Tagged: INFOSEC

  • Justin Pineda 8:51 pm on April 29, 2020
    Tags: business continuity, covid-19, cybersecurity, INFOSEC, malware, pinedacybersecurity, remote work, security awareness, wfh, work from home

    Securing the Organization’s IT Assets Amidst COVID-19 

    [Photo: man having a video call on his phone. Photo by Edward Jenner on Pexels.com]

    How should organizations conduct operations during a pandemic? How should they secure their IT assets during a pandemic? Big multinational companies have their respective Business Continuity Plans (BCPs) that assist them in times like lockdowns, quarantines, or any other disruption to normal business activities. However, a lot of companies were caught off guard and were not able to transition smoothly to “quarantine mode.”

    How organizations are affected by COVID-19

    According to an April 2020 report from Accenture on the effects of COVID-19 on organizations, there are significant impacts on system resilience and business continuity from a technology perspective. In a survey they conducted in 2019 on system resilience, only 10% of the 8,300 respondents answered that their technology is resilient. They summarized the effects on IT under the following headings: business continuity risks, a surge in transaction volumes, workforce productivity challenges, and security risks.

    Common cybersecurity issues faced

    Phishing, scams, malware, and unknowingly visiting malicious or bogus sites are the common cybersecurity issues that organizations faced during the pandemic. Attacks on NASA have been reported consistently since the spread of COVID-19. Local banks like BPI have issued memos warning customers of phishing attacks that spoof BPI online platforms. Google reported 18 million malware detections in a week that were related to COVID-19. Trend Micro also reported a surge in COVID-19-themed attacks ranging from spam to malware and malicious domains. Worse, unscrupulous individuals host COVID-19 case trackers and fill them with malware so that visitors are infected as they visit.

    The following are the major cybersecurity issues organizations face:

    • An increased number of phishing and malware attacks that use COVID-19 as bait or theme.
    • An increase in cybersecurity risk because employees are working from their homes, where IT has a hard time managing their devices and networks. On the other end, support for the company networks is also lessened because of reduced IT staffing.
    • Remote work/work-from-home security issues.

    Cybersecurity defense against attacks

    SANS has created the SANS Security Awareness Deployment Guide, which is very useful for organizations and employees during this time of reduced IT staff and widespread work from home. It contains all the materials that organizations will need, such as templates, fact sheets, posters, and messaging for employees. It even has short, informative learning videos covering a wide range of topics on social engineering, securing your home, and working remotely.

    It is alarming to note as well that a lot of the big multinational companies mentioned in the introduction, whose technology and security maturity are both top of the line, still suffer a lot of cybersecurity attacks such as phishing and malware. They have the best industry-grade anti-malware with a lot of advanced features, encryption at the hard drive level, and other security tools. But as we say in security, the technology is only as strong as the weakest link, which is the people. We have to emphasize the need for consistent and periodic security awareness training for employees, especially now that the IT/Security team has a limited view of the organization’s assets.

    It is also important that the IT/Security team be accessible not only for support but also for security incidents. Attacks can be well planned and can target specific people in the organization. Reporting information about security incidents helps the IT/Security team respond promptly and communicate with stakeholders to prevent others from being victimized.

    There also have to be clear guidelines/policies for employees. Remote work is a different and new environment that may need further, detailed guidance. For example, should users be allowed to connect to public Wi-Fi? Or are they only allowed to access their home network? If they are only allowed to use their home network, what configurations are necessary? A clear policy/guideline will be very helpful.

    Management support is also of utmost importance. Quick approval of policies/guidelines is necessary in this volatile time. Budget is also a key element, especially when you need to procure additional security software licenses. Management can provide both the approval and the budget.

    The following are some of the security issues that need to be discussed with employees:

    Social Engineering – Phishing, spear phishing, vishing, CEO fraud, and USB drops are some of the non-technical attacks that can target your organization. Employees must be trained on how to spot these attacks and report them immediately to the IT/Security team. Usual signs of these attacks include a strong sense of urgency, pressure to violate a policy, a generic e-mail, a brief message, and the use of a personal e-mail address.

    Passwords – Since passwords are the most common type of authentication, certain best practices have to be observed so that attackers will have a hard time accessing your account. The use of passphrases, unique passwords for different accounts, password managers (see LastPass and KeePass), and multi-factor authentication (MFA) (see Google Auth and LastPass Authenticator) are the best practices for building a layered defense for your passwords.
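    To make the passphrase recommendation concrete, here is an added example (not code from the original post) that generates a passphrase from a word list with a cryptographically secure random source and estimates its strength in bits. The 32-word list embedded below is constructed for the demonstration only; the assumption is that a real deployment would use a large curated list such as a 7776-word diceware-style list, which the helper functions take as a parameter.

```python
import math
import secrets

# Constructed sample word list for demonstration only. Assumption: a real
# deployment draws from a large curated list (e.g. a 7776-entry diceware-style
# list); a 32-word list like this one is far too small for real passphrases.
WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zephyr", "acorn", "bridge", "copper", "desert", "engine", "forest",
]


def passphrase_entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy in bits of num_words words chosen uniformly (with replacement)
    from a list of list_size words: num_words * log2(list_size)."""
    if num_words < 1 or list_size < 2:
        raise ValueError("need at least one word and a list of at least two words")
    return num_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words from a list_size list that reaches target_bits."""
    if list_size < 2:
        raise ValueError("list must have at least two words")
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(num_words: int = 6, words=WORDS, separator: str = "-") -> str:
    """Pick words with the CSPRNG-backed secrets module (never random.choice,
    which is predictable and unsuitable for credentials)."""
    if num_words < 1:
        raise ValueError("num_words must be positive")
    return separator.join(secrets.choice(words) for _ in range(num_words))


def is_from_list(passphrase: str, words=WORDS, separator: str = "-") -> bool:
    """True if every component of the passphrase comes from the given list."""
    return all(w in words for w in passphrase.split(separator))


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(phrase)
    print(f"{passphrase_entropy_bits(6, len(WORDS)):.1f} bits with a {len(WORDS)}-word list")
    print(f"{passphrase_entropy_bits(6, 7776):.1f} bits with a 7776-word list")
    print(f"words needed for 64 bits from a 7776-word list: {words_needed(64, 7776)}")
```

    The entropy figure is what a password manager's generator is effectively optimizing: six words from a 7776-word list give roughly 77 bits, while six words from the tiny list above give only 30, which is why list size matters as much as word count.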

    Updated Systems – From your router to your laptops and mobile devices, all the way to the applications, you need to ensure that they are always up to date. A lot of successful attacks exploit vulnerable systems, meaning those that are not updated. Enable automatic updates.

    Backups – Another important practice is to back up your files routinely. The usual expectation of the IT/Security team is that worst-case scenarios will happen, such as your workstation being infected by ransomware or the device being lost. Aside from wanting to wipe the contents of the device, you want to retrieve the information in it. That’s where backups play a vital role.

    VPN – In some organizations, confidential company data must remain in the trusted (company) network. Since a lot of employees are working from home, a secure way of getting access to company data stored internally is through a Virtual Private Network (VPN).

    Device Misuse – Another important practice is to use company-issued devices for work only. A lot of malware nowadays comes from social networking platforms through third-party ads, hoaxes, and the like. It is important to remove that risk by not using company-issued devices for personal purposes. At the same time, company resources should not be accessed on a personal device, where they may be accidentally shared or retained unknowingly. Lastly, children, relatives, and guests should not be allowed to use company-issued devices.

    The new normal in the time of pandemic forces businesses to make drastic and rapid changes in their day-to-day operations. While the initial move of a lot of organizations was to relax security so that business continuity would not be hindered, it is important that security mechanisms be restored, reconfigured, and recalibrated so that they fit the current setup of the organization.

    Here is the slide deck on Securing the Organization’s Assets Amidst COVID-19 v1.0. Feel free to use it to help inform more people on how to secure their respective organizations.

  • Justin Pineda 3:41 pm on April 5, 2020
    Tags: INFOSEC, security mechanisms, security services

    Lesson 10: What are Security Services and Mechanisms? 

    [Photo: silhouette of a person holding a door knob. Photo credit: George Becker from https://www.pexels.com/]

    In the usual scenario, companies are more reactive than proactive with regard to security. Because IT, which includes cybersecurity, is perceived as a cost center, procuring technologies may not be appealing to management unless a security incident occurs. In Lesson 6, we discussed the value of the CISO in aligning the company’s strategy with the controls needed to ensure protection.

    Coming from a technical security background, you would like to have the best tools and software available. But remember, management sees them as a cost without seeing the return on investment, since they are for internal use. The list of inconvenient truths below will help technical security personnel understand why sometimes (or maybe most of the time) the tools that we want are not approved.

    The Cybersecurity Inconvenient Truths

    • You cannot protect everything from everyone.

    If we list all the potential threats that an organization can face, the list will be a very long one: DDoS, malware, incompetence resulting in loss of data, ransomware, corporate spies, etc. Since the list of threats is very long, there are a lot of security controls that we have to put in place. Unfortunately, we don’t have the means to prevent or mitigate all of these threats.

    • There are not enough resources and money in the world to totally mitigate all risks.

    As a corollary to the discussion of management’s perception of IT/cybersecurity, the budget for the team is limited. If resources are limited, we can only do what we can within the budget. And that leads to the next inconvenient truth.

    • Focus on protecting the most important information first, that which must be protected, and that with the highest risk.

    Since we cannot protect everything and we have a limited budget, the goal is to prioritize the threats with the highest risk and severity. In that way, you are able to cover the majority of the security incidents in the organization.

    This activity of prioritizing controls based on their risk rating is called Risk Assessment. We will discuss it in another lesson.

    Security Services and Security Mechanisms

    To properly align the organization’s strategy and the cybersecurity team’s goals, we have to define the security services and mechanisms. Security services express how the organization’s objectives are manifested. Security mechanisms, on the other hand, are the specific solutions that we can implement in the organization.

    We conduct a risk assessment first before we can come up with the security services and mechanisms. See the example below:

    • Goal: The organization wants to focus on physical security
    • Security Services: (1) Personnel security; (2) Access control
    • Security Mechanisms: (1) Security clearance, training, rules of behavior; (2) Biometrics, proximity cards, mantraps

    What industry do you think will have this type of security goal?

    It can probably be a bank or law enforcement (government) office.

    It is important to determine the organization’s security services and mechanisms so that the cybersecurity team also has a clear expectation of the types of controls and tasks that they will be doing.

    So the next time you think about a cybersecurity project, revisit the team’s defined security services and mechanisms and see whether the project is aligned with them. Otherwise, you will have to let it go so you won’t waste your time and effort.
