Gabe, Lisa, and I attended the annual CyberSecurity Summit at my alma mater, Marist College. Back in the day, at the beginning of the IBM/Marist Joint Study, I was asked to be on the board of that program. My 20-year-old self had a lot of fun hanging out with the CEO of IBM and discussing what was possible. All these years later, WOW!
It was wonderful to see so many of you there in person.
Here are my takeaways from the conference:
Part I:
- There are many NYS and Federal resources available to assist in our collective cyber defense. I thought they did a good job presenting many of those resources with their subject matter experts.
- As hard as the State is actively working on this, it admits it has been focusing mostly on the three largest cities and is about to include the two largest towns in every county.
- They admit they are struggling, just as we all do, with issues of completeness and deployment.
All of you appear to be well *after* #2 in their direct focus. I would also say that you are much more capable than most of the towns, villages, and cities in the room.
Part II:
The insurance expert reiterated what you have repeatedly heard from CSI, most recently from me at our last Tech Talk:
- You need to know what is in your cyber insurance policy.
- You need to know what your responsibilities are for coverage and strictly follow them.
- Your cyber insurer often provides "breach counsel," attorneys skilled in handling cyber events. Most traditional law firms supporting K-12 school districts do not have this expertise.
- Your cyber insurer often provides or recommends firms to help you remediate the breach.
The cyber insurer will look for forensic information (e.g., system, switch, and firewall logs; AD audit information; AV, EDR, MDR, and XDR data). Do you even have that to give them?
Ensure that the forms you filled out as a condition for insurance were 100% accurate. It is far better for you to say "no" to a question than "yes" and then find out later that it was either inaccurate or wishful thinking. If you are in the process of implementing MFA but have not done so, then you don't have MFA implemented. An example in recent memory was the Travelers Insurance case, where the client said they had MFA, but it was configured to "fail open" without MFA, and the attackers went right past it and hacked the network. Travelers refused to pay.
Do not engage anyone you are not willing to pay for directly without first having the insurance company's authorization.
Do not alter anything before having the insurance company's authorization.
Part III:
They had a pretty geeky AI discussion, which I thought was good but maybe a bit much for some of the audience.
Part IV:
The final part was a total geek-out "watch me hack a system" demo. It was impressive, scary, and made my eyes bleed.
My takeaway was that it was a good illustration of what I have been saying: "Everything can be hacked." It illustrated the importance of limited admin rights and why implementing the free Microsoft LAPS is imperative to you this summer. (If you haven't watched Austin's amazing discussion about the new LAPS, reach out to Lisa to get a link and watch it ASAP.)
Most importantly, it illustrated how we mere humans trying to protect our districts don't have the capacity or resources to defend against all of what was shown alone.
The most important thing you can do is to wrap your endpoints and, ultimately, your entire network in an overarching Security Operations Center (SOC) service that provides 24x7x365 visibility to people who can see those attacks and defend against them in real time. The quality of the SOC is more important than any other tool you can purchase.
This is the culmination of the message we have delivered all these years: multiple layers of protection, each looking at the network from its own perspective, so that at least one of those layers can see and kill the attacker.
In the Marist example, I believe either an EDR-focused SOC or a network-focused SOC would have seen all of that and killed it quickly.
All of us would have noted the attempt and gone on with our day.
I know I am not smart enough and don't have enough mental bandwidth to defend against that attack without outside expert help.
I suggest you reach out to Lisa and discuss how to add this visibility across your network so the bad guys will find you a very unappetizing target and move on to someone less prepared.
Give us a call.
-Scott Quimby, CISSP
CSI 1401 Route 52, Suite 100B Fishkill, New York 12524 United States (845) 897-9480