In the wake of a cyber incident, regulators and law enforcement agencies closely scrutinize the cyber security measures in place at the affected organization.
Time and again, we see regulators focusing on certain cyber security measures over others. The measures that hold regulatory focus are often those that are considered standard practice and should, in a regulator's view, form the baseline of any effective cyber security structure. While these concepts and standards are well known to cyber security and privacy specialists, they are less well understood by those who operate outside these specialisms, such as GCs, board members and other legal and risk professionals.
We explain, in non-cyber speak, the five cyber security questions regulators and law enforcement agencies most commonly ask in the aftermath of a cyber incident, and why they matter.
What is it?
Multi-factor authentication or "MFA" is an electronic authentication method that requires the user to present two or more pieces of information to gain access to the relevant device or system.
These pieces of information should be unique to the person who is authorized to access that system. They should therefore be something only the user knows (like a password), something only the user has (like a secure ID token or code), or something only the user is (for example biometric information like face or touch ID).
What does it do?
The purpose of MFA is to prevent an unauthorized person from gaining access to an organization's devices or networks.
Requiring a user to provide multiple pieces of information to verify that they are who they say they are makes systems more resistant to unauthorized access by cyber attackers.
Why do regulators think it is important?
In several recent high-profile cyber incidents, attackers gained access to internal networks by exploiting less secure single-factor authentication. The fundamental problem with single-factor authentication (i.e., a login and a password) is that passwords are often reused across platforms and are sometimes easily guessed.
By contrast, MFA makes it much more difficult for attackers to obtain all the components required for initial and ongoing access, even if they already have the password. Because MFA is widely available and low cost, regulators expect it to be in place, and some regulators explicitly require companies to use MFA in certain contexts.
Antivirus ("AV") software is a program or set of programs designed to search for, prevent, detect and remove software viruses and other malicious software like worms, trojans, adware and more. There are a number of AV solutions available in the market, which vary in terms of sophistication.
Threat actors deploy malware, such as viruses and ransomware, to compromise systems, and AV programs help to guard against this by preventing, scanning for, detecting and removing such malware so that organizations can fend off these attacks. AV programs provide protection against these types of threats by:
AV programs are viewed by regulators as important gatekeepers to thwart attacks, or, where an attack has occurred, to identify and remove the harmful software.
Following a cyber incident, regulators and law enforcement will want to understand which, if any, AV software the victim organization was running and determine its effectiveness. Further, different systems and devices will usually require different AV approaches, and investigators will often examine whether each was protected with the appropriate AV software. But, buyer beware, AV is not an end-all-be-all solution. AV can be defeated because traditional AV products rely on signature-based indicators to identify malware, and attackers can readily produce new variants of malware that do not match known signatures and so evade these protections. And, in some intrusions, attackers obtain administrator credentials and disable the AV solution, often right before a ransomware attack. So, while AV programs are emphasized by regulators, they are not a panacea.
Keeping software up to date is critical to effective cyber security. To ensure this, organizations need to be able to quickly fix known vulnerabilities in their systems (patching).
Running out-of-date software or operating systems, or software with a known vulnerability, poses a significant cyber security risk and may provide unauthorized entry points for attackers.
Threat actors often seek out unpatched systems to gain access, extract data or install malware. Because the fix is usually already available, this is a highly preventable means of attack.
Software patches and updates are usually provided free of charge by the supplier and are easily accessible through the software or online (though not always: some vulnerabilities persist because the software or operating system is no longer supported and patches are not made available). Where significant vulnerabilities are identified, software and hardware providers often proactively inform customers and/or the public that patches are available. Regulators and law enforcement will not look kindly on organizations that fail to patch well-publicized vulnerabilities within reasonable timeframes or that do not have patch management policies in place.
Privileged access management refers to systems and controls in place to securely manage the accounts of users who have elevated permissions to critical, corporate resources. This includes, for example, administrator accounts, access to sensitive databases or the ability to change critical code repositories.
Accounts with elevated permissions are the holy grail for attackers, as they allow significantly greater access to the company's infrastructure and permit lateral movement through the network.
Good privileged access management can help to prevent a cyber security incident, limit the damage an attacker can do if they obtain a user's credentials, identify a potential incident, and contain an incident once it occurs.
Organizations with lax privileged access management run the risk of allowing attackers to gain extensive access to systems by compromising a single individual, even one with limited roles and responsibilities. This can lead to unauthorized access, attackers exploiting unused or compromised accounts to gain entry to privileged or sensitive areas, and attackers changing internal security controls or audit logs. Managing access also helps organizations track logins to their systems, which may make it easier to identify unauthorized access by an attacker.
Unnecessary access rights and user privileges enhance the risk that an attacker can gain access to systems and then run unfettered throughout the network. Users should be granted access on a need-to-know or least privilege basis in line with users’ role requirements.
Following an incident, regulators will seek to understand the criteria for granting access rights and user privileges, whether such users receive specific training, and whether and how often such rights and privileges are reviewed. The more sensitive user or access rights are, the tighter the control of them should be.
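The review regulators ask about (least privilege against role requirements, unused privileged accounts, and how often rights are re-certified) can be automated. The following is an added example, not part of the original article: it assumes a hypothetical role-to-entitlement policy and constructed sample accounts, and flags the three problems the section describes.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Which elevated rights each job role genuinely needs (constructed, hypothetical policy).
ROLE_ENTITLEMENTS = {
    "helpdesk": {"reset_password"},
    "dba": {"db_admin"},
    "developer": {"repo_write"},
    "platform_admin": {"domain_admin", "repo_write"},
}
PRIVILEGED_RIGHTS = {"domain_admin", "db_admin", "repo_write", "reset_password"}
DORMANT_AFTER = timedelta(days=90)   # privileged account unused this long is suspect
REVIEW_EVERY = timedelta(days=180)   # how often privileged rights must be re-certified

@dataclass
class Account:
    user: str
    role: str
    rights: set
    last_login: date
    last_review: date

def audit(accounts, today):
    """Return (user, finding) pairs for least-privilege and hygiene problems."""
    findings = []
    for a in accounts:
        held = a.rights & PRIVILEGED_RIGHTS
        # Any elevated right the role does not need violates least privilege.
        for r in sorted(held - ROLE_ENTITLEMENTS.get(a.role, set())):
            findings.append((a.user, f"excess right '{r}' for role {a.role}"))
        if held and today - a.last_login > DORMANT_AFTER:
            findings.append((a.user, "dormant privileged account"))  # unused accounts are a foothold
        if held and today - a.last_review > REVIEW_EVERY:
            findings.append((a.user, "privilege review overdue"))
    return findings

# Constructed sample accounts (last_login, last_review).
SAMPLE = [
    Account("alice", "helpdesk", {"reset_password", "domain_admin"}, date(2024, 5, 1), date(2024, 3, 1)),
    Account("bob", "dba", {"db_admin"}, date(2023, 12, 1), date(2024, 4, 1)),
    Account("carol", "developer", {"repo_write"}, date(2024, 5, 2), date(2023, 9, 1)),
    Account("dave", "developer", set(), date(2024, 5, 2), date(2023, 1, 1)),
]

def sample_findings():
    return audit(SAMPLE, date(2024, 5, 3))

if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

Unprivileged accounts such as "dave" are deliberately not flagged for a stale review, so the output stays focused on the accounts that matter most to an investigator.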
A penetration or "pen" test exercise simulates a cyberattack: a friendly hacker tries to gain unauthorized access to the system with the same tools and strategies a threat actor might use.
Pen testing enables an organization to assess the strength of significant portions of its cyber defenses and to identify any gaps and weak links that could expose it to an attack. Carried out at frequent intervals, pen tests can help organizations address vulnerabilities before attackers can exploit them, or uncover ongoing or latent attacks. Note, too, that there is a broad array of other security tests that can be conducted, all of which can identify weak or nonexistent security controls.
Regulators and law enforcement agencies are likely to ask for recent pen tests to determine a) if the organization took a proactive approach to testing its own systems and b) whether the organization took steps to fix any shortfalls promptly.
Investigators will probe the frequency and quality of such testing, whether the organization limited the scope of any pen testing to particular environments only (for example, to meet the Payment Card Industry Data Security Standard ("PCI-DSS")), and whether the third-party pen testers are part of a government-certified scheme or hold certain qualifications.