatory by HR. In short, the excuses of “I can’t do my job” went away, and so did the ransomware.
So why the long-winded anecdote? Well, it serves to illustrate that risk and vulnerability management isn’t just for IT or IT security, it really is everyone’s job. It also shows that no matter the effort by the security or IT teams, if everyone is not onboard, those measures are for nothing.
Vulnerability and risk management must be a top-down approach and it must be part of everyday culture in an organization. This is not something that you can import or outsource. Even if you have a company that will help in identifying and remediating vulnerabilities and risk, it is all for nothing if everyone in your organization is not practicing it. It also requires some difficult choices when it comes to who has ownership and responsibility for managing risk. In this regard there is no simple solution. As nice as it would be to just outsource all your troubles, the reality is that you, the organization owner, have the ultimate ownership and responsibility. You control the business, and the endpoints… ah yes, endpoints, another tricky subject.
Taking a quick sidestep, let’s talk about asset management and how it fits into the culture of vulnerability and risk management. There is an adage that you cannot protect what you cannot see, or do not know you need to. In this regard most organizations fall short of the mark. This is because they rely on old doctrines and treat their organizations as if they were castles. They have their walls and moats (firewalls and IDS/IPS systems) to protect the core parts of the castle and to prevent a direct attack on the King and Queen. However, they often ignore the “commoners” that leave and re-enter the castle every day. These are today’s mobile and work-from-home workforce. These endpoints are at a high risk of compromise, especially with the shift to remote work brought on by Covid-19. Yet even with their increased exposure, many organizations are still not willing to spend the time and effort to remediate the vulnerabilities that exist on them. Sure, they might get patches for the operating system, but third-party applications and hardware/firmware vulnerabilities are left in play. Even with modern (non-signature-based) anti-malware, these devices represent a significant risk and an increased attack surface. Matters are exacerbated when these devices are part of a BYOD program.
BYOD (Bring Your Own Device) is another (relatively) new and wonderful practice. The concept is simple: the company saves money by not having to buy and maintain mobile phones, desktops, laptops, etc. That saving can have its own cost, though. If there is not a sufficient BYOD policy that allows for the installation and management of company-owned security and vulnerability management tools, then the company has no visibility into, or control over, the security of those devices. Sadly, this is the model we see in many businesses that have a small employee count but a large transactional footprint. They allow use of privately owned devices with no company-controlled security tools and then allow those devices, in many cases, unrestricted access to the company’s infrastructure. The thought of developers with full access to an AWS account from devices with no security in place to protect them is the stuff of security nightmares.
To properly manage the vulnerabilities and risk in a BYOD environment, you must have strong policies in place to cover those outside assets and strong buy-in from the employees bringing their devices. That buy-in requires trust between the company and the employee. The company needs to trust that the employee is doing the right thing with the device or devices that have access to company-owned assets (data and infrastructure), and the employee must trust that the company is not going to abuse its control of and access to those devices. You can see how this keeps coming around to everyone needing to be on board with vulnerability and risk management as part of a comprehensive security program. There is no other way to do it: it must be a pervasive part of the company culture in order to be effective. If you can build this into your culture, then the steps needed to ensure proper security will not feel oppressive or punitive; they will just be “how things are done”.
Now, I know that saying vulnerability and risk management must be part of your core culture is easy. It is not always easy to put into practice. The good news is that there are some simple steps that can be taken to get things started. The first is to involve everyone in the discussion. This is best done in a central chat channel or other collaboration software. It allows company-wide communication to be sent and for everyone to comment on it. Emails are also an option, but those tend to get ignored in favor of other, more pressing business-related items. Setting up monthly company meetings to discuss current and new vulnerability management (and general security) policies, tools, plans, etc. helps to generate the feeling of this being part of the culture. In all discussions around security and vulnerability management you should invite discussion and even dissenting opinions. The company still has the final say, but allowing dissent to be voiced without repercussion is important. In most cases simply knowing their voice was heard is enough. Where it is not, the dissenter would not likely have bought into the culture approach anyway, although they will begrudgingly accept the new policies or choose to leave. Either way, the goal of ensuring vulnerability management is part of your day-to-day company practices is achieved.
It should go without saying that you should have security training on a scheduled basis. These trainings, although boring and often forgotten, should still be part of the culture. There are ways to incentivize the trainings so that employees want to keep the knowledge longer than it takes to pass the exam, including phishing testing, acknowledgements for clean systems (no malware events), etc. These might sound petty, but it is important to recognize effort to help keep the company secure and not exposed to attacks.
The concept of all-in vulnerability and risk management as part of a security program is simple. It should be part of every company, from small to gargantuan. The steps to put it into place are not difficult, although they can appear time-consuming and do take effort. Company officers/owners also need to take responsibility and ownership of this culture. They must be a part of it and not find ways to exclude themselves from it. Doing this will have an amazingly positive effect on company security and a dramatic reduction in your overall vulnerability to, and risk from, attacks.