Posted by: David Scott
1 year plan
The Washington Post recently reported that foreign hackers disabled a pump at an Illinois water plant last week, according to the preliminary state report.
If the source of the attack is confirmed as foreign, it will be the first known attack on a critical public (that is, societal) support: That of water, power, communications, and other essentials such as policing and communications.
There have been many hacks and harming incidents of various scope and harm in years past, of course. However, those were squarely within the realm of information’s availability or wellness: Incidents involving theft of content, destruction/corruption of it, or the interruption of availability to it by harming websites and their availability.
But now, there are entirely new vulnerabilities faced by our government, and subsequently you and your organization. Any org relies on the steady reliability of public infrastructures and enablements – and we’ve discussed those here in the past. But what of more mundane, and perhaps likely, concerns for the average organization?
Threats are becoming more sophisticated, and in many cases eclipsing the status of security in even the most “sophisticated” environments (relatively speaking). What your organization must do is to survey your entire “security bouquet” prior to something that is certain to happen: Hacktivists, and just general miscreants, are going to shop for companies, agencies, and groups that they can “take down.” It will be sport. It will be an attempt to gain mention on the daily news cycle.
Why? Because if people can do it, they generally will.
Begin with a review of your Acceptable Use Policy (AUP): Make certain people in your organization are not opening security vulnerabilities. Then review your Mobile Policy. Folks shouldn’t be using work resources to spend time on nefarious sites, nor should they correspond with strangers – new “friends” – outside of any business context – using domain credentials, to include their simple work e-mail address. If your org has a Bring Your Own Device (BYOD) Policy, ensure that it is updated to support the AUP, the MP, and all other security policies and documentation sets.
They also shouldn’t be posting comments to boards or articles with domain credentials – What is being done in the name of your domain? – that could bring the wrong kind of attention to your organization. Further, when they are on legitimate sites, such as professional support forums, they should take care not to run afoul of Terms of Service elements, nor should they be argumentative or abusive: There can be definite risk of recrimination from a forum member who decides to seek retribution by a “take-down” of some element of your domain.
Review all security policies, and establish a monthly or quarterly security refresher training. All actions and activities should be viewed through security’s prism.
Make everyone in the organization a virtual security officer.