Marianne Bailey has borne witness to some of the most extraordinary cyberattacks of our lifetimes and offered guidance to the highest levels of government as they rushed to stem the bleeding. Her service as Deputy National Manager for National Security Systems (NSS) and Senior Cybersecurity Executive for the National Security Agency has given her unique insight into the ways that cyberattacks propagate and affect both public and private enterprise. She is now cybersecurity practice leader for Guidehouse.
Here, she talks to Richard Pallardy for InformationWeek about how companies can most effectively fortify their defenses, especially in light of the novel cyberwar occurring between Russia and Ukraine -- and Ukraine’s allies. She also offers detailed advice on how to renegotiate agreements with third-party providers, ensuring the highest possible level of response to an attack.
How has the security landscape changed in light of the Ukraine crisis? Are there aspects of security that companies should be more concerned about in the current moment?
There has been a low-level cyber war going on for decades. At NSA or in the DoD, I've been in positions where I got to see a lot of them from a classified perspective. Cyber adversaries are very, very different depending on what they're after. There are a lot of things that happen that aren't brought out into the public eye. Ukraine just made it very visible for many more people. It made it very, very clear that if there was going to be some type of physical conflict like Ukraine, the country that is trying to dominate is going to use cyber warfare as a further tool. It shouldn't be surprising to anybody. But it always seems to be surprising, which really surprises me. Let's say I have the ability to cause major damage. I can do it from my own country. It's a pretty darn low cost of entry, and it's going to have a phenomenal impact. Why am I not going to use it? Cyber is now a weapon of war.
Do you think the direct attacks on Ukraine will propagate and affect other areas?
I have not seen that, to be honest with you. But I will tell you, we know from previous cyberattacks that there have been many examples where they were not contained. They go global. Look at what happened with the NotPetya virus. I was in the Pentagon at the time. It was a Friday night, pouring down rain. The White House was calling at seven o'clock asking “What do we do?” We were watching it move across the globe. The great thing for the United States was we had about seven hours of notice. We could make sure that we had the protections in place that we needed in most cases, and we didn't have much impact here. But it did in fact affect a lot of companies in Europe. But the intent was never to do that.
One of the other concerns is cyber vigilantism. There are a lot of cyber vigilantes in Ukraine -- organizations are retaliating against Russia and retaliating against their social media. I can see why it's really, really tempting to do that. But it's also very dangerous. Are they looking at the second and third order effects? Let's just say they launch something against Russia, and they launch it from the UK. Then Russia thinks it's the UK, not this other crazy group, and so they retaliate. It can start things that don't need to be started and it can escalate very quickly.
What sorts of inventories should companies take in order to secure their defenses?
All companies should have great asset inventory. Most companies do not. They should know every piece of equipment that they own. The bigger the company, the harder it is to track every single computer that's theirs, every single router that's theirs, every single piece of equipment that touches their network. They need to know they bought it with a purpose. And that it's supposed to be there. We see this all the time. They don't know whether it's a piece of equipment they bought or if it’s something a bad guy put there.
They should also have a very robust vulnerability patching regime. Every month, they should scan for vulnerabilities in their system and then patch them. They should have very strong multi-factor authentication. It's not just a username and password anymore. We are lousy as humans at creating passwords that a machine can't break in a second. I used to give this briefing on basic cyber hygiene. I showed them a picture of a dog placing an order on Amazon. The owner walks in and the dog looks at the owner. And he's like, “What? If you didn't want me to order stuff, you shouldn't have used my name for your password.” Because that's what people do.
They should also have a really strong operations team that's monitoring their network security. They should have strong data governance policies and a strong data backup. If they don't have strong data governance policies, they don't know where their data is. When they get hit with a ransomware attack, they have a very hard time. They don't have backups. People move to the cloud. They think everything's great. Well, now your data's just on a server somewhere else. It doesn't mean it's safe.
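The asset-inventory point above -- knowing whether a device on the network is something you bought or something an attacker planted -- comes down to reconciling an authoritative inventory against what is actually observed. The following is an added example written for this page, not code from the interview or from Guidehouse; the inventory entries, the scan output and the MAC-address format are constructed for illustration.

```python
"""Reconcile an owned-asset inventory against hosts seen on the network.

Added example, not from the interview. All data below is constructed.
"""
import re
from typing import NamedTuple


class Observed(NamedTuple):
    ip: str
    mac: str        # normalized: lowercase, colon-separated
    hostname: str


# Constructed sample: what procurement says the company owns, keyed by MAC.
INVENTORY = {
    "aa:bb:cc:00:00:01": "laptop-finance-01",
    "aa:bb:cc:00:00:02": "router-core-1",
    "aa:bb:cc:00:00:03": "printer-2f",
}

# Constructed sample: one host per line from a network scan (ip, mac, name).
# Note the mixed MAC formatting; real tools disagree on case and separators.
SCAN_OUTPUT = """\
10.0.1.10   AA-BB-CC-00-00-01   laptop-finance-01
10.0.1.1    aa:bb:cc:00:00:02   router-core-1
10.0.1.77   aabb.cc00.0099      (unknown)
"""


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-..., aabb.ccdd.eeff; emit one canonical form.

    Without this step, the same physical device can be reported as 'unknown'
    simply because two tools format its address differently.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_scan(text: str) -> list[Observed]:
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, hostname = line.split(None, 2)
        hosts.append(Observed(ip, normalize_mac(mac), hostname.strip()))
    return hosts


def reconcile(inventory: dict[str, str], observed: list[Observed]):
    """Return (unknown, missing).

    unknown: hosts on the wire that the inventory does not account for --
             the 'did a bad guy put it there?' question.
    missing: inventoried assets that were not seen, which may be powered off,
             moved, or stolen; either way the inventory is out of date.
    """
    seen = {h.mac for h in observed}
    unknown = [h for h in observed if h.mac not in inventory]
    missing = sorted(set(inventory) - seen)
    return unknown, missing


if __name__ == "__main__":
    unknown, missing = reconcile(INVENTORY, parse_scan(SCAN_OUTPUT))
    for h in unknown:
        print(f"UNKNOWN  {h.ip} {h.mac} {h.hostname}")
    for mac in missing:
        print(f"MISSING  {mac} {INVENTORY[mac]}")
```

A MAC address is a weak identifier: it can be spoofed, and modern phones randomize it per network, so in practice this check is a first pass that feeds a ticket queue, with 802.1X or certificate-based device identity as the stronger control.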
Are there particular frameworks that you advise using?
Definitely the frameworks provided by the National Institute of Standards and Technology (NIST). There are other frameworks, but most of them are based on the ones developed by NIST. So they've taken this and tweaked it a little bit into something called the cybersecurity framework. That's the thing, this cybersecurity framework. There's NIST 800-53, which details the security controls you need to implement, for example.
Cloud Security Alliance (CSA) has a cloud controls matrix. And then there's the Center for Internet Security (CIS) Controls Version 8. Most people test their products against them. And there's very specific criteria that they have to meet.
What kinds of failure points should companies look for in their systems?
One of the things that we see quite often with large companies is that they don't really look at the cybersecurity of the companies they're acquiring. They don't realize that they just opened up their entire network, their entire big company, to the vulnerabilities allowed by that company through something like their timesheet processing.
Phishing happens, which is one of the biggest [entry points] for ransomware, because humans click on things that they shouldn't. You get an email that looks pretty real. Now your credit card is due. You're late. You got a speeding ticket. People click on it, and it downloads malicious software onto their computer. Training people to look out for stuff like that is important.
The other thing that we see a lot of is end-of-life hardware. If you're operating or using old hardware and software, companies like Microsoft have stopped patching it. It'll have tons of security vulnerabilities. There's nothing you can do about that because they're not upgrading it for you. Get rid of end-of-life software. You think that's easy to do? Your phone automatically updates all the time. But many companies really can't afford to roll over their technology as fast as they need to. They do really need to look at their technology. If it's not being patched anymore by the vendor, they need to get rid of it.
What are some best practices for ensuring data segregation?
You need a strong data governance process. First of all, you really need to understand what data you have, where it is, and what you use it for. There are a lot of regulations around data today and more regulations dropping every day. Financial services companies are seeing huge fines for not protecting the data, for example.
I recommend something called microsegmentation. You segment the data so the only people that need to have access to it have access. It should be on a need-to-know basis -- a granular level of access control. My job may be accounting, and therefore I should only have access to accounting data. If it's a healthcare company and I'm doing accounting, why do I need access to patient records? I don't. You only need to tag the data. It's very easy to set up controls so I can't access that.
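The tag-based, need-to-know control described in that last answer is easy to state and easy to get subtly wrong: the two decisions that matter are what happens to data nobody tagged, and what happens to a record that carries more than one tag. The block below is an added example for this page, not code from the interview; the roles, tags and the accounting-versus-patient-records policy are constructed to match the scenario she describes.

```python
"""Need-to-know access decisions from data tags. Added example; all policy
and sample data below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset  # e.g. frozenset({"accounting"})


@dataclass(frozen=True)
class DataObject:
    name: str
    tags: frozenset  # classification tags applied by data governance


# Constructed policy: each role may read data carrying these tags, nothing else.
# Anything not listed is denied (deny by default).
ROLE_TAG_POLICY = {
    "accounting": {"accounting"},
    "clinician": {"patient-records"},
    # Hypothetical role that legitimately needs both kinds of data.
    "billing": {"accounting", "patient-records"},
}


def can_read(p: Principal, obj: DataObject, policy=ROLE_TAG_POLICY) -> bool:
    """True only if every tag on the object is covered by one of p's roles.

    Two deliberate choices:
    1. Untagged data is denied. If governance has not classified it, nobody
       knows what it is, so it should not be silently readable.
    2. An object with several tags needs ALL of them allowed. A claims file
       tagged {accounting, patient-records} is still patient data, so an
       accounting-only user must not see it just because one tag matches.
    """
    if not obj.tags:
        return False
    allowed = set()
    for role in p.roles:
        allowed |= policy.get(role, set())
    return obj.tags <= allowed


def untagged(objects: list[DataObject]) -> list[str]:
    """Governance check: data you cannot classify is data you do not control."""
    return [o.name for o in objects if not o.tags]


# Constructed sample data for the healthcare-company scenario.
LEDGER = DataObject("general-ledger", frozenset({"accounting"}))
CHART = DataObject("patient-chart-1042", frozenset({"patient-records"}))
CLAIM = DataObject("claim-7781", frozenset({"accounting", "patient-records"}))
SCRATCH = DataObject("exports/tmp.csv", frozenset())

ACCOUNTANT = Principal("alice", frozenset({"accounting"}))
DOCTOR = Principal("bob", frozenset({"clinician"}))
BILLER = Principal("carol", frozenset({"billing"}))

if __name__ == "__main__":
    for who in (ACCOUNTANT, DOCTOR, BILLER):
        for what in (LEDGER, CHART, CLAIM, SCRATCH):
            print(f"{who.user:6} {what.name:20} {can_read(who, what)}")
    print("untagged:", untagged([LEDGER, CHART, CLAIM, SCRATCH]))
```

In a real deployment the policy table lives in an IAM or DLP product rather than a dict, but the two rules in `can_read` are the ones to verify there: deny untagged data, and require every tag on a multi-tagged object to be authorized.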