5 Things You Should Expect to be Asked After a Cyber Security Incident


May.07.2021

In the wake of a cyber incident, regulators and law enforcement agencies closely scrutinize the cyber security measures in place at the affected organization.

Time and again, we see regulators focusing on certain cyber security measures over others. The measures that hold regulatory focus are often those that, in a regulator's view, are standard practice and should form the baseline of any effective cyber security structure. While these concepts and standards are well known to cyber security and privacy specialists, they are less well understood by those who operate outside these specialisms, such as GCs, board members and other legal and risk professionals.

We explain, in non-cyber speak, the five most commonly asked cyber security questions posed by regulators and law enforcement agencies in the aftermath of a cyber incident, covering:

  1. Multi-factor authentication
  2. Anti-virus software
  3. Patching and vulnerability management
  4. Privileged access management
  5. Penetration testing

1. Multi-factor authentication

What is it?

Multi-factor authentication, or "MFA", is a security control that requires a user to verify their identity in more than one way before being allowed access to networks or other online applications. A traditional password is an example of single-factor authentication; MFA requires users to present an additional factor, such as one based on the user's knowledge, possession of a physical object, or other unique trait.

These additional factors should be unique to the person who is authorized to access that system. They should therefore be something only the user knows (like a favorite movie), something only the user has (like a secure ID token or code), or something only the user is (for example, biometric information such as Face ID or Touch ID).

What does it do?

The purpose of MFA is to prevent an unauthorized person from gaining access to an organization's devices or networks.

Why do regulators think it is important?

Requiring a user to provide multiple pieces of information to verify that they are who they say they are can make systems more resistant to unauthorized access by cyber attackers.

In several recent high-profile cyber incidents, attackers gained access to internal networks by exploiting single-factor authentication. Regulators point out that passwords are often reused across platforms and are sometimes easily guessed, whereas MFA makes it much more difficult for attackers to obtain all the components required for initial and ongoing access, even if they already have the password. Because MFA is relatively ubiquitous and low cost, regulators typically expect it to be in place absent some other effective compensating control. (And some regulators even have explicit requirements that companies use MFA in certain contexts.)

2. Anti-virus software

What is it?

Antivirus ("AV") software is a program or set of programs designed to search for, prevent, detect and remove software viruses and other malicious software like worms, trojans, adware and more. There are a number of AV solutions available in the market, which vary in terms of sophistication.

What does it do?

Malware, such as viruses and ransomware, is deployed by threat actors to compromise systems, and AV programs help to guard against this. AV programs work to prevent, scan for, detect and remove such malware and so help organizations to fend off such attacks. AV programs can provide protection against these types of threats by:

  • pinpointing specific files for the detection of malicious software;
  • scheduling automatic scans of files, devices and entire systems; and
  • deleting or flagging malicious code and software.

Why do regulators think it is important?

AV programs are viewed by regulators as important gatekeepers to thwart attacks, or, where an attack has occurred, to identify and remove the harmful software.

Following a cyber incident, regulators and law enforcement will want to understand which, if any, AV software the victim organization was running and determine its effectiveness. Further, different systems and devices will usually require different AV approaches, and investigators will often examine whether these were protected with the appropriate AV software. But, buyer beware, AV is not a be-all and end-all solution. AV can be defeated because many products rely on signature-based indicators to identify malware, and hackers can produce new variants of malware (which is easy to do) that those signatures do not match. And, in some intrusions, hackers gain administrator credentials and disable AV solutions, often right before a ransomware attack. So, while AV programs are emphasized by regulators, they are not a panacea.

3. Patching and vulnerability management

What is it?

Vulnerabilities and bugs are often detected by software or hardware providers after their products have been released to the market. Once detected, these providers release updated versions or code known as "patches" that fix these issues. In many cases the companies using the products must take steps to perform the update or install the patch, or their products will retain the vulnerability or bug.

What does it do?

Keeping software up to date can be critical to maintaining effective cyber security. Running out-of-date software, hardware or operating systems, or systems with a known vulnerability, may provide unauthorized entry points for attackers.

Why do regulators think it is important?

Threat actors often scan for unpatched systems so they can exploit the known vulnerability and gain access to extract data or install malware. Regulators therefore take the position that this is a highly preventable means of attack.

Software patches and updates are usually provided free of charge by the developer and are easily accessible through the software or online. (Though not always: some vulnerabilities persist because the software or operating system is no longer supported, and patches are not made available.) Where significant vulnerabilities are identified, software and hardware providers often proactively inform customers and/or the public of the availability of patches. Regulators and law enforcement will not look kindly on organizations that fail to patch well-publicized vulnerabilities within reasonable timeframes, or that do not have patch management policies in place.
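The "reasonable timeframe" and "patch management policy" points above are what a patch status report is built to answer. The following is an added example (not from the original article) of such a report: it takes a constructed asset inventory, decides whether each asset is still running a version below the vendor's fixed version, and sorts it into compliant, within policy, overdue, or unsupported (no patch will ever arrive, so a compensating control or retirement is needed). The policy timeframes, hosts, versions and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed patch policy: days allowed to apply a vendor patch, by severity.
# Not the article's figures; a real policy sets its own.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}


@dataclass
class Asset:
    host: str
    product: str
    installed: str        # version currently running
    fixed_in: str         # first version that contains the fix
    severity: str
    disclosed: date       # date the vulnerability and fix were announced
    vendor_supported: bool = True  # False: end of life, no patch will be issued


def parse_version(version: str) -> tuple:
    """'2.4.10' -> (2, 4, 10) so versions compare numerically, not as text
    (as text, '2.4.10' would sort below '2.4.9')."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(asset: Asset) -> bool:
    return parse_version(asset.installed) < parse_version(asset.fixed_in)


def days_overdue(asset: Asset, today: date) -> int:
    """Days past the policy deadline; 0 if the deadline has not yet passed."""
    deadline = asset.disclosed + timedelta(days=SLA_DAYS[asset.severity])
    return max(0, (today - deadline).days)


def patch_report(inventory, today: date) -> dict:
    """Bucket every asset by host name. 'overdue' and 'unsupported' are the
    buckets an investigator will ask about after an incident."""
    report = {"compliant": [], "within_sla": [], "overdue": [], "unsupported": []}
    for asset in inventory:
        if not is_vulnerable(asset):
            report["compliant"].append(asset.host)
        elif not asset.vendor_supported:
            # No patch exists: waiting is not an option, a compensating
            # control (isolation, removal) has to be documented instead.
            report["unsupported"].append(asset.host)
        elif days_overdue(asset, today) > 0:
            report["overdue"].append(asset.host)
        else:
            report["within_sla"].append(asset.host)
    return report


# Constructed inventory for the example.
INVENTORY = [
    Asset("web-01", "web server", "2.4.1", "2.4.3", "critical", date(2021, 3, 1)),
    Asset("db-02", "database", "13.2", "13.2", "high", date(2021, 4, 10)),
    Asset("fs-03", "legacy file server OS", "6.1", "6.2", "high", date(2021, 4, 20),
          vendor_supported=False),
    Asset("hr-04", "HR application", "5.0.0", "5.0.1", "medium", date(2021, 4, 30)),
]

if __name__ == "__main__":
    for bucket, hosts in patch_report(INVENTORY, date(2021, 5, 7)).items():
        print(f"{bucket:12s} {hosts}")
```

Run against the constructed inventory on 7 May 2021, the critical web server fix announced on 1 March is 53 days past its 14-day deadline, the unsupported file server is singled out rather than silently counted as "pending", and the medium-severity HR application is still inside its 90-day window.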

4. Privileged access management

What is it?

Privileged access management refers to the systems and controls in place to securely manage the accounts of users who have elevated permissions to critical corporate resources. This includes, for example, administrator accounts, access to sensitive databases or the ability to change critical code repositories.

Accounts with elevated permissions are the holy grail for attackers, as they allow significantly greater access to the company's infrastructure and permit lateral movement through the network.

What does it do?

Good privileged access management can help to prevent a cyber security incident, limit the damage that an attacker can do if they obtain a user's credentials, identify a potential incident and contain an incident.

Managing access also helps organizations track logins to the system, which may make it easier to identify unauthorized access by an attacker.

Why do regulators think it is important?

Regulators take the view that unnecessary access rights and user privileges enhance the risk that an attacker can gain access to systems and then run unfettered throughout the network. Users should be granted access on a need-to-know or least privilege basis in line with users’ role requirements.

Organizations with lax privileged access management run the risk of allowing hackers to gain extensive access to systems by compromising a single individual or an organization member with limited roles and responsibilities. This can lead to unauthorized access, attackers exploiting unused or compromised accounts to gain entry to privileged or sensitive areas, and attackers changing internal security controls or audit logs.

Following an incident, regulators will seek to understand the criteria for granting access rights and user privileges, whether such users receive specific training, and whether and how often such rights and privileges are reviewed. The more sensitive user or access rights are, the tighter the control of them should be.
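The three things this section says investigators look for (least-privilege grants, logging of who used elevated rights, and periodic review of those rights) can be shown together in a small model. The following is an added example, not code from the original article: a constructed role-to-permission table enforces need-to-know access and writes every decision to an audit log, and a review function flags privileged accounts whose rights have not been re-certified within the review period or that have gone unused (the "unused or compromised accounts" the text warns about). The roles, permission names, accounts, dates and review periods are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed role model: each role carries only the permissions its job needs.
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "developer": {"repo:read", "repo:write"},
    "dba": {"db:read", "db:write"},
    "admin": {"repo:read", "repo:write", "repo:admin", "db:read", "db:write", "user:manage"},
}
# Permissions whose misuse would let an attacker run unfettered through the
# network; these get extra logging and periodic review.
PRIVILEGED = {"repo:admin", "db:write", "user:manage"}


@dataclass
class Account:
    name: str
    roles: set
    last_login: date
    last_review: date   # when a manager last re-certified these rights
    enabled: bool = True


AUDIT_LOG = []  # every authorization decision, allowed or denied


def permissions(account: Account) -> set:
    granted = set()
    for role in account.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def authorize(account: Account, permission: str, today: date) -> bool:
    """Deny by default; record the decision so an investigator can later
    reconstruct who used, or tried to use, privileged access."""
    allowed = account.enabled and permission in permissions(account)
    AUDIT_LOG.append({
        "date": today, "user": account.name, "permission": permission,
        "allowed": allowed, "privileged": permission in PRIVILEGED,
    })
    return allowed


def review_privileged_accounts(accounts, today: date,
                               review_days: int = 90, dormant_days: int = 60) -> dict:
    """Flag privileged accounts whose rights were not re-certified within
    `review_days`, or that have not logged in for `dormant_days`."""
    findings = {}
    for account in accounts:
        if not (permissions(account) & PRIVILEGED):
            continue  # ordinary users are outside the privileged review
        issues = []
        if (today - account.last_review).days > review_days:
            issues.append("access review overdue")
        if (today - account.last_login).days > dormant_days:
            issues.append("dormant account")
        if issues:
            findings[account.name] = issues
    return findings


# Constructed accounts for the example.
ACCOUNTS = [
    Account("alice", {"analyst"}, date(2021, 5, 6), date(2021, 4, 1)),
    Account("bob", {"admin"}, date(2021, 5, 5), date(2021, 1, 10)),
    Account("carol", {"dba"}, date(2021, 2, 1), date(2021, 4, 15)),
]

if __name__ == "__main__":
    today = date(2021, 5, 7)
    alice, bob, carol = ACCOUNTS
    print("alice db:write ->", authorize(alice, "db:write", today))
    print("bob   db:write ->", authorize(bob, "db:write", today))
    print("review findings:", review_privileged_accounts(ACCOUNTS, today))
    print("audit entries:  ", len(AUDIT_LOG))
```

The analyst's attempt to write to the database is refused and still logged as a denied privileged request, which is the kind of trace that lets an organization spot an attacker probing from a low-privilege account; the review picks out the administrator whose rights have not been re-certified in over 90 days and the database administrator account that has sat unused for over 60.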

5. Penetration testing

What is it?

A penetration or "pen" test exercise simulates a cyberattack: a friendly hacker tries to gain unauthorized access to the system with the same tools and strategies a threat actor might use.

What does it do?

Pen testing enables an organization to assess the strength of significant portions of its cyber defenses, and to identify any gaps and weak links which could expose it to an attack. Carried out at frequent intervals, pen tests can help organizations to address any vulnerabilities before attackers can exploit them, or to uncover ongoing or latent attacks. Note, though, that there is a broad array of different security tests that can be conducted, all of which can identify weak or nonexistent security controls.

Why do regulators think it is important?

Regulators and law enforcement agencies are likely to ask for recent pen tests to determine a) whether the organization took a proactive approach to testing its own systems and b) whether the organization took steps to promptly fix any shortfalls.

Investigators will probe the frequency and quality of such testing, whether organizations limited the scope of any pen testing to particular environments only (for example, to meet the Payment Card Industry Data Security Standard ("PCI-DSS")) and whether the third-party pen testers are part of a government-certified scheme or hold certain qualifications.