Strategy eats culture for breakfast

12.06.20 01:11 AM By Jordan

We have spoken extensively about the effective approach towards cyber security and that there needs to be an effective culture that is built and developed so that employees know what standard operating procedures (SOPs) are needed in specific situations.

The problem with developing a culture is that it takes a long time, while the cyber threat is immediate. When facing a clear and present danger, nothing beats strategy. After all, strategy eats culture for breakfast.

I recently read a Forbes article which pointed out how this can be done effectively, especially when it comes to remote working, which is something that will gain in prominence in the future.

Encourage cyber ‘social distancing.’

The article points out that companies need to encourage employees to adopt the same strategy for cyber viruses they use in the real world. Cyber “social distancing” is about recognizing risk and keeping your distance.

The article adds that helpful technology solutions should include a secure email gateway to detect phishing attacks and spam, a VPN solution to secure remote connections or a secure access solution to ensure that only authenticated devices access the network.

Use a cyber-intelligence approach.

The article points out that, to truly strengthen an organization’s cybersecurity posture, look for external signals of impending attacks.

The article adds that the ability to predict an attack and prioritize remediations accordingly is key. Go to the hackers’ trenches (e.g., deep/dark Web, hackers’ communities, and closed communities), decode threats that are relevant to the organization and understand the context of the attack.

Employ cloud-based solutions.

The article points out that cloud-based cybersecurity solutions that protect the device, cloud, and identity of the user—that is the ticket for secure remote working.

The article adds that the new generation of cybersecurity solutions, optimized for secure remote work, are deployable in seconds, cloud-managed, silent to the user and invasive to the attacker.

Secure the perimeter.

The article points out that businesses need to secure the corporate perimeter when moving to a remote workforce. This means tying VPN to Active Directory and enabling multifactor authentication to make sure the right people are accessing networks, apps, and data.

The article adds that businesses should mandate VPN use on public Wi-Fi and remind employees to avoid opening emails and clicking on URLs from unknown senders and to keep passwords safe.

Consider virtual desktop environments over VPNs.

The article points out that companies must ensure employees can securely access everything they need to do their jobs effectively from home.

The article adds that using VPNs has been the traditional method, but it limits access to a small number of internal company applications and cannot secure many of the online apps employees need. Companies should consider testing and bolstering a virtual desktop environment to provide a great user experience.

Trust, but verify.

The article points out that when working remotely, it is easier to be misled by fake requests from people you know (spearphishing).

The article adds that companies should teach their team how to spot the signs, as well as how to verify any requests. The easiest way is to always use another channel, like calling them or jumping on a video call.

Carry security protocols over to home offices.

The article points out that it is not just about the security platform that the CISO has put in place but how employees continue that business continuity into the home office.

The article adds that it’s critical that as users move to remote working the security team has a plan in place to carry all of the security protocols and policies over to ensure that home users are just as secure as if they were in the corporate office.

Deploy mobile security software.

The article points out that the most effective cybersecurity measure is the implementation of an agile mobile security platform that can be installed on any device accessible by the employee—regardless of the operating system or manufacturer—and that is built around a model of data-centric security.

The article adds that without those key elements, companies risk slower deployment times, lost company data and extensive overhead costs.

Remind employees to guard their home routers.

The article points out that we have seen with smart cities and enterprises that remote contractors and staff may have the greatest VPN, but their home router may be the weakest link.

The article adds that many people buy home routers and never change the default password. Botnets are out seeking these open doors—once they gain access, they infect the worker’s PC and enter the organization through the VPN. This is an area not managed by IT.

Know your access points.

The article points out that the rush to work from home is a situation in which the prepared do better. It is critical to keep an up-to-date network map to handle whatever comes along. For example, show where your VPN access points are and whether they have the correct access.

The article adds that most organizations struggle to maintain a reliable map of their changing world, but it can be automated.

Remember that temporary pain will bring long-term advantages.

The article points out that the COVID-19 crisis is accelerating many developments that will improve the cybersecurity posture of organizations. Security teams are looking for SaaS security applications that can be deployed with ease and with no disruption to productivity.

The article adds that many organizations are still far away from this, using only on-premises solutions, and the crisis is forcing them to change their approach.

Create a specific action plan for critical functions.

The article points out that, like any new service, secure remote working needs organizations to define and implement security policies, procedures, and controls. However, in most companies, the challenge is that a few critical functions are not designed to work offsite.

The article adds that those need a quick process redesign and risk assessment to come up with a short-term action plan followed up with a sustainable long-term control framework.

Do not wash your hands of cyber hygiene.

The article points out that the most significant threat to cybersecurity is still employee negligence. Anticipate a substantial increase in malicious cyber-targeting of remote workers.

The article adds that, no matter the location, you must establish a culture of security, protect mobile devices, maintain computer cyber-hygiene, properly deploy and maintain firewalls, have current antivirus software, and, most importantly, plan for the unexpected.

Focus on endpoint security and VPN use.

The article points out that companies need to ensure robust endpoint security and VPN use on all devices, including personal devices that may now be accessing company systems and data.

Using a cloud-managed solution enables streamlined centralized control, visibility, and policy enforcement.

Assess your company’s threat model work.

The article points out that a good rule of thumb that easily translates to remote work, VPN use, etc. is to view all traffic and actors as nefarious until proven otherwise.

The article adds that, in the end, cybersecurity measures ultimately come down to a company’s threat model work, which is the primary key to driving their cybersecurity risk assessment and countermeasures.

A whole new role.

The focus on cyber security peaked in 2017 as the world realised that any defence against this growing threat needs to be formalised and not piecemeal. Roles such as Chief Information Officer were established in companies; their holders started to hold board positions and are now involved in some of the most intricate planning within companies.

These departments grew as strategy required feet on the ground. I recently read an article on Security Boulevard which pointed out that as a Chief Information Security Officer (CISO), your cyber security strategy plan drives data protection for the organization across every aspect of business processes, including new hires and onboarding.

The article points out that it is not uncommon for an organization to have an HR step where the hiring manager requests network account credentials and permissions for a new employee. Without the right procedures in place, hiring managers could ask for extensive permissions and violate the principle of least privilege. High-privilege accounts should be given with caution including virtual and physical access. With the right strategy plan in place, a CISO can maintain hardened cyber security compliance and still offer managers a smooth onboarding transition.

Phishing User Credentials is Big Business for Hackers.

The article pointed out that, in last year’s Verizon Data Breach Investigations Report, a survey found that the second most common type of attack resulting in data disclosure was phishing. In this same report, 33% of attacks were from social engineering and 28% involved malware. These numbers are alarmingly high especially when more and more organizations store several data points on customers including financials, contact information and passwords. For many attacks, the goals are financial for an attacker, so they use phishing to gain access to accounts that provide permissions to sensitive data. High-privileged accounts are an attacker’s main target as these accounts can be leveraged for massive exfiltration of valuable data.

The article added that, to avoid unnecessary privileges and thwart potential phishing attacks, a CISO’s cyber security strategy plan should include an onboarding checklist that ensures tightened protocols for a new hire’s network access. The following is not an exhaustive list, but this checklist has several questions that could be useful when determining an onboard permission process:

  • What department will the employee be working for?
  • What network resources does the employee need to access to perform their job functions?
  • Who is the employee’s direct manager?
  • Are extended privileges needed and for what job function?
  • Is physical access to any resource necessary?
  • If the hire is a transfer, what resources from the old position are no longer needed?

The article pointed out that the last question involves onboarding an already existing employee transferring to a new position. Privilege accumulation is another real issue for organizations. If your cyber security strategy does not include revoking privileges when an employee transfers, the accumulated permissions can be used by attackers to make lateral moves across the network. Some CISOs perform regular reviews of user permissions to identify any unnecessary privileges that must be revoked to ensure this issue does not happen.
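The onboarding checklist and the transfer case above can be turned into a mechanical check. The following is an added example, not code from the blog or the Security Boulevard article: it validates a hiring manager's request against a role baseline, plans a transfer so that old-role grants are revoked, and reviews an account for accumulated privilege. All role names and grants are constructed sample data.

```python
"""Added example (not from the blog or the Security Boulevard article):
least-privilege checks for onboarding, transfer and periodic review.
Role names and grants below are constructed sample data."""

# Constructed role-to-entitlement baselines (department / job function -> grants).
ROLE_BASELINE = {
    "finance-analyst": {"erp:read", "erp:report", "vpn:corp", "badge:hq-floor3"},
    "finance-manager": {"erp:read", "erp:report", "erp:approve", "vpn:corp", "badge:hq-floor3"},
    "it-helpdesk": {"ad:reset-password", "vpn:corp", "badge:hq-floor1", "badge:server-room"},
}

# Grants treated as high privilege (logical and physical); each needs an explicit approval.
HIGH_PRIVILEGE = {"erp:approve", "ad:reset-password", "badge:server-room"}


def onboarding_request(role, requested, approvals):
    """Return (granted, rejected). A grant outside the role baseline, or any
    high-privilege grant, is issued only if an approval record exists for it."""
    baseline = ROLE_BASELINE[role]
    granted, rejected = set(), set()
    for grant in requested:
        needs_approval = grant not in baseline or grant in HIGH_PRIVILEGE
        if needs_approval and grant not in approvals:
            rejected.add(grant)
        else:
            granted.add(grant)
    return granted, rejected


def plan_transfer(current, old_role, new_role):
    """Return the grants to revoke and add when an employee changes position.
    'accumulated' lists grants that belonged to neither role's baseline."""
    old, new = ROLE_BASELINE[old_role], ROLE_BASELINE[new_role]
    return {
        "revoke": current - new,             # everything the new role does not need
        "add": new - current,
        "accumulated": current - old - new,  # leftovers from earlier roles or ad-hoc grants
    }


def review_account(current, role):
    """Periodic review: grants beyond the baseline, with the high-privilege subset flagged."""
    excess = current - ROLE_BASELINE[role]
    return {"excess": excess, "high_privilege_excess": excess & HIGH_PRIVILEGE}
```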

Another challenge for CISOs is how frequently users should change their passwords. It is widely considered unnecessary and a dying concept to require mandatory password changes. Keyloggers can be used to capture password changes and identify user behaviour patterns to figure out passwords even after they have been changed. Password expiration rules will also need to be determined during onboarding strategy planning.

Guidelines and Security Frameworks for New CISOs.

The article added that a new CISO might be great at risk assessment, but knowing the right guidelines and frameworks can be more of a challenge for someone who is unfamiliar with guiding businesses at the CISO level. To get started, the CIO and CISO Councils created a CISO Handbook that lays out the best standards and approach towards cyber regulations. The CISO Handbook covers one of the most important frameworks for CISOs – NIST (National Institute of Standards and Technology) from the US Department of Commerce.

The NIST framework covers a roadmap for CISOs to get started with cybersecurity development and collaboration. Following the NIST framework will keep organizations aligned with PCI-DSS, HIPAA, and FISMA (to name a few of the most prominent). These regulatory guidelines control the way businesses protect data especially within a specific industry, but the NIST framework covers general guidelines that will protect the business as a whole.

The article pointed out that some other frameworks that a CISO should be familiar with include:

  • ISO/IEC 27000 family – an international framework for managing security systems;
  • SOC 2 – security standards that oversee data stored in the cloud;
  • CIS v7 – general guidelines and standards for development of baseline security standards;
  • COBIT – a framework for production performance that works well with cybersecurity;
  • FedRAMP – standards specifically for government agencies.

Not always easy.

The article pointed out that it is not always easy changing cyber security protocols within an existing organization. A new CISO could have their work cut out for them. One goal that should be communicated to the organization is that short-term convenience will be replaced with long-term cyber security protection that reduces the risk of a massive data breach.

In addition to cyber security strategies, the CISO can launch training programs to empower users so that they can identify phishing and social engineering warning signs. User training has been shown to reduce click-through rates on phishing email links from 25% in 2012 to 3% in 2018, so it can be a critical component of a strong onboarding strategy.

The article added that user onboarding protocols, password policies and training should all be a part of a CISO’s cyber security strategy plan. CISOs should be tightly ingrained in every user access request by standardizing an organization’s user account creation, management, and deactivation procedures. In addition, user training familiarizes users with the pitfalls of phishing and social engineering and helps them recognize an attack. As challenging as it can be to get an organization on board with these protocols, a good CISO can explain the need for these steps to increase data protection and reduce risks that can cost millions in damages.

The game changer.

Artificial Intelligence (AI) has always promised much when it comes to the fight against cyber crime. I recently read an article on Security Magazine which pointed out that there are important things to consider when incorporating AI:

  • Establish the Foundation. AI offers powerful potential for augmenting existing cybersecurity tools beyond traditional signature-based approaches and offers a mechanism for the rapid validation and prioritization of threats. However, understanding the basics of the network are essential for success, specifically in the areas of visibility, governance, storage, and processing and workflows;
  • Visibility. First, all assets on the network must be accounted for through an established IT Asset Management Program. Studies more than a decade old show that most organizations cannot account for nearly 30 percent of their assets – a troubling statistic that our experience continues to prove true today. Understanding what is on the network is key to recognizing and responding to cybersecurity incidents, in addition to ensuring AI models are using the right data. CrowdStrike’s 2019 Global Threat Report suggests that threat actors’ ability to spread across the network takes between 18 minutes and nine hours. Attempting to track down assets after detection can significantly increase the Mean Time to Remediation;
  • Governance. Next, the best operationalized AI use cases require multiple data feeds, which represent a unique perspective on what is happening on an organization’s network and infrastructure. As with any human operations, AI performs best when many perspectives can be fused together into one comprehensive picture. However, this is often challenging, as each model may be expecting data in a unique structure and format. For this reason, it is critical that organizations stand up a common data model (e.g. the Splunk Common Information Model (CIM) or the Elastic Common Schema (ECS)). This model can be used to link multiple data feeds together into a single source of data truth and ensures each algorithm in an organization’s model suite is built on the same data foundation;
  • Storage and Processing. Once the data is standardized, the use of a data broker (e.g., Kafka, RabbitMQ) can help move data outside of existing security platforms to where advanced analytic capabilities can take place. By decoupling the storage and compute layers, resource-intensive AI models can run more freely without bogging down the real-time identification of threats. This also helps avoid vendor lock-in should organizations change products at a later time. These separate systems also support the storage of tagged flat files more suitable for AI use cases where currently deployed tools do not support a similar extensible storage method;
  • Workflows. Last, organizations must establish clearly defined and organized workflows and processes that extend beyond the security team. In a 2019 Ponemon Institute study, only 23 percent of organizations out of 3,665 said their company had an incident response plan applied consistently across the entire enterprise. Alternatively, in the same study, 24 percent of organizations admitted to not having an incident response plan in place at all. As new threats are detected, organizations need a solid grasp on their incident response processes to effectively address threats. If the number of alerts begins to rise after new detection methods, analysts can become quickly overwhelmed, which in turn poses issues to the success of an organization’s AI deployment.
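The Governance point above (a common data model such as CIM or ECS linking several feeds into one source of truth) is easiest to see with two feeds side by side. This is an added example, not code from the blog or the Security Magazine article: two constructed raw feeds, a firewall log and a VPN log, are mapped onto one common schema using ECS-style field names (flat keys, simplified), so a single query runs across both without knowing either tool's native format.

```python
"""Added example (not from the blog or the Security Magazine article):
two constructed raw feeds normalized onto one ECS-style common model,
then queried together. All sample lines are constructed."""

import json

# Constructed raw events; each tool uses its own field names and encoding.
FIREWALL_EVENTS = [
    '{"ts": "2020-06-12T01:05:10Z", "src": "10.0.0.5", "dst": "203.0.113.9", "dpt": 443, "act": "allow"}',
    '{"ts": "2020-06-12T01:05:12Z", "src": "10.0.0.5", "dst": "198.51.100.7", "dpt": 4444, "act": "deny"}',
]
VPN_EVENTS = [
    "2020-06-12T01:04:55Z user=jdoe remote_ip=203.0.113.9 result=success",
    "2020-06-12T01:05:30Z user=asmith remote_ip=198.51.100.7 result=failure",
]


def normalize_firewall(line):
    """Firewall JSON -> common model. related.ip carries every IP in the event."""
    raw = json.loads(line)
    return {
        "@timestamp": raw["ts"], "event.module": "firewall",
        "source.ip": raw["src"], "destination.ip": raw["dst"],
        "destination.port": raw["dpt"],
        "event.outcome": "success" if raw["act"] == "allow" else "failure",
        "related.ip": [raw["src"], raw["dst"]],
    }


def normalize_vpn(line):
    """VPN key=value text -> common model."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return {
        "@timestamp": ts, "event.module": "vpn", "user.name": kv["user"],
        "source.ip": kv["remote_ip"], "event.outcome": kv["result"],
        "related.ip": [kv["remote_ip"]],
    }


def build_common_feed():
    """Fuse both feeds into one time-ordered stream of common-model events."""
    events = [normalize_firewall(l) for l in FIREWALL_EVENTS]
    events += [normalize_vpn(l) for l in VPN_EVENTS]
    return sorted(events, key=lambda e: e["@timestamp"])


def failed_ips(events):
    """One query over the fused feed, written only against common field names:
    every IP tied to a failed outcome, with the modules that reported it."""
    seen = {}
    for e in events:
        if e["event.outcome"] == "failure":
            for ip in e["related.ip"]:
                seen.setdefault(ip, set()).add(e["event.module"])
    return seen
```

The same `failed_ips` query keeps working when a third tool is added, as long as its normalizer fills the same common fields.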

Through a similar approach, organizations will be more effectively prepared to validate, prioritize, and analyse potential threats. With the basics covered, launching AI across your organization is just a few more steps away.
