Guest Blog: Rethinking Security Operations For The Next Normal

Guest blog by Bryllyant

2020 has seen the acceleration of remote working, telehealth, e-commerce, and distance learning. The necessary intense focus on serving customers, workers, patients, and students through non-traditional digital channels has put significant security pressures on organizations. With the threat landscape changing almost overnight, many companies were not prepared for those looking to exploit weaknesses and access sensitive applications and data.

Attackers quickly saw opportunities and ramped up efforts to manipulate the security gaps created by so many individuals accessing data through less secure devices and networks. Threat actors have also been known to utilize techniques to exploit people’s fears, a real challenge during a global pandemic. ​BBC.com​  reported that during April, scammers were sending 18 million hoax emails about Covid-19 to Gmail users every day. The tech giant says the pandemic has led to an explosion of phishing attacks in which criminals try to trick users into revealing personal data.

While the Twitter Bitcoin hacking scam of prominent ​US figures ​was front-page news, sophisticated attacks occur every day that most people never know about. The Center for Strategic and International Studies (CSIS), a US bipartisan think tank, outlines significant cyber-attacks on government agencies, defense, and high-tech companies. Their list includes over 70 events in 2020 alone as of the writing of this article.

In late September 2020, an unnamed US federal agency suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. According to a ​Threatpost.com​ report.

Across the globe, we see a fundamental shift in the very nature of how we work. From our supply chains, to risk management, to regulatory oversight, to how employees and customers view their interaction with the digital world, all are being reshaped as McKinsey ​ outlined in a report earlier this year.

How then do cybersecurity professionals build the most efficient, next normal systems for their organizations and clients that allow employees, customers, channel partners, and other stakeholders to work together efficiently while also addressing a rapidly evolving threat environment?

Be Flexible

The challenges facing cybersecurity professionals have multiplied as users, customers, partners and the resources they need to access has changed daily. However, there are key areas on which you should focus when building (and revising) your playbook.

Educate Users

BitDefender​ shared that companies’ common enemy for data breaches is, unfortunately, often their own employees. Not surprisingly, the evolution of cybercrime in recent years shows attacks consistently rely on the human factor to succeed. In 2017, 20% of registered breaches were due to employee negligence. The percentages increased slightly in 2018, to 21%, only to return to 20% in 2019. The term “employee negligence” encompasses several attack methods, including phishing and malware attacks launched from emails or unsecured devices. There is rarely any malice, and attacks happen most often because of a lack of or infrequent education.

Staff working remotely, who have less direct contact with supervisors and co-workers, may be even more susceptible. Employing regular online security training to teach staff how to avoid risks, especially now, is vital. Conducting frequent awareness campaigns (the ​National Cyber Security Centre​  has valuable content) combined with frequent anti-phishing tests will also be useful.

Develop Bring Your Own Device (BYOD) Policies

The rapid shift early this year led to many employees working from home and utilizing personal devices in work situations. Without the proper security in place, personal devices can not only put your data and that of your customers, partners, and vendors at risk, but it can also expose the employee’s personal information should your company network be breached.

Establishing a BYOD policy streamlines operations, especially during times of limited in-office operations, and saves your organization money on laptops’ purchase and maintenance. Many companies offer employees a stipend instead of covering device costs and data plans. Other advantages BYOD offers are increased productivity, as staff are already comfortable using their own devices.

Regardless of the type of devices being used, your BYOD policy should include:

• Security Policies
• VPN required use
• Minimum required security controls
• Where data will be stored
• Inactivity timeouts
• Your remote wipe policy
• Industry-specific/compliance restrictions and requirements
• Acceptable use guide
• Mobile device management software
• Two-factor authentication for company applications
• Simple sign-up process

Know The Risks

The attack mentioned earlier on a US federal agency is thought to have been possible when hackers gained initial access by using employees’ legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.

As for how the attackers managed to get their hands on the credentials in the first place, U.S. Cybersecurity and Infrastructure Security Agency’s investigation turned up no definitive answer – however, it speculated that it could have been a result of a vulnerability exploit that it said has been rampant across government networks.

“It is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure,” according to the ​alert.

School districts utilizing video collaboration tools such as Zoom have increasingly become targets of hackers demanding ransom in return for unlocking district computer servers that they have taken “ransom.” When ​Clark County ​ School District refused to pay, hackers released sensitive data, including Social Security numbers, student grades, and other private information to the public.

So, what is a security team to do? With numerous applications being used, each software update can be an open door, a vulnerability, a new opportunity for hackers to breach the walls. By proactively finding and addressing vulnerabilities in networks, systems, and applications, you will be one step ahead of those looking to take advantage. This can be accomplished through penetration testing. ​Penetration testing (or pen testing) is a method to delve into your IT environment and identify how hackers can exploit the exposed vulnerabilities. It’s commonly called ethical hacking, as it involves your pen testers mimicking the hacker’s act, but with permissions.

The first step here is to scan for security vulnerabilities in your IT infrastructure. Once the vulnerability assessment is completed, you can leverage pen testing to identify ways a hacker can exploit your environment’s weaknesses and build a robust vulnerability management program.

Know Your Data

Three key factors, known as the CIA Triad, should guide an organization’s efforts to keep its data secure: confidentiality, integrity, and availability.

Confidentiality

Confidentiality refers to data privacy and providing access only to those with approved access. Data encryption is a standard method of ensuring confidentiality.

Integrity

Integrity refers to the consistency and accuracy of data over its life cycle.

Availability

Availability ensures that the data is accessible when needed and by all who need it.

Ensuring availability often involves redundant systems and creating backups.

While all of an organization’s information is important to its operations, certain data types are particularly at risk because of its value to others. This includes personally identifiable information, a company’s intellectual property, sensitive government information, or financial data. There is significant concern about the amount of data that is potentially at risk now that many more employees in the healthcare, financial institutions, and government sectors are working from home.

Know Your Roles

Organizations must determine the right access control model to utilize based on their industry, how sensitive the data they are managing, and any potential regulatory considerations. If your data could be of any value to someone else who does not have the authorization to access it, then your organization must implement strong access control. A ​Carbon Black ​report outlined how a botnet mined sensitive information that included internal IP addresses, domain information, usernames, and passwords.

4 Types of access control

Discretionary Access Control​ (DAC)

A discretionary access control policy is a means of assigning access rights based on rules specified by users. The underlying philosophy in DAC is that subjects can determine who has access to their objects.

Access Control​ (MAC)

Mandatory access control (MAC) is a security strategy that restricts the ability of individual resource owners to grant or deny access to resource objects in a file system. MAC criteria are defined by the system administrator, strictly enforced by the operating system (OS) or security kernel, and cannot be altered by end-users.

Role-Based Access Control ​RBAC

Role-based access control (RBAC) is a policy-neutral access-control mechanism defined around roles and privileges. The components of RBAC, such as role-permissions, user-role, and role-role relationships, make it simple to perform user assignments.

Attribute-Based Access Control (ABAC)

Attribute-Based Access Control (ABAC) is a logical access control model that is distinguishable because it controls access to objects by evaluating rules against the attributes of the entities (subject and object), actions, and the environment relevant to a request. Attributes may be considered characteristics of anything that may be defined and to which a value may be assigned.

Move Beyond Passwords

An upside to WFH is that the sticky note that “Bill” has on his monitor with his passwords is no longer creating a security risk. You cannot blame Bill too much. The human brain has its limitations. According to psychologist George Miller, humans are best at remembering numbers of seven digits, plus or minus two. With all the various systems we need to access, we are becoming overwhelmed. In 2016, ​RoboForm surveyed web users, and 74 percent said that they were using six or more websites or applications a day. No wonder Bill needs a sticky note.

The challenge for security operations professionals is that passwords are creating weak points in the systems. A ​Verizon​ report noted that in 2020 stolen and weak credentials were responsible for 80% of corporate hacking-related data breaches.

Even if you have staff that are diligent about utilizing complex passwords and update them regularly, hackers can often make quick work of them. ​During an Ars Technical experiment​ in 2013, hackers managed to crack 90% of 16,449 hashed passwords. Six passwords were cracked each minute, including 16-character versions such as ‘qeadzcwrsfxv1331.’

The cost of an antiquated password system goes beyond the security risk they pose. There are operational costs of maintaining passwords, including help-desk expenses and the lost productivity of employees who become locked out of critical systems.

New technologies such as biometrics, user analytics, risk-based adaptive authentication, and geolocation will provide security operations teams with the next-generation cybersecurity systems.

New systems often include multiple-factor authentication that occurs through separate routes. This makes it more difficult for those trying to access data without authorization. It is also interesting that while multiple-factor authentication may seem more complicated, it can often reduce user friction by allowing employees and users to choose how they access digital information. Below are just a few of the tools that can enhance system security, improve user experience, and accelerate business goals.

Biometrics

• Fingerprint
• Facial recognition
• Iris Scan
• Vein scan
• DNA
• Voice analyzer Other authentication tools
• Location-based
• Usage times and access patterns
• Blockchains
• Soft tokens

Focus End To End

Endpoint security​ or endpoint protection is an approach to protecting computer networks that are remotely bridged to client devices. The connection of laptops, tablets, mobile phones, Internet of Things (IoT) devices, and other wireless devices to corporate networks create attack paths for security threats.

CSO Online ​shares recent trends in endpoint security.

1. Machine learning and AI
2. SaaS-based endpoint security
3. Layered protection against fileless attacks
4. Putting IoT devices under the protective umbrella
5. Reducing complexity and consolidating agents

Open Lines Of Communication

A return to pre-March 2020 seems unlikely anytime soon. Blended back-to-office plans are being revised daily. While technological solutions will undoubtedly mitigate the lion’s share of cybersecurity threats, there is no substitute for open and regular communication. This is even more critical while people are working remotely. According to an Information Systems Audit and Control Association (ISACA) ​survey​, only half of the senior leaders were highly confident that their cybersecurity teams are ready to detect and respond to the rising cybersecurity attacks during COVID-19. Speaking up and addressing concerns will help keep your organization, or your clients, working efficiently as we all move forward into the next normal.

Connect with Brylyant
https://bryllyant.com/

Our Blog
https://bryllyant.com/blog

Our LinkedIn
https://www.linkedin.com/company/bryllyant

About the Author of This Blog – Bryllyant

Bryllyant is a boutique software development company that designs, develops and deploys custom technology solutions that ignite business intelligence. We see our clients as partners and go beyond technology to create custom solutions to advance meaningful business goals. 

Our dedicated team of developers, designers, data architects and business leaders work on projects in mobile and web app development, platform development and artificial intelligence / machine learning.