Keeping “IT” Security Real, Re-imagining Cyber Defenses

Much has changed due to Covid-19. Remote work from home (or anywhere) and the ongoing SolarWinds fiasco have caused every cybersecurity team to review “what really matters in terms of cyber risk” and to master the basics as the foundation of their security program.

As I have been known to say, in ‘cyber’ what was true yesterday may not be so today! It is often recommended to check in from time to time and explore what may have changed. This continues to ring true today. When Covid-19 lockdowns were officially announced in March of 2020, much of the workforce had to rapidly shift to a new mode of working, opening new attack vectors for businesses or compounding existing ones.1, 3

The New Terrain

Some of these vectors include persistent email phishing attacks, shadow IT, Internet of Things, device management and supply chain risks.4 Email remains the top attack vector for penetrating enterprises, small businesses and governments. Attackers are exploiting the “human vulnerability” of people who had to rapidly migrate to a highly distributed attack surface. Business Email Compromise (BEC), or domain name email spoofing, accounts for many impersonation attacks leading to theft of funds. One of the top mitigations for this is to configure DMARC and SPF records and permit only authorized, signed senders.5
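As an added illustration of the DMARC and SPF mitigation above (example code written for this page, not taken from the article or its references), the script below audits a domain's published TXT records for settings that still let spoofed mail through. The record strings, example.com names and function names are constructed assumptions.

```python
# Added example. All records are constructed samples; example.com is a reserved name.

def audit_spf(txt):
    """Return findings for one SPF TXT record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    alls = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    redirect = any(t.lower().startswith("redirect=") for t in terms[1:])
    if not alls and not redirect:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    for t in alls:
        qualifier = t[0] if t[0] in "+-~?" else "+"   # bare 'all' means '+all'
        if qualifier == "+":
            findings.append("'+all' authorizes any sender")
        elif qualifier == "?":
            findings.append("'?all' is neutral: unlisted senders are not failed")
        elif qualifier == "~":
            findings.append("'~all' is softfail: unlisted senders are only flagged")
    return findings

def audit_dmarc(txt):
    """Return findings for one DMARC TXT record (published at _dmarc.<domain>)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "missing").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy}: failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports to reveal unknown senders")
    return findings

WEAK = ("v=spf1 include:_spf.example.com ~all", "v=DMARC1; p=none")
HARDENED = ("v=spf1 ip4:192.0.2.0/24 include:_spf.example.com -all",
            "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com")

def audit(records):
    """records is a (spf_txt, dmarc_txt) pair; an empty list means no findings."""
    return audit_spf(records[0]) + audit_dmarc(records[1])

if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(records) or "no findings")
```

The weak pair is a common interim state: SPF softfail with a monitoring-only DMARC policy reports nothing and blocks nothing, while the hardened pair rejects unlisted senders and sends aggregate reports to the domain owner.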

While on the topic of electronic communication, it is worth noting that, due to this massive shift to “remote-work-from-anywhere” and business reliance on communications tools such as Slack, Microsoft Teams and Zoom, these tools have opened a new vector for exploitation.6 An important item to note is that not all Cloud Access Security Brokers (CASBs) are created equal, and we may find that in certain use cases dual or multi-CASB deployments are recommended to mitigate different attack vectors. These integrations are often simple to implement with Application Programming Interfaces (APIs). Nonetheless, review the default configurations and customize any and all policies for your specific environment.

What do you know, about the unknown?

Any and all online meeting communication tools should be inventoried and monitored for potential breaches, data leakage and supply chain risks. Online productivity tools such as Office 365, Dropbox, Hubspot, HelloSign and FreshBooks have proven instrumental as Software-as-a-Service (SaaS) solutions helping to keep our economies operational. However, these tools, used in combination without the necessary security controls, expose businesses to data exfiltration.7 In the rush to continue serving their clients while remaining cost conscious, many businesses subscribed to the “freemium” tiers of service using their corporate domains. While this provided the interim capability to continue business operations, it has simultaneously created a blind spot for the Information Technology and Security Teams, as this tier of service often comes with few controls to prevent data theft.8

Some of the recommended mitigations are to inventory these services, subscribe to business or advanced tiers of service, and integrate advanced tools such as Security Information and Event Management (SIEM) and a Cloud Access Security Broker for inline authentication and single sign-on. These will provide a greater level of visibility, earlier warning of a potential breach, and granular authentication and policy controls. Given the overwhelming evidence, any and all online applications and administrative tools should be viewed as a potential attack vector which could debilitate the business due to data loss or theft. Separation of Duties, Least Privileged Access, Password Management, Multi-factor Authentication and proper Identity and Access Management cannot be overlooked.9 Fast forward to 2021 and we appear to be in a hybrid security model between castle and moat architectures, cloud and the massive influx of remote locations. The change appears to be permanent for the foreseeable future and therefore must be accounted for in our perimeter architectures.

Shifting Right

Networks are rapidly moving from Multi-Protocol Label Switching (MPLS) and site-to-site VPN to Software Defined Perimeters or Zero Trust Network Architectures (ZTNA). The move is driven by the substantial cost of maintaining inflexible MPLS networks and the port density costs of VPN hardware upgrades, but careful consideration and caution should be exercised while researching these new solutions. Furthermore, developing technology advancements have ushered in the era of Next Generation Cloud Access Security Brokers and Secure Access Service Edge (SASE) providers.10

Different providers offer different capabilities, and although these may converge over time, it is critical to know what capabilities are offered and, more importantly, any deficits which could open the risk of exposure. While evaluating solutions, we recommend working with a “trusted advisor” who has the appreciation and resources to explore differences in approaches and leads with a “client-first” philosophy. This one is important; your business may have to live with it for a couple of years.

The requirement for next generation anti-virus (NGAV) or malware detection, often referred to as Endpoint Detection and Response (EDR), and XDR for Extended Detection and Response, cannot be overstated.11 This is foundational for Threat Hunters and Cybersecurity Teams. With the mass propagation of cyberattack tools such as CobaltStrike and EternalBlue and the rapid, ongoing development of zero-day threats, we must assume that even these tools can and will one day fail us.12 They can be exceptional for API integrations, advanced frameworks such as MITRE and rapidly assembling the attack kill chain. Note, however, that these tools can be used to disable an organization, whether used properly or misconfigured. Proper controls, change controls and privileged access must be segmented, restricted and monitored, and limited to only the “most trusted” and trained privileged users. Establish a configuration backup procedure to mitigate against hostile insiders or attackers.

With the onslaught of technology innovation and business disruption in the Information Technology sector, there is an overabundance of tools which will eventually converge with time. Some NextGen-AV has expanded capability to perform backup and disaster recovery, and while these tools offer greater financial benefits, it is worth exploring separation of these tools for your specific business context. Some NextGen-AV products currently offer rollback features as a defense against a ransomware infection. Simply put, backup and disaster recovery is so economically viable that no organization should be without this capability today. Separating NextGen-AV and XDR/EDR from Backup and Disaster Recovery (BCDR) could offer an additional mechanism. In short, roll back and fail back are two different functions and could bolster a defense-in-depth strategy. It is highly recommended to evaluate this for your use case, as some teams may not have sufficient resources for additional complexity.

More of the same

This could not be truer when it comes to device management.13 Covid-19 has massively and rapidly changed our security context. Not every enterprise can afford to provide a corporate owned device, and some business models do not provide for one. Furthermore, due to extenuating circumstances, using a personal device may be essential to satisfying a client, meeting a deadline or producing revenue. While IT Security’s job is to maintain, enforce and optimize the organization’s security policies for ever changing conditions, they must be enabled with the tools to do so. IT Security must seek to remove friction and bottlenecks while aligning to the organization’s policies and the enforcement thereof, and adopt a continuously iterative mindset backed by processes and controls.14

The era of Covid-19 has thrust business into a highly distributed model where data is dispersed and quite likely unknown, further exposing organizations to data breaches or fines from compliance violations. “The data is everywhere!15, 16 Do you know who has access to it? What they can do with it? Or whether they should have access to it?”

The Internet of Things

You are likely not alone. There are new techniques which use a combination of APIs, Computer Vision and Control Frameworks which can help identify the data, reconcile compliance and apply policies to help mitigate the threat of a data breach or exfiltration from Shadow IT. This is new territory for many businesses and should be reviewed with a strategic advisor.

This article would not be complete without discussing the Internet of Things. Recently it was discovered that an ADT employee had configured administrative credentials on a home video camera allowing for remote viewing of sexual activity.17 While this is a horrendous event, the implications of having a “person-in-the-middle installed by default” could potentially lead to “island hopping” or lateral movement into the corporate network. Isolation of corporate assets from consumer grade electronic devices on the same network is paramount to mitigating the risk of credential theft and further privilege escalation. Explore the benefits of Software-Defined WAN in combination with NextGen CASB as a potential mitigation approach.

If we have learned anything from the SolarWinds breach, it is that with enough time and resources attackers will breach our defenses. While we cannot and should not let down our guard, it is imperative that we plan to prepare for and respond to a cyber breach.18 At the risk of being cliché, “hope for the best and plan for the worst.” When was the last time your business revisited your incident response plan? When was the last time your senior leadership performed a tabletop exercise? What best practices were observed? Has the business accounted for these lessons? These are all questions which must be robustly interrogated, planned for and practiced regularly, with accountability at the board level. Don’t wait until a breach or ransomware attack occurs to practice. Further explore areas of continuous breach detection and testing as an early warning indication of this potential exposure.

Where do we go from here?

An incident response plan is not complete without the appropriate review and coverage of cyber insurance.19 Given cyber insurance’s rapid evolution, seek the advice of a specialist. Ensure you have the appropriate coverage to avoid the risk, reduce it, transfer it or accept it. In short, “read the fine print”. Or at a minimum engage the necessary legal counsel to help decipher what is covered and what is not, and to understand your obligations.20 Evaluate and align the cyber insurance policy coverage with your service provider’s cost to help restore business operations versus paying the ransom.

As we navigate the maze of cybersecurity, “we all need to use a holistic, risk based security strategy to manage it all”.2 No matter which governance framework you may be bound to, one common theme is that we must identify and prioritize our risk based on the residual effects. Loss of revenue, brand equity and customer loyalty, legal exposure and other intrinsic factors should be prioritized taking a risk-based management approach.

In conclusion, cybersecurity is a rapidly evolving space full of unknown unknowns in the dynamic connected era, sometimes referred to as “Industry 4.0.” The attack surface will continue to morph and grow with new exploits and vulnerabilities. The industry must remain committed and double down on convergence and streamlining efficiencies. We must prepare for the worst case scenarios and the unforeseen to occur. “We do not know what we do not know.” From that vantage point we remain agile, vigilant and curious about continuously seeking and preventing the next great threat. There is no finish line with cybersecurity; we must remain humble and drive continuous improvement while training and preparing to invoke the cyber resilience and recovery plan.

References:

1 How to think about cybersecurity in the era of COVID-19
2 Cyber risk, what really matters?
3 The COVID-19 Pandemic Has Become a Catalyst for Cyberattacks
4 8 ways attackers are exploiting the COVID-19 crisis
5 Preventing address spoofing with DMARC, DKIM and SPF
6 The Unintended Data Security Consequences of Remote Collaboration
7 Cloud-based collaboration tools are a major driver of data exfiltration
8 What is a cloud access security broker and why do I need one?
9 Resource Guide for Cybersecurity During the COVID-19 Pandemic
10 Telco cloud evolution: SD-WAN, uCPE and SASE
11 Benefits of Using XDR in Addition to EDR
12 Hackers exploit legitimate admin tools in 30% of successful cyber attacks
13 COVID-19 Shift to Security Enabled by Evolving Device Management
14 Top 5 solutions to reduce ‘cyber friction’
15 Managing a Remote Workforce During COVID-19
16 COVID-19 Poses Increased Cybersecurity Risks to Employers and Businesses
17 ADT techie admits he peeked into women’s home security cams thousands of times to watch them undress, have sex
18 Technology’s greatest supply chain challenge? Establishing trust
19 Cyber Insurance and Incident Response: What to Know
20 What are your Legal & Reasonable Obligations when it comes to Cybersecurity?
