Leveraging GRC & IR for Cyber Defense

The Incident Response Life Cycle serves as a critical safeguard within a GRC framework, enabling organizations to proactively manage risks, respond effectively to incidents, and maintain business resilience.

  1. Preparation: developing a comprehensive incident response plan, defining roles and responsibilities, and establishing clear communication channels.

  2. Detection & Analysis: identifying and analyzing potential threats through monitoring, logging, and threat intelligence.

  3. Containment & Eradication: Once an incident is detected, this stage involves isolating the affected systems, eradicating the threat, and preventing further spread.

  4. Recovery & Post-Incident Activity: restoring systems and data, conducting a thorough post-incident review, and implementing corrective actions to improve future response.

GRC and IR Connection

The IR Life Cycle is deeply intertwined with GRC. By implementing a well-defined IR process, organizations demonstrate their commitment to:

  1. Governance: Establishing clear policies and procedures for incident management.

  2. Risk Management: Identifying, assessing, and mitigating potential threats.

  3. Compliance: Adhering to regulatory requirements and industry best practices.

200 Seats, One Breach: A GRC Success Story

CyReauX recently completed a mission for a Junior College. Here's a brief background of the organization:

  • Organization: A small junior college with approximately 300 students and staff

  • Security Environment: Students are allowed to bring their personal devices; however, they are encouraged to use the college's VPN to access their coursework online.

  • Initial Situation: The networking engineer discovered a malware infection in their network, potentially impacting student records and financial data.

Limited Security Awareness Training

After retrieving logs from their security awareness platform, we noticed a gradual increase in campaign clicks, indicating a gap in their security awareness training.
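As an added illustration (not code from the original post or from CyReauX), here is one way such an export could be reviewed to decide whether clicks are trending up rather than fluctuating. It assumes the platform exports one row per campaign as CSV with the columns campaign_id, sent_date, recipients and clicked (assumed column names); the rows below are constructed sample data. The check flags a training gap only when the click rate has risen for several consecutive campaigns and the latest rate exceeds an acceptable threshold, which avoids reacting to a single bad campaign.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed export from a security awareness platform (illustrative numbers, not real data).
# Column names are an assumption; adjust to whatever your platform produces.
SAMPLE_EXPORT = """campaign_id,sent_date,recipients,clicked
Q1-A,2024-01-15,300,9
Q1-B,2024-02-19,300,12
Q2-A,2024-03-18,300,15
Q2-B,2024-04-22,300,21
Q3-A,2024-05-20,300,27
"""


@dataclass
class CampaignStat:
    campaign_id: str
    sent_date: str
    click_rate: float  # clicked / recipients


def parse_export(text: str) -> list[CampaignStat]:
    """Parse the CSV export and compute each campaign's click rate, oldest campaign first."""
    stats = []
    for row in csv.DictReader(io.StringIO(text)):
        recipients = int(row["recipients"])
        clicked = int(row["clicked"])
        rate = clicked / recipients if recipients else 0.0
        stats.append(CampaignStat(row["campaign_id"], row["sent_date"], round(rate, 4)))
    stats.sort(key=lambda s: s.sent_date)  # ISO dates sort chronologically as strings
    return stats


def trend_slope(rates: list[float]) -> float:
    """Least-squares slope of click rate against campaign order (positive = getting worse)."""
    n = len(rates)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = sum(rates) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(rates))
    den = sum((x - x_mean) ** 2 for x in range(n))
    return num / den


def rising_streak(rates: list[float]) -> int:
    """Consecutive campaign-over-campaign increases ending at the most recent campaign."""
    streak = 0
    for prev, cur in zip(rates, rates[1:]):
        streak = streak + 1 if cur > prev else 0
    return streak


def assess(stats: list[CampaignStat], max_acceptable_rate: float = 0.05, min_streak: int = 3) -> dict:
    """Flag a training gap when clicks have risen for several campaigns in a row
    and the latest click rate is above the acceptable threshold."""
    rates = [s.click_rate for s in stats]
    slope = trend_slope(rates)
    streak = rising_streak(rates)
    latest = rates[-1] if rates else 0.0
    return {
        "latest_rate": latest,
        "slope_per_campaign": round(slope, 4),
        "rising_streak": streak,
        "training_gap": slope > 0 and streak >= min_streak and latest > max_acceptable_rate,
    }


if __name__ == "__main__":
    print(assess(parse_export(SAMPLE_EXPORT)))
```

The 5% threshold and the three-campaign streak are assumptions chosen for the example; an organization would set them from its own baseline and risk appetite.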

CyReauX Assessment

Root Cause Analysis: Here, CyReauX collaborated with the network administrator to understand the full picture. Below are the key takeaways from their analysis:

  1. A student, using campus Wi-Fi, clicked on a malicious link in a phishing email.

  2. The malware compromised the student's device and gained access to their email account.

  3. The malware impersonated the student and sent phishing emails to individuals they had recently contacted, including faculty members.

  4. Four faculty members clicked on the infected PDF before the incident was reported; as a result, it took approximately 6 days before the malware was contained.

We analyzed and reviewed multiple facets of their security practices, including their policies, incident response plan, and security awareness phishing campaign configurations. Our findings are summarized below.

Outdated Policies

Three policies pertaining to this specific incident stood out to us during our assessment.

  1. Student Security Awareness Training

    1. The organization does not provide any security awareness seminars or training for students; they are only required to sign the Acceptable Use Policy at the beginning of the semester. Without formal training, students are more susceptible to attacks such as phishing.

  2. Data Security Policy

    1. The policy set no antivirus requirements for personal devices, so students had no clear guidance on how to adhere to the college's data security policy and protect their devices.

    2. The policy included no details on restricted user access or its enforcement. We concluded that faculty and staff members were able to modify settings and opt out of updates for the antivirus software.

  3. Vulnerability Scanning

    1. While both external and internal vulnerability scanning are mentioned in the policy, it does not specify a schedule (e.g., weekly scans on Sunday at 6 pm EST). This underscores that the organization does not have a structured vulnerability scanning process, further increasing the risk of future security breaches.

Recommendations

Policy Updates:

With our expertise, we advised the organization to revise several of their policies to be resilience-focused. Here are a few of the recommended changes:

  1. Revise the section title to "Endpoint Protection."

    1. Within the policy, add a "restricted user" clause specifying that faculty and staff are prohibited from modifying settings to postpone or opt out of automatic updates on organization-owned devices.

    2. Include a "tamper protection" clause that prevents unauthorized modification or disabling of security settings.

  2. Data Security Policy

    1. We recommended adding a few clauses to the "Student Device Security" section that specify the importance of both installing the provided anti-malware software and keeping it up to date.

  3. Student CyberSecurity Awareness Seminar

    1. Based on our analysis, we advised the organization to introduce a cybersecurity awareness seminar for the student body.

      1. Freshman students will attend the 1-hour seminar during their freshman orientation.

      2. Upper-level students will attend within the first two months of the semester.

The organization has security awareness training and phishing campaigns configured throughout the year; however, based on recent data, we advised the following changes:

  1. Create groups for randomized campaigns. This reduces the sharing of information about campaigns between colleagues. Each group has 20-30 members from different departments and is tested once bi-monthly.

  2. Remediation groups. Anyone who has clicked on a phishing campaign more than once must complete a mandatory, non-skippable awareness training module through the organization's security awareness portal.

  3. Incentives. In our experience, data shows that incentivized employees are more likely to be vigilant about phishing attacks and report suspicious emails to the IT help desk.

    1. We trained the help desk team on how to use the "phishing" button feature, and created a short training for all employees to ensure they understand how to use the feature, building a stronger risk-aware culture.
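The first two recommendations above (randomized campaign groups of 20-30 people drawn from different departments, and a remediation list of anyone who has clicked more than once) can be implemented as a small script fed by the organization's directory and its platform's click records. The following is an added example, not code from the original post or from CyReauX; the roster of four departments of 25 staff and the click records are constructed placeholders. The grouping uses stratified round-robin dealing so that no group ends up dominated by a single department, which a plain random shuffle does not guarantee.

```python
from __future__ import annotations

import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    department: str


# Constructed roster: four departments of 25 staff each (placeholder names, not real people).
DEPARTMENTS = ["Admissions", "Finance", "Math", "Registrar"]
ROSTER = [User(f"{dept}-{i:02d}", dept) for dept in DEPARTMENTS for i in range(1, 26)]

# Constructed click records from past campaigns: (user name, campaign id).
CLICK_EVENTS = [
    ("Math-03", "Q1-A"), ("Admissions-10", "Q1-A"), ("Finance-07", "Q1-B"),
    ("Math-03", "Q2-B"), ("Finance-07", "Q2-A"), ("Finance-07", "Q3-A"),
]


def build_groups(roster: list[User], target_size: int = 25, seed: int | None = None) -> list[list[User]]:
    """Split the roster into groups of roughly target_size, mixing departments.

    Members of each department are dealt across all groups in turn (stratified
    round-robin), so every group receives a share of every department. The
    department order and the order within each department are shuffled so the
    assignment changes from one campaign cycle to the next.
    """
    rng = random.Random(seed)
    n_groups = max(1, round(len(roster) / target_size))
    by_dept: dict[str, list[User]] = defaultdict(list)
    for user in roster:
        by_dept[user.department].append(user)
    depts = list(by_dept)
    rng.shuffle(depts)
    groups: list[list[User]] = [[] for _ in range(n_groups)]
    pointer = 0
    for dept in depts:
        members = by_dept[dept][:]
        rng.shuffle(members)
        for user in members:
            groups[pointer % n_groups].append(user)
            pointer += 1
    return groups


def group_sizes_ok(groups: list[list[User]], lo: int = 20, hi: int = 30) -> bool:
    """Check the policy's 20-30 member range for every group."""
    return all(lo <= len(g) <= hi for g in groups)


def departments_in(group: list[User]) -> set[str]:
    return {u.department for u in group}


def remediation_list(click_events: list[tuple[str, str]], min_clicks: int = 2) -> list[str]:
    """Users who clicked in min_clicks or more campaigns (i.e. more than once by default)
    and must complete the mandatory awareness module."""
    clicks = Counter(name for name, _campaign in click_events)
    return sorted(name for name, n in clicks.items() if n >= min_clicks)


if __name__ == "__main__":
    groups = build_groups(ROSTER, seed=42)
    for i, g in enumerate(groups, 1):
        print(f"group {i}: {len(g)} members, departments={sorted(departments_in(g))}")
    print("remediation:", remediation_list(CLICK_EVENTS))
```

Re-running with a different seed before each bi-monthly cycle produces a fresh assignment, so colleagues cannot predict who is in the same test group as them.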

Cyber security Awareness Phishing Campaign: