
CyberSecurity Switching Gears in the Age of COVID-19

By David Kane, Ethical Intruder

Since the beginning of the COVID-19 pandemic, businesses have seen a tremendous need to evolve in order to maintain their business. It is imperative for organizations to ensure that COVID-19 has not softened the defenses that protect customer data and intellectual property. 

While shifting internal budgets and making new purchases may be necessary in the new normal, one suggestion would be to simply re-evaluate the undervalued parts of your existing security and compliance programs.

There are several core components of a good InfoSec or compliance program that often have a hard time gaining traction. Reasons include perceived inconvenience, disruption to the comfort of employees’ normal processes, or uncertainty about how to work through specific scenarios that seem unlikely to occur. What we have learned from COVID-19 is that our employees are open to adapting to change and have handled uncomfortable situations with grace. Everyone has become open to facing risks that seem unlikely, such as a pandemic. Those of us in the InfoSec community have seen that malicious actors are taking advantage of many of these underserved areas, and regularly exploiting organizations at a time when they are already feeling vulnerable.

Some areas of concern we see that should become a priority for organizations to combat the current security environment are as follows:

Multi-Factor Authentication. Take it from a hacker (an ethical hacker): there is nothing a company can do to protect itself that slows us hackers down more than Multi-Factor Authentication (MFA). This protection has a cost; many organizations have backed off implementation for fear that it will complicate their users’ experience and slow them down. However, it is of the utmost importance to push through any obstacles and enable MFA on your environment. In addition to the monumental importance of having MFA on your own environment, it is critical that you review the third-party systems you do not control, especially those which contain sensitive company data, and find out whether Multi-Factor is available.

Incident Response Policy and Tabletop Exercises. Knowing what to do in the event of a security incident is paramount to protecting your data. Poorly coordinated responses can not only increase liability, but can also affect how an insurance provider will pay a claim in the event of a breach. Knowing who should be on the team, their roles, how to categorize an incident, how to track key milestones and how to save important evidence are key points and processes to fully grasp and be able to execute efficiently and expertly. Once a plan is in place, a tabletop exercise is the business equivalent of a fire drill. It helps to ensure your organization has the proper muscle memory when it comes to handling a security incident.

O365 – Security & Compliance Center. Many organizations have moved from an on-premises Microsoft email system to O365. What the vast majority of organizations do not realize is that Microsoft has added a great many new security and compliance offerings to its cloud solutions. An old adage holds that people know only about 5% of what core Microsoft products such as Word or Excel can do. That adage applies even more to O365, which includes a robust built-in security and compliance center. With some self-training, organizations can take advantage of features that assist with data loss prevention, phishing, logging, monitoring, user traceability and seemingly unlimited security and compliance dashboards.

Review Your Network and Corporate Boundaries. Typically, companies consider their network or corporate boundary to be the environment within their own organization, or the part that extends to their cloud environment. Many organizations do not extend that boundary to remote workers in a way that supports the majority of the workforce being at home. Knowing which systems your company is responsible for protecting when it comes to remote workers, and who is responsible for monitoring and patching those remote systems, is extremely important for developing policies. Additionally, who is responsible for anti-virus and anti-malware, and who will support those environments, should be discussed and turned into policy.

Performing Test Recoveries and Reviewing Disaster Recovery. This is a checklist activity that, for some reason, is not taken very seriously. All companies have some form of backup, and some have multiple forms of backup. No matter what your strategy, if you do not test the recovery process, you are opening yourself to significant risk. Recent ransomware attacks that have affected major industry leaders, as well as local governments, demonstrate the need to ensure your systems are designed to recover the data you need and recover it when you need it.
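A test recovery can be automated rather than left as a checklist item. The following Python script is an added example, not code from the original article or from the author's firm: it builds a small constructed backup set, restores it into a scratch directory and compares every restored file against a SHA-256 manifest, reporting files that are missing, corrupted or unexpected. The file names and contents are constructed samples; a real job would produce the manifest at backup time and keep it apart from the archive.

```python
"""Added example: an automated restore test for a backup archive."""
import hashlib
import io
import os
import tarfile
import tempfile
from dataclasses import dataclass, field


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_backup(files: dict) -> tuple:
    """Pack files (relative path -> content) into a gzipped tar and return
    (archive_bytes, manifest). The manifest maps each path to its SHA-256 and
    stands in for the integrity record a real backup job would write."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {name: sha256_bytes(data) for name, data in files.items()}
    return buf.getvalue(), manifest


@dataclass
class RestoreReport:
    restored: int = 0                               # present with expected hash
    missing: list = field(default_factory=list)     # in manifest, not restored
    corrupted: list = field(default_factory=list)   # restored, hash mismatch
    unexpected: list = field(default_factory=list)  # restored, not in manifest

    @property
    def ok(self) -> bool:
        return not (self.missing or self.corrupted or self.unexpected)


def verify_restore(archive: bytes, manifest: dict) -> RestoreReport:
    """Restore the archive into a scratch directory and check every file
    against the manifest. A backup that cannot pass this check would not
    have recovered the data when it was actually needed."""
    report = RestoreReport()
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            try:
                # The "data" filter rejects absolute paths, traversal and links
                # that escape the destination; older Pythons lack the argument.
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)
        found = {}
        for root, _dirs, names in os.walk(scratch):
            for name in names:
                path = os.path.join(root, name)
                rel = os.path.relpath(path, scratch).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    found[rel] = sha256_bytes(fh.read())
    for rel, expected in manifest.items():
        if rel not in found:
            report.missing.append(rel)
        elif found[rel] != expected:
            report.corrupted.append(rel)
        else:
            report.restored += 1
    report.unexpected = sorted(set(found) - set(manifest))
    return report


# Constructed sample data standing in for a real backup set.
SAMPLE_FILES = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'example');\n",
    "config/app.yaml": b"debug: false\n",
    "docs/plan.txt": b"Incident response plan v3\n",
}


def demo() -> dict:
    """Run a healthy restore and two failure cases; return the reports."""
    archive, manifest = build_backup(SAMPLE_FILES)
    healthy = verify_restore(archive, manifest)

    # Silent corruption: the archive holds a changed file, manifest unchanged.
    damaged = {**SAMPLE_FILES, "config/app.yaml": b"debug: true\n"}
    corrupted = verify_restore(build_backup(damaged)[0], manifest)

    # Incomplete backup: a file the manifest promises was never captured.
    partial = {k: v for k, v in SAMPLE_FILES.items() if k != "db/customers.sql"}
    incomplete = verify_restore(build_backup(partial)[0], manifest)
    return {"healthy": healthy, "corrupted": corrupted, "incomplete": incomplete}


if __name__ == "__main__":
    for label, rep in demo().items():
        print(f"{label}: ok={rep.ok} restored={rep.restored} "
              f"missing={rep.missing} corrupted={rep.corrupted}")
```

Run this on a schedule against the most recent backup and treat the report, not the backup job's own exit code, as the evidence that recovery works; the job finishing successfully says nothing about whether the archive can be read back and matches what was captured.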

Social Engineering. Take it from a hacker, we are not trying to break in through your next generation firewall when we can simply ask your users for credentials. Social engineering is typically viewed as an IT issue or an HR training responsibility. The reality is that social engineering is a behavioral issue that malicious attackers utilize against your workforce. Especially during the pandemic, attackers are preying on the behaviors of your employees who are currently very susceptible to clicking, downloading files or providing credentials on almost anything related to COVID-19. Helping your organization to understand the threats and how to protect themselves can be one of the most significant improvements an organization can make.

Remediation of Existing Known Vulnerabilities. An oldie but a goodie: review the vulnerability evaluations and penetration tests you had over the past six months to a year. Make sure you are on top of the known open security issues found during those tests. If your security partner knows about those open issues, a malicious hacker could easily gather the same information. Focusing on vulnerabilities that are already known is far better value than extending into new solutions you may not require.

Pittsburgh has a fantastic InfoSec community. When in doubt, there are many resources to lean on for guidance.