Not just in personal finance, but also in cybersecurity, the phrase “making hay while the sun shines” holds true. Cyber threats are persistent but often remain concealed until they strike. In such unfortunate instances, the safeguards you expected to work have failed, and your secure coding checklist was not followed. To make matters worse, a standby service has failed to activate, and the log files for crucial insights of the attack have gone missing. Moreover, rumour-heard reporters kept reaching out to you for details. As an example, this episode could begin with a seemingly benign web defacement and escalate to a massive SQL Injection, compromising sensitive data, causing prolonged service outages, and leaving uncertainties about the timeline and sources of the attack, despite painstaking investigation.
Many companies invest heavily in cybersecurity but pay less attention to its ongoing operations. This is not by choice but due to prioritization constraints. Tech staff often face hectic schedules and long working hours. One moment, we are racing against time to meet project deadlines; the next, we are scrambling to recover from system outages. On quieter days, we conduct training sessions, attend sales pitches, experiment with emerging technologies, and endure the monotony of meetings. If any time remains, we work on procurement tenders, technical documentation, reports, and assist with recruitment. After getting home late, we clear urgent emails, get a few hours of rest, and repeat the routine the next day. As a result, aspects of cybersecurity that are not immediately pressing are often neglected. Over time, we let our guard down, allowing the busyness to take over our minds.
Just as regular exercise is essential for maintaining physical health, consistent drills are necessary to ensure cybersecurity fitness. These drills help confirm that all safeguards, processes, and alerts remain effective and operate as intended. Most importantly, they allow businesses, staff, users, and vendors to identify any missteps and validate assumptions made from the last review, and be ready for actions should crisis erupts.
Penetration Test
The idea behind a penetration test (Pentest) is to identify our own vulnerabilities before our adversaries do. The tools allow us to scan the entire network, mapping out hosts, operating systems, protocols, services, and versions in use, and critically uncover any shadow IT without our knowledge. With scripting, we can simulate common attacks like brute-force attempts on websites and databases. It can, also, check against a list of Common Vulnerabilities and Exposures (CVEs) such as SQL Injection and Cross-Site Scripting, etc., and alert us if our hosts were indeed vulnerable. Over time, the accomplished Pentest and its checklist could serve as a key performance indicator of the enterprise and to be tracked yearly.
Red Teaming
Unlike penetration testing that aims to uncover vulnerabilities, Red Teaming simulates a threat actor’s thought process to target specific assets, whether personal data, intellectual property, critical services, or privileged access for financial gain. This exercise tests various methods and pathways to bypass corporate defenses, evade surveillance systems, and exploit both system and human vulnerabilities within an organization, all while leaving no trace.
For example, understanding that remote reconnaissance might be blocked by corporate firewalls, the Red Team could exploit exposed remote access services to establish a covert foothold. This allows them to bypass perimeter defenses and advance the exploits further, such as harvesting login credentials and creating shadow accounts with elevated privileges to exfiltrate sensitive data. In another scenario, the Red Team might study the organization’s hierarchy, impersonating a procurement officer to submit fraudulent purchase orders to suppliers or posing as a newly hired senior executive to trick employees for financial gain.
From denial-of-service attacks to DLL sideloading, DNS poisoning, identity theft, ransomware, social engineering, spear phishing, and SQL injection, Red Teaming adapts its attack vectors to bypass specific defenses. As cyber threats evolve rapidly, it is advisable to engage external Red Team services, as these vendors bring a wealth of experience and up-to-date industry knowledge.
Phishing Drills
Phishing attacks are inexpensive to launch but highly effective. They exploit human emotions such as fear, greed, empathy, and curiosity. A single inadvertent click or screen touch can lead to disastrous consequences for an organization, and with finger-tip access to Generative AI and deepfakes, it has made it worse. While technology can provide some level of protection, regular drills and user education are far more effective in mitigating human error. But are there supporting data?
A well-designed phishing drill can help test several assumptions. First, does the relevance of the drill’s theme affect the likelihood of falling prey? For instance, general staff may be quick to click on an announcement about pay structures, while healthcare professionals might be more concerned with changes in patient care regulations. Second, do regular reminders from corporate leadership help reduce phishing click rates? Third, are employees who are subjected to regular drills less susceptible than those in a control group?
The results from previous drills I’ve experienced were encouraging. Staff members were particularly vulnerable to phishing emails related to organizational matters, with a 24% fall-prey rate compared to just 8% for other themes. The drills themselves were highly effective, reducing the click rate to 15% for those who received two rounds of practice, compared to 18% for the control group. However, management intervention, such as reminders from corporate leadership, did not significantly reduce the click rate.
That said, phishing drills aren’t without challenges. They can lead to resentment or erode trust among staff. Still, they remain a worthwhile exercise as they address the reality that individuals are often the weakest link in an organization’s security.
Table-Top Exercise
A cyber breach can cause far-reaching damage to an organization beyond just its infrastructure and systems. This includes business disruption, potential privacy violations, financial and reputational losses, legal claims, regulatory penalties, and more. With so much at stake, incident response should not be confined to the tech team alone but must also involve business partners and corporate leadership, including the heads of communications and legal.
In the event of a breach, time is of the essence. The tech team must sift through vast amounts of data and devices to identify the source of the attack and neutralize it. The situation can quickly become chaotic, with team members rushing into action from all directions, calling for additional resources, deciding on the best course of action, issuing public communications, and updating users and board executives, all while new findings and hypotheses continue to emerge.
Infrequent though they may be, cyber breaches can leave both tech and corporate leadership unprepared. Some team members may be unclear about their roles, while others could be distracted by irrelevant system issues. This is where a tabletop exercise becomes invaluable. By working through realistic scenarios, the interdisciplinary incident response team can familiarize themselves with their roles, actions, procedures, and responses in the event of a breach. Only when our response becomes as automatic as a muscle reflex can we contain an attack and minimize damage as quickly as possible.
Finally, with regular drills, we will be prepared to defend, recover quickly, and minimize losses in the event of a breach.
*Copyedit: ChatGPT