10 Cybersecurity Questions to Ask Yourself

OK, maybe more than 10 ... but here’s a list to help you get started on your program

Gary Kline | CYBERSECURITY AND STUDIO DISASTER RECOVERY, Radio World | November 2019

Be honest with yourself: How aware are you of your cyber preparedness? Do you know what being prepared really means? If you can’t answer these questions with full confidence, it’s time to insert yourself into the cybersecurity process.
Cybersecurity is a top priority for businesses of all sizes; a lack of readiness and defenses can lead to serious financial and operational consequences. Cyber extortion (ransomware) is big business and is not going away anytime soon.
The following questions and thoughts are a place to start in hardening your broadcast organization’s infrastructure and preparing for the worst case. And yes, you should be prepared for the worst, so you know what to do if an attack is successful. They are intended to help you start a conversation.

#1. Do you have a security-aware culture in your facility? In your organization? Be honest. Knowing that your IT staff or outside contractor installed a new firewall or antivirus program last year doesn't mean you are fully prepared. It does not necessarily mean you have a constant security-aware culture that involves regular routines such as:
a. Backing up crucial data to both a local machine and the cloud and ensuring at least one of the backups is *not* connected to the network source it is backing up.
b. Updates and patches are applied regularly to all devices: firewalls, switches, PCs, IoT devices, etc. We say this all the time, but so many facilities do not do it.
c. An ongoing awareness and training program for all existing and new employees across all departments. Many attacks arrive via a simple email. Educate everyone on what to look for.
d. Anti-virus and anti-malware software installed on every machine — sounds like Security 101, right? I find machines all the time that are not running both and/or not updated recently with the latest security databases.
e. Security restrictions implemented and all outside access locked down except where it is genuinely needed. Don't laugh. I find VPN and Remote Desktop active on machines often, and no one remembers who they were for or what the original purpose was.
f. Block all known malicious IP addresses and keep that list constantly updated.
This is just a sample listing of key things a security-aware organization should be doing. There are many more. IT professionals trained in cybersecurity know what to do. There are also many excellent sites online with guidelines that dig deeper than we can here.

#2. Along with #1 above, when was the last time you had a serious sit-down with your IT team, administrator or outside contractor to discuss cybersecurity? How often do you meet? In that meeting, did you know what specific questions to ask? If not, it is time to put together a list of questions. This ebook and this article can help you get started.

#3. Have you considered hiring a third-party outside security consultant to assess your internal and external systems for weaknesses an attacker could exploit? Have you asked a trusted security expert to attempt to penetrate your network and systems to confirm you are defended properly? I know several broadcast-related companies that send phishing emails with fake viruses and ransomware to employees to test their cyber training; see 1(c) above. If the employee clicks on the suspicious attachment, they are provided further training on how to spot these things. The email gateway still ranks as one of the top arrival vectors for attack, so it is critical that everyone have some training on how to spot that one email which can cause you untold hardships.

#4. Is your network segregated to minimize the damage if something should get through? I often find that networks within the station are combined, on purpose or by mistake. I've been in several facilities where they claim their networks are segregated, yet we find that's not the case. For example, a PC with a double-NIC (two network cards for separate networks) sits on both networks at once; if that machine is compromised, malware running on it can reach either network, and some worms will use the second card to cross over. So the machine that handles traffic but must connect to the automation system, using two network cards, might not be as safe as you thought. Or that one PC that has Remote Desktop on it so someone can get into the network but only through that one "external" machine ... well, it may not be the "firewall" you think it is. There are ways to handle remote access properly and securely. Your trained IT staff or outside security contractor can help you with this.

#5. Backup, backup, backup. I mentioned this already, but it is so important to surviving a disaster that it deserves its own reference. It is imperative that you regularly back up all critical files, and do so to locations that cannot be reached from the infected network. There are several cases where ransomware found its way to a network backup and encrypted the very files that were supposed to protect the operation! Do you back up every 24 hours? Do you maintain backups offsite? (That's not only a good idea for protection against the virus but also for events such as fire, hurricanes and other things that could keep you from accessing the studio or transmitter location.) With backups you can reinstall critical software and data and potentially avoid the need to pay a ransom. Or it may simply be less costly in time and resources to restore a machine from a recent backup than to use a decryption tool. Therefore, very regular backups are crucial. If, for example, you need to restore your music and spot commercial database and audio files quickly, you'll want that backup to be very recent. Otherwise, you may lose the past several days or weeks of new material, and this could cost the station financially. I often come across TOCs that supposedly are making backups but are not. The backup tape machine hasn't worked in who knows how long, the NAS drive is full, the software that runs the backups hasn't been running for weeks or months, or perhaps the directories selected for backup are not correct. The takeaway here is that you should ask yourself or your IT administrator for proof that backups are being run, that they complete successfully, that they cover the right directories, and that at least one copy is kept offline; and that this is checked on a regular recurring basis rather than assumed.
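The audit below turns "ask for proof that backups are being run" from #5 (and item 1(a)) into something that can be checked automatically. It is an added example, not code from the article or its author: the job records, paths and thresholds are constructed for illustration and in a real facility would be loaded from the backup software's status export or a monitoring agent. It flags exactly the failure modes described above: a job whose last success is older than the backup window, a destination that is nearly full, directories that were supposed to be backed up but were not, and the absence of any healthy copy that is offline from the network it protects.

```python
"""Backup audit: turn "are backups running?" into a checkable answer.

Each record describes one backup job as a monitoring agent or the backup
software's own status export might report it. All records here are
constructed sample data for this example, not real facility data.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample status records (hypothetical job names and paths).
SAMPLE_JOBS = [
    {   # healthy nightly job to a rotated, disconnected disk set
        "name": "automation-db-nightly",
        "destination": "rotated-usb-set-B",
        "last_success": "2019-11-04T02:10:00+00:00",
        "offline_copy": True,
        "free_bytes": 900 * 1024**3,
        "required_paths": ["D:/Automation/DB", "D:/Automation/Audio"],
        "backed_up_paths": ["D:/Automation/DB", "D:/Automation/Audio"],
    },
    {   # NAS target that is nearly full and has been silently failing
        "name": "traffic-to-nas",
        "destination": "nas01",
        "last_success": "2019-09-28T02:10:00+00:00",
        "offline_copy": False,
        "free_bytes": 2 * 1024**3,
        "required_paths": ["C:/Traffic/Logs", "C:/Traffic/Spots"],
        "backed_up_paths": ["C:/Traffic/Logs"],
    },
    {   # cloud copy that is current but reachable from the office network
        "name": "office-to-cloud",
        "destination": "cloud-bucket",
        "last_success": "2019-11-04T03:00:00+00:00",
        "offline_copy": False,
        "free_bytes": 10 * 1024**4,
        "required_paths": ["C:/Users"],
        "backed_up_paths": ["C:/Users"],
    },
]

NOW = datetime(2019, 11, 4, 9, 0, tzinfo=timezone.utc)  # constructed "today"


def audit_job(job, now, max_age=timedelta(hours=24), min_free_bytes=50 * 1024**3):
    """Return a list of problems for one job; an empty list means healthy."""
    problems = []
    age = now - datetime.fromisoformat(job["last_success"])
    if age > max_age:
        problems.append(f"stale: last success {age.days} days ago")
    if job["free_bytes"] < min_free_bytes:
        problems.append(f"destination {job['destination']} nearly full")
    missing = sorted(set(job["required_paths"]) - set(job["backed_up_paths"]))
    if missing:
        problems.append("not backed up: " + ", ".join(missing))
    return problems


def audit_backups(jobs, now=NOW, **thresholds):
    """Audit every job and the set as a whole.

    Returns {"jobs": {name: [problems]}, "offline_copy": bool}. offline_copy
    is True only if at least one *healthy* job writes to a destination that
    is disconnected from the network it protects; a stale offline copy does
    not count, because it would not restore current material.
    """
    report = {job["name"]: audit_job(job, now, **thresholds) for job in jobs}
    healthy_offline = any(job["offline_copy"] and not report[job["name"]]
                          for job in jobs)
    return {"jobs": report, "offline_copy": healthy_offline}


if __name__ == "__main__":
    result = audit_backups(SAMPLE_JOBS)
    for name, problems in result["jobs"].items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
    print("healthy offline copy exists:", result["offline_copy"])
```

Run it daily from something other than the backup server itself, and treat "no healthy offline copy" as a failure even when every individual job reports success: that is the situation in which ransomware that reaches the network backup encrypts the copy you were counting on.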

#6. If you are attacked, do you have the tools in place to quickly detect it and determine its origination point within your facility? Do you have the tools (and instructions to staff) in place to isolate the virus or ransomware quickly? Do you use a security information and event management (SIEM) system? What is your "first 15 minutes" plan? As mentioned, network segregation is critical in situations where you become infected. If the business network is infected, for example, do you have a way to prevent this attack from spreading to other business networks in your building or within the company (for larger networks or group operators)? Do you have different offices tied together using a WAN/MPLS or other means which might allow the virus to hop over and then start spreading again in an entirely different location? If you believe a virus is crawling through your network, do you have a plan in place to stop it immediately from moving further along to the next server or PC? Do you know how to kill your network shares immediately? Do you have a plan to yank users and machines from the network in seconds? What if an attack happens at 3 a.m. on Sunday morning? Do you have the technology or people in place to alert the proper team leaders? And do you have a response go-team on call, including holidays? This is not make-believe or a far-out fantasy. These attacks are happening regularly to small and large operators, and of course, in all industries.
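The detection logic below illustrates the "quickly detect and determine its origination point" part of #6. It is an added example, not code from the article or its author. It reads file-server audit events of the kind most NAS and Windows file servers can export (timestamp, client host, user, action, path), and alerts when one client produces a burst of renames to encrypted-looking extensions or drops a ransom-note file. The alert names the originating host and user, the first event time and the shares touched, which is exactly what the first-15-minutes plan needs in order to pull that machine off the network and take the affected shares offline. The extension and note-file lists, host names and paths are all constructed for illustration; the sample log is not real data.

```python
"""Spot a ransomware-style encryption burst in file-server audit events and
name the origin host/user, the first event time and the affected shares.

The audit log below is a constructed sample in the shape many file-audit
exports use: timestamp, client host, user, action, path. Adapt parse_events
to your server's real export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative indicator lists (hypothetical; maintain your own).
SUSPICIOUS_EXTENSIONS = {".encrypted", ".locked", ".crypt", ".enc"}
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_restore_files.html"}

# Constructed sample: normal automation traffic, one stray ".enc" file from an
# office PC, then a burst from TRAFFIC-PC that also drops a ransom note.
SAMPLE_AUDIT_LOG = r"""
2019-11-03T03:00:01 PROD-AUTO1 automation WRITE \\nas01\audio\spots\1001.wav
2019-11-03T03:00:05 PROD-AUTO1 automation WRITE \\nas01\audio\spots\1002.wav
2019-11-03T03:00:40 OFFICE-PC mlee WRITE \\nas01\office\vpn\profile.enc
2019-11-03T03:01:10 TRAFFIC-PC jsmith RENAME \\nas01\traffic\logs\20191103.log.encrypted
2019-11-03T03:01:11 TRAFFIC-PC jsmith RENAME \\nas01\traffic\logs\20191102.log.encrypted
2019-11-03T03:01:13 TRAFFIC-PC jsmith RENAME \\nas01\traffic\spots\q4.xlsx.encrypted
2019-11-03T03:01:14 TRAFFIC-PC jsmith RENAME \\nas01\traffic\spots\q3.xlsx.encrypted
2019-11-03T03:01:16 TRAFFIC-PC jsmith WRITE \\nas01\traffic\README_TO_DECRYPT.txt
2019-11-03T03:01:18 TRAFFIC-PC jsmith RENAME \\nas01\audio\spots\1001.wav.encrypted
2019-11-03T03:01:19 TRAFFIC-PC jsmith RENAME \\nas01\audio\spots\1002.wav.encrypted
2019-11-03T03:02:00 PROD-AUTO1 automation WRITE \\nas01\audio\spots\1003.wav
"""


def parse_events(text):
    """Parse one event per line into dicts with a datetime 'time' field."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, action, path = line.split(maxsplit=4)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "action": action.upper(), "path": path})
    return events


def _filename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def _share(path):
    """Reduce a UNC path like \\\\server\\share\\dir\\file to \\\\server\\share."""
    parts = path.replace("\\", "/").strip("/").split("/")
    return "\\\\" + parts[0] + "\\" + parts[1] if len(parts) >= 2 else path


def is_suspicious(event):
    """Ransom note by name, or a write/rename producing a suspicious extension."""
    name = _filename(event["path"]).lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return name in RANSOM_NOTE_NAMES or (
        event["action"] in ("RENAME", "WRITE") and ext in SUSPICIOUS_EXTENSIONS)


def detect_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Alert on any client host with >= threshold suspicious events in window.

    A single suspicious file (a legitimately named .enc profile, say) does not
    alert; a burst from one host does, and the alert carries what the
    responder needs: who, from where, since when, and which shares.
    """
    by_host = defaultdict(list)
    for ev in events:
        if is_suspicious(ev):
            by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        for i in range(len(evs)):
            j = i  # extend j to the last event within `window` of evs[i]
            while j + 1 < len(evs) and evs[j + 1]["time"] - evs[i]["time"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({
                    "host": host,
                    "user": evs[i]["user"],
                    "first_seen": evs[i]["time"].isoformat(),
                    "count": j - i + 1,
                    "note_dropped": any(_filename(e["path"]).lower() in RANSOM_NOTE_NAMES
                                        for e in evs),
                    "shares": sorted({_share(e["path"]) for e in evs}),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"ISOLATE {alert['host']} (user {alert['user']}), first seen "
              f"{alert['first_seen']}, {alert['count']} events, "
              f"note dropped: {alert['note_dropped']}, shares: {alert['shares']}")
```

Wire the alert to whatever pages the on-call team (the 3 a.m. Sunday case above) and have the runbook say what to do with each field: disable the user account, pull the host's switch port or disable its NIC, and take the listed shares offline until they can be checked. Tune the window and threshold against a week of your own normal traffic first; an automation system that legitimately renames hundreds of files per minute needs a host allowlist or a higher threshold so the detector does not cry wolf.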

#7. If your data becomes encrypted, do you have a plan of action filed away so you know what to do? Have you thought about whether you would pay a ransom if presented with such a demand? There are different schools of thought on whether to pay. Many have paid, and many have not. It is reported by Symantec that only 47% of those who pay the ransom to the bad guys get their data back. It is also claimed by several reputable security firms that if you do pay this time, there is a chance you will be hit again because the data kidnappers know you will give in. (Of course, we all know you will be fully protected after the first successful ransom, right?) Let's say you don't pay; better have your recent backups ready to go. Do you have a backup system that allows for easy and quick restoration? Do you have a go-team put together who will be ready to restore systems, and a chain of command to direct team members on what to do and when? (See #6.) If you decide to pay, most ransoms are paid with bitcoin; do you know how to purchase bitcoin? Do you know from where? It can take a few days to obtain bitcoin, depending on how you buy it. Major cities have bitcoin-capable ATMs that can speed this up. The average ransom ranges from a few thousand dollars to much higher. Do you have a source for that kind of money in a hurry should you need it? Now is the time to think about these things and have a plan written down. If you don't, you may be scrambling at the last minute while your critical systems are down, and that kind of delay costs money because your operations are down. If you work with an outside security expert or have such staff internally, and you are not sure what your plans are should you get attacked, ask for one. Do not be unprepared. On a positive note: did you know that some ransomware families have a free decryptor? There are free decryption tools out there that might work in your case. Check for one before doing anything else.

#8. Some ransomware attacks are widespread. We've all heard about them. You'll see them on TV and on most credible news and IT websites quickly. In some cases these large-scale attacks are shut down, or a decryptor is published, within 24 to 48 hours by law enforcement or white-hat researchers. If you are affected by one of these large-scale attacks, check with your security provider, consultant, vendor or IT staff to see if there is a fix before paying any ransom.

#9. If you are in the United States, contact the nearest field office of the FBI or Secret Service and report your ransomware event and request assistance. They may be able to help you. If you are in Europe, go to the Europol website and it will direct you to the local agency in your country. If in Australia, report your event to the Australian Cyber Security Centre. Most countries have a governmental agency that wants to hear from you.

#10. Ask for help. I say this often. Do not be afraid to ask for help. Whether you are a managing director, an engineer or an IT director, it is OK to ask for resources to assist you with cybersecurity. You have friends who know things. You have vendors who know things and who have internal resources to assist you with this. There are local IT firms with experts. Consultants. Lots of free advice on the internet. The United States and many other governments provide free information on ransomware, viruses and other forms of malware.

I walk into too many facilities that are not prepared defensively and that starts at the top. Go back to #1 above. Make sure you have a security-aware culture.

Gary Kline is a broadcast consultant who has been actively involved in radio broadcasting for over 30 years. He has held technical positions with several major broadcast organizations, most notably as senior VP of engineering at Cumulus Media. He has provided engineering support and consulting in the United States, Canada, China and several South American countries. He is a past recipient of the Radio World Excellence in Engineering Award.
