Keeping Information Security Simple – InfoSec Requires Advanced Preparation

Letter from the CISO, Vol 2 Issue 12

Washington University Community:

Are cyber threats like pop quizzes?

I was recently asked, “How are cyber threats like pop quizzes?” I’ve realized this is an interesting question, but not in the way I originally thought. Initially, I thought of reasons they were similar. They are unexpected, test knowledge and preparedness, induce stress and pressure, and present learning opportunities. However, I started wondering, “If there is a pop quiz in every class, every day, are they still pop quizzes? If there are final exams every day, is it still a class? If cyber-attacks are continuous, are they like pop quizzes at all?”

Vigilance is key.

The recurring mantra of my monthly columns is that we must all be “vigilant, skeptical, and a little paranoid.” I have primarily focused on the “skeptical and a little paranoid” parts of this phrase because a person can so easily become a victim of a phishing attack via email, text, or social media. However, today I would like to focus on vigilance.

Malicious actors will strike the moment you let down your guard. It does little good to be careful just most of the time. For example, it’s generally not good enough to drive sober most of the time because driving while impaired is too dangerous to do even once. Similarly, if you aren’t always skeptical of phishy email messages, you will undoubtedly, eventually, fall for one.

Vigilance requires advanced, “left of boom” preparation.

In a recent meeting with WashU’s Liaison to CISA (U.S. Critical Infrastructure Security Agency), he highlighted that 90% of what they could do to help us recover from a cyber-attack has to be “left of boom,” meaning before the cyber-attack happens.

This includes all the technical defenses, such as firewalls, 2-Factor Authentication, VPN (Virtual Private Network), email link and attachment analysis, file and system backups, and hundreds of other controls, plus the phish testing and social engineering awareness training we do to help everyone recognize and avoid clicking on phishing links and downloading malicious software.

Without this pre-work, our ability to prevent, interrupt, or recover from a cyber-attack would be greatly reduced.

The most important part of preparing for an exam is studying beforehand. If you don’t study, you might be able to pass the exam because it was too easy, you were able to guess the answers, or it wasn’t a very good test. But most examiners don’t consider failure to study as a valid excuse. Students prepare for exams by attending class, reading the textbook and other materials, taking notes, and doing homework.

Similarly, information security professionals study attack patterns and vectors (attending lectures and seminars), leverage industry standards (sort of the textbook and supplemental readings), and apply their tools and techniques to real-world and imagined problems (homework, in-class, and group projects).

Why is this important to you?

Most readers of this column are not information security professionals or even IT professionals, but this information is still very important and relevant to you. While you didn’t sign up for the cybersecurity course known as real life, you are enrolled, cannot drop the course, and there is an exam every day.

Good news – it’s an open-book exam, and you can ask for help.

In fact, this newsletter, and the entire internet, are available for you to look for answers.

Last month I recommended a list of six technical things you can do to improve your security:

  1. Consider security and privacy before you buy things.
  2. Turn on full, automatic updates of the operating system, firmware, and applications.
  3. Change default login passwords to long and unique passphrases.
  4. Use a password manager.
  5. Turn on two-factor authentication (2FA) everywhere you can.
  6. Enable backups of your information.

More details are available at “Keeping Information Security Simple – Congratulations: You are a Risk Manager and a Systems Administrator – Know It or Not, Like It or Not.”

Today I will add just two more recommendations.

Test your backups: The first is related to #6 above. You should occasionally test the functionality of restoring and recovering files from your backups. This can be as simple as creating a test file and saving or synching it to the backup system. Then delete the file from your computer and see if you can restore it from the backup. Some systems are better at allowing you to access previous versions of files than others. I do this frequently when I want to revert to the original version of a file, but sometimes it is hard to recover a deleted file.
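The restore test described above can be scripted so that "restored" means "restored byte for byte". This is an added example, not part of the original letter: the file names, the manifest location, and the temporary-folder copy that stands in for a real backup system are all assumptions.

```python
import hashlib
import json
import secrets
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def create_canary(protected_dir: Path, manifest: Path) -> Path:
    """Step 1: write a unique test file; keep its hash OUTSIDE the backed-up folder."""
    canary = protected_dir / "backup-restore-canary.txt"  # hypothetical file name
    canary.write_text(f"restore test {secrets.token_hex(16)}\n")
    manifest.write_text(json.dumps({"path": str(canary), "sha256": sha256_of(canary)}))
    return canary

def verify_restore(manifest: Path) -> str:
    """Step 3: after restoring from backup, compare the file with the recorded hash."""
    record = json.loads(manifest.read_text())
    restored = Path(record["path"])
    if not restored.is_file():
        return "missing"      # the backup never captured the file, or the restore failed
    if sha256_of(restored) != record["sha256"]:
        return "mismatch"     # older version, truncated copy, or placeholder content
    return "ok"

def demo() -> list[str]:
    """Constructed walk-through: a temp folder copy stands in for the backup system."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        docs, backup = Path(tmp, "docs"), Path(tmp, "backup")
        docs.mkdir()
        backup.mkdir()
        manifest = Path(tmp, "canary-manifest.json")
        canary = create_canary(docs, manifest)
        shutil.copy2(canary, backup / canary.name)   # stand-in for "the backup ran"
        canary.unlink()                              # step 2: delete the original
        results.append(verify_restore(manifest))     # nothing restored yet
        shutil.copy2(backup / canary.name, canary)   # stand-in for "restore the file"
        results.append(verify_restore(manifest))     # restored copy is intact
        canary.write_text("stale or truncated copy\n")
        results.append(verify_restore(manifest))     # restored file is the wrong content
    return results

if __name__ == "__main__":
    print(demo())
```

With a real backup product, run `create_canary` once, wait for the backup to complete, delete the file, restore it through the product's own interface, and then run `verify_restore`.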

Enable your firewall: The second recommendation is to turn on your computer’s software or host-based firewall. A firewall will help protect your computer from unauthorized access over the network, particularly when working in a public place like a coffee shop or hotel. Please visit the following links for more information about how to enable this feature on Windows or macOS.

If you need help with any of these things, please don’t hesitate to reach out to our office.

Thank you for reading and being members of the university’s information security team!

Good luck, and be careful out there!

-Chris Shull, CISO