Data Security as a Business Enabler

Security has evolved since the days when cybersecurity systems were evaluated by the number of incidents handled by the InfoSec team over a year. IT departments and organizational leadership adopted the attitude that no news (or no data breaches) meant no security problems, so all was well.

That approach wasn’t true then, and it certainly isn’t true now. Over time, the record has proven security to be the business enabler in digital transformation (DX), by most effectively protecting and managing the most valuable asset: data.

DX has been the force behind the rapid pace of innovation. Successful innovators must juggle the uncertainty of DX processes and security risks. One approach is based on the “fail fast, learn fast” rule. Cryptography is an example of this rule: instead of giving a mathematical proof that an algorithm is safe, the community accepts (and considers trusted) a cryptographic scheme because it is very unlikely it could be broken in the foreseeable future.

Emphasizing Security in Digital Transformation (DX)

Threat actors, however, are diligent in their attempts to break into new technologies and find ways to get to the data. Security plays a vital role in any data-driven DX by staying ahead of such dangerous threat actors. Here are three examples of how companies in different industries are successfully managing DX, thanks to data security.

  • Digital Transformation in the Medical Industry

CheckPoint Cardio invented a wearable device that constantly sends dozens of raw health data (like ECG, pulse, blood pressure, etc.) to a remote center that correlates them in heart-related events and responds in real-time. Medical professionals use this information to treat patients and respond quickly to health emergencies.

But what happens if this medical data ends up in the wrong hands? It not only holds business value to healthcare facilities, but threat actors could manipulate the data that impacts patient health. Also, because there are strict regulations surrounding health data, compromised data could result in massive fines and penalties.

To protect the data, security such as client-side encryption decreases risks caused by third-party providers. The greater emphasis on security of the data makes it easier for hesitant companies to adopt this innovative and useful technology.

  • Digital Transformation in the Media/Social Platforms Industry

Facebook always sold information generated by users to external advertisers who, in turn, often resell the same information. The data mining and sharing by Cambridge Analytica showed both the value of the data to outside entities and the security and privacy implications for Facebook users. Facebook’s reputation was seriously damaged by the scandal.

Since then, the company has changed its data security and privacy approach to meet GDPR compliance (in all its technical and organizational measures), and this has become a compelling security requirement for the company if its ads-based business is to flourish.

  • Digital Transformation in the Financial Industry

Consumers increasingly want a fully personalized offering from their financial providers. The more contextualized data the company accumulates from its customers, the easier it is to improve and personalize its service. A traditional data-lake system that follows security and privacy best practices would do the job, but companies are also constantly researching new security tools to best protect consumer data while making its use in marketing more attractive. One such tool (even with its security and privacy shortcomings) is blockchain technology.

The Challenge of Legacy Systems

DX opens the doors for new revenue opportunities for companies, and data-driven security is designed to enable such DX by keeping the additional information safe. However, organizations that rely on legacy systems lack data-driven security awareness. A Cambridge University research survey reveals that “71 percent of respondents agreed that there are data quality and integrity issues that make it difficult or impossible to implement a data-driven business model, as users quickly abandon apps that provide incorrect information.”

John Chambers, CEO of Cisco at the time, commented that dynamic companies, i.e., the ones who adapt services to customer needs, will gain a competitive advantage. “Forty percent of businesses in this room, unfortunately, will not exist in a meaningful way in ten years,” he said in a keynote address. Additionally, while 70 percent of companies will attempt to go digital, only 30 percent will actually succeed.

At the heart of successful digitalization is data security. But success of DX security is the responsibility of corporate leadership:

  • The CEO is the main sponsor of the DX project and is the individual ultimately accountable for its success (or failure) in front of the steering board and investors.
  • The CIO (or CTO) reports to the CEO and is accountable for the Business-as-Usual (BAU) IT Operations during all phases of the DX.
  • The CISO reports to the CEO and possibly the CIO and is accountable for unforeseen malicious threats happening during or after the DX.

Accountability and Predictability in Secure Digital Transformation

To meet the challenge of a secure digital transformation, leadership needs to emphasize two areas: accountability and predictability.

  • Accountability: Security should always be a shared-responsibility matter that concerns everybody in the company. To promote that mindset, security behavior should be incentivized with bonuses and rewards. This way employees will not see security solely as checkbox tasks dictated from above, but as a real added value to the organization for protecting core assets, businesses and, ultimately, reputation.
  • Unpredictability: This has to do with lateral thinking, but will be treated in my next article, more oriented to the architect and technical fo

Conclusion

Although security should be deemed mandatory by everyone, it is rarely seen as the main enabler for DX itself. As the examples from different industry verticals show, security must take on this active role to help the business advance in digitalization.

A small change to your mindset can result in a big change to your bottom line. You will save resources from a breach that could disrupt operations, damage your brand, or make you go bust. But you will also find new markets and generate new income sources with a security-by-default mindset.

Whether you’d prefer to embrace a potential win or avoid a sure loss, it is definitely worth digging into the topic more.

A New Enterprise Perimeter and the Cybersecurity Raising Challenges

The security industry has faced a variety of challenges throughout 2020. The pandemic put pressure on security and IT operations and shone a spotlight on underlying issues many organizations were facing in terms of their digital transformation and security posture. If that wasn’t enough, the threat landscape also shifted and is now more volatile than ever.

As security leaders prepare to handle what lies ahead in 2021 and beyond, there are three key trends they should pay special attention to: the increase in adoption of policy-based security models, new ransomware threats and greater utilization of artificial intelligence.

Adoption of policy-based security models

The prospect of moving an onsite workforce to a remote setting had a huge impact on many organizations, as they realized they weren’t ready for such a dramatic shift. Moving to remote work due to COVID-19 exacerbated the shortcomings of the traditional enterprise perimeter security model. This led to more organizations choosing policy-based security models, such as Zero Trust, to ensure the protection of their employees while remote work continues to be a norm.

As remote work becomes more normalized (beyond the pandemic), rather than equating trust with a corporate network location, a Zero Trust model analyzes information about the user, data, applications and devices to contextualize security risks and dynamically adapt access rights. Successful adoption will depend on organizations fully integrating the various tools within their environment, from authentication systems and network security appliances to endpoint detection and response.

Increase in data breaches and ransomware attacks

Attackers are constantly changing their methods, resulting in new and evolving risks. It is important for companies to be prepared and aware of new threats to stay ahead of them and protect their data from any potential compromise.

Looking ahead, companies should expect to see an increase in ransomware, with bad actors increasingly threatening to expose encrypted files if victims refuse to pay a ransom. Organizations have begun to do a good job of building, testing and operationalizing their office backup strategies to mitigate the risk of ransomware. Unfortunately, most of these organizations have failed to mitigate the actual risks: if data has been compromised before (whether directly from the company or through third parties), threat actors will still be able to gain a foothold in the company’s assets. The focus moving forward should be on ensuring they have robust backup and data recovery strategies that can help address the systemic weaknesses attackers are exploiting.

We’re also going to see a considerable increase in the use of illicit OAuth 2.0 grants to compromise accounts. In general, organizations have created better phishing awareness programs, increased multifactor authentication, and created rules to detect anomalous logons; however, attackers have shifted to tricking users into approving illicit OAuth 2.0 grants. To prepare, companies should limit which applications can request OAuth 2.0 grants from end users or disallow specific OAuth 2.0 scopes from ever being granted.

Utilization of Artificial Intelligence

We will see an increased utilization of AI particularly within the IoT and OT industries, given the technology’s ability to help automate many tasks to reduce costs and improve productivity. However, as security leaders decide to adopt AI, they will need to prioritize the integrity of the data and make sure basic cyber hygiene protocols are in place.

Utilizing AI without the basics – from asset and patch management to user awareness – will only exacerbate the number of breaches we will see, as simpler exploits will be able to leverage any weak spots.

Looking ahead to 2021 and beyond, organizations need to be prepared to secure their resources no matter where they are accessed from. Leaders will need to make sure they add security-based policies to their business continuity plans, understand shifts in the threat landscape, and know how to adopt new technologies to mitigate potential risks.

This blog was originally featured in VMblog.com

Identifying Malicious Traffic on Your Web or Mobile Application: 6 Signs to Look For

Additional online traffic during the pandemic has increased cases of fraud and credential stuffing, giving fraudsters more ways to get into your web and mobile platforms. During such an attack, it’s not uncommon for 80-99% of traffic to ultimately be found to be malicious.

The high volume and velocity of malicious traffic during such an attack can make it difficult to pinpoint the source and apply countermeasures. Not only are these high-volume attacks damaging to brand reputation and revenue, but they are extremely taxing to backend systems and may even result in extra charges for your fraud prevention tools.

We recently sat down with Dan Woods, VP of the Shape Intelligence Center, which is now part of F5 Networks, for a webcast to understand 6 of the primary indicators they look for to determine genuine users vs. imposters.

6 Indicators of Malicious Traffic to Watch For

1. Disruption of normal traffic patterns

This is the first indicator that something is amiss on your web or mobile application. Over time, you should notice specific patterns in your traffic—the most common of which is based on time of day. If your traffic doesn’t follow a diurnal pattern—peaking during daytime hours and falling during nighttime hours—that’s a sign there is some malicious activity happening. Additionally, if traffic spikes are unrelated to marketing campaigns, such as email campaigns or television ads, that’s another sign your app might be receiving a high volume of malicious traffic.

2. Contrived or missing user interactions

When analyzing in-app interactions like keystrokes and mouse clicks, you’ll find that human interactions tend to be clumsy and inefficient. In an automated interaction, however, you’ll find that multiple interactions happen within milliseconds.

Or, you may find that a user is clicking the same XY coordinate over and over again. That is extremely difficult for a human user to replicate. Even if the attacker started clicking a different XY coordinate each time, if you notice any kind of formulaic relationship between the two coordinates, that’s also a signal of a synthetic event.

An example of contrived mouse clicks following a formulaic pattern of XY coordinates.

In the case of a malware attack, missing interactions are as much of an indicator as contrived interactions. For example, if you see a user who logs into their frequent flier account and redeems points for a gift card without touching their keyboard, mouse or touchscreen on their smartphone, that would indicate a malware attack running in the background.

3. Changes in password key event patterns or frequency

A fraudulent login attempt will likely have a much different pattern and frequency than a human attempt. When repeated by a genuine user, password key events should follow roughly the same pattern and timespan. After entering a password so many times, you develop a rhythm that a fraudster cannot match.

A genuine user’s password entry will follow a similar cadence and timespan compared to a fraudster.

4. Highly efficient user interactions

Another way to tell the difference between good traffic and malicious traffic is the efficiency of interactions. Real human interactions are somewhat random. Sometimes a user will click even when there isn’t anything to click. They may be reading the screen, moving the mouse, and clicking just to pass time.

Fraudulent bot interactions, on the other hand, often move in perfectly straight lines. Even if the bot adds entropy, it typically shows up as smooth arcs. And on a login form, for example, a bot has no incentive to click anywhere but the username and password fields and the submit button.

The mouse movements and clicks for genuine users will be much less efficient than a bot or fraudster.

Fraudulent manual interactions are right in the middle when it comes to efficiency. They’re going to be more efficient than good human interactions, but not as efficient as bot interactions. Let’s examine this hypothetical: a user logging into their financial application to add a payee and send a sum of cash. A real user would likely have to search out the “add payee” button because they don’t add a payee every day, which would add a second or two to the workflow. It’s possible an imposter adds payees hundreds of times per day, so they would be able to navigate that workflow extremely quickly.
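The signals described under indicators 2, 3 and 4 (identical or formulaic click coordinates, millisecond-spaced events, a login cadence that does not match the account's usual rhythm, and mouse paths that are too straight) can be turned into concrete checks on collected telemetry. The following is an added example, not Shape's or Kudelski Security's code; the session format, the thresholds (50 ms minimum gap, 0.98 straightness, 0.5 cadence deviation) and the sample sessions are all constructed for illustration.

```python
"""Behavioral checks over constructed click, mouse-path and keystroke telemetry.

Added example; the event format and thresholds are assumptions, not a product's.
"""
import math
from typing import Dict, List, Tuple

Point = Tuple[float, float]


def _dist(p: Point, q: Point) -> float:
    return math.hypot(p[0] - q[0], p[1] - q[1])


def repeated_coordinates(clicks: List[Point]) -> bool:
    """True if the exact same XY coordinate was clicked more than once."""
    return len(set(clicks)) < len(clicks)


def collinear_clicks(clicks: List[Point], tol: float = 1e-6) -> bool:
    """True if all distinct click positions lie on one straight line
    (a formulaic relationship between successive XY coordinates)."""
    distinct: List[Point] = []
    for c in clicks:
        if c not in distinct:
            distinct.append(c)
    if len(distinct) < 3:
        return False
    (x0, y0), (x1, y1) = distinct[0], distinct[1]
    for x, y in distinct[2:]:
        # The cross product of (p1 - p0) and (p - p0) is zero when p is on the line p0-p1.
        cross = (x1 - x0) * (y - y0) - (y1 - y0) * (x - x0)
        if abs(cross) > tol:
            return False
    return True


def too_fast(times_ms: List[int], min_gap_ms: int = 50) -> bool:
    """True if any two consecutive interactions are closer than min_gap_ms."""
    return any(b - a < min_gap_ms for a, b in zip(times_ms, times_ms[1:]))


def path_straightness(path: List[Point]) -> float:
    """Straight-line distance divided by distance actually travelled (1.0 = perfectly straight)."""
    travelled = sum(_dist(p, q) for p, q in zip(path, path[1:]))
    if travelled == 0.0:
        return 1.0
    return _dist(path[0], path[-1]) / travelled


def cadence_distance(profile_ms: List[int], attempt_ms: List[int]) -> float:
    """Mean relative deviation of an attempt's inter-key intervals from the user's stored profile."""
    if not profile_ms or len(profile_ms) != len(attempt_ms):
        return float("inf")
    return sum(abs(a - p) / p for p, a in zip(profile_ms, attempt_ms)) / len(profile_ms)


def score_session(session: Dict, profile_ms: List[int]) -> Dict[str, bool]:
    """Evaluate one session against the indicators; 'suspicious' when two or more fire."""
    flags = {
        "repeated_xy": repeated_coordinates(session["clicks"]),
        "formulaic_xy": collinear_clicks(session["clicks"]),
        "millisecond_gaps": too_fast(session["click_times_ms"]),
        "straight_path": path_straightness(session["mouse_path"]) > 0.98,
        "cadence_mismatch": cadence_distance(profile_ms, session["key_intervals_ms"]) > 0.5,
    }
    flags["suspicious"] = sum(flags.values()) >= 2
    return flags


# Constructed sample data: a stored keystroke profile and two sessions.
PROFILE_MS = [170, 230, 160, 250, 200]
HUMAN_SESSION = {
    "clicks": [(312, 440), (318, 502), (290, 610)],
    "click_times_ms": [0, 1450, 3920],
    "mouse_path": [(0, 0), (30, 25), (70, 5), (110, 40), (150, 10), (200, 60)],
    "key_intervals_ms": [180, 220, 150, 260, 190],
}
BOT_SESSION = {
    "clicks": [(100, 100), (200, 150), (300, 200)],  # y = x/2 + 50 for every click
    "click_times_ms": [0, 12, 25],
    "mouse_path": [(0, 0), (100, 50), (200, 100)],
    "key_intervals_ms": [10, 10, 10, 10, 10],
}

if __name__ == "__main__":
    for name, s in (("human", HUMAN_SESSION), ("bot", BOT_SESSION)):
        print(name, score_session(s, PROFILE_MS))
```

The per-indicator flags are kept separate from the verdict so that an analyst can see which signal fired; a single flag (for example one fast double-click) is deliberately not enough to mark a session suspicious.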

5. Spoofed user agent strings

In addition to collecting behavioral biometrics, it’s also important to look at the environment the traffic is coming from. Shape will look at how emojis are rendered to determine whether or not traffic is being spoofed. Emojis will render differently on different platforms and applications. So if a user agent string purports to be Chrome, but the browser is rendering emojis like Firefox, it’s likely fraudulent traffic. A genuine user would have no incentive to lie about their user agent string. 

A spoofed browser may render emojis differently than the browser identified in the user agent string.

Similarly, you can look at how very large hexadecimal numbers are converted on each platform. Shape has developed JavaScript code that asks the browser to convert a hexadecimal value to decimal. Different browsers will provide different answers due to the way they choose to round. The difference is negligible, but enough to help identify which browser the traffic is coming from. Again, if the user agent string tells us the traffic is coming from Chrome, but the client converts the hexadecimal like Firefox, then we know it’s fraudulent.

6. Spoofed HTTP header data

Oftentimes, imposters will try to spoof the HTTP header of the website or application, but they will struggle to get everything correct. Therefore, the header can provide a lot of useful signals that the traffic is fraudulent.

Many of these indicators can’t be uncovered with standard application security monitoring. With the addition of a tool like Shape—that incorporates advanced client-side signals, behavioral biometrics, network signals, machine learning, and artificial intelligence—we can improve the efficiency and effectiveness of application fraud detection and response. To learn more about how to incorporate Shape or other application security tools into your network infrastructure, contact Kudelski Security here.

Business Agility 2020: How to Achieve 360-Degree Security Visibility in the COVID Era

Among the chief concerns for security leaders today is a lack of visibility into risk and threats in the corporate ecosystem. COVID has only exacerbated the issue as organizations of all sizes and in all industries accelerate digital transformation plans in order to enable a mobile workforce. The ecosystem today has become expanded and fragmented due to rapid adoption of cloud and SaaS systems and the shift to a mobile workforce.

There are more opportunities for mistakes and security issues than ever before, and attackers are taking notice. First, by finding new points of entry through home networks and devices. And second, the lockdowns have provided an opportunity to hone their skills and make attacks more sophisticated.

With more endpoints on the network and a higher volume and sophistication of attacks, it’s no surprise that security teams are inundated with alerts. There are too many signals coming in, which obfuscates actual security incidents and takes time away from other critical engineering work.

These factors call for a more streamlined, strategic approach to security visibility and threat detection. At Kudelski Security, we use a four-step framework in order to help security teams gain a 360-degree view of enterprise business security, identify and prioritize relevant risks, and adapt response and monitoring capabilities accordingly.

Step 1: Determine your threat profile and business-specific risks.

First and foremost, to understand your threat profile, you have to understand exactly what’s on your network. It’s especially hard right now, as IoT and BYOD have exploded since the workforce moved remote, but the more visibility you have, the better you can control and monitor it.

Similarly, patch management plays a large role in your threat profile. It’s a back-to-basics type of activity, but vulnerable systems are still one of the number one ways for attackers to get into the network. It’s critical to continually assess the status of vulnerable systems and validate that patches have been applied properly.

With a better understanding of your threat profile, you can start to identify your business-specific risks. It’s easy as security leaders to look at the latest cybersecurity news and vulnerabilities and turn our focus to that. What’s more important, however, is to understand where the risks and true threats are for your business and get visibility into those specific areas.

Step 2: Understand the 16 known threat categories.

As you begin to execute a threat monitoring practice, you have to know exactly what you’re looking for and why you’re looking for it. A haphazard approach may make your team feel “busy” but won’t necessarily be productive. As part of our client work in our Cyber Fusion Center, we’ve developed 16 threat monitoring use cases and identified associated attacker behavioral patterns in order to help focus and guide monitoring efforts.

Step 3: Outline the required data sources necessary for visibility.

A SIEM or log management platform is only going to be as useful as the data feeding into it. For many companies, installing a SIEM is meant to check a compliance box. For effective threat monitoring, however, you must be intentional about the data you’re collecting. Otherwise, you’re just filling up the SIEM with data that isn’t relevant to your business or the risks you face.

Take a couple of steps back and look at your threat profile and your identified business risks and then determine what type of data you need to collect in the platform. Look at the attacker behavior patterns, so you can identify and address threats before they become an actual indicator of compromise.

Step 4: Expand visibility based on threat models.

The threat landscape is constantly evolving and expanding, which means your security visibility and threat detection capabilities must expand and evolve as well. By having all the right data from the start, analysts, whether in an internal SOC or outsourced through an MSS partner, can fully investigate issues and validate their legitimacy. This reduces the number of alerts being thrown over the fence, so your team can focus its response on actual security incidents.

It’s also important to be prepared for the unknown threats happening now or potential issues related to vulnerabilities or new attack vectors. This requires proactively looking for indicators of compromise through threat hunting practices. For example, WMI or PowerShell activity could just be an admin deploying some software or it could be an indicator that a bad actor is attempting to move laterally through the network. Having threat hunting as part of your visibility and monitoring practice, whether internal or outsourced, is incredibly important for preventing future attacks.
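The WMI/PowerShell example above is really a point about context: the same tool is benign when launched by an approved deployment job and worth a hunt when it is spawned from an Office document or reaches several remote hosts in quick succession. The following added example (not Kudelski Security's Cyber Fusion Center logic) scores constructed process-creation records on that context. The record format, the approved-parent list (ccmexec.exe is assumed to be the site's deployment agent), the weights and the 60-second fan-out window are all assumptions for illustration.

```python
"""Context-based triage of PowerShell / WMI process-creation events.

Added example; event format, weights and parent lists are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not real logs). ts is seconds since some epoch.
EVENTS: List[Dict] = [
    {"ts": 100, "host": "WS-ADMIN01", "user": "CORP\\deployer", "parent": "ccmexec.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Deploy\\install_agent.ps1"},
    {"ts": 200, "host": "WS-0443", "user": "CORP\\jsmith", "parent": "winword.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc <base64 elided>"},
    {"ts": 210, "host": "WS-0443", "user": "CORP\\jsmith", "parent": "powershell.exe",
     "image": "wmic.exe", "cmdline": "wmic.exe /node:FS-01 process call create [...]"},
    {"ts": 215, "host": "WS-0443", "user": "CORP\\jsmith", "parent": "powershell.exe",
     "image": "wmic.exe", "cmdline": "wmic.exe /node:FS-02 process call create [...]"},
    {"ts": 220, "host": "WS-0443", "user": "CORP\\jsmith", "parent": "powershell.exe",
     "image": "wmic.exe", "cmdline": "wmic.exe /node:DC-01 process call create [...]"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
APPROVED_DEPLOYMENT_PARENTS = {"ccmexec.exe"}  # assumption: your software-deployment agent
REMOTE_TARGET = re.compile(r"/node:(\S+)|-ComputerName\s+(\S+)", re.I)


def remote_target(ev: Dict) -> Optional[str]:
    """Hostname the command addresses remotely, if any."""
    m = REMOTE_TARGET.search(ev["cmdline"])
    return (m.group(1) or m.group(2)) if m else None


def score_event(ev: Dict) -> Tuple[int, List[str]]:
    """Score a single event on launch context and command-line traits."""
    score, reasons = 0, []
    cmd, parent = ev["cmdline"], ev["parent"].lower()
    if re.search(r"-(e|enc|encodedcommand)\b", cmd, re.I):
        score += 2; reasons.append("encoded command")
    if re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I):
        score += 1; reasons.append("hidden window")
    if parent in OFFICE_PARENTS:
        score += 3; reasons.append(f"spawned by {parent}")
    if parent in APPROVED_DEPLOYMENT_PARENTS:
        score -= 2; reasons.append(f"launched by approved deployment agent {parent}")
    if remote_target(ev):
        score += 1; reasons.append("addresses a remote host")
    return score, reasons


def lateral_fan_out(events: List[Dict], window_s: int = 60, min_targets: int = 3) -> Dict:
    """Actors (host, user) that reach >= min_targets distinct remote hosts within window_s."""
    by_actor = defaultdict(list)
    for ev in events:
        t = remote_target(ev)
        if t:
            by_actor[(ev["host"], ev["user"])].append((ev["ts"], t))
    hits = {}
    for actor, items in by_actor.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            targets = {t for ts, t in items[i:] if ts - t0 <= window_s}
            if len(targets) >= min_targets:
                hits[actor] = sorted(targets)
                break
    return hits


def triage(events: List[Dict]) -> List[Dict]:
    """Per-event score, reasons and verdict, with fan-out added to remote-WMI events."""
    fan = lateral_fan_out(events)
    results = []
    for ev in events:
        score, reasons = score_event(ev)
        actor = (ev["host"], ev["user"])
        if actor in fan and remote_target(ev):
            score += 3; reasons.append(f"fan-out to {len(fan[actor])} hosts")
        results.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"], "score": score,
                        "verdict": "investigate" if score >= 3 else "benign-context",
                        "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in triage(EVENTS):
        print(r["ts"], r["host"], r["score"], r["verdict"], "; ".join(r["reasons"]))
```

The deployment-agent event ends below the threshold even though it bypasses execution policy, while the three remote WMI calls are individually low-scoring and only cross the line once the fan-out check sees one account reaching three hosts in ten seconds; that is the distinction between an admin pushing software and something a hunter should look at.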

Kudelski Security applies this four-step framework for all managed services clients through our Cyber Fusion Center (CFC), a Gartner-recognized service that combines use case frameworks, purpose-built tools, and cutting-edge technologies with rich business and contextual data to detect threats faster, respond more effectively, and reduce risk. To request more information about the CFC, contact us here.

This blog is based on the webinar “2020 Business Agility” with Kudelski Security partners Pulse Secure, illusive networks, and F5.

Through an Assessor’s Lens: Discovering the Value of a NIST CSF Assessment

NIST CSF is a cybersecurity framework that helps uncover unknown risks, set up new controls, break down internal silos, and achieve cybersecurity maturity.

As cybersecurity continues to mature and be at the top of everyone’s mind, a natural shift has occurred from focusing on meeting regulatory compliance mandates, to involving the business and reducing risks associated with their valuable assets.

Blocking every threat would be nice but is cost-prohibitive (not to mention nearly impossible). Instead, organizations are responsible for allocating resources to reduce areas of cyber risk within their defined tolerance levels. This is where the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) excels.

The NIST CSF was first published in 2014 under the Presidential Executive Order ‘Improving Critical Infrastructure Cybersecurity,’ which called for a standardized security framework. Existing frameworks like NIST 800-53 and ISO 27001 provided specific controls and processes, while the creation of NIST CSF offered a more digestible and flexible cybersecurity framework, allowing all adopters to see their security program from a more strategic, business-centric view.

Why use NIST CSF?

One of the major benefits of NIST CSF is that it’s far less prescriptive than other cybersecurity standards as it is more open to adaptation. Any organization can use NIST CSF to identify and fill gaps in their cybersecurity program. That said, while the framework can be useful for achieving compliance goals, it is not a compliance exercise. Instead, it’s a tool to assess, identify risks, and put controls in place to address them.

The framework categorizes cybersecurity maturity in four tiers:

  • Partial: Controls are put in place ad hoc and issues are mitigated reactively.
  • Risk-informed: Controls are in place but usually not organization-wide.
  • Repeatable: Controls are formally approved and consistently implemented.
  • Adaptive: Controls are continually updated to reflect current threats and activities.

Moving from one tier to the next requires a cultural change, investment of time and resources, and formal coordination between cybersecurity and the other departments within the business.

NIST CSF provides a ‘closed-loop’ for continuous improvement in cybersecurity. By regularly assessing the current state of different controls and setting objectives for improvement, an organization can systematically reduce cyber risk.

Incorporating NIST CSF into your cybersecurity program

The framework does not meet every organization’s needs, nor is it intended to replace others. NIST CSF is a descriptive (not prescriptive) framework, designed to be adapted to the needs of any type of organization. To get the maximum benefit, security leaders need to assess where the framework fits within the company’s needs and where it doesn’t. They also need to be mindful of the framework’s gaps (e.g. emerging technologies) that might be overlooked and consider complementing the framework’s controls with others specifically designed for the current business and security challenges.

Organizations aren’t limited to using one cybersecurity framework. NIST CSF works well with other available frameworks, which may incorporate a blended set of controls because they fit both business and security needs. This is also applicable when an organization intends to obtain a certification (e.g. ISO/IEC 27001) or needs to meet regulatory requirements.

In addition, if the organization is coming from a place of low cybersecurity maturity, NIST CSF can be the stepping stone to build a foundational cybersecurity program. Next steps would be to develop a reasonable and attainable roadmap that can be created to improve said maturity for the future state.

Through the process, it is vital to get the buy-in from the business. This is to ensure that security is built into the culture and that the framework is formally integrated, aligned, and prioritized in the day-to-day operations.

NIST CSF assessments

A NIST CSF assessment is not an audit but rather an engagement to drive business value by identifying risks. In heavily regulated industries, it may be a requirement to perform a risk assessment each year; however, in less regulated or unregulated industries, it is recommended to get an assessment every two years due to the continual evolution of threats.

A typical NIST CSF assessment follows three steps:

  • Step #1: Interviews and workshops with relevant subject matter experts and control owners.
  • Step #2: Review of documentation (policies, standards, and procedures) and evidence of controls in place.
  • Step #3: Report on the detailed findings, risks, and recommended steps to remediate control weaknesses or gaps in the current cybersecurity program.

It’s important to work with a qualified, independent assessor who has seen how the controls are applied across different industries and similar organizations. An experienced assessor can give organizations assistance on how the framework should be successfully applied, offer valuable insight into the level of maturity compared to others, provide risk mitigation techniques, and incorporate ‘hot topics’ during the risk assessment ensuring the organization is well protected.

Leveraging a professional brings many benefits for an organization, including:

  • Uncover control weaknesses and hidden/unknown risks. Interviews include discussions on how and where systems are connected and protected, which often uncover unknown risks. This is especially likely when operational and security departments act as silos and/or don’t have formal and centralized processes.
  • Identify areas where additional resources would help reduce risk. Risk reduction is fundamental, and NIST CSF assessments are valuable to identify the most important areas for investment of human, technology, and financial resources.
  • Realign cybersecurity priorities based on independent perspectives. It’s easy for decision-makers to ignore internal voices, but harder to do so with an unbiased independent assessment.
  • Address questions from executive management. An assessment provides an impartial answer to “Are we covering all major information security risks?” and boosts executive confidence in the program.

If you choose to work with an assessor, remember to always be transparent. Sharing all weaknesses enables the assessor to provide better guidance, which may also provide a platform for obtaining additional support or resources from management to address the areas of risks.

Risk assessment for Covid-19 and beyond

Covid-19 showed us the importance of having plans in place to address business continuity, security in the supply chain, and vendor risk focused on the resources that affect the organization’s up-stream and down-stream operations. Many organizations found themselves in the uncomfortable position of having to alter business operations because they didn’t assess or develop action plans.

Leveraging the NIST CSF, organizations can work on their cybersecurity maturity in a time when threats are constantly on the rise. Having a qualified assessor review your organization’s cybersecurity program, specifically using NIST CSF, can be helpful to identify risks that aren’t intuitively obvious but could cause serious disruption when they become a reality.

Cory Steinbicker, Senior Advisor – Strategy & Governance, Kudelski Security

This article was originally published in IT Pro Portal.

Cybersecurity Concerns with COVID-19

We are having increasing numbers of conversations with clients about cybersecurity and business continuity challenges resulting from the rapid adoption of work-from-home scenarios to combat the spread of COVID-19.

Clients are interested in cybersecurity policy updates to improve remote access, and asking for increased employee education around BYOD security, secure WiFi use, basic security hygiene, and COVID-19 phishing attack awareness. And finally, clients are asking how they can maintain security with a dramatic increase in devices and employees accessing sensitive data and systems from remote locations.

Below are some of the frequently asked questions (FAQs) we’re being asked, along with the advice we are sharing. There are likely many approaches, and many other questions. Please join the conversation by posting your point of view. We’re interested to hear how others are solving the challenges.

Technology Concerns:

My corporate VPN will not handle the strain of thousands of telecommuting employees. What should I do?

Most organizations do not have VPN capacity for everyone. If you find your existing VPN infrastructure overwhelmed, it will be challenging to procure physical equipment and increase the capacity of your internet links, in a short time period.

We recommend you start by asking ‘what applications and business processes really require VPN?’. Many services your business consumes are now delivered from the Cloud and are accessible directly without a VPN connection (e.g. Office 365, Salesforce, NetSuite, Workday).

If you really need to increase VPN capacity, we can suggest a temporary workaround: an OpenVPN server via the AWS Marketplace. A number of our clients have done this. You can procure the license and the VMs in a pay-as-you-go model. This allows you to leverage Amazon’s internet presence, and by establishing a site-to-site VPN back to your internal systems, you can rapidly increase your VPN capabilities while you procure enhancements to your internal infrastructure. Typically, your existing firewalls can handle more traffic via a single site-to-site VPN than from thousands of individual remote users.

What technology should I prioritize to facilitate business continuity in a work-from-home situation?

  • Collaboration licenses. Do you have enough collaboration licenses for everyone? Meetings shifting online will likely stretch your collaboration infrastructure.

We recommend balancing capabilities along with the desire to allow employees and business partners to communicate via both voice and video when it makes sense. Video could become very important to maintaining a cohesive environment over time if people are unable to meet in person for an extended period of time.

  • Password reset infrastructure.

The pressure on password reset infrastructure will become a challenge.

We suggest investing in self-service capabilities, if you have not already done so. If you haven’t, you are likely to face problems and potentially have your helpdesk overrun with requests.

Security Concerns

What are the current tactics most commonly employed by attackers to compromise my security?

Kudelski Security has received many reports from our clients about the following:

  • Fake Users Requesting Remote Access from the Helpdesk. This will continue to grow in frequency.

Organizations will need to have a robust method of authenticating their remote employees in order to avoid falling victim to this type of attack. Hopefully, the time you previously invested in having a robust password reset process for your helpdesk can be leveraged to protect against this attack.

  • Fake Users Pretending to be Helpdesk Support. This tactic usually involves the attacker asking employees to install software. This will also continue to grow in frequency.

We recommend you educate your workforce on how to identify a valid helpdesk request. Technical controls limiting the software employees can install are also a good call at this point.

  • Fake Hardware Purchasing Requests. Attackers are attempting to place orders for hardware while posing as a newly remote employee.

You will be better protected if you authenticate your requestors properly. Having a process in place where your hardware vendors only accept requests from validated sources will help you here.

What are the implications of remote working on my SOC data and operations?

A dramatic increase in remote connections is going to throw off your SOC baselines and will require you to re-baseline your traffic. It could also test your SIEM’s capacity to process and analyze all the new alerts.

We recommend you refine your threat hunting activities since all of these new remote connections are going to make it much harder to find bad actors.
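As an added example (not code from the original post), the following Python sketch shows what re-baselining a VPN connection metric can look like: a threshold learnt on office-era days, a breach sustained for several days treated as a new normal rather than an incident, and a later spike that still stands out against the re-learnt threshold. The log format, host name, usernames and daily counts are all constructed sample data.

```python
import re
import statistics
from collections import Counter

# Matches one constructed VPN gateway log line:
# "<ISO time> <host> user=<name> event=connect"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ \S+ user=\S+ event=connect$")

# Constructed sample: five office days with a handful of VPN connects, then
# remote work starts (about 40 a day), then one day with a sudden 300.
SAMPLE = {"2020-03-02": 3, "2020-03-03": 4, "2020-03-04": 3, "2020-03-05": 3,
          "2020-03-06": 4, "2020-03-09": 40, "2020-03-10": 42, "2020-03-11": 45,
          "2020-03-12": 44, "2020-03-13": 300}
SAMPLE_LINES = [f"{day}T09:{i % 60:02d}:00Z vpn-gw1 user=u{i} event=connect"
                for day, n in SAMPLE.items() for i in range(n)]

def daily_connects(lines):
    """Count successful VPN connects per calendar day, ordered by date."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return [counts[day] for day in sorted(counts)]

def baseline(counts, k=3.0):
    """Alert threshold: mean plus k population standard deviations."""
    sd = statistics.pstdev(counts) if len(counts) > 1 else 0.0
    return statistics.mean(counts) + k * sd

def classify(counts, learn_days, k=3.0, sustain=3):
    """Label each day against a threshold learnt on the first learn_days.
    A breach on 'sustain' consecutive days is treated as a regime change:
    the threshold is re-learnt from those days so later days are judged
    against the new normal instead of raising an alert every day."""
    thr = baseline(counts[:learn_days], k)
    labels, streak = [], 0
    for i, c in enumerate(counts):
        if i < learn_days:
            labels.append("baseline")
        elif c > thr:
            streak += 1
            if streak >= sustain:
                thr = baseline(counts[i - sustain + 1:i + 1], k)
                labels.append("rebaseline")
                streak = 0
            else:
                labels.append("alert")
        else:
            streak = 0
            labels.append("normal")
    return labels

if __name__ == "__main__":
    for day, label in zip(sorted(SAMPLE), classify(daily_connects(SAMPLE_LINES), 5)):
        print(day, SAMPLE[day], label)
```

The 13 March figure still exceeds the re-learnt threshold, which is the kind of outlier the hunting advice above is about; the first two remote-work days alert only because the rule has not yet seen the shift persist.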

Many employees work with sensitive data. How can we facilitate secure business continuity in a remote-office environment?

Many employees are working with sensitive data and may not be used to working with it outside of the office environment.

We recommend you run some compulsory security training to remind employees about good security practice (secure WiFi use, issues around BYOD, shadow cloud/IT, basic security hygiene, and COVID-19 phishing attack awareness).

We also suggest you may need to revamp your processes to enable this type of work securely. This extends to having sensitive conversations in an insecure environment, and will impact your research and development personnel who may be working on unreleased products. What are you going to let them take home? Or will you have to suspend certain projects if you determine you need to close your office?

Staffing & Business Continuity Concerns

What are the best ways to support employees working from home, many of whom are not used to working remotely?

Having a large influx of new remote employees, many of whom are not accustomed to working remotely, will place a significant short-term strain on your support staff.

Start by looking at additional resources or special incentive plans to cover any shortfall. Do people have the hardware to be productive (printers, multiple monitors, power adaptors, dongles for Mac users, etc.)? And while many clients are enabling staff to outfit their home offices with equipment from their primary offices, some cataloging should be done. At some point, many of these folks will likely return to an office. Corporate IT and finance will want to account for all the extra hardware that was either borrowed or purchased during this time to ensure it is returned or inventoried.

How can we keep morale and momentum going, in the medium to long-term? How do I keep revenue-generating employees engaged if the pandemic continues to affect new sales?

Honesty is key here. We recommend having an open and honest discussion with your employees about the situation as it develops. It’s important that staff are reassured that this situation won’t last forever. Maintaining morale and ‘just checking in’ on your teams through regular phone calls or video calls will go a long way to keeping employees engaged.

See this unprecedented situation as an opportunity for online training. Programs that help skills development for remote working as well as developing industry-relevant knowledge are readily available.

What is the best way to preserve capital?

Preserving capital is an important point for reflection.

One effective action is to right-size your project portfolio. Take the time to determine which projects across the enterprise are business-critical given the new operating environment. It’s likely you have many initiatives that can be postponed so that staff can focus on business-critical ones during this event. Not only does this preserve capital, but it also helps with any future staffing shortages.

This is an ongoing blog post. Please comment here with any questions or concerns you may have and one of our experts will answer.