A robust cybersecurity program consists of many tools and technologies that create a trustworthy computing environment. Fortunately, there are resources to help select the right tools for our organizations. Some resources are even free to local governments. (See cybersecurity resources.)
Simply installing traditional antivirus and antimalware software that rely on signatures, which are like fingerprints that can help identify viruses, no longer protects computers and networks. While signatures are still viable for detecting malware, they should be only one layer in the endpoint security strategy. Some technologies that add layers of protection on top of traditional antivirus programs include:
- Endpoint detection and response (EDR) – This proactive technology identifies threats that antivirus vendors have not yet identified or written signatures for. EDR continuously monitors network endpoints, looking for deviations from expected patterns of behavior to identify threats. EDR can respond to help mitigate an attack, including quarantining the suspected malware to remove the threat and providing a root cause analysis. Extended detection and response (XDR) is an extension of EDR that improves capabilities and insight into the network and can cover more than just endpoints, including cloud services and other platforms that are part of an organization’s network.
- Ransomware rollback – This tool can revert an affected system to a known healthy state while identifying the process that caused the ransomware attack and remediating the problem. Ransomware rollback is sometimes included in EDR/XDR offerings.
- Application whitelisting – This process approves the files allowed to run in a network environment and prevents any file not on the approved list from running without administrator intervention. The drawback is that it requires careful setup and ongoing maintenance as approved software changes.
- Next-generation firewalls – These firewalls provide application controls that can help filter malicious applications, user controls for more granular control of user security, and sandboxing that sends files to be reviewed for malware before they are let through.
- Intrusion prevention systems (IPS) and intrusion detection systems (IDS) – These systems are often included in next-generation firewalls but can be standalone products. An IDS continually monitors for malicious traffic via rules, behavior analysis or both, and alerts you when potentially malicious traffic is detected. An IPS does what an IDS does but will also attempt to stop the malicious traffic from gaining entry into the network.
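The following is an added illustration, not code from the article or from any product it mentions, of why signatures should be only one layer: a constructed sample set in which a known-bad file is trivially altered so its hash signature no longer matches, an application whitelist still blocks it because it was never approved, and an EDR-style behavioral rule flags the ransomware-like pattern of one process rewriting many files in a short window. All file contents, hashes, process names and events are constructed for the example.

```python
import hashlib

# Constructed sample "files" (byte strings standing in for executables on disk).
KNOWN_GOOD = b"approved-backup-tool v1.0"
KNOWN_MALWARE = b"encrypt-everything"
REPACKED_MALWARE = KNOWN_MALWARE + b"\x00"  # one extra byte: new hash, same behavior

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Layer 1: traditional signatures, a denylist of known-bad file hashes.
MALWARE_SIGNATURES = {sha256(KNOWN_MALWARE)}

def signature_verdict(data: bytes) -> str:
    return "block" if sha256(data) in MALWARE_SIGNATURES else "allow"

# Layer 2: application whitelisting, an allowlist of approved file hashes.
APPROVED_APPS = {sha256(KNOWN_GOOD)}

def whitelist_verdict(data: bytes) -> str:
    return "allow" if sha256(data) in APPROVED_APPS else "block"

def layered_verdict(data: bytes) -> str:
    """Any layer may block; a file is allowed only if no layer objects."""
    verdicts = (signature_verdict(data), whitelist_verdict(data))
    return "block" if "block" in verdicts else "allow"

# Layer 3: EDR-style behavioral rule over constructed endpoint events.
# Each event is (timestamp_seconds, process, action, path).
EVENTS = [
    (0, "backup.exe", "read", "C:\\Users\\a\\doc1.docx"),
    (1, "backup.exe", "write", "D:\\backup\\doc1.docx"),
    (5, "update.exe", "write", "C:\\Users\\a\\doc1.docx.locked"),
    (5, "update.exe", "write", "C:\\Users\\a\\doc2.docx.locked"),
    (6, "update.exe", "write", "C:\\Users\\a\\doc3.docx.locked"),
    (6, "update.exe", "write", "C:\\Users\\a\\doc4.docx.locked"),
    (7, "update.exe", "write", "C:\\Users\\a\\doc5.docx.locked"),
]

def suspicious_processes(events, window=10, threshold=5):
    """Return processes that write at least `threshold` files within `window` seconds."""
    flagged = set()
    writes = [(t, p) for t, p, action, _ in events if action == "write"]
    for t0, proc in writes:
        count = sum(1 for t, p in writes if p == proc and t0 <= t < t0 + window)
        if count >= threshold:
            flagged.add(proc)
    return flagged
```

Running the three layers over the sample shows the signature layer missing the repacked file while the whitelist and the behavioral rule each catch what the other layer's vantage point cannot.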
TRAINING OPPORTUNITIES
It is often said that the weakest link in an organization’s security posture is the human element. A security awareness training program is extremely important and should have buy-in from the highest levels of the organization. All employees who work with a computer should be required, at a minimum, to complete meaningful annual training that discusses current and emerging cyberattack trends. The Florida Legislature passed a bill (CS/HB 7055) that requires local governments to adopt cybersecurity standards and participate in annual training.
Organizations should evaluate programs that incorporate phishing tests and reminders throughout the year. Simple activities to implement include providing tips on maintaining a safe computing environment and recognizing October as Cybersecurity Awareness Month. (For more information, visit bit.ly/3IPxzQ3.)
By Mike Taylor
Mike Taylor is the Associate Director of Technology Services for the Florida League of Cities.