
Securing Small Organizations - Doing More With Less

BSides Athens · 19:09 · 108 views · Published 2023-06 · Watch on YouTube ↗
Tags: Style: Talk
About this talk
Abstract: As small organizations face the escalating challenges of cyber threats, it is essential to prioritize their security posture to safeguard sensitive data, assets, and reputation. This presentation will provide an insightful overview of the unique cybersecurity challenges faced by small organizations and outline tailored strategies to enhance their defenses. We will examine the risks posed by inadequate security measures and explore cost-effective, scalable solutions for mitigating potential threats. Key topics include the identification of common vulnerabilities, the importance of fostering a security-conscious culture, and the implementation of foundational cybersecurity best practices. We will also discuss the role of employee training, third-party risk management, and incident response planning in creating a resilient security framework. By equipping small organizations with practical guidance and actionable recommendations, our presentation aims to empower them to proactively address cybersecurity challenges and foster sustainable growth in an increasingly interconnected world.

Bio: Julian is an experienced penetration tester with a knack for finding and exploiting security vulnerabilities. With a background in cybersecurity, his expertise and enthusiasm have enabled him to effectively execute a range of tests for businesses across a multitude of industries. Dedicated to staying on top of the evolving cybersecurity industry, Julian is also proficient in risk management, incident response, and threat risk assessments. He's a team player who is always eager to take on any project, no matter how difficult. Julian is an expert in his field, and his expertise has been invaluable in helping clients safeguard their businesses against malicious attacks.

Transcript [en]

Thank you everyone for taking the time out of your day to watch our presentation. We're sorry that we couldn't make it to BSides Athens 2023, but we hope you enjoy this video and we hope to make it out next year. Today my colleague and I are going to be presenting "Doing More With Less: Securing Your Small Organization." So, a little bit about us. My name is Julian Botham. I'm a penetration tester at Valencia Risk. I've been here for about two years now. We're a small shop based out of Canada, and because it's such a small shop I often get to wear many hats, so I also do TRAs, audits and other forms of assessments. Handing it over to my colleague Pablo.

Thank you Julian. Hi everyone, my name is Pablo Zalo. I'm a risk analyst here at Valencia. I began my career focusing more on training, delivering and creating it, and issuing simulated phishing campaigns, and gradually became involved in risk assessments and cyber audits of all kinds. Pleasure to be with you today.

So why are we here? I think it's an important question to answer before we get things started. Pablo and I often work with small and medium-sized organizations that don't have the resources, funding or people to maintain a high security posture. So what we've done is taken and created a hypothetical case study based on sort of what we've seen in clients, in headlines and in just our own experience in the field, to sort of illustrate that idea of a small organization that doesn't have what, you know, it may take to build a strong cyber security program, and we're going to use that to sort of paint a picture as to where many faults are and to make some suggestions. Pablo?

That's right Julian. So through this simulation example, for lack of a better term, we really hope to move the needle forward as regards cyber security. After our talk we hope you'll walk away with three actionable ways to improve the cyber security standard of your organization.

So I think it's a good idea to preface this presentation with what the landscape is right now. I'm sure many presentations at BSides are going to do something like this, so of course we have to as well. Well, what we're seeing is that ransomware is here to stay, and I think everyone knows that now. It's looking like it's going to be a 230 billion dollar increase over the next eight years, and ransomware operators are making good money. It doesn't seem like this is going to be going away; we're going to have to deal with it head on. You know, as a small organization, I think many of you may wonder, well, why would they attack me, why would they target me, we don't have much money to give them, that kind of thing. And what it really comes down to is they're looking for the lowest hanging fruit, they're looking for the most vulnerable, and they're just using automated scans to scout the internet, huge phishing campaigns, and often it's these organizations that are targeted the most. And of course it seems like it's sort of the standard practice nowadays that double extortion is being used, so it's no longer just a crypto-lock of your systems, they're also threatening to leak your data, and they are fulfilling that threat. In Canada we've seen a rise of triple extortion affecting health care services as well, where they're now approaching the patients whose medical records they have for a ransom. And of course every day we're seeing new evasion techniques, whether it's the latest zero day or a new TTP to evade what's been documented. Everything's changing all the time.

That's right. Ransomware is really here to stay, and this was confirmed to us when, since the beginning of 2023, we saw states take ransomware, cyber crimes and cyber attacks much more seriously and give themselves the means to counter it. So before we talk about what we would actually need from government, we have to say that we've seen a shift towards the protection of users in 2023. So the Biden administration, you know, famously repositioned itself to focus on risk reduction, harm reduction towards organizations and individuals, by shutting down threat actor groups instead of infiltrating them to punish them. On the other hand, in Europe, which may be more relevant to this audience, we've seen the GDPR give the European Commission the means to punish Big Tech when it abuses user data. So what do we need from government? Well, this can be crystallized in two main points. The first thing that we'd like to see would be incentives for organizations to be compliant with cyber security standards and frameworks. This could be through tax breaks or, you know, in other ways, but by complying with frameworks, people within organizations and organizations themselves stay safe and they keep their customers safe.

Sorry, just sorry to interrupt there. We had delivered a similar presentation to the IAPP earlier this year, and one of the things that we heard from them when we surveyed them and asked them what they think government could do would be tax credits, sort of these incentives for these small to medium-sized organizations to actually implement these controls to some sort of standard and to make it a lot easier. We all know that cyber security is not cheap, and often the executives feel it's just a cost, there's no real profit to be had in cyber security.

Right. Compliance with frameworks is important. It gives all organizations a baseline degree of cyber security; that's a good place to start from and quantitatively measure how far along that organization has grown. So thank you for that Julian. The second thing that we'd like to see would be some sort of central threat exchange. What we find is that cyber security, I don't have to tell you, has its own vocabulary and jargon, and it can be complicated for common people, or you know laymen, to understand the implications of a threat and what should be done to remediate them. So if we had this sort of agency at the global or continental level that would facilitate distribution of actionable threat intelligence items, we would be very happy to see that as well.

Yeah, and I know for many listening to this it sounds like a pipe dream, these sort of ideas, and it is at the moment, but it's our responsibility in the industry to advocate for this and speak about it, just as we are here today, because with that action we can't actually see change. Maybe I'm just a little bit optimistic, but I think things have been moving in the right direction thus far; they just need a further nudge. And if we don't get those things from government, what's gonna happen? Well, bad things are about to happen. So let's do a little introduction, Pablo, into the hypothetical case study that we developed for everyone today.

Sounds good. So we'd like you to envision a healthcare facility, a hospital by the name of Coordinates Hospital. So it's a small hospital with a small IT shop that takes care of their cyber security, and a phishing campaign gets launched against the end users, and while most don't fall victim to that campaign, some of them do, and with several users downloading malicious programs embedded in the email, this leads to a widespread and undetected infection across the network of the hospital. Now with that position, the attackers leverage it to gain domain administrator accounts and stay in the shadows, biding their time for several months.

And the time came, the day struck, and the ransomware hit. Everyone was freaking out. The IT team was receiving emails from physicians, clerks, you name it; I'm sure their inbox was filled up as this sort of terrifying message scrawled across everyone's computers. The IT team, going to the executives, passed along this information and said, hey guys, we've been hit. As things were happening, the executives took their time to research what Bitcoin was and what a ransomware attack was. It appeared that the hospital website had been defaced. Now this is something that we see very often in ransomware attacks: the attackers want to turn up the heat and they want to increase the pressure and likelihood of being paid out. So then, as you know things are in our contemporary times, Twitter or else is in a fury, everyone is talking about it, the executives look up what Bitcoin is, what ransomware is, and while they're doing that they're put in a position where they have no other choice but to cobble together the crypto, take the hit and pay the ransomware operators and threat actors. And I think this is really common. Pablo, so let's take a step back and sort of distance ourselves from what happened and how to understand where their gaps were.

So I think one of the important things to note here is that CSPLH, and of course you guys didn't know this, but they didn't have an idea of where their vulnerabilities were, where their critical assets in their environment were, and how to protect them. They didn't know, you know, whether or not they could function without some of those services, if they'd be all right if, you know, the workstations were crypto-locked and they could turf those and rebuild them. But, you know, the medical records of course are their crown jewels in this case. They also didn't have an incident response plan that they had run through before. They didn't know what to do, as we kind of explained there, and I'm sure many people picked up on that, but the executives, when faced with this sort of dire consequence, didn't know what was going on, they didn't know how to react, and often, you know, what we see is that they think these kind of things are IT's problems. Pablo?

So fundamentally, another thing that we saw is, through the way that the infection spread, we saw that there was an absence of a cyber security culture at Cornice. Now the cyber security culture has two components. So there's one more formal one which involves awareness training. Awareness training was not aligned with the current threat landscape, it wasn't gamified or interesting, and staff literacy wasn't tested in phishing campaigns. Most importantly, there wasn't a culture in which staff members felt like they could talk to executives about cyber security and where they understood their roles as stakeholders in furthering that culture of cyber security.

So what are we suggesting? I think the overarching theme for small organizations is to rethink your risk. We understand that you don't have the resources to go ahead and do a full TRA of your organization; those are costly, expensive and time consuming, and for a small IT shop with little funding it's not feasible. But I think the first important step towards bettering your cyber security posture is having conversations about what organizational risk is, and I think often at the executive level, or even throughout the organization, people define organizational risk and cyber security risk as separate entities, when in actuality they're the same thing. I've spoken to a colleague who had given a similar talk and run through a tabletop exercise at a conference, and afterwards he was pulled aside by a CEO, and that CEO said to him: before a ransomware attack, cyber security is IT's problem; after it happens, it's our problem. And I think that really illustrates the sort of mindset that a lot of executives have, a lot of people in the industry and outside of the industry have, is that cyber security really isn't our problem until something happens. So what are we suggesting in sort of the absence of a TRA? Well, I think it's important to sort of sit down and look at what your crown jewels are. That's something that's very feasible, much more easily done, and just look at, okay, what are the essential business units in your organization, what are these essential assets that you guys can't go without in order to function on a day-to-day basis. These may be, in, you know, CSPLH's example, the medical records; they may be some equipment. And it's important because as you take this information and you get an understanding of where your critical assets lie, you can use that to build into simulations.

So what are we saying when we say simulations? Well, I know it's a lot easier said than done, but getting some time out of your executives' calendar to sit them down, and I think that's important to note on its own, that it can be challenging to get them to chat about cyber security, and to help them understand that if something had happened, just because their calendar's full doesn't mean, you know, when a cyber attack is going to happen it's going to be when they have time for it. But sit them down and sit them through a scenario where some of these essential services are taken offline, see what they would say. And I think many people's first answer when it comes to paying ransomware is "we'll never do it", but if all these essential services are halted and the ransom fee is a decent price, they may end up doing it, right? And it's important to have these conversations involve people like your legal team, your communications team, whoever owns those critical assets who may not directly feel like they are part of cyber security, and empower them to realize that they're a stakeholder in this as well. And it's not just limited to executives. There are great opportunities to run simple and effective technical simulations as well. The Cyber HQ out of the UK offers a "tabletop in the box" which allows you to sort of create a command and control emulation in your network and allow your IT team to do a little bit of threat hunting, get them to stretch their legs in a way that they haven't, and make it something fun. And I think it's important to run these simulations because if you don't have an incident response plan in place, it illustrates to these people at the high level and at the technical level the importance of one, and even if you do have one, it'll help you find gaps in that.

Yes, that's quite true Julian, and let me riff a little bit on your remark about simulations, because simulations are useful in that you get to experience and identify where your blind spots are and mitigate them without actually being in the heat of the action. And what's interesting about simulations is that they actually apply to a variety of different cyber security functions. So Julian mentioned tabletop exercises at the executive level, technical exercises at the technical level, but there's also phishing campaign simulations. Microsoft, KnowBe4, different services are provided to craft your own phishing campaigns and test staff cyber literacy and their likelihood to fall for them. The reason why that's important is that the overwhelming majority of malware gets within a system through social engineering and tricking people into, you know, letting it in, pretty much, right? So that should be an integral part of what it means to build a cyber security culture. When you're procuring your training modules, make sure that they're up to date with the current threat landscape, make sure that they cover all of the information that a user should know, and optimally, if you can tailor some training modules to specific functions in your organization, you should do that. But most importantly is to create that cyber security culture in your organization, where employees feel free to ask questions about cyber security, where IT knows this and follows that mission along, and where executives are open about it.

Yeah, sorry, I just want to interject there, but I think it's important to really drive home that it's not about putting the bulletin up in the lunchroom saying, you know, "don't share your password". It's a lot more than that when it comes to building a culture.

Oh, 100%. And one of the ways that this is done is through discussion, engagement, but most importantly, since COVID began, personal devices and work devices, our personal cyber life and our professional cyber life, are intertwined. Staff members have to understand that they're stakeholders in their organization's cyber security, but also that cyber security doesn't end at the office or, you know, at work functions. The techniques that are taught in training are cyber hygiene techniques that should be applied in your professional life just as much as your personal life. And so if you're able to take these three things away to your company and apply them, we believe that you're going to be able to do more with less and secure your small organization.