A 4-Step Process to Achieve True Cybersecurity Success

Varciti IT Solutions

June 02, 2022 | By Wayne Selk

Where are you in your security journey? As a cybersecurity practitioner for the past quarter century, I have put this question to many in the managed services provider community. The answers vary. Some believe they have reached cybersecurity nirvana—that they are experts taking a leadership role; others don’t know how to get started. Some have started and are stalled. Wherever you are in your own cyber journey—or wherever you think you are—you might need help getting to the next step. If that’s the case, view and download the infographic below to help you continue on your way.

The four phases outlined in the infographic were adopted from a ConnectWise whitepaper and video. The goal was to help managed services providers better understand the NIST Cybersecurity Framework and how they could mature their organizations in cybersecurity. The NIST framework is a risk-based framework, not maturity-based. This distinction is very important since most MSPs understand maturity yet lack the understanding around risk.

Download the Four Phases of Cybersecurity Infographic: Vertical (mobile friendly) / Horizontal (desktop friendly)

1. Learn to Walk Before You Can Run

As you review the infographic, the maturity model becomes very evident. Phase 1 is about getting started on your security journey. This is the most important phase and one many MSPs overlook. By skipping items in this phase, or the entire phase, MSPs could find themselves very unprepared for the subsequent phases and exposed to a cybersecurity incident.

It is important for all organizations, regardless of size, to have policies documented that are aligned to both business objectives and to the risk tolerance of the organization. Most MSPs feel they are too small for documented policies. Yet they also say they want to grow their business. Having policies documented when the organization is small allows leadership to focus attention on growing the business.

Another important item in this phase is understanding where sensitive and business-critical data are stored, processed and transmitted—both in and out of the company. This requires a complete inventory of all systems and devices, the software and applications, and who has the ability to access the data on each of those components. Once the inventory is complete, assign a risk severity to each of the data items identified. Your critical and high-risk items are the elements in need of the most protection and security controls.

Hopefully, you are not surprised to find sensitive or business critical information not under your direct control. If this is the case, focus your attention on resolving this issue quickly. The last thing you want is a severe negative incident that puts you in danger of losing your business. As you move into Phase 2, please keep an eye on the items from Phase 1. As you grow or as change happens within the organization, you may need to review your policies to ensure they are keeping pace with your business objectives. The same is true for your inventory.

2. Investments, Training Will Pay Off

Phase 2 is all about investing in your people, making your processes better, and solving for gaps with technology when appropriate. This is the opportunity to strengthen the security in your organization and really start developing your cybersecurity practice and culture. With your inventory of security skills and solutions complete and kept up to date, you have set the business up for success. Instead of wasting precious dollars and time wondering if you have everything protected, you can quickly find and assess whether or not the controls you have are able to best protect your business.

If you find the controls are not adequate or a gap exists that has the potential for exposing your business data, then determine if a change in personnel or a process may solve or reduce the impact before investing in a technology solution. According to the latest Verizon Data Breach Investigations Report, the human element accounted for 82 percent of data breaches in 2021. Also, 42 percent of data breaches were accomplished using stolen credentials, according to the report.

Technology is not going to solve for the human element and training alone is not enough either. Organizations need to take a very hard look at the security culture within the business. This is one of those top-down items and “do as I say, since I am doing it too” necessities all businesses need to work on regardless of size. Creating a security culture takes time and patience. The reward for doing so will pay dividends every day.

To that end, documented policies can have a direct impact on creating a security-first culture in the organization. Find new ways to increase awareness and understanding for the entire company. Perhaps engage your people to read about a topic or gap in the organization and write a paper or give a brief presentation during a staff meeting. Discuss the topic or gap and uncover ways to solve or mitigate any risk which may exist. Encourage your people to embrace security rather than have them find ways to avoid the controls in place. Reward positive behavior and encourage those who slip to try harder.

3. It’s Time to Start the Conversation

Reaching Phase 3, you are ready to start taking your security show on the road to customers and prospects. Armed with knowledge of how policies help a business and putting your best foot forward around security culture, you’re now prepared to help customers start on their security journey. You may find that conversations around security are easier and less stressful, since you can speak from experience; practice what you preach, as it were. Understanding your customer’s needs and helping them align their business objectives raises their awareness and understanding around cybersecurity. Showing clients and prospects that you understand their business helps gain trust, which is the cornerstone for any business relationship.

4. It’s Never the End of the Road

As you move into Phase 4, you begin to realize your journey is all about continuous improvement and helping others succeed. The feeling comes naturally as word of your success spreads across the industry and your client base. It is at this moment you realize the entire organization is hitting on all cylinders; business is booming, and questions are being asked like ‘How did you do this?’ At this point, you’re capable of giving back to the community and your peers. Your community includes your vendor partners and your customers too. Please remember that this is a journey, not a destination. The threat landscape is always changing and evolving, each and every day.

CompTIA is here to help you achieve your goals and objectives as a service provider regardless of where you are in your security journey. We have content to help your people better understand cybersecurity, as well as membership in the CompTIA ISAO to keep you up to date. The CompTIA ISAO is your one-stop shop for threat information and intelligence. Wherever you are on your security journey, the goal should always be for continuous improvement.

Wayne Selk is vice president of cybersecurity programs at CompTIA.

Spear phishing campaigns —they’re sharper than you think

  • Diana Kelley Cybersecurity Field CTO
  • Seema Kathuria Senior Manager, Cybersecurity Solutions Group

Even your most security-savvy users may have difficulty identifying honed spear phishing campaigns. Unlike traditional phishing campaigns that are blasted to a large email list in hopes that just one person will bite, advanced spear phishing campaigns are highly targeted and personal. They are so targeted, in fact, that we sometimes refer to them as “laser” phishing. And because these attacks are so focused, even tech-savvy executives and other senior managers have been duped into handing over money and sensitive files by a well-targeted email. That’s how good they are.

Even though spear phishing campaigns can be highly effective, they aren’t foolproof. If you understand how they work, you can put measures in place to reduce their power. Today, we provide an overview of how these campaigns work and steps you can take to better protect your organization and users.

Figure 1. The percentage of inbound emails associated with phishing increased on average in the past year, according to Microsoft security research (source: Microsoft Security Intelligence Report).

Step 1: Select the victims

To illustrate how clever some of these campaigns are, imagine a busy recruiter who is responsible for filling several IT positions. The IT director is under a deadline and desperate for good candidates. The recruiter posts the open roles on their social networks asking people to refer leads. A few days later they receive an email from a prospective candidate who describes the role in the email. The recruiter opens the attached resume and inadvertently infects their computer with malware. They have just been duped by a spear phisher.

How did it happen?

In a spear phishing campaign, the first thing an attacker needs to do is identify the victims. These are typically individuals who have access to the data the attacker wants. In this instance, the attackers want to infiltrate the human resources department because they want to exfiltrate employee social security numbers. To identify potential candidates they conduct extensive research, such as:

  • Review corporate websites to gain insight into processes, departments, and locations.
  • Use scripts to harvest email addresses.
  • Follow company social media accounts to understand company roles and the relationships between different people and departments.

In our example, the attackers learned by browsing the website that the convention for emails is first.last@company.com. They browsed the website, social media, and other digital sources for human resources professionals and potential hooks. It didn’t take long to notice several job openings. Once the recruiter shared details of jobs online, would-be attackers had everything they needed.

Why it might work: In this instance it would be logical for the victim to open the attachment. One of their job responsibilities is to collect resumes from people they don’t know.

[Infographic: the typical campaign path for phish emails, from Reconnaissance to Exfiltration.]

Figure 2. Research and the attack are the first steps in a longer strategy to exfiltrate sensitive data.

Step 2: Identify the credible source

Now let’s consider a new executive who receives an email late at night from their boss, the CEO. The CEO is on a trip to China meeting with a vendor, and in the email, the CEO references the city they’re in and requests that the executive immediately wire $10,000 to pay the vendor. The executive wants to impress the new boss, so they jump on the request right away.

How did it happen?

In spear phishing schemes, the attacker needs to identify a credible source whose emails the victim will open and act on. This could be someone who appears to be internal to the company, a friend, or someone from a partner organization. Research into the victim’s relationships informs this selection. In the first example, we imagined a would-be job seeker that the victim doesn’t know. However, in many spear phishing campaigns, such as with our executive, the credible source is someone the victim knows.

To execute the spear phishing campaign against the executive, the attackers uncovered the following information:

  • Identified senior leaders at the company who have authority to sign off on large sums of money.
  • Selected the CEO as the credible source who is most likely to ask for the money.
  • Discovered details about the CEO’s upcoming trip based on social media posts.

Why it might work: Targeting executives by impersonating the CEO is increasingly common—some refer to it as whale phishing. Executives have more authority and access to information and resources than the average employee. People are inclined to respond quickly when the boss emails—especially if they say it’s urgent. This scenario takes advantage of those human power dynamics.

[Infographic: the Attack Spectrum, from Broad to Targeted.]

Figure 3. The more targeted the campaign, the bigger the potential payoff.

Step 3: Victim acts on the request

The final step in the process is for the victim to act on the request. In our first example, the human resources recruiter could have launched a payload that would take over their computer or provide a tunnel for the attacker to access information. In our second scenario, the victim could have wired large sums of money to a fraudulent actor. If the victim does open the spear phishing email and respond to the call to action, open a malicious attachment, or visit an infected webpage, the following could happen:

  • The machine could be infected with malware.
  • Confidential information could be shared with an adversary.
  • A fraudulent payment could be made to an adversary.

Catch more phishy emails

Attackers have improved their phishing campaigns to better target your users, but there are steps you can take to reduce the odds that employees will respond to the call to action. We recommend that you do the following:

  • Educate users on how to detect phishing emails—Spear phishing emails do a great job of effectively impersonating a credible source; however, there are often small details that can give them away. Help users identify phish using training tools that simulate a real phish. Here are a few tells that are found in some phish that you can incorporate into your training:
    • An incorrect email address or one that resembles what you expect but is slightly off.
    • A sense of urgency coupled with a request to break company policy. For example, fast tracking payments without the usual checks and procedures.
    • Emotive language to evoke sympathy or fear. For example, the impersonated CEO might say you’re letting them down if you do not make the urgent payment.
    • Inconsistent wording or terminology. Does the business lingo align with company conventions? Does the source typically use those words?
  • Encourage users to communicate potential phishing emails—It’s important that users flag phishing emails to the proper team. This can be done natively within many enterprise email systems. It can also be helpful if users talk with their peers about the phishing emails they receive. Spear phishers typically don’t send blast emails; however, they may select several people from the same department or with business relationships. Talking will alert other users to be on the lookout for phishy emails.

Figure 4. Enhanced anti-phishing capabilities are available in Microsoft Office 365.

  • Deploy technology designed to block phishing emails—If users don’t receive the phishing email, they can’t act on it! Deploy technology that can help you catch phishing emails before they land in someone’s inbox. For instance, Office 365, one of the world’s largest email providers, offers a variety of protection against phishing attacks by default and through additional offerings such as Microsoft Advanced Threat Protection (ATP) anti-phishing. Importantly, Microsoft has both been advancing the anti-phishing capabilities of Office 365 (see Figure 4 above) and improving catch rates of phishing emails.
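The tells listed above (a sender address that is slightly off, a Reply-To pointing elsewhere, urgency, a request to bypass policy, emotive pressure) can be checked mechanically as a first pass before a message reaches a user. The following is an added example written for this article, not code from Microsoft or the original post; the trusted domain `contoso.com`, the substitution table, the cue phrases, the scoring weights and the two sample messages are all constructed for illustration.

```python
"""Score an email for the spear-phishing tells described above (added example)."""
import re
import unicodedata
from email.utils import parseaddr

# Assumption for this example: the organisation's own mail domain(s).
TRUSTED_DOMAINS = {"contoso.com"}

# Character swaps commonly used to build look-alike domains (constructed table).
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Cue phrases, one list per tell category from the training bullets (constructed).
CUES = {
    "urgency": [r"\bimmediately\b", r"\bright away\b", r"\burgent(ly)?\b", r"\basap\b"],
    "policy_bypass": [r"skip the usual", r"without the usual", r"keep this between us", r"don't tell"],
    "emotive": [r"let(ting)? me down", r"disappointed", r"counting on you"],
}


def normalize_domain(domain: str) -> str:
    """Fold a domain to a look-alike-insensitive form.

    Accented characters collapse to their ASCII base and characters with no
    ASCII base are dropped, so a homoglyph domain ends up either identical to
    or within one edit of the domain it imitates.
    """
    folded = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for fake, real in SUBSTITUTIONS:
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain_of(address: str) -> str:
    return parseaddr(address)[1].rpartition("@")[2].lower()


def classify_domain(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for the domain of an address."""
    domain = _domain_of(address)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == normalize_domain(trusted) or edit_distance(norm, trusted) <= 2:
            return "lookalike"
    return "external"


def find_cues(body: str) -> dict:
    """Count cue-phrase hits per tell category in the message body."""
    text = body.lower()
    return {cat: sum(len(re.findall(p, text)) for p in pats) for cat, pats in CUES.items()}


def score_message(headers: dict, body: str) -> dict:
    """Combine the tells into one report; a score of 3 or more is worth a second look."""
    verdict = classify_domain(headers.get("From", ""))
    from_dom = _domain_of(headers.get("From", ""))
    reply_dom = _domain_of(headers["Reply-To"]) if headers.get("Reply-To") else from_dom
    reply_mismatch = reply_dom != from_dom
    cues = find_cues(body)
    score = (verdict == "lookalike") * 2 + int(reply_mismatch) + sum(1 for n in cues.values() if n)
    return {"domain": verdict, "reply_to_mismatch": reply_mismatch, "cues": cues, "score": score}


# Constructed sample messages: a CEO-impersonation attempt and a benign note.
SUSPECT = (
    {"From": "Pat Lee <pat.lee@c0ntoso.com>", "Reply-To": "pat.lee@mail-example.net"},
    "I'm in Shanghai with the vendor. Wire $10,000 immediately and skip the usual approvals. Don't let me down.",
)
BENIGN = ({"From": "Pat Lee <pat.lee@contoso.com>"}, "Attached is Monday's agenda. Thanks.")

if __name__ == "__main__":
    for hdrs, text in (SUSPECT, BENIGN):
        print(hdrs["From"], "->", score_message(hdrs, text))
```

The domain check deliberately compares a normalized form rather than the raw string, because a digit-for-letter swap such as `c0ntoso.com` survives a plain equality test. Cue counting is a hint, not a verdict: a genuine urgent request from the real CEO will still trip the urgency category, which is why the report keeps the categories separate instead of collapsing them into a single boolean.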

Login Issues

There are over 300 million fraudulent sign-in attempts to Microsoft cloud services every day. Cyberattacks aren’t slowing down any time in the near future, and it’s worth noting that most successful attacks rely on simple means. It only takes one compromised set of credentials (user name/password), a legacy application, or an unpatched application to cause a data breach. This shows how critical it is to ensure password security and a strong authentication process.

Below, we look at the most common vulnerabilities and at the single most important action you can take to protect your accounts from attacks: MFA.

Common vulnerabilities

  • Business email compromise: an attacker gains access to a corporate email account, through phishing or spoofing, and can use it to exploit a system for many reasons. Accounts protected with only a user name and password are the easiest to compromise.
  • Legacy protocols can create a major vulnerability because applications that use basic protocols, such as SMTP, were not designed to support Multi-Factor Authentication (MFA). So even if you require MFA for most use cases, attackers will search for opportunities to use outdated browsers or email applications to force the use of less secure protocols.
  • Password reuse: considering that up to 73 percent of passwords are duplicates, this has been the most successful strategy for many attackers, and it’s easy to do. Password spray and credential stuffing attacks make it easy to compromise a system. Common passwords, and credentials compromised in public breaches or given away in social media “share and tell” sessions, are used against corporate accounts to try to gain access.
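Password spray has a recognisable shape in sign-in telemetry: one source tries a small number of passwords against many different accounts, often over a legacy protocol where MFA cannot be enforced. The following detection is an added example written for this article, not Microsoft code; the log format (timestamp, user, result, source IP, client application), the protocol names and the sample events are all constructed for illustration.

```python
"""Detect password-spray patterns in constructed sign-in log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log, one event per line:
#   ISO-8601 timestamp  user  result  source_ip  client_app   (format is an assumption)
# First block: one source tries eight accounts once each over SMTP and gets in as ivan.
# Second block: a single user mistypes twice and then signs in normally.
SAMPLE_LOG = """\
2022-06-02T08:00:01Z alice@contoso.com Failure 203.0.113.7 SMTP
2022-06-02T08:00:03Z bob@contoso.com Failure 203.0.113.7 SMTP
2022-06-02T08:00:05Z carol@contoso.com Failure 203.0.113.7 SMTP
2022-06-02T08:00:07Z dave@contoso.com Failure 203.0.113.7 SMTP
2022-06-02T08:00:09Z erin@contoso.com Failure 203.0.113.7 SMTP
2022-06-02T08:00:11Z frank@contoso.com Failure 203.0.113.7 SMTP
2022-06-02T08:00:13Z grace@contoso.com Failure 203.0.113.7 SMTP
2022-06-02T08:00:15Z heidi@contoso.com Failure 203.0.113.7 SMTP
2022-06-02T08:00:20Z ivan@contoso.com Success 203.0.113.7 SMTP
2022-06-02T08:30:00Z alice@contoso.com Failure 198.51.100.9 Browser
2022-06-02T08:30:05Z alice@contoso.com Failure 198.51.100.9 Browser
2022-06-02T08:30:20Z alice@contoso.com Success 198.51.100.9 Browser
"""

# Assumption: client_app values in this log that mean basic authentication, no MFA.
LEGACY_PROTOCOLS = {"SMTP", "IMAP4", "POP3"}


def parse_log(text: str) -> list:
    """Turn the whitespace-separated lines into event dicts with UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, app = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "user": user.lower(), "result": result, "ip": ip, "app": app})
    return events


def detect_spray(events: list, window_minutes: int = 10, min_users: int = 5, max_per_user: int = 2) -> list:
    """Flag source IPs that fail against many distinct accounts, few tries each, in one window.

    A normal user who forgets a password produces many failures for one account;
    a spray produces one or two failures for many accounts, so the two are separated
    by the number of distinct users and the per-user attempt ceiling.
    """
    buckets = defaultdict(list)
    for ev in events:
        bucket = int(ev["time"].timestamp() // (window_minutes * 60))
        buckets[(ev["ip"], bucket)].append(ev)

    findings = []
    for (ip, _), evs in sorted(buckets.items()):
        failures = defaultdict(int)
        for ev in evs:
            if ev["result"] == "Failure":
                failures[ev["user"]] += 1
        if len(failures) >= min_users and max(failures.values()) <= max_per_user:
            findings.append({
                "source_ip": ip,
                "distinct_users": len(failures),
                "attempts": sum(failures.values()),
                # Any success from the same source in the same window is a likely compromise.
                "succeeded": sorted({ev["user"] for ev in evs if ev["result"] == "Success"}),
                "legacy_protocol": any(ev["app"] in LEGACY_PROTOCOLS for ev in evs),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_spray(parse_log(SAMPLE_LOG)):
        print(finding)
```

The `succeeded` field is the item to act on first: a successful sign-in from a spraying source means a guessed credential, and the `legacy_protocol` flag explains why MFA did not stop it. Blocking legacy authentication removes that path regardless of how good the guessing is.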

Multi Factor Authentication (MFA)

What you can do to protect your organization

You can help prevent some of these attacks by banning the use of bad passwords through group policies and enabling a stricter password policy, blocking legacy authentication, and training employees on phishing attacks. However, one of the simplest and most effective things you can do is to just turn on MFA. By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA enabled, knowing or cracking the password won’t be enough to gain access.

According to the SANS Software Security Institute there are two primary obstacles to companies adopting MFA implementations today:

  1. A misconception that MFA requires external hardware devices.
  2. Concerns about potential user disruption or concern over what may break.

Matt Bromiley, a SANS Digital Forensics and Incident Response instructor, says, “It doesn’t have to be an all-or-nothing approach. There are different approaches your organization could use to limit the disruption while moving to a more advanced state of authentication.” These include a role-based or by application approach—starting with a small group and expanding from there. Bret Arsenault shares his advice on transitioning to a passwordless model in Preparing your enterprise to eliminate passwords.

Passwordless authentication technologies are not only more convenient for end users but are extremely difficult and costly for hackers to compromise. Learn more about Microsoft passwordless authentication solutions in a variety of form factors to meet user needs.