Craig Cybersecurity, LLC
https://www.craigcyber.com

Cybersecurity Vulnerabilities and the Government
https://www.craigcyber.com/cybersecurity-vulnerabilities-and-the-government/
Thu, 12 Mar 2020 01:24:31 +0000

Everyone believes that the government is slow. Whether you are trying to pay your taxes or simply going to renew your license, interactions with any official agency tend to be a long process. The same has been true about most agencies and technology – they tend to be about ten years behind the curve. Does anyone even know if they are done using Windows XP yet? This poses a bigger problem when we come to the issue of cybersecurity vulnerabilities. Does the government have the practices in place to deal with these types of pitfalls or are they behind?

The Current State of Government Cyber

First, let’s start with the big one that a lot of cybersecurity companies use for their policies – NIST. NIST has been around since 1901 creating standards and has done an amazing job doing so. However, it has only been doing so for cybersecurity since 2014. NIST published its Cybersecurity Framework on February 12, 2014. It provides a framework for dealing with cybersecurity as a whole, covering everything from identification to recovery.

Then you have the U.S. Army Cyber Command. They started out as Network Technology Command (NETCOM) in 2002, which worked to secure and defend enterprise-level data networks. Army Cyber Command (ARCYBER) came along in 2009 to support the joint cyber operations force. While they do monitor for cybersecurity vulnerabilities and attacks on our nation’s military, they don’t do anything in the homeland.


That’s where the Department of Homeland comes in with CISA. The Cybersecurity and Infrastructure Security Agency “is the Nation’s risk advisor, working with partners to defend against today’s threats and collaborating to build more secure and resilient infrastructure for the future.”

The problem with CISA is that they have only been around since 2014. While they have done a lot of good in the short time they have been around, they were much needed before that time. They are coming in late to the game, and changing the ideas of government agencies can be difficult. That’s not to mention the fact that purchasing the amount of equipment that is required for a cybersecurity implementation the size of the U.S. government can be daunting.

There are, of course, other organizations that have cyber employees. NSA, CIA, FBI, and other government agencies have their own cybersecurity professionals, but they tend to work in their own areas as opposed to supporting multiple agencies.

The Cyberspace Solarium Commission

The Cyberspace Solarium Commission (CSC) formed in 2019 to provide a report on the current state of cyber in the United States. They presented their final report to the public today, March 11, 2020. Their report “proposes a strategy of layered cyber deterrence” and “consists of over 80 recommendations to implement the strategy”.

This report came from a bipartisan group of lawmakers and stated that there was a need for far more people trained for cybersecurity in the military. They also stated that Congress needs to dedicate committees to cybersecurity. Interestingly, they also stated that there was a need for more aggressive actions against the networks of other nations.

“The U.S. government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace. We must get faster and smarter, improving the government’s ability to organize concurrent, continuous and collaborative efforts to build resilience, respond to cyber threats, and preserve military options that signal a capability and willingness to impose costs on adversaries.”

Report from the Cyberspace Solarium Commission, 2020

While some of the implications of the report can be implemented immediately, some require White House approval. No matter what your stance on politics is, you can’t deny that the fighting between both sides could cause a problem for any such implementation.

What Can I Do To Help?

Finding cybersecurity vulnerabilities and protecting against attacks has never been a government-only problem. The private industry will always be needed to help defend private and public infrastructure. Making your company ready for cyberattacks will not only help your company, but it will also help reduce the risk of that attack spreading to others as well.

Craig Cybersecurity can help your organization determine its risks and how to mitigate them. Give us a call today and we can help you strengthen your company’s cybersecurity posture.

Why Cybersecurity is YOUR Problem
https://www.craigcyber.com/why-cybersecurity-is-your-problem/
Sun, 16 Feb 2020 01:31:27 +0000

Everyone is talking about it, and nearly everyone has been affected by it in some way or another. Cybersecurity, whether people know its proper name or not, affects all of us as we become an increasingly connected world. Cybersecurity breaches are being disclosed by companies every day. People are getting attacked by ransomware more and more. It seems like the problem is exponentially increasing, and those of us in the cybersecurity profession seem not to be able to keep up.

However, I would suggest that while the number of attacks is astronomical and is steadily increasing, it’s not because we aren’t doing anything about it. Rather, it’s because people using a computer don’t know how to deal with it. People tend to think of cybersecurity as someone else’s problem. They believe myths like, “My anti-virus takes care of everything” or “I’m not a target so I won’t get hacked.” Thoughts like these are what allow attacks to come through and why cybersecurity is everyone’s problem.

The Cold, Hard Facts

Proofpoint, a cybersecurity company that focuses on the human element, states in their “Human Factor 2019 Report” that 99% of cyber attacks require a human to do something to make it successful. That’s an astonishing number. To put it into perspective, of the 765 million cyber attacks that happened in April, May, and June of 2018 [1], nearly 757 million of those attacks could have been prevented if the user obtained training on how to mitigate attacks.

There is definite room for improvement of technology controls, though, as well. 1% of those attacks still amounts to 7.6 million attacks that occurred in 3 months. This number of attacks is a massive amount that needs to be mitigated by cybersecurity vendors and professionals. As attackers get smarter, the white hats have to as well. We have to be agile and ready to respond to these threats as soon as we see them.

Awareness is Key

Organizations and individuals usually think that cybersecurity products will protect them. Home users believe that having an anti-virus on their system will protect them just like corporations assume that their endpoint protection and firewalls are the be-all for protecting themselves against malicious actors.


However, user awareness is one of the biggest things you can do for yourself and your organization. Ensuring that your users have the proper training on the basics of cyber hygiene can go a long way when it comes to preventing attacks.

Obtaining training for your users doesn’t mean you need to send your users to a boot camp and spend millions of dollars doing so. There are simple things that you can do to make your users and yourself aware of things not to do. Will this help you ultimately mitigate these attacks? Probably not. However, it’s a great place to be in, and as we saw above, it will reduce your chance of attack significantly.

The Basics of An Attack

I’m going to tell you a super-secret hacker tip. We have to be able to get in to damage you.

That’s right – if we can’t have access to your computer some way, there’s not much we can do. Sure, we can keep you from using your internet possibly or make your day go a little less grand than it is, but unless we can have access to your computer, there’s not much we can do.


Let me set up a successful attack for you. It’s an attack called phishing. Yes, it’s a weird name, but what it means is sending an email that isn’t legitimate to make you do something that you wouldn’t have otherwise done. Phishing attacks go something like this:

A hacker will either find something that is of interest to you or a project you are working on and send you something related to it. They may send you an infected Excel file that contains “sales figures” or something along those lines. They may send you an infected Word or PDF with a project outline or something you need for that new project you are working on. Or they might send you a link that they ask you to click on for one reason or another.

Contrary to popular opinion, you are not “hacked” at this point. If you delete the email, nothing happens (in most cases – there are some exceptions). Remember, we said the hacker needs access to your computer to damage you. Right now, he/she has nothing but an email that evaded spam filters and made it onto your machine.

The problem comes in when you click on that email’s link or file. What generally happens next is something executes on your computer (a script or a program), and it “infects” your computer. Now that hacker has access to your computer. Now the problems start.

How to Stop The Attack

So how do you stop an attack like this? It starts with the very beginning of what is called the “attack chain.” It begins before you even knew it began.

  1. Don’t Overshare. Yes, I’m talking about you, Facebook-holics. While it may seem cute that you are posting where you’re at and what you’re working on, it also tells hackers those details. They now know what they can email you about to get you to click on their link. If you have to share, make sure you set your privacy settings correctly so that only the people you want to see it do see it.
  2. Use a Strong Password. Just because you use a number, letter, symbol, upper case, lower case, and a drop of blood doesn’t mean your password is secure. Remember, this_is_my_new_unhackable_password is much stronger than p@$$WorD1. Need a way to remember the passwords? 1Password is a great program to help remember your passwords.
  3. Use Multi-Factor Authentication. Sometimes multi-factor (or MFA) is a hard thing to understand. You have your password, and you also have some other way to prove it’s you that’s logging in. Companies like Yubico and Authy can help you with this. I use them both.
  4. Always Use a VPN on Public Networks. If you’re not at your home, there are more people than your family on that Wi-Fi network. How many people can now see your Facebook password depends on how secure your computer is. Use a VPN like Private Internet Access or ProtonVPN when you’re on a network that isn’t your home network.
  5. Don’t Click on Email Links or Files. If you don’t know what a link is or don’t know that it’s coming from a reputable source, don’t click on it. If you’re worried that a file might not be from whom you think it is, call them up to verify. If you get a weird email or chat from your “friend,” always, always, always make sure you know it’s them.

Use a Cybersecurity Firm

If you’re not sure if you’re secure, you can always call up a cybersecurity firm to help you get to where you need to be. Companies like Craig Cybersecurity, LLC have experts on staff that are trained to help you be secure. You can learn more about how we can help here.

And, in the worst-case scenario, if you do get hacked, they can help you possibly restore your operations to where they should be. Stay safe out there.

References

  1. Snider, M. (2019, January 1). Your data was probably stolen in a cyberattack in 2018 – and you should care. Retrieved November 1, 2019, from https://www.usatoday.com/story/money/2018/12/28/data-breaches-2018-billions-hit-growing-number-cyberattacks/2413411002/.
