Four inches of snow fell in Denver last week and—after grumbling about the need to schlepp heavy, potted tropical plants inside to winter over—seeing the snow launched the first anxiety attack about the need to prepare for ski season. Start the 100-lunges-per-day routine, work on core strengthening, check the condition of gear.
The feeling of anxiety lingers—but I’m not lunging yet. Does that sound about the same for organizational cybersecurity programs? I see a strong connection between gearing up for a safe ski season and gearing up for digital safety (but then, I see cyber connections everywhere).
Company leaders frequently push back against recommendations for cybersecurity initiatives: too costly, can’t take people off the production floor to learn about digital safety practices, haven’t had a problem yet, the threatened cyber auditors haven’t materialized. They sound like my ski buddies who say, “the best way to get fit for skiing is to ski.” OK. It’s an approach. But is first-hand experience of business-altering consequences from a cyberattack the best way to get fit for cybersecurity? What about starting with a cyber fitness program? What kind of gearing up can small and midsized manufacturers do to get started?
SAFETY GEAR
Ski braking systems and releasable bindings were mandated when I learned to ski in the 1970s, but helmets were for downhill racers and not mere mortal skiers. I was a slow adopter—sure, there was that mild concussion several years ago, but I got over it. And there was the cost, helmet-hair condition, and inconvenience of packing another bulky thing in my boot bag. Then came a series of wake-up calls:
- A ski friend was whacked by a snowboarder on the first run of the day while she was standing still. Her nose was changed, but she had no head injury, thanks to the helmet.
- Brooker replays started running through my mind as my skiing got a lot faster. (Brooker was the downhiller cum ragdoll whose 1987 epic Kitzbühel crash ended his career.)
- A one-point landing on the top of my head when I missed seeing a cliff while skiing an unfamiliar slope in near-whiteout conditions. My sister said she would not feed me applesauce.
In celebration of season opening in a few weeks, here are some ski/cyber equipment safety tips.
Tune your edges: firewalls and ACLs.
Frequent tuning keeps my ski edges sharp and responsive should I need to slow down or stop. Firewalls protect an organization’s digital boundaries or edges—externally and even internally, prevent intrusion and proprietary information extrusion, and alert system administrators to suspicious activities. Check firewall and ACL (access control list, not an anterior cruciate ligament reference) configuration to ensure that organizational objectives are served:
- ports that should be closed are closed—and ports that should be open are open
- business rules are in place for content filtering (based on address, protocol, packet attribute—e.g., nine digits could signify a Social Security number)
- system activity logs capture information that is useful for monitoring communication traffic.
- access control lists (ACLs) enforce organizational policy for whitelisted (permissible web sites for use by company employees) or blacklisted web sites (websites employees cannot access using resources that sit behind the firewall, dating sites, for instance)
- ACLs also support organizational policies around least privilege, segregation of duty, and network segmentation.
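Two items on that checklist can be scripted: comparing the intended port policy with what is actually listening, and flagging the nine-digit pattern the post gives as a content-filtering rule. The following Python is an added example, not code from the original post; the intended policy, the observed ports and the sample outbound text are constructed values, and the exclusions for never-issued Social Security numbers (area 000, 666 or 9xx, group 00, serial 0000) follow the SSA's published rules.

```python
from __future__ import annotations
import re

# Constructed sample values (assumptions for illustration, not a real network):
# the ports the business rules say should be reachable on the perimeter host,
# and the ports a scan of that host actually found listening.
INTENDED_OPEN = {443, 22}
OBSERVED_OPEN = {443, 3389, 21}

# Nine consecutive digits, optionally in the 3-2-4 dashed layout, is the post's
# example of a packet attribute that could signify a Social Security number.
SSN_LIKE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")

def port_drift(intended: set[int], observed: set[int]) -> dict[str, set[int]]:
    """Compare policy with reality: ports that should be closed but are open,
    and ports that should be open but are not listening."""
    return {
        "should_be_closed": observed - intended,
        "should_be_open": intended - observed,
    }

def ssn_like_matches(payload: str) -> list[str]:
    """Return nine-digit runs in outbound content that merit review.
    Combinations the SSA never issues are skipped to cut the false positives
    that invoice and account numbers produce."""
    hits = []
    for m in SSN_LIKE.finditer(payload):
        area, group, serial = m.groups()
        if area in ("000", "666") or area.startswith("9"):
            continue
        if group == "00" or serial == "0000":
            continue
        hits.append(m.group(0))
    return hits

if __name__ == "__main__":
    drift = port_drift(INTENDED_OPEN, OBSERVED_OPEN)
    print("open but should be closed:", sorted(drift["should_be_closed"]))
    print("closed but should be open:", sorted(drift["should_be_open"]))
    # Constructed outbound text: an invoice number, an SSN-like value, a phone number.
    sample = "Invoice 000123456 for employee SSN 219-09-9999, call 303-555-0100"
    print("review for SSN-like content:", ssn_like_matches(sample))
```

The phone number is not flagged because its 3-3-4 grouping never yields nine contiguous digits in the 3-2-4 layout, and the invoice number is skipped because area 000 is never issued.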
Use protective gear: AVS and VPNs for all connected devices.
As a confirmed helmet wearer, I now enjoy unanticipated benefits like a warmer head (and hands and feet) in addition to less anxiety about brain injury. Using protective gear on all devices—including employee-owned mobile devices—that connect to network resources can also relieve organizational anxiety about information vulnerability and exposure to cyber attackers.
- Antivirus software (AVS) is simply a best business practice. Although it won’t prevent zero-day malware from getting through, it will stop malware that matches known virus signatures from infecting your network. All devices should be scanned upon logging onto the organizational network.
- Virtual private network (VPN) software establishes a protected, encrypted tunnel through which messages travel to their destination. Encourage—I would say require—employees to use a VPN wherever they travel. Some software can be deployed for as little as $3 per month and downloaded to six different devices. There’s no reason not to do this.
Patch your equipment: servers/routers, desktops, software.
My summer-sale-bargain ski gloves ($15 at a Vail shop!) are still usable and warm—with the help of a few strategically placed strips of duct tape begged from the Vail ski school. Patching your hardware and software is a maintenance activity that delivers good ROI.
- Maintain a regular schedule for patching (updating) organizational equipment and for alerting employees to recommendations from the Department of Homeland Security (DHS) on protecting their home software and equipment (routers and computers).
- Update virus signatures on a regular basis—or ensure that your third-party service provider is doing so. Request updates from service providers about changes made as part of organizational configuration management practices. This is an area of focus contained within the NIST 800-171 framework.
- Ensure that uninterruptible power supply (UPS) equipment is in place where needed.
Ready to gear up and feel less anxious? Organizations can address close to 20% of the security control objectives contained in the NIST 800-171 framework by following the above practices. Enjoy safe cyber cruising!