Letter from the CISO, Vol 4 Issue 5
WashU Community:
I recently attended an executive education program on “Cyber Resilience” with Chief Information Security Officers (CISOs) from many large organizations, some even global enterprises, and it was amazing how similar our challenges are.
Cyber resilience is ensuring things keep working despite adverse cyber incidents.
The challenges all the organizations face are very similar, regardless of size. It made me think about what we can all do to make ourselves individually more cyber-resilient.
The key difference between cyber security and cyber resilience is one of emphasis. In cyber security, we focus more on preventing bad things from happening. Cyber resilience is more about how we keep going and recover when bad things sneak through our defenses.
Cyber security point of view
When organizations like WashU assess their preparedness for cyber security attacks or incidents, we think about a wide range of capabilities. These include how we secure our accounts, physical devices, and information. My July 2024 column on CrowdStrike’s big goof and the importance of Cyber Hygiene noted ten important things everyone should do to better protect themselves from cyber attackers. While all of them are important, the three most important are:
- 2-Factor Authentication (2FA), to keep attackers out of your accounts even if they have learned your password.
- Device security, to keep people from getting into your devices and to help you recover them if they are lost.
- Backups, to keep a copy of your information so that a lost device or an accidentally deleted file does not mean lost data. It is increasingly easy to do this using Apple iCloud, Google Drive, or Microsoft OneDrive.
Each of these things has two sides – what you need to do before and after bad things happen.
Many of the before steps also greatly reduce the likelihood of bad things happening and causing pain in the first place, which is great. But this reduced likelihood shouldn’t lull you into complacency. An essential part of being vigilant, skeptical, and a little bit paranoid is to think about what to do if these measures fail, which brings us to the cyber resilience point of view.
Cyber resilience point of view
Considering these three “most important” safeguards, what will we need to do after the bad thing happens to contain or limit the harm?
In short:
- If the phone you use for 2FA is lost, it is really helpful to have the “account recovery codes” most systems (like Gmail) offer when setting up 2FA. If you don’t have them, I recommend generating a new set, printing them out, and hiding them in a safe place.
- Similarly, if your phone or computer is lost, stolen, or damaged, what’s your plan for recovering or replacing it? If you set up a “Find My Device” service in advance, you might be able to recover it if lost. But if it’s stolen or damaged, do you know where you would get a replacement device? If I lose my iPhone, I’ll be comparing the deals I can get between Apple and AT&T and also looking for overnight shipping! What’s your plan?
- Experienced computer people know how important it is to back up their files and often do so. Sometimes, we forget it is equally important to periodically make sure we can recover a file from those backups. I’ve even made the mistake of deleting a bunch of videos (which take up a lot of disk space) from my computer because I knew they were on my backup disk, only to find I was wrong. In another case, the disk had died. In other words, periodically (and before assuming anything), we should test to make sure we can restore files from our backups whether we’re using a local hard disk or a cloud service.
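One way to make the "test your restores" habit concrete on a home or lab machine, as an added example (this script is mine, not the column's or WashU's; the source and backup paths are hypothetical, and it assumes GNU coreutils `sha256sum`, so on macOS substitute `shasum -a 256`): take the backup as a tar archive plus a manifest of file hashes, then prove the backup is usable by restoring it into a scratch directory and checking every file against the manifest. The same manifest answers the "are those videos really in the backup?" question before you delete the local copies.

```bash
#!/usr/bin/env bash
# Added example, not from the column: back up a directory into a tar archive with a
# SHA-256 manifest, then test-restore it and verify every file. Paths are hypothetical.
set -euo pipefail

# Create a backup: a manifest of SHA-256 hashes for every file in SOURCE_DIR,
# then a tar archive of the same tree. Both land in BACKUP_DIR.
# Usage: make_backup SOURCE_DIR BACKUP_DIR
make_backup() {
    local src="$1" dest="$2"
    mkdir -p "$dest"
    # Relative paths ("./notes.txt") so the manifest can be checked from any restore location.
    ( cd "$src" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$dest/manifest.sha256"
    tar -C "$src" -cf "$dest/backup.tar" .
}

# Test restore: unpack the archive into a fresh scratch directory and verify it
# against the manifest. Returns 0 only if every listed file restores with the
# expected hash; an unreadable archive (the "disk died" case) also returns 1.
# Usage: verify_backup BACKUP_DIR
verify_backup() {
    local backup="$1" scratch
    scratch="$(mktemp -d)"
    if ! tar -C "$scratch" -xf "$backup/backup.tar" 2>/dev/null; then
        echo "RESTORE FAILED: cannot extract $backup/backup.tar" >&2
        rm -rf "$scratch"; return 1
    fi
    # --quiet prints only the files that are missing or whose hash does not match.
    if ( cd "$scratch" && sha256sum --quiet -c "$backup/manifest.sha256" ); then
        echo "restore test passed: $(wc -l < "$backup/manifest.sha256") files verified"
        rm -rf "$scratch"; return 0
    fi
    echo "RESTORE FAILED: missing files or hash mismatch in $backup" >&2
    rm -rf "$scratch"; return 1
}

# Before deleting a local file because "it's in the backup", confirm it really is:
# the manifest must list it, and with the same hash as the local copy (a stale
# backup of an edited file is not a backup of what you are about to delete).
# Paths containing spaces are not handled by the awk lookup below.
# Usage: confirm_in_backup BACKUP_DIR SOURCE_DIR RELATIVE_PATH
confirm_in_backup() {
    local backup="$1" src="$2" rel="$3" expected actual
    expected="$(awk -v p="./$rel" '$2 == p {print $1}' "$backup/manifest.sha256")"
    if [ -z "$expected" ]; then
        echo "NOT IN BACKUP: $rel" >&2; return 1
    fi
    actual="$(sha256sum "$src/$rel" | cut -d' ' -f1)"
    if [ "$expected" != "$actual" ]; then
        echo "STALE IN BACKUP: $rel (local copy differs)" >&2; return 1
    fi
    echo "OK: $rel is in the backup with a matching hash"
}

# Typical use (hypothetical paths):
#   make_backup "$HOME/Documents" /mnt/backupdisk/documents
#   verify_backup /mnt/backupdisk/documents            # run this periodically, not just once
#   confirm_in_backup /mnt/backupdisk/documents "$HOME/Documents" videos/vacation.mp4
```

Run `verify_backup` on a schedule (or at least before you rely on the backup), and treat any non-zero exit as "I do not currently have a backup" rather than as a warning to look into later. For a cloud service the same idea applies: download a few files back to a fresh folder and compare hashes, rather than trusting the sync icon.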
Bottom line: in addition to putting up cyber defenses, make sure they work, and make sure you know what to do if they fail.
Call to action
In all these cases, my constant plea to be vigilant, skeptical, and a little bit paranoid will go a long way toward protecting you.
And if you know more about cyber security than your friends – and if you’ve read this far, you probably do – please share this information with them and help them put it to use.
If you need help with any of these ideas, please contact the Office of Information Security.
Thank you for reading my column and being a member of the university’s Information Security team!
Good luck, and be careful out there!
-Chris Shull, CISO