Our top cybersecurity predictions for 2023

Our top cybersecurity predictions for 2023

It’s the time of year when the industry begins making its top cybersecurity predictions for the year ahead. Gartner, among others, recently released their top 8 cybersecurity predictions for 2023, writing that supply chain and geopolitical issues will continue to dominate cybersecurity.

In this article, our team looks into the proverbial crystal ball to share their top cybersecurity predictions and what initiatives security leaders should prioritize for 2023.

What Cybersecurity Lessons Did We Learn in 2022?

The breaches, hacks, and cyber breakdowns in 2022  taught us many cybersecurity lessons that we can use to improve security in the new year. Lessons learned include:

  • You can’t rely on MFA.
  • Company stakeholders, including VCs and board members, must have insight into their company’s security stance.
  • Don’t sacrifice security for a 1% improvement of your product. Constant re-architecting creates numerous security holes.
  • Continuous security is mandatory for blockchain. Instead of one-time assessments at launch, teams should strive for continuous validation throughout the project lifecycle.

What Are the Top Cybersecurity Predictions for 2023?

The top cybersecurity predictions for 2023 identified by the team of experts at Kudelski security are:

  1. Basic, human-targeted attacks will be the biggest risk to cyber defenses.
  2. Zero trust will replace VPN.
  3. Insider and third-party risk will rise.
  4. Reliance on passwords will decline.
  5. Skepticism around blockchain security and availability will continue.
  6. Quantum-interested companies will need to start assessing risks.

Prediction #1: Basic, human-targeted attacks, like ransomware, phishing, and email attacks will be the biggest risk to cyber defenses.

In 2023, we will see the most basic security attacks — email compromise, active directory attacks, ransomware, phishing, and multi-factor authentication attacks — continue to be the most effective and lucrative for cybercriminals.

Whenever humans are introduced into the security equation, they immediately create holes in the corporate cyber defense system. Phishing and emerging MFA bombing schemes are more sophisticated than ever and will render cybersecurity training ineffective.

“Whenever humans are introduced into the security equation, they immediately create holes in the corporate cyber defense system.”

To combat these attacks, corporate security teams should not trust human factors. Instead, they should adopt an offensive security posture. Detection and response initiatives should focus on preventative features instead of reactive quick fixes.

Will your threat detection and response strategies stand up to advanced threats? Watch our webinar to learn how to improve program maturity.

Prediction #2: Zero trust will replace VPN to secure a distributed workforce.

In 2023, zero trust will replace virtual private networks completely as security teams adjust to a more dispersed workforce. With work-from-home here to stay, company network borders won’t look anything like they used to. Employees are accessing most work applications via SaaS, and IT teams are hesitant to inherit the risk of home networks. Mistrusting every device is the key to supporting and securing remote workforces.

Can zero trust be a business enabler? Read our take on this blog from Vincent Whaart.

Prediction #3: Insider and third-party risk will rise as attackers take advantage of vulnerable parties in the economic downturn.

The impending recession will loom even closer in 2023, and cybercriminals will take advantage of the dire economic situation to bribe their way into corporate systems. We predict that software hacking will decline in 2023 in favor of “insider risk.”

Attackers will set aside their hacking skills and instead single out vulnerable employees at third-party vendors, such as shipping authorities, supply chain companies, internet service providers, and software vendors.

Companies must remain vigilant to not only secure their own network perimeters but also build a strong vendor risk management program.

Prediction #4: Reliance on passwords will decline as the flimsiness of MFA is exposed.

While it’s unlikely that passwords will completely disappear in 2023, MFA fatigue could usher in a passwordless future in years to come. The recent Uber breach highlighted the flimsiness of MFA and left security teams searching for a better alternative. In 2023, we’ll see an emphasis on securing accounts with as many other safeguards as possible, including stronger passwords and password managers.

Prediction #5: Skepticism around blockchain security and availability will continue without more caution.

2023 will be another tumultuous year for blockchain technologies unless it shifts away from “point in time” security measures. Currently, too much trust is put into code to be perfect.

Blockchain security teams must layer in more robust controls, including detection and response capabilities, to deter threat actors. The billions of dollars of bridge hacks that occurred in 2022 put a huge dent in users’ confidence in blockchain security.

Luckily, blockchain enterprises and projects are aware that customers are just as concerned about their chosen blockchain’s security as its features. This will lead blockchains to apportion the appropriate resources to improve security in 2023.

In addition to cryptocurrency theft, blockchain availability and stability should be a priority in 2023. If outages and slowdowns continue, blockchains face user decline or even complete collapse.

Learn more about Kudelski Security’s portfolio of blockchain security services.

Prediction #6: Companies concerned about quantum computing should begin assessing risks now.

Controls to prepare for quantum computing are unlikely to see mass adoption in 2023, but keep an eye on it for 2024. The current risks of quantum computing don’t quite outweigh the incredible investment required yet. That said, companies that stand the most to lose from future quantum attacks — e.g., financial services, defense contractors, and companies that transmit extremely sensitive data especially — should begin assessing their risks now.

Are you ready for the era of quantum computing? Watch our webinar to know how to be better prepared.

What Impact Will the Recession Have on Security Teams in 2023?

The recession should have relatively little impact on security teams in 2023. We predict security teams are going to remain mostly untouched even as companies across industries are forced to make cuts to their budgets and workforce in response to the upcoming recession.

American privacy laws will likely elevate to reach current European standards, putting a renewed focus on security and compliance in boardrooms and C-suites.

Additionally, cybersecurity labeling for consumer products, especially on hardware, will further the importance of corporate security teams. Economic hardships will necessitate that security teams work smarter and consolidate to meet the evolving economic and tech landscape.

What Should Security Leaders Prioritize in 2023?

In response to these top cybersecurity predictions for 2023, security leaders should prioritize the following initiatives:

  • Adopting an offensive security posture rather than a defensive one.
  • Focusing detection and response initiatives on preventive features instead of reactive fixes.
  • Phasing out VPN in favor of zero trust strategies for the remote workforce.
  • Building out a strong vendor risk management program to protect against third-party risk.
  • Looking for alternatives to MFA while implementing stronger password requirements and account protections.
  • Working smarter and consolidating to meet the evolving economic and tech landscape.
  • Bolstering availability and security of blockchain-related services.
  • Assessing risks related to quantum computing, especially for those in financial services, defense, or other industries that deal with highly sensitive data.

Get in Touch

Kudelski Security can help you prepare for 2023 and beyond with a comprehensive suite of security advisory services. From MDR and zero trust to blockchain and quantum, our experts can assess, design, implement and manage a resilient cybersecurity strategy. Get in touch with  our team here.

15 Practical Tips for More Effective Cybersecurity Incident Response

15 Practical Tips for More Effective Cybersecurity Incident Response

Building an effective cyber incident response plan requires more than having the right tools in place or engaging the right cyber incident response services. As a security leader, you’re responsible for building the right security foundation and fostering a culture of teamwork and open dialogue during a crisis. Summarizing a recent webinar, this article will explain:

  • 3 Common Pitfalls in Cybersecurity Incident Response
  • 8 Practical Tips for Building an Effective Incident Response Team
  • 4 Technical Fixes to Reduce the Likelihood of a Breach

It almost goes without saying that everything is connected to the internet these days. It’s a business enabler and a necessity in the global economy. But it’s also a playground for cybercriminals.

The good news is the impact of cyberattacks like ransomware can be minimized or entirely prevented with an effective incident response plan in place. And it doesn’t require fancy techniques like AI and machine learning. Don’t get me wrong AI and machine learning can help detect attacks. But they are frequently overrated. It won’t do the job we would all like to think it can do.

Based on our team’s experience investigating breaches for clients, here are the common pitfalls we see CISOs fall into during an incident and some practical tips for avoiding them.

Three Common Pitfalls in Cybersecurity Incident Response

There are three characteristics that come up again and again in organizations that experience an incident, and they are all totally avoidable.

 

#1 Speed-Based Trust – Thinking Security Vendors Will Do the Full Job for You

Collectively, we have a culture of outsourcing trust. Where we used to trust our peers or institutions, we are now in an era of outsourced, “speed-based” trust. We assume trust in exchange for convenience.

Just as we trust Uber to get us to the right location safely, we trust our security vendors to keep our organizations safe. None of these security vendors, however, can fully address our security issues. We’re going to have gaps.

We call this a Swiss Cheese Model of security. While an MSSP or EDR solution may have you covered when it comes to detection and response, you’re still going to have to assume responsibility for applying patches to close any backdoors that may go undetected and ensure that your systems have secure configuration.

#2 Not Doing the Basics (It Was Never Going to End Well for the Titanic)

Almost worse than the Swiss Cheese Model of security is the Cyber Titanic Model. In the Cyber Titanic Model, you believe you have built a ship that can’t sink. You believe so much in the tools you have invested in, that you let your guard down. Maybe you even relax your security requirements.

Eventually, the boat will sink, and you will not be prepared.

Investing in endpoint detection and network security makes sense, but you need to balance it with basic security practices. If you don’t have a solid foundation of patching, configuration, segregation and hardening, you will just be investing in a sinking boat. Too many times we see breaches that could have been prevented if the basics were in place.

#3 Not Understanding Where to Harden vs. Add New Solutions

To put a finer point on this, detection technology isn’t the end-all-be-all when it comes to preventing an attack. Often security vendors will use the MITRE attack framework to show you how much coverage they can give you across the phases of the attack. This can be helpful but also misleading.

Detection is not the only way to prevent attacks. You can also use MITRE to understand where you need to harden your system to make it harder or impossible to breach your security at each phase of an attack, to begin with.

Watch the webinar “Common Pitfalls Every C-Level Should Know About – Stories From Our Incident Response Team”

Tips for Building a More Effective Incident Response Team

Building a more effective incident response team requires more soft skills than technical skills. Leadership, communication, and policy are critical to improving response outcomes. Here are my top tips.

#1 Understand Organizational Bias

We all have bias because we have experience in certain areas and blind spots in others. Having bias is not the issue. It becomes a problem when you do not recognize the bias.

As a CISO, you will have to understand the bias of your team. They may have a limited view of an issue because they are specialized in a specific area of security. You need to identify the biases, articulate them, and map them. This is foundational to addressing incident response blind spots.

Watch out, especially for the more expert or senior team members who may be very confident in explaining an issue, but don’t have the whole picture.

#2 Bridge Skills to Avoid Bias

One way you can break through the bias is by bringing different teams together to solve a problem. Ask questions that require teamwork to answer. Instead of “Are we secure?”, ask “How bad could it get?”

Then put together a purple team to work together to create a joint report with agreed-upon points of action. This creates a culture of exchange. Teams with better communication will be much better equipped to respond in a crisis situation.

This can cause the organization to focus on a very narrow component of security without addressing the entire ecosystem.

#3 Develop KPIs with Value

Bad KPIs run rampant in security. Security can be hard to report on. But because we want to prove our value, we end up reporting on KPIs that don’t actually mean anything.

We say we blocked one million attacks on our firewalls, or we processed three trillion events because we want to look like we are effective. But what do these numbers actually tell us? If we say we blocked one million attacks on a firewall, all that communicates is that we configured a firewall. If you’re asked for those numbers, challenge the requester, and ask what they’re really trying to understand.

Instead, I recommend going smaller and more actionable with your metrics. Rather than how many attacks we blocked, try reporting on metrics like these:

  • # of common attack vectors removed
  • # of new techniques added to detection coverage
  • % decrease in the attack surface

#4 Shrink Your Digital Footprint

Think about all the data stored in email, your Google accounts, and your mobile apps. All that data can be exfiltrated. Reducing your personal and corporate digital footprint also reduces the impact of a successful attack.

When data is no longer needed, delete it rather than archive it. If you have a legal requirement to keep the data, encrypt it and store the keys off the server. Encrypted data leaks have little to no impact on security, as long as the secret keys remain secret!

Further, how you store data is important. If you have a document on SharePoint called “Insurance Policies” or “Digital Assets Value”, you are giving an attacker a flashing arrow to the documents they need to hold you ransom. If they know your insurance policy is for one million dollars and that one day of disruption would cost your company ten million dollars, they know exactly what to ask for.

#5 Augment your team

Major incidents require more work than your day-to-day security operations. It would be difficult to scale your internal team for such a situation.

Bringing in external partners can help augment your incident response team. Remember to look beyond security when it comes to team augmentation. Your incident response plan will likely include system administrators, cloud administrators, etc.

As a rule of thumb, if you don’t have a dedicated team member working on a required security discipline on a monthly basis, you may need to find an external partner in the event of a breach. While thinking about this, don’t forget your IT. You’ll need to augment your IT operation capabilities. Rebuilding an infrastructure can absorb a lot of resources.

There are different options.  Emergency response support, preparation and resilience support. The best option to go for is usually a 24/7 incident response retainer because you have guaranteed response support when things go wrong. It’s a safe investment – many companies will ensure the retainer can be reassigned to another program, if not spent on incident response services.

#6 Explore Different Response Paths

There is no one-size-fits-all incident response plan. It is up to you, the CISO, to explore different paths and choose the one that will work the best for the organization. In some cases, it may make sense to choose the plan that results in the least business impact. In other cases, it may make sense to err on the side of security.

Augmentation, as mentioned above, can help your team move faster and work on steps in parallel. After all, your incident response process should not be linear; that will only slow things down. If you do augment your team with an external partner or security provider, carefully consider their recommendations and the tradeoff between value and cost.

For example, forensic disk imaging might make sense as part of the plan, but it could overwhelm your IT team with time-consuming tickets. Additionally, security providers may take advantage of an organization’s desperation during an incident, knowing they’ll do anything to get the business back up and running.

Challenge every recommendation and request. Look at the types of requests, the costs, and the hours associated. Ask “Is this really necessary?” or “Could we do this differently?” Explore all the different response paths and choose a way forward.

#7 Foster Open Dialogue

Creating a culture of open dialogue during an incident is incredibly important. If people are afraid to speak up or ask questions, you will not be able to accurately assess the team’s understanding of the question. There are a number of reasons a team member may not feel comfortable asking questions:

  • Fear of looking stupid
  • Tensions within the team
  • Power dynamics created by an authority figure or expert

“Asking questions may mean that you don’t understand something.  But not asking questions, will mean that you remain ignorant.”

As a CISO, you need to be able to spot this behavior and act on it very quickly. You must ensure that everyone has the right level of understanding to do their work. It’s how you will turn an incident into a constructive, rather than destructive, experience where everyone is learning from each other.

#8 Show Your Appreciation

Breaches are stressful for everyone in the organization. As a C-level, you can send signals to your team that you understand the toll an incident takes on them and their families.

It could be as simple as providing food, drinks, and a place close to the office for the team to stay. For remote employees, you could provide a meal of their choice for themselves and their family. It sends a really strong message that you appreciate the work that they (or their mother, father, or spouse) are doing to help the organization. These types of signals can change the mood.

Learn more about Kudelski Security’s Incident Preparedness and Cyber Resilience advisory services

Four Technical Fixes to Reduce the Likelihood of a Breach

In addition to the nontechnical guidance above, I’d like to leave you with four of the low-hanging technical fixes that could significantly reduce the likelihood of a breach. In 70% of the cases we’ve investigated, one of these four best practices was missing.

#1 Proper Segmentation

Often in breach scenarios, we find the organization has a flat network, which makes it much easier for the threat actor to move through.

#2 Zero Trust

Understand the zero trust framework and how to apply it in your organization. Achieving zero trust won’t happen overnight. It’s very iterative work, so be patient.

#3 Timely Patching / Emergency Patching

Threat actors will quickly be there to exploit new vulnerabilities. For that reason, it’s important to have an emergency patching plan in place. Ask yourself “Do I want to have an operational issue or a security issue? Would I rather have a system down or data leaked?”

#4 Configuration

Misconfiguration can have a huge impact, and so, proper configuration can also have a huge impact. Sometimes it’s just a small detail that is overlooked that would allow an attacker to gain access to something they shouldn’t.

Download the Infographic: 15 Practical Tips for More Effective Cybersecurity Incident Response

Get in Touch

It is my hope that if you follow the advice presented in this article, that you will never need our services. However, if you do experience a breach or if you would like a pre-emptive review of your current configurations, architecture, or incident response plan, please get in touch with our incident preparedness and response team here.

BIG-IP iControl REST API Authentication Bypass

BIG-IP iControl REST API Authentication Bypass

Credit: Yann Lehmann iControl REST is an evolution of F5 iControl framework. Leveraging this Representational State Transfer (REST) API, an authenticated user can accomplish anything that can be accomplished from the F5 BIG-IP command line. It is an extremely powerful API. On May 04, 2022, F5 disclosed a critical CVE, CVE-2022-1388. It may allow an unauthenticated attacker with network access to the management port or the self IP addresses of the BIG-IP system to leverage the iControl REST component. This is because some requests to iControl REST can directly bypass the authentication mechanism. Due to the capabilities of this component, anyone with network access to the management port or the self IP addresses can execute arbitrary system commands and modify services or files. From the nature of the iControl rest component, this is a control plane vulnerability that does not expose the data plane. For additional details on how to identify what could be your impacted systems, please review the attached advisory. Would you need further assistance, please ask the Cyber Fusion Center by using the MSS Portal or by phone: North America: 1-866-929-3528 EMEA: +41 58 317 77 77 Kind regards, The Cyber Fusion Center
Microsoft Type 1 Font Parsing Critical 0-Day Remote Code Execution Vulnerabilities

Microsoft Type 1 Font Parsing Critical 0-Day Remote Code Execution Vulnerabilities

Summary

On March 23rd, 2020 Microsoft publicly disclosed the existence of two critical 0-Day vulnerabilities in all recent versions of the Microsoft Windows operating system. Microsoft is aware of limited targeted attacks that leverage these 0-Day vulnerabilities and has provided guidance on how to temporarily mitigate the exploitation of these unpatched vulnerabilities. Patches for these vulnerabilities are not expected until April’s “Patch Tuesday” release.

The 2 (two) 0-Day Remote Code Execution (RCE) vulnerabilities exist because of the way the Windows Adobe Type Library improperly handles a specially crafted font file in the “Adobe Type 1 PostScript” format. This Adobe Type Library is included by default in all Windows systems and, as such, all recent Microsoft Windows systems are impacted.

Successful exploitation of this vulnerability requires that attackers trick users into either previewing or opening a maliciously crafted document. Exploitation will likely be in the form of a phishing attempt with a malicious document attached. Attackers could also leverage Web Distributed Authoring and Versioning (WebDAV) based HTTP requests to load previews of the maliciously crafted font files in order to exploit these vulnerabilities.

Systems running Windows 10 are still vulnerable to potential exploitation but built-in mitigations make successful exploitation much more difficult. Windows 10 leverages isolated “App Containers” with limited privileges. The use of these isolated “App Containers” significantly increases the difficulty of successfully compromising a system by exploiting these issues but does not prevent exploitation.

For additional details on how Windows 10 mitigates these types of exploits, review Microsoft’s article on Windows 10’s zero-day exploit mitigation features (including mitigating font parsing vulnerabilities).

The Cyber Fusion Center strongly recommends all clients deploy some mitigations to prevent potential exploitation (especially on non-Windows 10 systems). Mitigation options include:

  • Disabling the Preview Pane and Details Pane in Windows Explorer
  • Disabling the WebClient (for WebDAV) service
  • Renaming the impacted Dynamic Linked Library (DLL) file (ATMFD.DLL)

For additional details on how to successfully mitigate these issues, please review the “Temporary Mitigation” section of this advisory.

Affected software

  • Windows 10 (All versions)
  • Windows 8.1 (All versions)
  • Windows 7 (All versions)
  • Windows Server 2008 / R2 (All versions)
  • Windows Server 2012 / R2 (All versions)
  • Windows Server 2016 (All versions)
  • Windows Server 2019 (All versions)

Impact

Successful exploitation of these vulnerabilities can provide attackers kernel level privileges on impacted Windows systems. Such access enables attackers take complete control of impacted systems.

Temporary Mitigation & Workarounds

The Cyber Fusion Center strongly recommends all clients deploy some mitigations to prevent potential exploitation (Especially on non-Windows 10 systems). Mitigation options include:

  • Disabling the Preview Pane and Details Pane in Windows Explorer
  • Disabling the WebClient (for WebDAV) service
  • Renaming the impacted DLL file (ATMFD.DLL)

The sections below describe how to apply these temporary workarounds to prevent the exploitation of these 0-Day vulnerabilities.

Disabling the Preview Pane and Details Pane in Windows Explorer (Windows Server 2008 (R2), Windows 7, Windows Server 2012 (R2), and Windows 8.1):

Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.

To disable these panes, perform the following steps:

  1. Open Windows Explorer, click Organize, and then click Layout.
  2. Clear both the Details pane and Preview pane menu options.
  3. Click Organize, and then click Folder and search options.
  4. Click the View
  5. Under Advanced settings, check the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

Disabling the Preview Pane and Details Pane in Windows Explorer (Windows Server 2016, Windows 10, and Windows Server 2019):

To disable these panes, perform the following steps:

  1. Open Windows Explorer, click the View
  2. Clear both the Details pane and Preview pane menu options.
  3. Click Options, and then click Change folder and search options.
  4. Click the View
  5. Under Advanced settings, check the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

Disabling the WebDAV WebClient Service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service.

Note: Even after disabling the WebClient Service, it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs already installed on the targeted computer or programs which are available via local network file shares. However, this mitigation will now prompt users before running arbitrary software from non-local sources (such as the internet).

To disable the WebClient Service, perform the following steps:

  1. Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
  2. Right-click WebClient service and select Properties.
  3. Change the Startup type to Disabled. If the service is running, click Stop.
  4. Click OK and exit the management application.

Rename the impacted Dynamic Link Library (DLL) ATMFD.DLL on 32-bit systems

  1. Enter the following commands at an administrative command prompt:
cd "%windir%\system32"

takeown.exe /f atmfd.dll

icacls.exe atmfd.dll /save atmfd.dll.acl

icacls.exe atmfd.dll /grant Administrators:(F)

rename atmfd.dll x-atmfd.dll

  1. Restart the system

Rename the impacted Dynamic Link Library (DLL) ATMFD.DLL on 64-bit systems

  1. Enter the following commands at an administrative command prompt:
cd "%windir%\system32"

      takeown.exe /f atmfd.dll

      icacls.exe atmfd.dll /save atmfd.dll.acl

      icacls.exe atmfd.dll /grant Administrators:(F)

      rename atmfd.dll x-atmfd.dll

      cd "%windir%\syswow64"

      takeown.exe /f atmfd.dll

      icacls.exe atmfd.dll /save atmfd.dll.acl

      icacls.exe atmfd.dll /grant Administrators:(F)

      rename atmfd.dll x-atmfd.dll
  1. Restart the system.

Disable the Adobe Type Manager Library via registry on Windows 8.1 or below (not recommended)

It’s possible for Windows administrators to disable the Adobe Type Manager Library by modifying the Windows registry on Windows 8.1 and below.

However, disabling the library in this method may impact applications that rely on embedded font technology Disabling ATMFD.DLL could cause certain applications to stop working properly if they use OpenType fonts. For details on how to disable ATMDF via registry changes please review Microsoft’s Security Advisory.

For details on potential impacts of these workarounds, or details on how to roll back these changes, please review Microsoft’s security advisory.

Sources

Cybersecurity Concerns with COVID-19

Cybersecurity Concerns with COVID-19

We are having increasing numbers of conversations with clients about cybersecurity and business continuity challenges resulting from the rapid adoption of work-from-home scenarios to combat the spread of COVID-19.

Clients are interested in cybersecurity policy updates to improve remote access, and asking for increased employee education around BYOD security, secure WiFi use, basic security hygiene, and COVID-19 phishing attack awareness. And finally, clients are asking how they can maintain security with a dramatic increase in devices and employees accessing sensitive data and systems from remote locations.

Below are some of the frequently asked questions (FAQs) we’re being asked along with the advice we are sharing.  There are likely many approaches, and many other questions. Please join the conversation by posting your point of view. We’re interested to hear how others are solving the challenges.

Technology Concerns:

My corporate VPN will not handle the strain of thousands of telecommuting employees. What should I do?

Most organizations do not have VPN capacity for everyone. If you find your existing VPN infrastructure overwhelmed, it will be challenging to procure physical equipment and increase the capacity of your internet links, in a short time period.

We recommend you start by asking ‘what applications and business processes really require VPN’. Many services your business consumes are now delivered from the Cloud and are accessible directly without a VPN connection. (i.e. Office 365, Salesforce, Netsuite, Workday, etc.)

If you really need to increase VPN capacity, we can suggest a temporary workaround: Open VPN Server via the AWS marketplace. A number of our clients have done this.  You can procure the license and the VM’s in a pay-as-you-go model. This allows you to leverage Amazon’s internet presence, and by establishing a site-to-site VPN back to your internal systems, you can rapidly increase your VPN capabilities while you procure enhancements to your internal infrastructure.  Typically, your existing firewalls can handle more traffic via a site-to-site VPN than from 1000’s of remote users.

What technology should I prioritize to facilitate business continuity in a work-from-home situation?

  • Collaboration licenses. Do you have enough collaboration license for everyone? With meetings shifting online it will likely stretch your collaboration infrastructure. 

We recommend balancing capabilities along with the desire to allow employees and business partners to communicate via both voice and video when it makes sense. Video could become very important to maintaining a cohesive environment over time if people are unable to meet in person for an expended period of time.

  • Password reset infrastructure.

The pressure on password reset infrastructure will become a challenge.

We suggest investing in self-service capabilities, if not already done so.  If you haven’t, you are likely to face problems and potentially have your helpdesk over-run with requests.

Security Concerns

What are the current tactics most commonly employed by attackers to compromise my security?  

Kudelski Security has received many reports from our clients about the following:

  • Fake Users Requesting Remote Access from the HelpDesk. This will continue to grow in frequency

Organizations will need to have a robust method of authenticating their remote employees in order to avoid falling victim to this type of attack. Hopefully, the time you previously invested in having a robust password reset process for your helpdesk will be able to be leveraged to protect against this attack.

  • Fake Users Pretending to be Helpdesk Support. This tactic usually involves the attacker asking employees to install software. This will also continue to grow in frequency.

We recommend you educate your workforce on how to identify a valid helpdesk request.  Technical controls limiting the software employees can install is also a good call at this point.

  • Fake Hardware Purchasing Requests Attackers are attempting to place orders for hardware under the auspices of a newly remotely working employee.

You will be better protected if you authenticate your requestors properly. Having a process in place where your hardware vendors only accept requests from validated sources will help you here.

What are the implications of remote working on my SOC data and operations?

A dramatic increase in remote connections is going to throw off your SOC baselines and will require you to re-baseline your traffic. It could also test your SEIM capacity to process and analyze all the new alerts.

We recommend you refine your threat hunting activities since all of these new remote connections are going to make it much harder to find bad actors.

Many employees work with sensitive data.  How can we facilitate secure business continuity in a remote-office environment?

Many employees are working with sensitive data and may not be used to working with it outside of the office environment.

We recommend you run some compulsory security training to remind employees about good security practice (secure WiFi use, issues around BYOD, shadow cloud/IT, basic security hygiene, and Covid-19 phishing attack awareness).

We also suggest you may need to revamp your process to enable this type of work securely. This extends to having sensitive conversations in an unsecure environment, and will impact your research and development personnel who may be working on unreleased products. What are you going to let them take home? Or will you have to suspend certain projects if you determine you need to close your office?

Staffing & Business Continuity Concerns

What are the best ways to support employees working from home, many of whom are not used to working remotely?

Having a large influx of new remote employees, many of whom are not accustomed to working remotely will place a significant short term strain on your support staff.

Start by looking at additional resources or special incentive plans to mitigate any slack.  Do people have the hardware to be productive?, i.e. printers, multiple monitors, power adaptors, dongles for our Mac people, etc. And while many clients are enabling staff to outfit their home offices with equipment from their primary offices, some cataloging should be done. At some point, many of these folks will likely return to an office. Corporate IT and finance will want to account for all the extra hardware that was either borrowed or purchased during this time to ensure it is returned or inventoried.

How can we keep morale and momentum going, in the medium to long-term? How do I keep revenue-generating employees engaged if the pandemic continues to affect new sales?

Honesty here is key. We also recommend having an open and honest discussion with your employees about the situation as it develops. It’s important that staff are reassured that this situation won’t last forever. Maintaining morale and ‘just checking in’ on your teams through regular phone calls/video calls will go a long way to keeping employees engaged.

See this unprecedented situation as an opportunity for online training. Programs that help skills development for remote working as well as developing industry-relevant knowledge are readily available.

What is the best way to preserve capital?

Preserving capital is an important point for reflection.

We suggest effective action is to right-size your project portfolio. Take the time to determine what projects across the enterprise are business-critical given the new operating environment. It’s likely you have many initiatives that can be postponed so that staff can focus on business-critical ones during this event. Not only does this preserve capital, but it also helps with any future staffing shortages

Need an expert? We can help. Click here.

This is an on-going blog post. Please comment here with anyone questions or concerns you may have and one of our experts will answer.