In my previous blog on cybersecurity, I provided a high-level perspective on the cybersecurity environment for justice organizations today. I noted that the environment is worrisome — it is a virtual certainty that cyberattackers, at this very moment, are looking for a way to infiltrate your organization’s networks and systems.
But I promised a progression (crawl, walk, run) that you can employ immediately to quickly begin thwarting cyberattackers and protecting your networks and systems, as well as the critical data and applications that run on them. This strategy is based on industry best practices and thought leadership to which MCP has actively contributed.
Where to Start
While cybersecurity can be a huge, costly, and complex risk, basic and fundamental measures will make your organization a more “inconvenient target” and provide rudimentary building blocks for recovery. Here is a quick rundown of the basics:
- Verify that data is backed up frequently — This should be done fully, as well as incrementally, and backed up data should be stored in multiple secure locations.
- Frequently test restoration procedures on randomly selected files to ensure that backups are usable; also, periodically attempt a full restoration.
- Review the threat surface regularly — The threat surface refers to all network and system endpoints that a cyberattacker might try to exploit. At a minimum, review the threat surface each time a system is implemented or upgraded. (More on this can be found below.)
- Require strong, complex passwords — Then change them at regular intervals. Do not use the same password on more than one system.
- Use only authorized software in the enterprise network environment — Also limit installation and configuration privileges to technical staff.
- Ensure that network and application documentation is up to date — This is essential to troubleshooting problems with the least amount of time and effort and to preventing recurring problems.
- Implement software patch management procedures — This is to ensure that all software components are updated as patches become available.
- Use the “principle of least privilege” approach to controlling user accounts and data access — This principle requires that any process, program, or user in a computing environment must be allowed to access only the information and resources that are required for it to fulfill its purpose. For example, a user authorized only to back up existing software would not be allowed to install new software.
A Case in Point
Let me drill into one of these measures: strong, complex passwords. Updating your organization’s current policy to enforce the use of strong passwords or passphrases is imperative. When doing so, it is vital to consider four critical aspects of password/passphrase creation: length, uniqueness, complexity, and the ability to easily memorize them.
The common wisdom is that this will be a painful, productivity-killing exercise for your workforce. However, that does not have to be the case.
Here are the fundamentals regarding password strength:
- A strong password policy should enforce a minimum length of 12 characters, preferably more.
- Characters should represent at least three of the following four types: uppercase letters, lowercase letters, numeric characters, and symbols.
- Avoid using birthdays, usernames, addresses, and common words.
- Many networks, systems, and applications now allow the use of spaces, which greatly enhance complexity.
- Passwords should be changed every six months, at a minimum, because cyberattackers have become adept at leveraging reverse-engineering software that enables them to crack passwords quickly and easily.
But passwords have to be created, maintained, and remembered by human beings. We know that many people, if not most, use only a few passwords across all networks, systems, and applications that they access. They do this because long, complex passwords are difficult to remember. Of course, this is a bad idea. An equally bad idea is writing down complex passwords because they often are left where others can see them—almost unbelievably, people often write passwords on sticky notes and then affix them to their computer monitors for ease of reference, but also theft.
To aid retention in a highly secure manner, we strongly recommend that organizations move away from passwords and toward passphrases. The latter are very easily remembered and yet extremely difficult to crack.
Here’s an example. Let’s say that a user has an affinity for flowers. The user simply could use the common word “petunias,” but a much better option would be the passphrase, “Redrosesrule.” Now let’s use the password-strength-checker tool available from Thycotic, a provider of privileged access management software, to illustrate the difference between them. According to the tool, “petunias” would be cracked in 21 seconds by a computer system using reverse-engineering software; in contrast, it would take 1,000 years to crack “Redrosesrule.” But if we were to add a couple of capital letters and a numeral, to create “3RedRosesRule,” it would take 634,000 years to crack this passphrase. Clearly, leveraging all of the character types identified above is the best approach to password/passphrase creation.
Here’s another example. One passphrase that I use contains 12 characters that reflect all four aspects of password/passphrase creation identified above. According to the Thycotic tool, it would take 373 trillion years to crack this code—adding a 13th special character extends the timeline to an astounding 29 quadrillion years!
While cyberattacks and their aftermath can become a big, complex, costly problem for public safety and justice agencies, protecting your organization and its assets doesn’t need to be. You can start with the basics. Each of the tactics listed above takes some organization, discipline, and persistence — but they can be accomplished.
At MCP, we understand that your organization may lack the ready resources required for these fundamental changes. You may not have access to the technical professionals and industry-leading tools that make these initial steps easier and more cost effective.
MCP maintains these tools and expertise. We couple this with our appreciation of what it takes to meet your mission, an appreciation for how difficult even basic organizational change can be, and an understanding of how to help an organization successfully manage change.
A huge problem for organizations today in the fight against cyberattacks is that the attackers and their tactics are evolving continuously, seemingly by the minute. Because attack vectors mutate constantly, the legacy antivirus and whitelisting approaches cannot possibly keep up. Complicating matters is that numerous malware types have emerged that are completely undetectable by legacy antivirus programs and whitelisting tactics.
The ever-evolving threat landscape requires more and more sophisticated strategies, tactics, and tools. Consequently, MCP recently added an endpoint protection solution to its NetPulse Secure™ cybersecurity monitoring suite. Unlike traditional signature-based antivirus offerings, this solution uses artificial intelligence and machine-learning models to detect malicious software that cannot be detected and/or cannot be mitigated by legacy antivirus signatures. The solution is backed by MCP’s security operations center (SOC), which continuously monitors for threats 24 x 7, and alerts clients of suspicious activities.
This is just one of the resources we will discuss in our next blog. In it, we will identify intermediate and advanced tactics that will help you further improve your organization’s cybersecurity posture with more advanced tools and proactive strategies.
* * * * *
In the meantime, I hope that you will reach out—MCP has numerous subject-matter experts and solutions that will enable you to improve your organization’s cybersecurity posture. We’re eager to be of assistance —because your mission matters.
Joe Wheeler is vice president – justice and courts for Mission Critical Partners, and a member of the IJIS Institute board of directors. He can be emailed at JoeWheeler@MissionCriticalPartners.com.
 See the upcoming Joint Technology Committee Resource Bulletin, Cybersecurity for the Courts.