How do you know you are okay?
When it comes to cyber security issues, the question CEOs and their boards need to ask is not, ‘are we okay?’ But, ‘how do we know we are okay?’
Article from New Zealand Management Mag by Annie Gray.
While there is definitely an increase in awareness of cyber security risk at an executive and board level, the Government Communications Security Bureau's experience over the past few years shows there still needs to be greater understanding of how leaders can best drive cyber security risk management, says the GCSB's Director-General, Andrew Hampton.
He says the GCSB’s National Cyber Security Centre’s survey of cyber security resilience, based on face-to-face interviews with security professionals from more than 250 organisations, suggested that while most organisations are heading in the right direction, more work needs to be done to improve cyber resilience.
And he pointed towards four areas – governance, investment, readiness and supply chain.
Hampton, whose bureau contributes to New Zealand’s national security by providing information assurance and cyber security to the Government and critical infrastructure organisations, told Management, in reply to written questions, that a key challenge for leaders is knowing the right questions to ask.
“One of the key things is that leadership must recognise that effective cyber security risk management is not just an IT thing – it requires a whole of business approach.
“There are a range of questions that boards and executive teams should be asking as part of their risk assurance and management processes.
“They are in four key areas; knowledge of information assets, the potential impact of a cyber event, understanding your vulnerabilities and preparedness to respond.”
• Information assets: What are our most important information assets? How are we protecting these assets? Are we managing the risk to an acceptable level in accordance with our business objectives and do we have a security framework in place?
• Impact: What would be the impact of a cyber-attack? What are the cyber security risks to the organisation? What is the potential cost of a cyber-attack and the damage to our brand?
• Vulnerabilities: How well do we know the vulnerabilities of our systems, processes and data? Do we have inventories of all of our IT systems? Are we following best-practice advice, and do we conduct regular audits and security risk assessments?
• Response: What is our plan for dealing with a cyber security incident? Do we have an incident response plan and if so, how often is it tested? As part of response planning what is our communication strategy for dealing with a cyber incident?
In essence, Hampton says the question boards and CEOs need to ask is not, “are we okay?” but “how do we know we are okay?”
Hampton says there are many measures and frameworks for ensuring resilience.
“At a governance level it is not necessary to fully understand these frameworks but it is important to understand how an organisation measures up in terms of their compliance with them.
“In order to measure, boards must first understand what normal looks like for their organisation. They should establish a baseline for security assessment of the organisation’s cyber security.” This includes:
• Understanding what your most important information assets are;
• Prioritising security risk based on knowledge of your sector and systems;
• Identifying critical assets that are key to delivery of your business objectives; and
• Understanding how the organisation identifies and keeps track of what is happening to its systems and data.
“In March our United Kingdom counterparts, the UK National Cyber Security Centre published a cyber security guide for boards. This is a really useful resource that sets out how boards can get the information they need to make well informed decisions on cyber security risk, understand and prioritise risk, then take the necessary steps to manage those risks. It is well worth checking out.” See https://www.ncsc.gov.uk/collection/board-toolkit.
So, if CEOs and board members could concentrate on just one or two areas, what does Hampton think it should be?
You need to “think ahead and be prepared”.
• Understand where your most important information is and ensure it is protected;
• Foster a strong security culture; and
• Understand the threats you are facing.
For more information see
https://www.ncsc.govt.nz/newsroom/nationally-significant-organisations-c…
CYBER SECURITY: DON’T FORGET THE HUMBLE PHOTOCOPIER
For all the focus on securing the desktop and network, it’s easy to overlook office multifunction devices (MFDs) as an IT asset that merits equal scrutiny from the security team. Yet there is just as much, or more, business-critical information passing through and stored on these devices as on the desktop.
Every page that’s scanned, printed or copied gets stored to a hard drive, and if not properly protected or securely deleted, is potentially vulnerable to exploitation, says Ross Wilkinson, a network and document security expert from Fuji Xerox New Zealand.
“Since these devices are connected to the network there’s a potential route of access available to external parties that needs to be protected,” he says.
Wilkinson points to Faxploit, a set of vulnerabilities disclosed in mid-2018 by Check Point Research and demonstrated on HP OfficeJet all-in-one printers, which showed that the fax line of all-in-one printers and multifunction devices could be used as an attack path: a malformed fax sent to the machine was enough to take it over.
“At a basic level, if hackers had the fax number for one of these machines, they could remotely connect and deploy malware that would compromise its security and give the hackers access to the device at an admin level, which could then in turn grant them access to the entire network.
“In the hacking game access is key, and once they’re in, the only limits are the hackers’ imagination. Because there are so many of these devices around the world, it served as a real wake-up call to many IT experts and vendors.”
He says that in response a number of manufacturers have issued software patches and updates to their devices. Many organisations are also looking at the fax function of their devices and determining if this is really still necessary.
“However for some organisations, the rather antiquated fax machine isn’t going away anytime soon. There’s still a surprisingly large amount of fax traffic worldwide, particularly in highly regulated industries like legal firms, pharmaceuticals and healthcare and government bodies where only a hard copy of a document is legally recognised. Until the rules and regulations governing those industries change to reflect advances in technology, the fax machine will be here to stay.
“Thanks to a quick response from most print providers the threat from Faxploit has tapered off, but as always in security it’s a cat-and-mouse game.”
Wilkinson says there are seven avenues hackers could use to access an office multifunction device:
1. Unauthorised use (i.e., logging in as someone else).
2. Eavesdropping or tampering with network traffic to, or from, the device.
3. Tampering with admin settings to open vulnerabilities.
4. Firmware or software tampering to replace the software running the machine.
5. Audit log tampering.
6. Stealing document data stored on the device.
7. Data breach through accidental misuse.
As to what organisations can do to better protect their data Wilkinson points to:
• Create unique user IDs for each person using the device: This makes all print jobs and actions accountable to a specific user and helps to prevent unauthorised access – both on-site and remotely.
• Restrict USB keys and portable memory devices: While these can be convenient for scanning and printing, they’re also well-known vehicles for deploying viruses and malware. Newer MFDs now include a number of features for better data portability, so instead of a USB you can print directly from your phone or scan directly to OneDrive or SharePoint from the machine’s touchscreen.
• Implement image overwrite (if not already configured): This is an admin setting on most MFDs where, after every job (print, scan, copy or fax), the stored image data is overwritten (digitally ‘shredded’) on the device hard drive, so it cannot be easily recovered or exploited by anyone who gains access to the device’s storage. Where the device also offers disk encryption, enable that too, and sanitise or remove the drive before the device is returned to the lessor or disposed of.
• Change the default admin credentials: You would do this on any other device on your network, so treat your MFD the same way.
• Disable functions and services you don’t use: Most MFD models ship with an array of functions, protocols and network ports, most of them enabled by default. If you’re not using them, turn them off: legacy management and transfer services such as FTP, Telnet and SNMPv1/v2 are common candidates, as is the fax line itself if nobody in the organisation sends or receives faxes.
• Implement a follow-me (secure print release) solution: A print job is held and only released when the user authenticates at the printer, ready to collect it. Also ensure that the solution (there are many available) uses current encryption standards to protect print data in transit and while it is queued, and that it is kept in sync with your identity directory (for example Active Directory), so that users who have left the organisation lose access to the MFDs as soon as their accounts are disabled.
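The checklist above, and the seven attack avenues it counters, can be turned into a repeatable audit rather than a one-off inspection of the admin web page. The following Python script is an added example, not code from the article or from any MFD vendor: it reads a configuration export and flags every setting that contradicts the checklist (default admin credentials, no per-user authentication, unencrypted admin traffic, unused services left enabled, USB ports open, image overwrite off, no print release, no directory sync, and audit logs that are disabled or kept only on the device where an intruder could tamper with them). The JSON layout, key names, the short list of factory credentials and the sample addresses are all assumptions made for illustration; real devices export their settings in vendor-specific formats, so the keys need mapping to your fleet.

```python
"""Audit an MFD configuration export against the hardening checklist.

Added example; the JSON shape, key names and sample values below are
constructed for illustration and do not correspond to any vendor's format.
"""
import json
from typing import List

# Illustrative factory defaults (assumption, not a vendor database).
DEFAULT_ADMIN_CREDENTIALS = {("admin", "admin"), ("admin", "1111"),
                             ("admin", ""), ("11111", "x-admin")}

# Constructed export for a device that has not been hardened.
WEAK_CONFIG = json.loads("""{
  "hostname": "mfd-floor3",
  "admin": {"username": "admin", "password": "1111"},
  "authentication": {"mode": "none"},
  "transport": {"ipp_tls_min_version": "1.0", "http_redirect_to_https": false},
  "services": {"https": true, "ipps": true, "ftp": true, "telnet": true,
               "snmp_v1v2": true, "fax": true},
  "services_in_use": ["https", "ipps"],
  "usb": {"scan_to_usb": true, "print_from_usb": true},
  "image_overwrite": {"immediate": false},
  "print_release": {"enabled": false},
  "directory_sync": {"enabled": false},
  "audit_log": {"enabled": false, "remote_syslog": null}
}""")

# Constructed export for the same device after the checklist was applied.
HARDENED_CONFIG = json.loads("""{
  "hostname": "mfd-floor3",
  "admin": {"username": "mfd-admin", "password": "Zq7!vR2#pL9wTx4m"},
  "authentication": {"mode": "card_and_pin"},
  "transport": {"ipp_tls_min_version": "1.2", "http_redirect_to_https": true},
  "services": {"https": true, "ipps": true, "ftp": false, "telnet": false,
               "snmp_v1v2": false, "fax": false},
  "services_in_use": ["https", "ipps"],
  "usb": {"scan_to_usb": false, "print_from_usb": false},
  "image_overwrite": {"immediate": true},
  "print_release": {"enabled": true},
  "directory_sync": {"enabled": true},
  "audit_log": {"enabled": true, "remote_syslog": "192.0.2.10:514"}
}""")

# Same as HARDENED_CONFIG but logging stays on the device only.
LOCAL_LOG_CONFIG = json.loads(json.dumps(HARDENED_CONFIG))
LOCAL_LOG_CONFIG["audit_log"]["remote_syslog"] = None


def _tls_version(value: str) -> tuple:
    """Turn '1.2' into (1, 2) so versions compare numerically."""
    return tuple(int(part) for part in value.split("."))


def audit_mfd(cfg: dict) -> List[str]:
    """Return sorted finding codes; an empty list means every check passed."""
    findings = []

    # Avenues 1 and 3: unauthorised use and admin-setting tampering.
    admin = cfg.get("admin", {})
    if (admin.get("username"), admin.get("password")) in DEFAULT_ADMIN_CREDENTIALS:
        findings.append("DEFAULT_ADMIN_CREDS")
    if cfg.get("authentication", {}).get("mode", "none") == "none":
        findings.append("NO_USER_AUTH")  # jobs cannot be attributed to a person

    # Avenue 2: eavesdropping on or tampering with traffic to the device.
    transport = cfg.get("transport", {})
    if _tls_version(transport.get("ipp_tls_min_version", "1.0")) < (1, 2):
        findings.append("WEAK_TLS")
    if not transport.get("http_redirect_to_https", False):
        findings.append("PLAINTEXT_ADMIN_HTTP")

    # Unused services and ports widen the attack surface (fax line included).
    in_use = set(cfg.get("services_in_use", []))
    for name, enabled in cfg.get("services", {}).items():
        if enabled and name not in in_use:
            findings.append(f"UNUSED_SERVICE:{name}")

    # Removable media as a malware vehicle.
    usb = cfg.get("usb", {})
    if usb.get("scan_to_usb") or usb.get("print_from_usb"):
        findings.append("USB_ENABLED")

    # Avenue 6: document data left on the drive after each job.
    if not cfg.get("image_overwrite", {}).get("immediate", False):
        findings.append("IMAGE_OVERWRITE_OFF")

    # Follow-me release and leaver deprovisioning.
    if not cfg.get("print_release", {}).get("enabled", False):
        findings.append("NO_PRINT_RELEASE")
    if not cfg.get("directory_sync", {}).get("enabled", False):
        findings.append("DIRECTORY_SYNC_OFF")

    # Avenue 5: logs that exist only on the device can be edited by an intruder.
    log = cfg.get("audit_log", {})
    if not log.get("enabled", False):
        findings.append("AUDIT_LOG_OFF")
    elif not log.get("remote_syslog"):
        findings.append("AUDIT_LOG_LOCAL_ONLY")

    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, cfg["hostname"], audit_mfd(cfg) or "no findings")
```

Run against a fleet's exports on a schedule and diff the output: a finding that reappears on a device that was previously clean is exactly the "tampering with admin settings" avenue in the list above, and the remote syslog check is what keeps the evidence of that change off the device itself.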
Publishing Information
NZ Management Magazine Issue: